v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
mohacsi at niif.hu
Tue Feb 10 02:21:27 CST 2009
On Mon, 9 Feb 2009, Ricky Beam wrote:
> On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk <stephen at sprunk.org>
>> Non-NAT firewalls do have some appeal, because they don't need to mangle
>> the packets, just passively observe them and open pinholes when
> This is exactly the same with NAT and non-NAT -- making any anti-NAT
> arguments null.
> In the case of NAT, the "helper" has to understand the protocol to know what
> traffic to map.
> In the case of a stateful firewalling ("non-NAT"), the "helper" has to
> understand the protocol to know what traffic to allow.
> Subtle difference, but in the end, the same thing... if your gateway doesn't
> know what you are doing, odds are it will interfere with it. In all cases,
> end-to-end transparency doesn't exist. (as has been the case for well over a
You arguments making any pro-NAT arguments null. You agree, that NAT and
Stateful Packet Inspetion firewall doing similar things. Advantage of the
SPI firewall is that you have to maintain only one forwarding/state table.
While in NAT you have to maintain two table. Therefore SPI firewall is
Network Engineer, Research Associate, Head of Network Planning and Projects
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882
More information about the NANOG