Re: on NAT-PT
On Wed, 4 Dec 2002, Keith Moore wrote:
> > > it looks that you mean something else, like avoiding the use of
> > > DNS-ALG from NAT-PT (= alter NAT-PT spec). i don't see real
> > > technical ground for that.
> >
> > There is some ground: the possibility to use NAT-PT when the remote
> > address is learned outside of the DNS channel.
>
> more generally, the possibility to selectively enable NAT-PT for specific
> services while leaving it disabled for others, regardless of how the
> application learns which address(es) to use.
>
> e.g. to support IPv6 access to a domain's v4-only SMTP servers I would
> like to be able to set up MX records for that domain that point to DNS
> names that resolve to v6 addresses of NAT-PT boxes that will forward
> the SMTP traffic to the v4-only SMTP servers. the primary MX records
> can point to v4 addresses, secondary MX records can point to NAT-PT
> boxes. that way the mail will be accepted even from v6-only clients.
>
> similar techniques can be used with SRV records, or with other protocols
> that do referrals.
>
> what I do not want is to have those NAT-PT boxes try to intercept all
> traffic to a particular domain, because this will break some apps.
> I'd much rather be able to specify handling on a per-port or per-service
> basis, even if that means returning 'connection refused' for some ports.
This sounds an awful lot like a selective TCP relay, and we use it for
exactly that purpose.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"Tell me of difficulties surmounted,
not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
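The MX-based selective NAT-PT arrangement Keith describes (primary MX on a v4 address, secondary MX on a NAT-PT box that only forwards SMTP), modelled as an added example that is not part of the thread; the zone name, host names, addresses and the port policy are constructed placeholders.

```python
"""Model of selective NAT-PT via MX records.

Constructed zone data, not real DNS: example.net, its hosts and addresses
are placeholders chosen for this illustration.
"""
from ipaddress import ip_address

# Constructed zone: the v4-only SMTP server is the preferred MX; the
# NAT-PT relay, reachable only over v6, is the secondary MX.
ZONE = {
    "example.net": {"MX": [(10, "mail.example.net"),
                           (20, "natpt.example.net")]},
    "mail.example.net": {"A": ["192.0.2.25"]},        # v4-only SMTP server
    "natpt.example.net": {"AAAA": ["2001:db8::25"]},  # NAT-PT relay box
}

# Relay policy: only SMTP is forwarded to the v4 server; any other
# port is answered with 'connection refused' rather than relayed.
RELAY_ALLOWED_PORTS = {25}


def addresses(name, zone=ZONE):
    """All A and AAAA addresses published for a host name."""
    rr = zone.get(name, {})
    return rr.get("A", []) + rr.get("AAAA", [])


def pick_mx(domain, client_versions, zone=ZONE):
    """Return (host, address) a client with the given IP versions
    (e.g. {4}, {6}, {4, 6}) would connect to: the lowest-preference MX
    that has an address in a family the client can use, else None."""
    for _pref, host in sorted(zone[domain]["MX"]):
        for addr in addresses(host, zone):
            if ip_address(addr).version in client_versions:
                return host, addr
    return None


def relay_accepts(port):
    """Selective relay decision for a connection arriving at the NAT-PT box."""
    return port in RELAY_ALLOWED_PORTS
```

A dual-stack or v4-only sender lands on the real server, a v6-only sender falls through to the relay, and the relay refuses anything that is not SMTP.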