
Re: on NAT-PT



On Wed, 4 Dec 2002, Keith Moore wrote:
> > >       it looks that you mean something else, like avoiding the use of
> > >       DNS-ALG from NAT-PT (= alter NAT-PT spec).  i don't see real
> > >       technical ground for that.
> > 
> > There is some ground: the possibility to use NAT-PT when the remote
> > address is learned outside of the DNS channel.
> 
> more generally, the possibility to selectively enable NAT-PT for specific 
> services while leaving it disabled for others, regardless of how the 
> application learns which address(es) to use.
> 
> e.g. to support IPv6 access to a domain's v4-only SMTP servers I would 
> like to be able to set up MX records for that domain that point to DNS 
> names that resolve to v6 addresses of NAT-PT boxes that will forward
> the SMTP traffic to the v4-only SMTP servers.  the primary MX records 
> can point to v4 addresses, secondary MX records can point to NAT-PT 
> boxes.  that way the mail will be accepted even from v6-only clients.
> 
> similar techniques can be used with SRV records, or with other protocols
> that do referrals.
> 
> what I do not want is to have those NAT-PT boxes try to intercept all
> traffic to a particular domain, because this will break some apps.
> I'd much rather be able to specify handling on a per-port or per-service
> basis, even if that means returning 'connection refused' for some ports.

This sounds an awful lot like a selective TCP relay, and we use it for
exactly that purpose.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
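The selective TCP relay that Pekka mentions, with the per-port policy Keith asks for, as an added Python example (not code from this thread, from Netcore or from any NAT-PT implementation): it listens for IPv6 clients only on ports present in a constructed POLICY table and splices each accepted connection to the corresponding IPv4-only backend; the backend address 192.0.2.10 is a documentation-range placeholder, and a port outside the policy simply gets no listener, so clients see 'connection refused' instead of a half-working application.

```python
import socket
import threading

# Constructed policy: front-end port -> IPv4 backend. Ports not listed here get
# no listener at all, so a v6 client sees 'connection refused', not a broken app.
POLICY = {25: ("192.0.2.10", 25)}   # 192.0.2.0/24 is documentation address space

def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other direction."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def relay_connection(client, backend):
    """Open the v4 leg for one accepted client and pump both directions."""
    upstream = socket.create_connection(backend)
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)
    t.join()
    upstream.close()
    client.close()

def start_relay(port, policy=POLICY, host="::", ipv6=True):
    """Listen on one policy-listed front-end port; returns the listening socket."""
    backend = policy.get(port)
    if backend is None:
        raise ValueError("port %d is not in policy: leave it refused" % port)
    ls = socket.socket(socket.AF_INET6 if ipv6 else socket.AF_INET)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((host, port))
    ls.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:              # listener closed: stop serving
                return
            threading.Thread(target=relay_connection,
                             args=(client, backend), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return ls
```

Run one listener per entry in POLICY (for SMTP, `start_relay(25)`) on the host whose AAAA record the secondary MX points at; the relay is protocol-agnostic, so anything the backend would refuse, it still refuses.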