
Re: draft-vandevelde-v6ops-nap-01.txt - "maybe add a bit more on proxy servers ..."



On Fri, 18 Mar 2005, Mark Smith wrote:

> There are probably a few places to expand upon the discussion of proxy servers within a NAP-based security program. NAT and proxies are not just the same thing at different levels of the ISO stack. NAT does simple address translation, whereas proxy implementations - especially in larger enterprises - do much more, including caching, L4-L7 security functions, and policy enforcement. Proxies also do a great job of topology hiding. <snip>

> Unfortunately, proxies break the end-to-end argument, as they maintain state within the network. If the proxy breaks, devices would not be able to access the resources they may still have an IP layer path to. Proxies are worth avoiding for the same reason NAT is.
> [...]

Personally, I have to agree with John Spence here, I think. While proxies are not nice from the architectural perspective, they're the lesser of the evils in some sense. If the users need to solve a problem (e.g., internal addressing stability using ULAs, ...), they're going to do it somehow in any case. It's just the question whether they use NAT, NAT-PT, proxies, or whatever for the task.

At least from that list, proxies look the least of the evils.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings