Re: draft-ietf-v6ops-nap-04
On Thu, 2 Nov 2006, Rémi Denis-Courmont wrote:
> On Thu, Nov 02, 2006 at 01:58:17PM +0100, Brian E Carpenter wrote:
> > As Fred has pointed out, NAT is functionally
> > equivalent to a stateful firewall.
>
> Errmm, NATs do no more than stateful firewalls, and are in many but not
> all cases so close to them that they can be considered equivalent. But it's not
> always so. In particular, stateful firewalls tend to be more strict as
> to what they accept as a "solicited response" from the outside toward
> the inside than NATs.
Indeed. If you look at draft-ietf-behave-udp-08.txt (in the RFC editor's
queue), those recommendations very specifically recommend designs
where inbound packets will be accepted from a wider set of
addresses and ports than would be strictly required (by traditional
apps) by inside-to-outside communication.
I raised this issue during IETF LC, but this was not changed because
p2p-like apps seem to require more relaxed behaviour for easier
interworking.
--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
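The difference discussed above, as an added illustration that is not part of the thread or of the BEHAVE draft: a toy stateful filter that records outbound UDP flows and then decides which inbound packets count as a "solicited response" under three filtering policies, using the endpoint-independent / address-dependent / address-and-port-dependent terminology the BEHAVE work uses. Address translation itself is left out, since the point is only how wide the set of accepted inbound sources is; the hosts, ports and the `StatefulFilter` class are constructed for the example.

```python
# Constructed example: how strict a stateful device is about which inbound
# packets it treats as a reply to an earlier outbound flow. The first mode
# matches the relaxed behaviour favoured for p2p interworking; the last
# matches what a strict stateful firewall usually does.

MODES = ("endpoint_independent", "address_dependent", "address_port_dependent")


class StatefulFilter:
    def __init__(self, mode):
        assert mode in MODES
        self.mode = mode
        # Recorded outbound flows: (inside_ip, inside_port, outside_ip, outside_port)
        self.flows = set()

    def outbound(self, in_ip, in_port, out_ip, out_port):
        """An inside host sends a packet; remember the flow."""
        self.flows.add((in_ip, in_port, out_ip, out_port))

    def allows_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Is an outside packet toward (dst_ip, dst_port) a solicited response?"""
        for in_ip, in_port, out_ip, out_port in self.flows:
            if (in_ip, in_port) != (dst_ip, dst_port):
                continue  # nothing outbound from this inside endpoint
            if self.mode == "endpoint_independent":
                return True  # any outside address/port may reach the mapping
            if self.mode == "address_dependent" and out_ip == src_ip:
                return True  # only hosts the inside endpoint already contacted
            if self.mode == "address_port_dependent" and (out_ip, out_port) == (src_ip, src_port):
                return True  # only the exact remote endpoint contacted
        return False


def compare_policies():
    """Constructed scenario: 10.0.0.5:4000 talks to 198.51.100.7:53, then three
    outside senders probe that inside endpoint. Returns {mode: [accepted...]}."""
    probes = [
        ("198.51.100.7", 53),    # the real peer: solicited under every policy
        ("198.51.100.7", 9999),  # same host, different port
        ("203.0.113.9", 53),     # a host never contacted from inside
    ]
    results = {}
    for mode in MODES:
        f = StatefulFilter(mode)
        f.outbound("10.0.0.5", 4000, "198.51.100.7", 53)
        results[mode] = [f.allows_inbound(ip, port, "10.0.0.5", 4000) for ip, port in probes]
    return results


if __name__ == "__main__":
    for mode, accepted in compare_policies().items():
        print(f"{mode:24s} accepts probes: {accepted}")
```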