Re: The argument for writing a general purpose NAT for IPv6
On Wed, Apr 18, 2007 at 10:20:08AM +0200, Brian E Carpenter wrote:
> I am confused.
>
> If the issue is stateful packet filters the solution is
> to be able to configure them off for specified hosts. I can't
> see why transport proxies are needed (as far as you describe them,
> they exist *because* the IPv4 box is a NAT, not because it
> contains stateful filters).
>
I think I agree. It looks like James is saying that *in his code*,
implementing IPv6-NAT is the easiest way to re-use existing upper-layer
packet inspection code in order to poke holes in the firewall. I don't
think that this in any way applies to implementations in general.
I believe he's only said that this seems like the path of least
resistance in his code, but I don't think he's said that it would be
impossible to re-use his packet inspection code through some other means
without implementing IPv6-NAT, but I may have missed something.
I think this is being blown out of proportion and confusing one
implementation's decisions with the protocol requirements in general.
--
Wesley M. Eddy
Verizon Federal Network Systems