
Re: The argument for writing a general purpose NAT for IPv6



On Wednesday 18 April 2007 21:25, james woodyatt wrote:
> The transport proxies don't exist just because the IPv4 box is a
> NAT.  They would need to be there even if the box implemented IPv4
> stateful packet inspection/filtering without NAT.  Let me outline the
> logical flow:
>
>    1) SPI -> ALG

You can do connection tracking with SPI, without ALG. You only need an 
ALG *if/because* you have a NAT because the SDP content will then be 
broken, not the other way around.

> We will never need NAT for translating between global and private
> IPv6 address realms.  That's not at issue.  However, we *do* need NAT
> for transparently redirecting IPv6 flows into transport proxies to
> implement application layer gateways to permit stateful packet
> inspection filters to keep from breaking Internet applications.

ALGs do keep breaking Internet applications.

By putting in more ALGs, you will only incite software vendors and
protocol designers to use TLS for just about everything (SIP outbound
being one current example, STUN and Teredo XOR mapped addresses another
one).

-- 
Rémi Denis-Courmont
http://www.remlab.net/
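
The SDP breakage under NAT that the reply above refers to, as an added example that is not part of the original message: a translator that rewrites only the IP header leaves the SDP body advertising the inside address, while a filter that does not translate leaves nothing to repair. The SDP offer, the addresses and all function names are constructed for illustration, and a port-preserving NAT is assumed.

```python
# Constructed SDP offer from a host at 10.0.0.5 (sample values, not from the thread).
SDP_OFFER = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def media_endpoints(sdp):
    """Return the (address, port) pairs the SDP body advertises for media."""
    session_addr, endpoints = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]
            if endpoints:                      # media-level c= overrides session-level
                endpoints[-1] = (addr, endpoints[-1][1])
            else:
                session_addr = addr
        elif line.startswith("m="):
            endpoints.append((session_addr, int(line.split()[1])))
    return endpoints

def stale_endpoints(sdp, wire_src):
    """Endpoints in the payload that no longer match the source seen on the wire."""
    return [ep for ep in media_endpoints(sdp) if ep[0] != wire_src]

def alg_rewrite(sdp, inside, outside):
    """What an SDP-aware ALG does: patch o= and c= addresses inside the payload."""
    lines = []
    for line in sdp.split("\r\n"):
        fields = line.split(" ")
        if line[:2] in ("c=", "o=") and fields[-1] == inside:
            fields[-1] = outside
        lines.append(" ".join(fields))
    return "\r\n".join(lines)

if __name__ == "__main__":
    inside, outside = "10.0.0.5", "192.0.2.10"   # constructed address pair
    # Filtering without translation: header and payload still agree.
    print("no NAT      :", stale_endpoints(SDP_OFFER, inside))
    # Header-only NAT: payload still names the inside address.
    print("NAT, no ALG :", stale_endpoints(SDP_OFFER, outside))
    # NAT plus ALG: payload patched to match the translated header.
    print("NAT with ALG:", stale_endpoints(alg_rewrite(SDP_OFFER, inside, outside), outside))
```

The rewrite step depends on the ALG being able to read and modify the payload, which is why signalling carried inside TLS is out of its reach.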