On Apr 26, 2007, at 17:07, Tony Hain wrote:
While that is a simple hack that would work within a single administrative domain, I am not sure we want to standardize that as such. If it turns out that the firewall can insert a routing header and push the real dst there when overwriting with the proxy, then the proxy only has to do standard extension header parsing.
At this point, I'm now persuaded that having a proxy remote from the filtering router will require the path between them to use some kind of encapsulation that looks like a routing extension header. I'm still convinced that type code zero is the *wrong* one, but whatever... (at the diversion point, on the return path from the proxy, the source address needs to be rewritten to match the real destination, not the proxy, and normal routing extension header processing doesn't do that.)
I agree I'm guilty of a poor choice in words. The IETF has defined a way to scribble on the destination addresses in IPv6 headers, and despite my long habit of calling that behavior by the name "network address translation," I should stop calling it that because, with IPv6, there is only one address realm involved. Of course, I do need a way to scribble on source addresses as well as destination addresses...
-- j h woodyatt <jhw@apple.com>
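
The diversion discussed in this thread, sketched as an added example that is not code from either poster: the filtering router overwrites the destination with the proxy and carries the real destination in a routing extension header, the proxy recovers it by ordinary header parsing, and the diversion point rewrites the source on the return path. Routing type 253 (an experimental value under RFC 4727), the single-address layout, the function names and the documentation-prefix addresses are all assumptions.

```python
import ipaddress
import struct

ROUTING = 43        # IPv6 Next Header value for a routing extension header
RTYPE_DIVERT = 253  # assumption: experimental routing type (RFC 4727), not type 0

def ipv6_packet(src, dst, next_header, payload, hop_limit=64):
    """Build a minimal IPv6 packet: 40-byte fixed header plus payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return (head + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def fields(packet):
    """Return (src, dst, next_header, payload) of an IPv6 packet."""
    _, length, nh, _ = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return src, dst, nh, packet[40:40 + length]

def divert(packet, proxy):
    """Filtering router: send to the proxy, keep the real dst in a routing header."""
    src, real_dst, nh, payload = fields(packet)
    # next header, hdr ext len (2 x 8 octets after the first 8), type,
    # segments left, 4 reserved octets, then the real destination
    rh = struct.pack("!BBBBI", nh, 2, RTYPE_DIVERT, 1, 0) + real_dst.packed
    return ipv6_packet(src, proxy, ROUTING, rh + payload, hop_limit=packet[7])

def real_destination(packet):
    """Proxy: extension header parsing recovers the real destination."""
    _, _, nh, payload = fields(packet)
    if nh != ROUTING or len(payload) < 8:
        raise ValueError("no routing header")
    inner_nh, ext_len, rtype, segs_left = payload[:4]
    size = 8 + 8 * ext_len
    if (rtype != RTYPE_DIVERT or segs_left != 1 or ext_len != 2
            or len(payload) < size):
        raise ValueError("not a diverted packet")
    return ipaddress.IPv6Address(payload[8:24]), inner_nh, payload[size:]

def restore_source(reply, real_dst):
    """Diversion point, return path: the reply must appear to come from the
    real destination, which routing header processing alone does not do.
    The payload is opaque here; upper-layer checksums cover the source
    address and would also need updating."""
    _, dst, nh, payload = fields(reply)
    return ipv6_packet(real_dst, dst, nh, payload, hop_limit=reply[7])
```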