What I am really objecting to here is the normative aspect of the discussion. 
NAT may be good or it may be the work of Satan. Either way we have to deal with 
the issue more constructively than simply telling people 'please do not'.

I don't like NAT workarounds either. In fact I would like to suggest that we 
return to an old principle of layered network architecture in which no layer 
knows or cares as to what is going on in any other layer it does not interface 
to directly.


So instead of saying NAT is good or bad let's instead frame the debate in terms 
of 'A NAT box operates at layer 3 and should not therefore make assumptions 
about application interactions at layer 7'. 

It is equally a layer violation for FTP to communicate IP addresses and port 
numbers in the protocol. An application should not know if the transport is 
IPv4, IPv6 or SNA. Get rid of FTP type layer violations and the need for NAT 
workarounds is also eliminated.

And at the same time let us ask 'how can we share an IPv4 connection on an IPv4 
network without causing layer violations?' or 'how can Alice log into her 
corporate VPN from a hotel?'




> -----Original Message-----
> From: Melinda Shore [mailto:[EMAIL PROTECTED] 
> Sent: Monday, July 02, 2007 12:51 PM
> To: Hallam-Baker, Phillip; [EMAIL PROTECTED]
> Cc: ietf@ietf.org
> Subject: Re: Domain Centric Administration, RE: 
> draft-ietf-v6ops-natpt-to-historic-00.txt 
> 
> On 7/2/07 12:40 PM, "Hallam-Baker, Phillip" 
> <[EMAIL PROTECTED]> wrote:
> > The $50 includes the cost of administration. I get the NAT effect for 
> > free when I plug the box in. Turning it off on the other hand requires 
> > rather a lot of thinking for the average user.
> 
> There's no reason that a default firewall configuration need 
> be any more complicated than a NAT.  Somewhat less, actually. 
>  But anyway, I think you're muddying the discussion somewhat 
> by framing it in terms of NAT.  You're talking about network 
> policy and NAT is not a policy function.
> NAT workarounds tend to introduce security problems while a 
> decent, usable policy infrastructure would not, or would at 
> least localize them.  I think we probably both see the same 
> outcome as desirable but I do think that it's a big mistake 
> to frame the problem as "NAT is good" rather than "default 
> deny is good."
> 
> Melinda
> 
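The FTP layer violation the thread argues about, as an added example that is not part of the original post or of any FTP implementation: the RFC 959 PORT command and 227 reply carry an IPv4 address and port inside the application payload, so a NAT that rewrites only the IP header leaves a stale inside address behind, and an application-layer gateway has to parse and rewrite the payload to compensate. The client address 192.168.1.10 and the NAT's outside address 203.0.113.5 are constructed sample values.

```python
import ipaddress
import re

# RFC 959 encodes address and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return the (IPv4Address, port) embedded in a PORT command or 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    addr = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return addr, fields[4] * 256 + fields[5]


def format_hostport(addr, port):
    """Inverse of parse_hostport: render address and port in RFC 959 form."""
    return "%s,%d,%d" % (str(addr).replace(".", ","), port // 256, port % 256)


def layer_mismatch(command, ip_layer_src):
    """True when the layer-7 address disagrees with the layer-3 source address.

    This is exactly what a plain NAT produces: it translates the IP header but
    cannot know that the payload also names the client's inside address.
    """
    embedded, _ = parse_hostport(command)
    return embedded != ipaddress.IPv4Address(ip_layer_src)


def alg_rewrite(command, inside_addr, outside_addr, outside_port):
    """The layer-7 surgery a NAT ALG must perform to make FTP work at all:
    replace the inside address/port the client wrote into the payload with the
    outside mapping the NAT allocated for the data connection."""
    embedded, port = parse_hostport(command)
    if embedded != ipaddress.IPv4Address(inside_addr):
        return command  # payload names some other host; leave it untouched
    return command.replace(
        format_hostport(embedded, port),
        format_hostport(ipaddress.IPv4Address(outside_addr), outside_port),
    )


if __name__ == "__main__":
    cmd = "PORT 192,168,1,10,4,1"  # constructed: client behind a NAT, port 1025
    print(layer_mismatch(cmd, "203.0.113.5"))  # True after header-only NAT
    print(alg_rewrite(cmd, "192.168.1.10", "203.0.113.5", 60200))
```

Any protocol that stops naming transport addresses in its payload (as the post argues applications should) makes both `layer_mismatch` and `alg_rewrite` unnecessary.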

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf