> I agree. One of the goals of this effort, IMO, should be to avoid
> conflating NAT and stateful firewall functionality. A firewall is
> much more manageable/configurable than a N:1 or port translating NAT.
> So, I am hopeful that we can explain this well, make it clear how one
> would provide a stateful firewall with this benefit and also define a
> 1:1 algorithmic, non-port-mapping NAT algorithm that can be used when
> translation is actually _wanted_, not as a poor man's substitute for a
> firewall.

As an application developer, I am not so sure. In practice, it takes about the same effort to run an application through a NAT and through a basic "stateful" firewall. Most of the failure modes in person-to-person applications today are caused by firewalls, not by NATs.

-- Christian Huitema

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
