On Mon, Mar 30, 2009 at 8:51 PM, Keith Moore <[email protected]> wrote:
> Tom Pusateri wrote:
>> So once you limit NAT for IPv6 to a 1:1 mapping (i.e. you no longer
>> share an address), then it seems like there isn't a big advantage over
>> an application gateway.
>
> wtf? application gateways have to be written for each protocol, whereas
> NATs do not (at least for those protocols that don't do referrals).
>
> that makes for a huge deployment mess. it also breaks apps when the end
> points upgrade their protocols and the ALGs don't keep track.
>
> Keith
>
> (now if we're going to have NATs at all, I'm a big fan of having a
> standard signaling/control protocol that should work for all NATs. but
> that's not the same as an application gateway)
>
> _______________________________________________
> nat66 mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/nat66
>
Actually I would imagine that most applications would just need a "generic" TCP or UDP proxy. In essence a /128 to /128 NAT, with ALGs. Doing this requires listing all traffic mappings that need to be permitted. A lot of work, but explicit allow with implicit deny would make most of the security that I know more comfortable. It would be more like having VIPs for things that need them.

2 cents,
-Erik
