On Mon, Mar 30, 2009 at 8:57 PM, Erik Kline <[email protected]> wrote:
> On Mon, Mar 30, 2009 at 8:51 PM, Keith Moore <[email protected]> wrote:
>> Tom Pusateri wrote:
>>> So once you limit NAT for IPv6 to a 1:1 mapping (i.e. you no longer
>>> share an address), then it seems like there isn't a big advantage over
>>> an application gateway.
>>
>> wtf? application gateways have to be written for each protocol, whereas
>> NATs do not (at least for those protocols that don't do referrals).
>>
>> that makes for a huge deployment mess. it also breaks apps when the end
>> points upgrade their protocols and the ALGs don't keep track.
>>
>> Keith
>>
>> (now if we're going to have NATs at all, I'm a big fan of having a
>> standard signaling/control protocol that should work for all NATs. but
>> that's not the same as an application gateway)
>>
>> _______________________________________________
>> nat66 mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/nat66
>>
>
> Actually I would imagine that most applications would just need a
> "generic" TCP or UDP proxy. In essence a /128 to /128 NAT, with ALGs.
> Doing this requires listing all traffic mappings that need to be
> permitted. A lot of work, but explicit allow with implicit deny would
> make most of the security that I know more comfortable. It would be
> more like having VIPs for things that need them.
>
> 2 cents,
> -Erik
>

s/security/security folks/

oops
