On Mar 31, 2009, at 12:23 AM, Keith Moore wrote:

>> You miss the point. If someone wants to build a big box that controls
>> traffic and sneakily fabricates headers, they can build a big box that
>> does it up front and follows the end-to-end model without altering the
>> packets.
>
> wtf?  how does such a box follow the end-to-end model if it "sneakily
> fabricates headers"?  either the box allows the endpoints to talk to
> each other without interference (i.e. the e2e model) or it doesn't.
>
> a box that munges traffic breaks the e2e model no matter whether it's
> doing it at layer 3 or layer 4 or layer 7.

Obviously I didn't communicate clearly enough. The NAT box is the one that sneakily fabricates headers. I am totally against this. I would rather it do what it is doing out in the open by terminating the TCP connection or re-originating the UDP packets from the policy box. This follows the end-to-end model, which is what I'm advocating.

I am just trying to bring what's currently in the dark out into the light.

I run an HTTP proxy on my home gateway.
I run a SIP proxy server on my gateway.
I run an SMTP server on my gateway.
For the needs of people behind current NAT boxes, we're not that far away.

Thanks,
Tom

>> A NAT firewall box that filters everything but the few applications that
>> they want to allow through smells a lot like multiple application
>> gateways.
>
> I certainly won't claim that providers can't do this, but such a thing
> would break enough apps (whether deliberately or accidentally) that at
> least in any market resembling the current one I'd expect significant
> pushback from users.
>
> Keith


_______________________________________________
nat66 mailing list
https://www.ietf.org/mailman/listinfo/nat66