Tom Pusateri wrote:

> Obviously I didn't communicate clearly enough. The NAT box is the one
> that sneakily fabricates headers. I am totally against this. I would
> rather it do what it is doing out in the open by terminating the TCP
> connection or re-originating the UDP packets from the policy box. This
> follows the end to end model which is what I'm advocating.

It only follows the e2e model if the application endpoint that
establishes the connection intends to connect to that box. If the
connection is intercepted (say by having the box lie about DNS results
or by having the box accept traffic destined for someone else's IP
address) it still violates the e2e model.

> I am just trying to bring what's currently in the dark out into the light.
> 
> I run an HTTP proxy on my home gateway.
> I run a sip proxy server on my gateway.
> I run an SMTP server on my gateway.
> For the needs of people behind current NAT boxes, we're not that far away.

a) for many protocols, application gateways do more harm than NATs
b) interception proxies of any kind are evil
c) you've named 3 protocols out of hundreds of thousands of protocols in use

again, wtf?

Keith
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66