Keith Moore wrote:
Any router?  Router?  When was the last time anyone implemented NAT on a
router?  NAT is a firewall technology, not a router technology.

no, NAT is not a firewall technology.  it's not exactly a router
technology either, though it is often incorporated in routers, and
devices that primarily exist to perform NAT are often marketed as "routers".

We all know how NAT is used, and what the terms firewall, router, and
statefulness mean, Keith.

the point is that ordinary packet forwarding devices (i.e. routers)
don't break SCTP, but NATs do.

In the real world, end-node networks do not use routers; they use firewalls.
All firewalls implement stateful filtering of ingress flows.  Since
statefulness breaks SCTP with or without NAT, your argument against NAT is
tangential.

Whether routers are capable of NAT is irrelevant.  NAT is not used on
routers.  NAT is used on edge devices i.e., firewalls.  Firewalls by
definition are not simple packet filters and they are not simple "packet
forwarding devices".  Firewalls implement statefulness.  Statefulness
breaks SCTP with or without NAT.

You can argue against statefulness all you want, but there is no market
for edge devices that do not implement statefulness.  Without statefulness
it is impossible to implement effective security policies.  Nobody builds
such devices because nobody would buy them.  If OTOH you know of some other
method of implementing flow validation, we would all like to hear about it.
The patent alone would be worth millions.

Bottom line: in the real world NAT is not used without statefulness.  To
make an argument against NAT that holds water you have to explain where NAT
breaks anything (in real world application) that wouldn't otherwise be
broken by the need to keep state.

Roger Marquis
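As an added illustration of the "flow validation" point argued above (example code, not from the nat66 thread or any product): a toy stateless forwarder beside a stateful edge filter keyed on the 5-tuple, run over a constructed SCTP association whose multihomed peer fails over to its second address, with no NAT anywhere. It assumes the edge device only admits ingress packets that match a previously seen outbound 5-tuple and does not parse SCTP chunks.

```python
# Added example: toy model of per-flow "statefulness" versus plain forwarding.
# All addresses and ports are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "sctp"
    src: str
    dst: str
    sport: int
    dport: int
    inbound: bool   # True = arrives from outside, headed for the inside host


class StatelessForwarder:
    """Ordinary packet forwarding (a router): keeps no per-flow state."""
    def handle(self, pkt):
        return "forward"


class StatefulFilter:
    """Edge device that admits ingress only for an existing outbound flow,
    keyed on the 5-tuple (assumed model; it knows nothing about SCTP
    multihoming, so a new peer address is simply an unknown flow)."""
    def __init__(self):
        self.flows = set()

    def handle(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return "forward"
        reverse = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return "forward" if reverse in self.flows else "drop"


def run(device, packets):
    return [device.handle(p) for p in packets]


# Constructed SCTP association: inside host 10.0.0.5 talks to a multihomed
# peer reachable at 198.51.100.10 and 203.0.113.10. A path failover moves the
# peer's traffic to its second address. No address translation is involved.
SCTP_FAILOVER = [
    Packet("sctp", "10.0.0.5", "198.51.100.10", 5000, 5000, inbound=False),  # INIT out
    Packet("sctp", "198.51.100.10", "10.0.0.5", 5000, 5000, inbound=True),   # INIT-ACK back
    Packet("sctp", "203.0.113.10", "10.0.0.5", 5000, 5000, inbound=True),    # DATA via 2nd path
]


def failover_results():
    """Verdict per packet for each device type; the third packet only survives the router."""
    return {"router": run(StatelessForwarder(), SCTP_FAILOVER),
            "stateful_firewall": run(StatefulFilter(), SCTP_FAILOVER)}
```

The stateful filter drops the failover packet because the peer's second address never appeared in an outbound 5-tuple, which is the breakage attributed to state-keeping rather than to translation.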
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66