Okay, this is my last response on this topic, as I think this discussion
(which has even been held off-list) is more or less useless.
On 12.11.2009 01:05 Roger Marquis wrote:
> Whether routers are capable of NAT is irrelevant. NAT is not used on
> routers. NAT is used on edge devices i.e., firewalls. Firewalls by
> definition are not simple packet filters and they are not simple "packet
> forwarding devices". Firewalls implement statefulness. Statefulness
> breaks SCTP with or without NAT.
No no no. NAT is not used on edge devices. My notebook for instance
doesn't implement NAT, although it would like to use an SCTP-based
protocol. My default gateway does however and this default gateway acts
as ... a router.
Statefulness as implemented for a firewall does *not* break SCTP. It is
the network translation that does. Statefulness is just about any given
ingress flow for IP address X, protocol port Y, and protocol Z that
needs to correspond to a given egress flow. That works perfectly fine
with SCTP or any other protocol above that uses address information in
its payload. But with NATs that does not work anymore.
> You can argue against statefulness all you want, but there is no market
> for edge devices that do not implement statefulness. Without statefulness
> it is impossible to implement effective security policies. Nobody builds
> such devices because nobody would buy them. If OTOH you know of some other
> method of implementing flow validation we would all like to hear about it.
> The patent alone would be worth millions.
See above. Stateful firewalls would still be supported in a NAT-free world.
> Bottom line: in the real world NAT is not used without statefulness. To
> make an argument against NAT that holds water you have to explain where NAT
> breaks anything (in real world application) that wouldn't otherwise be
> broken by the need to keep state.
To hold water I would recommend you to explain to me and many others how
protocols like SCTP or any other given protocol that holds address
information in its payload can be supported by NAT gateways.
That's it,
Martin
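The following is an added illustration, not part of the thread above or of any nat66 draft. It is a deliberately simplified model of the distinction Martin draws: a stateful filter keys its state on the 5-tuple and never touches the packet, so any transport works, while a NAT additionally rewrites the IP header and cannot know about addresses carried in the payload. The SCTP detail relied on is that an INIT chunk may advertise the endpoint's own addresses as IPv4/IPv6 Address Parameters (RFC 4960, section 3.3.2); the host addresses, ports, and the `Packet`, `StatefulFilter` and `Nat` classes are constructed for this example.

```python
"""Model: a stateful filter is transport-agnostic, but NAT breaks protocols
that carry addresses in their payload (e.g. multi-homed SCTP).

Added example, not code from the nat66 thread; addresses are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "sctp" ... the filter does not care which
    sport: int
    dport: int
    payload_addrs: tuple = ()   # addresses the transport advertises inside its
                                # payload (SCTP INIT address params, RFC 4960)


class StatefulFilter:
    """Stateful firewall without NAT: records the 5-tuple of each admitted
    egress flow and admits only ingress packets that match a recorded flow.
    The payload is never inspected, so the transport protocol is irrelevant."""

    def __init__(self):
        self.flows = set()

    def egress(self, p):
        self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return p                                  # forwarded unmodified

    def ingress(self, p):
        """Return the packet if it matches a known flow, else None (dropped)."""
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.flows:
            return p
        return None


class Nat(StatefulFilter):
    """Same state table, plus header rewriting: the internal source address is
    replaced by the gateway's public address. Only the IP header is touched;
    the payload (and any addresses inside it) passes through unchanged."""

    def __init__(self, public_ip):
        super().__init__()
        self.public_ip = public_ip
        self.translations = {}                    # (public_ip, sport) -> internal src

    def egress(self, p):
        self.translations[(self.public_ip, p.sport)] = p.src
        translated = replace(p, src=self.public_ip)   # payload_addrs untouched
        return super().egress(translated)

    def ingress(self, p):
        internal = self.translations.get((p.dst, p.dport))
        if internal is None or super().ingress(p) is None:
            return None
        return replace(p, dst=internal)


def unreachable_advertised_addrs(p):
    """Addresses the peer learns from the payload that differ from the header
    source it actually received from. Behind a NAT these are the private
    addresses the peer cannot reach, which is how multi-homed SCTP breaks."""
    return tuple(a for a in p.payload_addrs if a != p.src)


def run(gateway, internal="10.0.0.5", peer="203.0.113.9"):
    """Constructed scenario: an internal host opens an SCTP association
    (port 5000 -> 80), advertising its own address in the INIT; the peer replies."""
    init = Packet(internal, peer, "sctp", 5000, 80, payload_addrs=(internal,))
    on_wire = gateway.egress(init)                # what the peer receives
    reply = Packet(peer, on_wire.src, "sctp", 80, 5000, payload_addrs=(peer,))
    delivered = gateway.ingress(reply)
    return {
        "reply_delivered": delivered is not None and delivered.dst == internal,
        "unreachable_addrs": unreachable_advertised_addrs(on_wire),
    }


if __name__ == "__main__":
    print("stateful only:", run(StatefulFilter()))
    print("stateful + NAT:", run(Nat("198.51.100.1")))
```

Both gateways deliver the reply, because flow state alone is enough to validate it regardless of transport. Only the NAT case leaves the peer holding an advertised address (10.0.0.5) it cannot reach, which is the failure Martin attributes to translation rather than to state.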
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66