On Oct 26, 2010, at 2:11 PM, Chris Engel wrote:

> Yeah, and I can try to address that with each of them in turn. Right now you
> are basically telling me that you want to be part of the problem not part of
> the solution.

Well, I'm sorry you feel that way. You're asking for a different solution than is the stated topic of this list, and as near as I can tell the reason you want it in IPv6 is because you have had it in IPv4. From that perspective, it's off-topic for this list, which is talking about stateless network prefix translators, not stateful network address translators. If there is a market for what you want, I think we can expect vendors to make products for it; that product won't be this one. So I'm not going to further discuss stateful NAT in IPv6 in this thread.

> Yes and if you can walk into my offices and hold a sawed-off 12 GA shotgun to
> my head, you can get me to map out the entire network for you and probably
> give you every password I know. What's your point? I've got to deal with lots
> of different attack vectors, not just the network boundary. That's not an
> excuse for making it easier to compromise the network boundary... which
> transparency does.

Well, thanks for making my point, which is that address obfuscation at the network boundary isn't much of a solution. By accident, it gives you part of what you are actually looking for, which is a stateful firewall, but it is not a stateful firewall.

> So your argument is that FW filtering rules shouldn't be based on IP
> Addresses? I'll agree with you completely about higher level applications.
> But it strikes me that devices which are intended to control access to the
> network layer should... well know something about the network layer.

Yes, they probably should. Your stateful firewall should know what traffic your policy permits into your network, and if your policy is (as they usually are) based on prefix or address, it should be looking at prefixes and addresses.
