Thus wrote Andrew Yourtchenko ([email protected]):

> On Thu, 28 Oct 2010, Roger Marquis wrote:
> 
> >basically what EU Privacy Directives are all about.  By using NAT end
> >users get the privacy they require, freedom from vendor lock-in, and are
> 
> I've been watching this discussion with great interest, and I think
> the above may be optimistic.
> 
> http://panopticlick.eff.org/ behaves identically with or without NATs.

Application layer gateways that understand what they are transporting tend
to be better at this game, which is why I'd prefer using them wherever
available over any methods that munge packet headers but don't look at the
payload.

Especially with the case of hiding a web server (or web servers) and mail
servers behind one stable address (as far as your provider agreements let
you), setting up a reverse proxy (if not a fully-fledged WAF) and a
filtering mail relay beats plain stateful NATs by a lot.

That requires application gateways to be available, though, and they incur
extra cost (device, power, cooling, maintenance), so may not be practical
for everybody.

To get back to the topic of the proposal (stateless nat66 prefix
translation), and no longer referring to the cited mail:

I could cover my strict business needs with a selection of proxies
and telling users who need to connect to anything in the Internet
by other means to either cough up the money for the application gateway
or to use their phone. Mind that connections to business partners
don't fall under this heading because they run through IPSEC tunnels,
and my ULA net talking to their ULA net is expected to work just fine.

I would like to do somewhat better regarding Internet traffic, though.

I can get a situation where I can let users' machines directly connect
to some outside services if I get prefix translation. It has the
benefit that it does as little to the packet as it can get away with,
and that appeals to me from a simple-is-good aesthetic.

Using stateful NAT would not fix anything I want to achieve, because I
have better options to achieve what it would bring me. That is, of course,
just one data point.

I have a use case for port redirection (e.g. bouncing traffic to port 80
to port 8080), but I wouldn't necessarily consider that in scope for
this list (addresses don't get translated :).

So please consider me a proponent of the draft as is, modulo a few typos,
and +1 on "this isn't stateful NAT" clarification on the abbreviation.

regards,
        spz
-- 
[email protected] (S.P.Zeidler)
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66

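An added example (not from this thread or the draft itself) of the checksum-neutral mapping behind stateless prefix translation, which is what lets the translator rewrite only the address bits and leave TCP/UDP/ICMPv6 checksums untouched. It is modelled on the NPTv6 scheme later published as RFC 6296; restricting it to /48 prefixes, placing the adjustment in the subnet word, and refusing subnet ffff are this example's own simplifications, and the prefixes and host address are constructed.

```python
import ipaddress

def oc_sum(words):
    """16-bit one's complement sum with end-around carry, as in the TCP/UDP checksum."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def to_words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    p = ipaddress.IPv6Address(addr).packed
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]

def from_words(words):
    return ipaddress.IPv6Address(bytes(b for w in words for b in (w >> 8, w & 0xFF)))

def npt_translate(addr, old_prefix, new_prefix):
    """Stateless prefix translation of one address: swap old_prefix for new_prefix
    and fold the difference into the subnet word (index 3), so the one's complement
    sum of the address, and hence every transport checksum built on it, is unchanged.
    /48 prefixes only (this example's simplification)."""
    old = ipaddress.IPv6Network(old_prefix)
    new = ipaddress.IPv6Network(new_prefix)
    if old.prefixlen != 48 or new.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if ipaddress.IPv6Address(addr) not in old:
        raise ValueError(f"{addr} is not inside {old}")
    words = to_words(addr)
    if words[3] == 0xFFFF:
        # 0xFFFF and 0x0000 are both "zero" in one's complement, so subnet ffff
        # could not be told apart from subnet 0 when translating back.
        raise ValueError("subnet ffff cannot be translated reversibly")
    old_w = to_words(old.network_address)[:3]
    new_w = to_words(new.network_address)[:3]
    # adjustment = sum(old prefix words) - sum(new prefix words), in one's complement
    adjustment = oc_sum([oc_sum(old_w), (~oc_sum(new_w)) & 0xFFFF])
    words[0:3] = new_w
    words[3] = oc_sum([words[3], adjustment])
    return from_words(words)

def checksum_neutral(a, b):
    """True if two addresses contribute identically to a pseudo-header checksum
    (the % 0xFFFF treats 0x0000 and 0xFFFF as the same one's complement zero)."""
    return oc_sum(to_words(a)) % 0xFFFF == oc_sum(to_words(b)) % 0xFFFF

if __name__ == "__main__":
    INSIDE, OUTSIDE = "fd01:2345:6789::/48", "2001:db8:abcd::/48"  # constructed prefixes
    host = "fd01:2345:6789:1:2:3:4:5"                                 # constructed host
    out = npt_translate(host, INSIDE, OUTSIDE)
    back = npt_translate(out, OUTSIDE, INSIDE)
    print(host, "->", out, "->", back, "| checksum neutral:", checksum_neutral(host, out))
```

Note that the subnet number changes on the outside (1 becomes ae4a here); that is the price of keeping the translator stateless and the layer-4 headers untouched, and the reverse direction recovers the original address with no table lookup.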