Hi,
Thus wrote Fred Baker ([email protected]):
> On Mar 15, 2011, at 6:42 PM, james woodyatt wrote:
>
> > I am talking about the implications for firewalls and PCP-capable hosts
> > deployed behind site multi-homing NPTv6 systems as described in section 2.4
> > of your draft.
>
> They will be exactly the same as any other firewall. Since the feature
> doesn't change the ports, PCP will turn them on or off, exactly as it does
> with any other firewall.
If I understand correctly, the intended use for the pinhole control
protocol is that you can tell an upstream firewall "hey, I'm
2001:db8:a:b:c:d:e:f and I want to accept incoming connections on port 12345"
whereupon the firewall goes from "deny all inbound" to "deny all inbound
except to 2001:db8:a:b:c:d:e:f port 12345".
Since it'll be for incoming connections, you'll want all possible paths
opened, and of course for the addresses apparent on the "outside"
interface of the firewall.
I think the "you may need a proxy if your translator is between you and
the firewall" is better situated in the PCP draft, since it will not only
apply to one kind of translation.
There is no other need to mention it in the NPTv6 document: since the
address translation itself is utterly deterministic in the NPTv6 case,
you do not need to build hooks into the NPTv6 translator, the PCP proxy
can calculate them itself given inside and outside prefixes.
regards,
spz
--
[email protected] (S.P.Zeidler)
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
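The deterministic NPTv6 mapping the reply relies on, as an added example (not code from this thread, nor from the NPTv6 or PCP drafts): a PCP proxy sitting inside the translator computes the outside address itself from the inside and outside prefixes, using the checksum-neutral rule of RFC 6296, and rewrites the client address in the PCP request header so the upstream firewall opens the pinhole for the address it actually sees. The function names, the proxy step and the sample prefixes and addresses are constructed assumptions for illustration.

```python
import ipaddress

def ones_add(a: int, b: int) -> int:
    """16-bit one's-complement add with end-around carry; 0xFFFF and 0x0000 are
    the same value, so 0x0000 is returned to keep results reversible."""
    s = a + b
    s = (s & 0xFFFF) + (s >> 16)
    return 0 if s == 0xFFFF else s

def ones_sum(ws) -> int:
    total = 0
    for w in ws:
        total = ones_add(total, w)
    return total

def words(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of a 128-bit address."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]

def nptv6_translate(addr, from_prefix: str, to_prefix: str) -> ipaddress.IPv6Address:
    """RFC 6296 checksum-neutral translation for equal-length prefixes of /48 or shorter:
    swap the prefix bits, then adjust the subnet word (bits 48-63) so the one's-complement
    sum of the words is unchanged. Deterministic, so it serves both directions."""
    src, dst = ipaddress.IPv6Network(from_prefix), ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("equal-length prefixes of /48 or shorter expected")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    old = words(a)
    if old[3] == 0xFFFF:
        # indistinguishable from 0x0000 in one's complement, so not reversible;
        # RFC 6296 excludes such addresses from translation
        raise ValueError("subnet word 0xFFFF is not translatable")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    new = words(ipaddress.IPv6Address(
        (int(dst.network_address) & ~host_mask) | (int(a) & host_mask)))
    delta = ones_add(ones_sum(old), 0xFFFF - ones_sum(new))  # sum(old) - sum(new)
    new[3] = ones_add(new[3], delta)
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in new))

def pcp_rewrite_client_address(request: bytes, inside_prefix: str, outside_prefix: str) -> bytes:
    """Hypothetical PCP proxy step: rewrite the PCP Client IP Address (bytes 8-23 of the
    RFC 6887 request header) to its NPTv6-external form, so the outside firewall opens
    the pinhole for the address it really sees. MAP's Suggested External IP is not handled."""
    if len(request) < 24 or request[0] != 2:
        raise ValueError("not a PCP version 2 request")
    outside = nptv6_translate(ipaddress.IPv6Address(request[8:24]), inside_prefix, outside_prefix)
    return request[:8] + outside.packed + request[24:]
```

With inside prefix fd01:203:405::/48 and outside prefix 2001:db8:1::/48, the inside host fd01:203:405:1::1234 maps to 2001:db8:1:d550::1234, and feeding the result back through the same function with the prefixes swapped returns the original address.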