Finally, *somebody* understands me. <sniff/> --jhw (sent from my phone)
On Mar 16, 2011, at 0:41, "S.P.Zeidler" <[email protected]> wrote:

> Hi,
>
> Thus wrote Fred Baker ([email protected]):
>> On Mar 15, 2011, at 6:42 PM, james woodyatt wrote:
>>
>>> I am talking about the implications for firewalls and PCP-capable hosts
>>> deployed behind site multi-homing NPTv6 systems as described in section 2.4
>>> of your draft.
>>
>> They will be exactly the same as any other firewall. Since the feature
>> doesn't change the ports, PCP will turn them on or off, exactly as it does
>> with any other firewall.
>
> If I understand correctly, the intended use for the pinhole control
> protocol is that you can tell an upstream firewall "hey, I'm
> 2001:db8:a:b:c:d:e:f and I want to accept incoming connections on port 12345"
> whereupon the firewall goes from "deny all inbound" to "deny all inbound
> except to 2001:db8:a:b:c:d:e:f port 12345".
>
> Since it'll be for incoming connections, you'll want all possible paths
> opened, and of course for the addresses apparent on the "outside"
> interface of the firewall.
>
> I think the "you may need a proxy if your translator is between you and
> the firewall" is better situated in the PCP draft, since it will not only
> apply to one kind of translation.
>
> Other need to mention it in the NPTv6 document does not exist: Since the
> address translation itself is utterly deterministic in the NPTv6 case,
> you do not need to build hooks into the NPTv6 translator, the PCP proxy
> can calculate them itself given inside and outside prefixes.
>
> regards,
> spz
> --
> [email protected] (S.P.Zeidler)

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
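The deterministic mapping spz relies on, as an added example that is not part of the thread: the checksum-neutral /48 address mapping from the NPTv6 draft (published as RFC 6296), which is what lets a PCP proxy compute the outside address of an inside host from the two prefixes alone, with no hooks in the translator. Swapping the prefixes gives the inverse direction; the prefixes and addresses used are constructed sample values.

```python
import ipaddress

MASK = 0xFFFF


def ones_add(a: int, b: int) -> int:
    """Add two 16-bit words with end-around carry (one's complement)."""
    s = a + b
    return (s & MASK) + (s >> 16)


def ones_sum(words) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def words_of(addr: ipaddress.IPv6Address) -> list:
    """Split a 128-bit address into its eight 16-bit words."""
    return [(int(addr) >> (16 * (7 - i))) & MASK for i in range(8)]


def address_checksum(addr: str) -> int:
    """One's complement sum of all address words; 0xFFFF folds to 0."""
    s = ones_sum(words_of(ipaddress.IPv6Address(addr)))
    return 0 if s == MASK else s


def npt_translate(addr: str, src_prefix: str, dst_prefix: str) -> str:
    """Map addr from src_prefix (/48) into dst_prefix (/48), checksum-neutrally."""
    src, dst = ipaddress.IPv6Network(src_prefix), ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example implements the /48 case only")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not within {src_prefix}")
    w = words_of(ip)
    if w[3] == MASK:
        # 0xFFFF equals 0x0000 in one's complement, so the mapping cannot
        # carry this subnet word; NPTv6 does not translate such addresses.
        raise ValueError("subnet word 0xFFFF is not translatable")
    # adjustment = sum(src prefix words) - sum(dst prefix words); adding it to
    # the subnet word cancels the checksum change made by swapping the prefix.
    adj = ones_add(ones_sum(words_of(src.network_address)[:3]),
                   ~ones_sum(words_of(dst.network_address)[:3]) & MASK)
    subnet = ones_add(w[3], adj)
    out = words_of(dst.network_address)[:3] + [0 if subnet == MASK else subnet] + w[4:]
    value = int.from_bytes(b"".join(x.to_bytes(2, "big") for x in out), "big")
    return str(ipaddress.IPv6Address(value))
```

A proxy sitting inside the translator would call `npt_translate(inside_host, inside_prefix, outside_prefix)` and put the result into the PCP request it forwards; the `address_checksum` helper only exists to show that the mapping leaves transport checksums untouched.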
