REQ-8: If application transparency is most important, it is
RECOMMENDED that a NAT have an "Endpoint independent filtering"
behavior. If a more stringent filtering behavior is most
important, it is RECOMMENDED that a NAT have an "Address dependent
a) The filtering behavior MAY be an option configurable by the
administrator of the NAT.
==> I think this is WAY too dangerous an approach. I'd say that the filtering
behaviour MUST be at least address dependent, unless explicitly configured
I'd strongly disagree with that. I'd say that NATs MUST NOT have
address dependent filtering unless configured otherwise; and even then,
filtering SHOULD be configurable on a (destination) port-by-port basis.
In other words, transparency MUST be the default setting.
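To make the disagreement above concrete, here is a small model of the three NAT filtering behaviours the draft distinguishes (endpoint-independent, address-dependent, address-and-port-dependent), with the per-destination-port override the second reply asks for. This is an added illustration written for this page, not code from the draft or from any NAT implementation; the class names, the scenario, and the addresses (10.0.0.2, 203.0.113.1, 198.51.100.7, all documentation ranges) are constructed for the example. The mapping behaviour is held fixed at endpoint-independent so that only the filtering decision varies.

```python
"""Model of the NAT UDP filtering behaviours discussed in REQ-8 (illustrative, not a real NAT)."""
from dataclasses import dataclass, field

ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_DEPENDENT = "address-dependent"
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass
class Mapping:
    internal: tuple            # (internal addr, internal port)
    external_port: int         # port allocated on the NAT's public address
    contacted: set = field(default_factory=set)  # (addr, port) peers the host sent to


class NatFilter:
    """Toy NAT: endpoint-independent *mapping*, configurable *filtering*."""

    def __init__(self, default=ENDPOINT_INDEPENDENT, per_port=None):
        self.default = default
        self.per_port = dict(per_port or {})   # NAT port -> filtering behaviour override
        self.mappings = {}                     # internal (addr, port) -> Mapping
        self.by_ext_port = {}                  # NAT port -> Mapping
        self.next_port = 1024                  # assumed allocation start, for determinism

    def outbound(self, src, dst):
        """Internal src sends a datagram to external dst; returns the NAT port used."""
        m = self.mappings.get(src)
        if m is None:
            m = Mapping(src, self.next_port)
            self.next_port += 1
            self.mappings[src] = m
            self.by_ext_port[m.external_port] = m
        m.contacted.add(dst)
        return m.external_port

    def inbound(self, src, nat_port):
        """External src sends to nat_port; returns the internal endpoint, or None if filtered."""
        m = self.by_ext_port.get(nat_port)
        if m is None:
            return None  # no mapping at all: dropped under every behaviour
        behaviour = self.per_port.get(nat_port, self.default)
        if behaviour == ENDPOINT_INDEPENDENT:
            allowed = True
        elif behaviour == ADDRESS_DEPENDENT:
            allowed = any(addr == src[0] for addr, _ in m.contacted)
        elif behaviour == ADDRESS_PORT_DEPENDENT:
            allowed = src in m.contacted
        else:
            raise ValueError(f"unknown filtering behaviour {behaviour!r}")
        return m.internal if allowed else None


# Constructed scenario (documentation address ranges, not real hosts).
HOST = ("10.0.0.2", 5000)          # internal host behind the NAT
STUN = ("203.0.113.1", 3478)       # server the host learns its public mapping from
PEER = ("198.51.100.7", 40000)     # peer that learned (NAT addr, port) out of band


def scenario(behaviour, per_port=None):
    """Run one filtering behaviour through three stages of a hole-punching exchange."""
    nat = NatFilter(behaviour, per_port)
    nat_port = nat.outbound(HOST, STUN)
    results = {}
    # 1. Peer sends first, knowing only the NAT port from signalling.
    results["peer_first"] = nat.inbound(PEER, nat_port) is not None
    # 2. Host has sent to the peer's address but a different port.
    nat.outbound(HOST, (PEER[0], PEER[1] + 1))
    results["after_addr_contact"] = nat.inbound(PEER, nat_port) is not None
    # 3. Host has sent to the exact peer endpoint.
    nat.outbound(HOST, PEER)
    results["after_exact_contact"] = nat.inbound(PEER, nat_port) is not None
    return results


def compare_behaviours():
    return {b: scenario(b)
            for b in (ENDPOINT_INDEPENDENT, ADDRESS_DEPENDENT, ADDRESS_PORT_DEPENDENT)}


if __name__ == "__main__":
    for b, r in compare_behaviours().items():
        print(f"{b:28s} {r}")
    # Per-port override: transparent by default, stricter on one NAT port.
    print(scenario(ENDPOINT_INDEPENDENT, {1024: ADDRESS_PORT_DEPENDENT}))
```

The scenario shows what "application transparency" costs under each choice: only endpoint-independent filtering lets the peer's first datagram through, address-dependent filtering needs the host to have sent to the peer's address first, and address-and-port-dependent filtering needs the exact endpoint. The `per_port` argument models the proposal that the stricter behaviour be an explicit per-port configuration rather than the default.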
NAT ALGs may interfere with UNSAF methods or protocols that try to be
NAT-aware and must therefore be used with extreme caution.
REQ-10: If a NAT includes ALGs that affect UDP, it is RECOMMENDED
that all of those ALGs be disabled by default.
a) If a NAT includes ALGs, it is RECOMMENDED that the NAT allow
the NAT administrator to enable or disable each ALG separately.
==> this seems like VERY bad advice.
I agree with this. The problem, I suspect, is that this invites
questions about which ALGs to enable and how those ALGs should behave,
which is a big can of worms. Some kinds of ALGs are very bad, others
are essential and semi-harmless. But it certainly should not be
expected that apps will use UNSAF methods, as UNSAF methods are woefully
While I appreciate the desire to limit the problem, I think this
document is too narrowly scoped - there's no way to define a desirable
NAT behavior that doesn't, at a minimum, allow explicit host/application
control over bindings in the NAT.
IETF mailing list