"Keith" == Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu> writes:
>> REQ-8: If application transparency is most important, it is
>> RECOMMENDED that a NAT have an "Endpoint independent filtering"
>> behavior. If a more stringent filtering behavior is most
>> important, it is RECOMMENDED that a NAT have an "Address
>> dependent filtering" behavior. a) The filtering behavior MAY
>> be an option configurable by the administrator of the NAT. ==>
>> I think this is WAY too dangerous an approach. I'd say that the
>> filtering behaviour MUST be at least address dependent, unless
>> explicitly configured otherwise.
Keith> I'd strongly disagree with that. I'd say that NATs MUST
Keith> NOT have address dependent filtering unless configured
Keith> otherwise; and even then, filtering SHOULD be configurable
Keith> on a (destination) port-by-port basis. In other words,
Keith> transparency MUST be the default setting.
I have not yet read the document, but believe I understand the context
for this discussion point well enough to contribute.
I think that it is important to separate NAT from firewall
functionality. One device may provide both functions. But if the
intent is to provide only a NAT function, then Keith is right and
transparency needs to be the default.
If the intent is to provide a firewall function then all the
manageability and configuration concerns of a firewall apply.
Ietf mailing list
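To make the behaviours the REQ-8 text argues over concrete, here is an added toy model (not code from the thread or from any NAT implementation) of a UDP NAT whose inbound filtering mode is configurable, using the RFC 4787 names. It also includes the third mode RFC 4787 defines, address-and-port-dependent filtering, so the three can be compared side by side. All addresses, ports and the scenario itself are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Filtering(Enum):
    """Inbound filtering behaviours, RFC 4787 terminology."""
    ENDPOINT_INDEPENDENT = "EIF"        # the "transparent" default Keith argues for
    ADDRESS_DEPENDENT = "ADF"           # the stricter default the quoted comment wants
    ADDRESS_AND_PORT_DEPENDENT = "APDF"  # strictest mode RFC 4787 defines


@dataclass
class Mapping:
    external_port: int
    # (addr, port) pairs the internal endpoint has sent to through this mapping
    contacted: set = field(default_factory=set)


class Nat:
    """Toy UDP NAT: endpoint-independent mapping, configurable inbound filtering."""

    def __init__(self, external_ip, filtering, first_port=40000):
        self.external_ip = external_ip
        self.filtering = filtering
        self.next_port = first_port
        self.mappings = {}          # (internal_ip, internal_port) -> Mapping
        self.by_external_port = {}  # external_port -> (internal_ip, internal_port)

    def outbound(self, src, dst):
        """Internal src=(ip, port) sends to external dst=(ip, port). Returns the
        external (ip, port) the packet leaves with and records the contact."""
        m = self.mappings.get(src)
        if m is None:
            m = Mapping(self.next_port)
            self.next_port += 1
            self.mappings[src] = m
            self.by_external_port[m.external_port] = src
        m.contacted.add(dst)
        return (self.external_ip, m.external_port)

    def inbound(self, src, dst_port):
        """External src=(ip, port) sends to our external dst_port. Returns the
        internal (ip, port) the packet is forwarded to, or None if filtered."""
        internal = self.by_external_port.get(dst_port)
        if internal is None:
            return None  # no mapping at all: dropped under every behaviour
        m = self.mappings[internal]
        if self.filtering is Filtering.ENDPOINT_INDEPENDENT:
            return internal  # any external host may use the mapping
        if self.filtering is Filtering.ADDRESS_DEPENDENT:
            return internal if any(a == src[0] for a, _ in m.contacted) else None
        return internal if src in m.contacted else None  # address and port must match


def filtering_scenario(filtering):
    """Constructed scenario: an internal client contacts one server, then four
    inbound packets arrive. Returns, per packet, whether it reached the client."""
    nat = Nat("192.0.2.1", filtering)
    client = ("10.0.0.2", 5000)
    server = ("198.51.100.10", 3478)
    _, ext_port = nat.outbound(client, server)
    probes = {
        "same_addr_same_port": (server, ext_port),                   # the server replies
        "same_addr_other_port": (("198.51.100.10", 9999), ext_port),  # same host, new port
        "other_host": (("203.0.113.7", 4444), ext_port),             # peer that learned ext_port
        "unmapped_port": (server, ext_port + 1),                     # port nobody mapped
    }
    return {name: nat.inbound(src, port) == client for name, (src, port) in probes.items()}


if __name__ == "__main__":
    for mode in Filtering:
        print(mode.value, filtering_scenario(mode))
```

The "other_host" row is the whole disagreement in one line: under endpoint-independent filtering a third party that learns the external port can reach the internal socket (which is what makes peer-to-peer traversal work), while under address-dependent filtering only hosts the client has already sent to get through. Whether that row should be True by default is a policy choice about a firewall, which is the distinction the message above draws.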