
RE: myth of the great transition (was US Defense Department formally adopts IPv6)

2003-06-19 08:29:19
My posting wasn't concerning what I think, it was concerning what is commonly 
done today in industry. I also didn't intend to imply that the NAT was being 
used as a firewall, rather that the NAT is commonly used today as an element 
within firewalls.

My own thoughts (which are off-topic) are that traditional firewalls have had 
their day and remain valuable. However, I am actively pursuing alternatives 
which perform the same functions without impacting the end-to-end performance 
of the protocols. Research into several approaches like this has excited me. 
But then, I've wandered far off topic.

-----Original Message-----
From: James Seng [mailto:jseng(_at_)pobox(_dot_)org(_dot_)sg]
Sent: Wednesday, June 18, 2003 10:38 PM
To: Fleischman, Eric
Cc: EKR; Keith Moore; pbaker(_at_)verisign(_dot_)com; 
Ronald(_dot_)vanderPol(_at_)rvdp(_dot_)org;
aarsenau(_at_)bbn(_dot_)com; ietf(_at_)ietf(_dot_)org
Subject: Re: myth of the great transition (was US Defense Department
formally adopts IPv6)


If you need a secure zone, and you want a firewall, then you should install 
a firewall. You should not put in a NAT thinking that it is also a firewall.

But I agree with you that NAT is here to stay.

-James Seng

Fleischman, Eric wrote:
Eric Rescorla [mailto:ekr(_at_)rtfm(_dot_)com] wrote:


similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.


Really? You have evidence of this?


I don't either, but my intuition is that you're wrong.  Once you have
decided to have a firewall in place (which you may think is evil, but
I consider pretty much a necessary evil), I suspect that most people
suffer almost not at all from having a NAT.


I believe that Eric is pointing out an important point: many deployments of 
NATs have nothing to do with IPv4 address conservation. Rather, they are 
firewall adjuncts implemented to hide internal networks from outside scrutiny 
and direct access. 

One point where I disagree with my IPv6-advocating friends is that I expect 
firewall-related NATs to continue to be deployed within Internet (including 
IPv6) environments until such a time as real-time-protocol and 
peer-to-peer-protocol friendly "distributed firewall" (policy zones) variants 
become the preferable "due diligence" alternative for CIOs.