[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

quietly....



On Wed, Feb 2, 2011 at 10:34 PM, Jay Ashworth <jra at baylink.com> wrote:
[snip]
> I won't run an edge-network that *isn't* NATted; my internal machines
> have no business having publicly routable addresses. ?No one has *ever*
> provided me with a serviceable explanation as to why that's an invalid
> view.

If you want to provide an edge network IPv6 connectivity with no
routable address space,
then use a proxy server /  application layer gateway  for every
allowed application.
SOCKS5 can be used to forward any TCP based protocol,  and most UDP protocols,
other UDP protocols do not actually function correctly in NAT
environments anyways
(neither do protocols such as FTP which require client side to accept
port bound connections).

There's no reason for the internet community to  re-design  every
protocol to allow and
try to function in a NAT environment,  for the benefit  of a small
number of edge networks,
who want a private castle with hosts  on their network not connected
to the internet,
for no reason that has been adequately justified.

In IPv4,  this had to be accepted,  because with limited IP address space,
it was not an option to have no NAT.     Now with IPv6 it is not an
option to have NAT.


No one has ever provided me with a serviceable explanation of why a
stateful firewall
is an insufficient method for implementing any desired network policy,  with
regards to limiting accepted traffic to outbound connections for nodes
on an edge network.

> -- jra
--
-JH