On Wed, Feb 2, 2011 at 10:34 PM, Jay Ashworth <jra at baylink.com> wrote:
> I won't run an edge-network that *isn't* NATted; my internal machines
> have no business having publicly routable addresses. No one has *ever*
> provided me with a serviceable explanation as to why that's an invalid
If you want to provide an edge network IPv6 connectivity with no
routable address space, then use a proxy server / application layer
gateway for every
SOCKS5 can be used to forward any TCP based protocol and most UDP
protocols; other UDP protocols do not actually function correctly in NAT
(neither do protocols such as FTP, which require the client side to
accept port-bound connections).
There's no reason for the internet community to re-design every
protocol to allow and try to function in a NAT environment, for the
benefit of a small number of edge networks who want a private castle
with hosts on their network not connected to the internet, for no
reason that has been adequately justified.
In IPv4, this had to be accepted, because with limited IP address space,
it was not an option to have no NAT. Now with IPv6 it is not an
option to have NAT.
No one has ever provided me with a serviceable explanation of why a
is an insufficient method for implementing any desired network policy, with
regards to limiting accepted traffic to outbound connections for nodes
on an edge network.
> -- jra
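As an added illustration of the outbound-only policy argued for in the reply above (example code, not from the thread): a minimal stateful filter that admits only replies to flows initiated from inside, keyed on the hosts' real, unrewritten IPv6 addresses. The addresses, ports and timeout are constructed for the example.

```python
from collections import namedtuple

# Constructed addresses from the RFC 3849 documentation prefix. The edge
# network's hosts keep their globally routable addresses throughout.
LAN_PREFIX, HOST = "2001:db8:1::", "2001:db8:1::10"
SERVER, STRANGER = "2001:db8:ffff::53", "2001:db8:ffff::bad"

Packet = namedtuple("Packet", "proto src sport dst dport")   # proto: tcp|udp

class StatefulFilter:
    """Outbound-only policy without NAT: forward packets that open a flow from
    inside and replies matching an existing flow; drop everything else.
    Nothing is rewritten, so state is keyed on the real 5-tuple."""

    def __init__(self, lan_prefix: str, udp_timeout: float = 30.0):
        self.lan_prefix = lan_prefix
        self.udp_timeout = udp_timeout
        self.flows: dict = {}   # outbound 5-tuple -> time last seen

    def handle(self, pkt: Packet, now: float) -> str:
        # Expire idle UDP state (TCP teardown on FIN/RST is omitted here).
        for flow, seen in list(self.flows.items()):
            if flow[0] == "udp" and now - seen > self.udp_timeout:
                del self.flows[flow]
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        inside = pkt.src.startswith(self.lan_prefix)
        if inside and not pkt.dst.startswith(self.lan_prefix):
            self.flows[fwd] = now    # new or continuing outbound flow
            return "forward"
        if rev in self.flows:
            self.flows[rev] = now    # reply to a flow we initiated
            return "forward"
        return "drop"                # unsolicited inbound

def run_scenario() -> list:
    """Constructed packet sequence; returns the filter's verdict per packet."""
    fw = StatefulFilter(LAN_PREFIX)
    return [
        fw.handle(Packet("tcp", HOST, 40000, SERVER, 443), 0),    # forward
        fw.handle(Packet("tcp", SERVER, 443, HOST, 40000), 1),    # forward
        fw.handle(Packet("tcp", STRANGER, 5555, HOST, 22), 2),    # drop
        fw.handle(Packet("udp", HOST, 50000, SERVER, 53), 3),     # forward
        fw.handle(Packet("udp", SERVER, 53, HOST, 50000), 4),     # forward
        fw.handle(Packet("udp", STRANGER, 53, HOST, 50000), 5),   # drop
        fw.handle(Packet("udp", SERVER, 53, HOST, 50000), 60),    # drop (idle)
    ]
```

The last two verdicts show that a third-party UDP packet and a reply arriving after the state has expired are dropped by the policy itself, with no address translation involved.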