> Understood. But very little of that security benefit is
> really due to NAT; most of it is due to the fact that
> connections have to be initiated from within. That's
> certainly an artifact of NAT (actually NAPT) but it can
> be done just as easily without translating addresses.
Unfortunately the problem with anything labelled 'security'
is that once it is installed it is practically impossible
to shift.
We still have people who refuse to countenance moving from
DES which has been broken in practice to AES because they
don't know how secure AES will prove... well duuhh, it ain't
gonna be worse than DES. So we give them 3DES rather than argue.
Co-opting the NAT box as you suggest to become a 6 to 4 type
box is the real answer. Wishing they will go away is simply
futile.
Phill
Phillip Hallam-Baker (E-mail).vcf- Re: (ngtrans) Joint DNSEXT & NGTRANS sum... Keith Moore
- Re: (ngtrans) Joint DNSEXT & NGTRANS... Daniel Senie
- Re: (ngtrans) Joint DNSEXT & NGTRANS... Robert Elz
- Re: (ngtrans) Joint DNSEXT & NGTRANS sum... Robert Elz
- Re: (ngtrans) Joint DNSEXT & NGTRANS... Daniel Senie
- Re: (ngtrans) Joint DNSEXT & NGTRANS summary Robert Elz
- Re: (ngtrans) Joint DNSEXT & NGTRANS summary Alexis Yushin
- Re: (ngtrans) Joint DNSEXT & NGTRANS sum... Paul A Vixie
- Re: (ngtrans) Joint DNSEXT & NGTRANS... Jun-ichiro itojun Hagino
- Re: (ngtrans) Joint DNSEXT & NGTRANS... Johan Ihren
- Re: (ngtrans) Joint DNSEXT & NGTRANS summary Hallam-Baker, Phillip
- Re: (ngtrans) Joint DNSEXT & NGTRANS summary Bernard Aboba
- Re: (ngtrans) Joint DNSEXT & NGTRANS sum... Nathan Jones
- RE: (ngtrans) Joint DNSEXT & NGTRANS... Tony Hain
- Re: (ngtrans) Joint DNSEXT & NGT... D. J. Bernstein
- Re: (ngtrans) Joint DNSEXT & NGT... Johan Ihren
- Re: (ngtrans) Joint DNSEXT &... Bill Manning
- Re: (ngtrans) Joint DNSEXT ... Nathan Jones
- Re: (ngtrans) Joint DNS... Bill Manning
- Re: (ngtrans) Joint DNS... Johan Ihren
- Re: (ngtrans) Joint DNS... Randy Bush
