Margaret,

> Margaret Wasserman wrote:
> That depends on what you mean by "global reachability".
> I am writing to you from behind a NAT right now.
> From here, I can reach web sites on the global
> Internet, etc. I can't run servers here

Why is that? (Note that I am not trying to defend or condone NAT by any means, just for my understanding.) I run my HTTP, HTTPS, FTP, SMTP servers on RFC1918 addresses behind NAT. At home I also do p2p music sharing on RFC1918 behind NAT. This is an extremely common setup these days.

> The one-way reachability (outbound, but not inbound)
> that is experienced by users of IPv4 NAT is a side-effect
> of NAT. So, if we are successful in avoiding NAT in IPv6,
> the "security" models that depend on this one-way
> reachability won't apply in IPv6.

Correct, this is why we will need IPv6 firewalls. Although NAT itself does not perform stateful packet inspection for other purposes than ALGs, it does implement hard state that provides this "one-way reachability", which is a most desired feature of firewalls.

> I don't have any interest in eliminating load balancers,
> but are you sure that this is how they work?

The ones that I have seen, yes.

> What happens when the server passes its IP addresses in FTP,
> SCTP or SIP packets (or any other application-layer protocol)?
> Does the loadbalancer also translate those addresses to point
> to the loadbalancer,

You meant to the host, I suppose, and the answer is yes. There are ALGs in the load balancers that I have seen that rewrite packets, and they do have the exact same issues as NAT WRT apps that embed IP addresses in the packet. The typical config of load balancers is that the load balancer's address is the one published in DNS, and the load balancer is indeed a NAT box that NATs traffic to the least busy server in a pool.

Michel.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
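The "hard state" Michel describes, modelled as a stateful IPv6 border filter with no address translation: outbound packets create flow state, inbound packets are accepted only when they match the reverse of a live flow or an explicitly published service, and idle state expires. This is an added illustration, not code from the thread; the inside prefix, addresses and timeout are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv6 address
    sport: int
    dst: str    # destination IPv6 address
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Toy connection-tracking filter for a site with global IPv6 addresses.

    Outbound packets create a flow entry; inbound packets pass only if they
    match the reverse of an existing flow (the NAT-like one-way reachability
    from the thread) or an explicit inbound allow rule for a published server.
    """

    def __init__(self, inside_prefix: str, idle_timeout: int = 300):
        self.inside_prefix = inside_prefix      # constructed, e.g. "2001:db8:1::"
        self.idle_timeout = idle_timeout        # seconds of idleness before state is dropped
        self.flows: dict[tuple, int] = {}       # 5-tuple -> last-seen time
        self.inbound_allow: set[tuple] = set()  # (proto, dst, dport) of published services

    def allow_inbound(self, proto: str, dst: str, dport: int) -> None:
        self.inbound_allow.add((proto, dst, dport))

    def _is_inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def _expire(self, now: int) -> None:
        self.flows = {k: t for k, t in self.flows.items() if now - t <= self.idle_timeout}

    def handle(self, pkt: Packet, now: int) -> str:
        """Return 'accept' or 'drop' for a packet crossing the border at time `now`."""
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            self.flows[key] = now          # outbound: create or refresh hard state
            return "accept"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            self.flows[reverse] = now      # inbound reply to a live outbound flow
            return "accept"
        if (pkt.proto, pkt.dst, pkt.dport) in self.inbound_allow:
            self.flows[key] = now          # inbound to a deliberately published server
            return "accept"
        return "drop"                      # unsolicited inbound: no state, no rule
```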
