On Tue, Sep 4, 2012 at 3:45 PM, William Herrin <b...@herrin.us> wrote:
> On Tue, Sep 4, 2012 at 2:22 PM, Jay Ashworth <j...@baylink.com> wrote: > > It is regularly alleged, on this mailing list, that NAT is bad *because > it > > violates the end-to-end principle of the Internet*, where each host is a > > full-fledged host, able to connect to any other host to perform > transactions. > > That's what firewalls *are for* Jay. They intentionally break > end-to-end for communications classified by the network owner as > undesirable. Whether a particular firewall employs NAT or not is > largely beside the point here. Either way, the firewall is *supposed* > to break some of the end to end communication paths. > Exactly - talking about a *(subtle?)* difference here. 1) Breaking the E2E model because your security policy (effectively) dictates it. For the record, this is fine as it is your decision for your network. 2) Being forced to break that model by deficiencies in the underlying protocol/address-family. This is, shall we say, sub-optimal. /TJ
