Hi Chris,
On Oct 25, 2010, at 11:02 AM, Chris Engel wrote:
> The flavor of NAT66 being proposed here wouldn't even cover it.... since we would want something stateful that supports both 1:1 and many:1 translations as well as Port Translations and has some built-in level of blocking Inbound traffic (i.e. exactly what we have in IPv4 NAT now).
Do you think that what you want could be provided by NAT66 coupled with a stateful firewall? Or is there something more that you would need?
It sounds like the many:1 translation might be missing... What is that used for?
> However, the flavor of NAT66 being proposed here will go a long way toward helping SOME organizations consider adoption of IPv6. Stating that deploying FW packet filtering rules which default to closed, isn't spreading FUD about IPv6... it's helping address some of the real security concerns that organizations and individuals have about IPv6 adoption. Note that those SAME rules generally existed by default as a best practice in IPv4 world... with deprecation of stateful many:1 NAT...many organizations are actually LOSING a layer of protection here.... some of which (including mine) consider that in itself a barrier to adoption of IPv6.
It is my impression that you can achieve that same level of protection from a stateful IPv6 firewall as you would from an IPv4 NAT. Does that match your experience?
Margaret
