On 28 Oct 2010, at 20:51, Chris Engel wrote:

> That's exactly the type of scenario most Enterprises DON'T want to see work.
> In cases of INBOUND connections, Enterprises generally WANT them to fail
> unless the Enterprise has taken explicit measures to make them work.

Can't FWs do that without needing address translation?

> Furthermore, more often than not, when the Enterprise does want them to work,
> it's going to FORCE said apps to go through some well known, centrally
> managed point (i.e. some sort of Proxy/ALG) where it can be
> monitored/audited/controlled and perhaps some policies regarding how it is
> being used can be enforced.

If some proxy is traversed, what is the use of NAT66?

> In other words, NAT generally isn't breaking anything that the Enterprise
> doesn't want broken anyway.... and *may* actually be helping to break certain
> things that would be somewhat more difficult to break without it.

Could you be more precise (asterisks added)?

> This is an area where Enterprises and Transit Providers seem to be entirely
> different animals with different priorities.

Agreed, but questions about enterprise configurations that really need NAT66 are still legitimate.

> Let's look at something like VOIP. From the individual consumer's point of
> view the idea that you can sit down at any internet connection anywhere in
> the world and have a free/low cost voice conversation with anyone at an
> internet connection anywhere else in the world is awesomely cool. However
> from the perspective of many Enterprises this is very problematic for
> business related calls. Enterprises may require specific things happen in
> relation to business calls (such as monitoring, auditing, recording) that are
> infinitely harder to achieve unless such calls are FORCED to go through a
> central service.
>
> So for example, when a customer calls up the company and says... "One of your
> Operators called me up at 2 AM and promised me X". The response from IT
> isn't....
>
> "OK we'll try to search through every single workstation in the company,
> including those which are out for repairs, and see if anyone was running
> Skype at 2 AM....and Oh god, I hope they were following policy and recording
> the call if they did....and Oh god, I hope someone didn't screw up and let a
> personal device plug into our network jacks."
>
> The response is....
>
> "We have a record of every call originating from our network. Searching the
> call log db we can see that a call was placed to this number at 5:02 PM from
> Operator #231 at workstation 211 in the Houston Branch. Here is the
> voice-recording of the content of that call. Shall I play it for you so that
> you can hear exactly what was said?"

That's clear.
But WHY would this require address translation?

Regards,
RD

_______________________________________________
nat66 mailing list
https://www.ietf.org/mailman/listinfo/nat66
