Margaret Wasserman:
There _also_ seem to be use cases where enterprise administrators use NAT specifically for the purpose of blocking (most or all?) incoming connections. I do not know if we have explored that use case well enough to know if it could be served by a stateful firewall and/or a combination of NAT66 and a stateful firewall.
_Also_? Some? Really? I don't mean to question Margaret's experience, but I have to wonder what this statement is based on. Most of us security professionals use NAT to block _all_ incoming connections _by_default_. This is known as fail-closed. Internal hosts that need static mappings to external IPs get them, as exceptions to the default rule. Question for Margaret: would you consider firewalls that fail open to be best practice? If not, then why do you consider that model to be appropriate when applied to NAT66?
I think it would make sense for the IETF to look into those use cases in more detail, as was already done for CPE equipment.
Why would the IETF analyze what is codified in nearly every firewall security policy and standard practice across the overwhelming majority of home and business uplinks?

Roger Marquis

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
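A stateful-firewall equivalent of the fail-closed default described in the post above, as an added example that is not from the thread: an nftables IPv6 forward chain that drops inbound connections by default, admits return traffic statefully, and carries one explicit static exception, with no NAT66 involved. The interface names and the 2001:db8 addresses are constructed for illustration.

```nft
# Added example, not from the thread: IPv6 site gateway that fails closed
# (default drop on the forward path) without translating addresses.
# Interface names and the 2001:db8 address are constructed for illustration.
table ip6 edge {
    chain forward {
        # Default policy is drop, so anything not explicitly allowed fails closed
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections initiated from inside (the stateful part)
        ct state established,related accept
        ct state invalid drop

        # Hosts on the inside may initiate outbound connections
        iifname "lan0" oifname "wan0" accept

        # The one explicit exception, analogous to a static NAT mapping:
        # the internal web server may receive new TCP/443 connections
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::80 tcp dport 443 ct state new accept

        # ICMPv6 messages IPv6 needs for path MTU discovery and error reporting
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    }
}
```

Load with `nft -f <file>` and inspect with `nft list table ip6 edge`; every inbound flow not matched by an explicit rule is dropped by the chain policy rather than by the absence of a translation entry.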
