On Oct 29, 2010, at 6:31 PM, S.P.Zeidler wrote:

>>> In a world where even subnets are plenty, if I have a few hosts that I want
>>> to run an app like that I can assign them their very own public /64 in their
>>> own DMZlet.
>>
>> As long as you're trying to make a destination IP address be an
>> authentication token for your hosts, your security is always going to be
>> very weak and fragile.
>
> I'm not sure where you get "authentication token" where I simply say "I can
> afford to exempt a few hosts from NATting but not all of them".

it's the idea that you need to NAT all or most of your hosts for security reasons that is fatally flawed.

> I'm really curious what types of novel apps you envision that are so
> compelling even enterprises that have to be paranoid by law will want
> to have on each and every one of their devices, while being unable to run
> across application proxies. You wrote I was too daft, well go ahead and
> educate me then.

being concerned about security (whether or not by law) and running NATs have nothing to do with each other. at least not if you know what you're doing.

Keith
