Grmf. Wi-Fi down on the shuttle today, so I need to compose this followup on my phone.
There is an additional point worth mentioning in the NPTv6 draft. If the firewall is instead positioned between the translators and the protected hosts, then a proxy is still required to support the external address discovery part of the PCP protocol. Making NPTv6 and PCP play together requires mentioning the problems NPTv6 deployments pose for PCP implementors, or explicitly coming out and saying that PCP isn't expected to be compatible with NPTv6 and describing the reasons for it.

--jhw (sent from my phone)

On Mar 16, 2011, at 8:18, james woodyatt <[email protected]> wrote:

> Finally, *somebody* understands me. <sniff/>
>
> --jhw (sent from my phone)
>
> On Mar 16, 2011, at 0:41, "S.P.Zeidler" <[email protected]> wrote:
>
>> Hi,
>>
>> Thus wrote Fred Baker ([email protected]):
>>> On Mar 15, 2011, at 6:42 PM, james woodyatt wrote:
>>>
>>>> I am talking about the implications for firewalls and PCP-capable hosts
>>>> deployed behind site multi-homing NPTv6 systems as described in section
>>>> 2.4 of your draft.
>>>
>>> They will be exactly the same as any other firewall. Since the feature
>>> doesn't change the ports, PCP will turn them on or off, exactly as it does
>>> with any other firewall.
>>
>> If I understand correctly, the intended use for the pinhole control
>> protocol is that you can tell an upstream firewall "hey, I'm
>> 2001:db8:a:b:c:d:e:f and I want to accept incoming connections on port 12345"
>> whereupon the firewall goes from "deny all inbound" to "deny all inbound
>> except to 2001:db8:a:b:c:d:e:f port 12345".
>>
>> Since it'll be for incoming connections, you'll want all possible paths
>> opened, and of course for the addresses apparent on the "outside"
>> interface of the firewall.
>>
>> I think the "you may need a proxy if your translator is between you and
>> the firewall" is better situated in the PCP draft, since it will not only
>> apply to one kind of translation.
>>
>> There is no other need to mention it in the NPTv6 document: Since the
>> address translation itself is utterly deterministic in the NPTv6 case,
>> you do not need to build hooks into the NPTv6 translator, the PCP proxy
>> can calculate them itself given inside and outside prefixes.
>>
>> regards,
>> spz
>> --
>> [email protected] (S.P.Zeidler)
> _______________________________________________
> nat66 mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/nat66
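The deterministic mapping spz describes, as an added example that is not code from this thread or from any IETF draft: a PCP proxy on the inside of an NPTv6 translator derives the address the outside firewall will see purely from the inside and outside prefixes, using the checksum-neutral /48 mapping of the NPTv6 draft (later published as RFC 6296). The prefixes, the host address and the function names are constructed for this example, and it handles /48 prefixes only.

```python
import ipaddress
import struct

def ones_complement_sum(words):
    """One's complement sum of 16-bit words (carry folded back in)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total

def address_words(addr):
    """The eight 16-bit words of an IPv6 address."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))

def nptv6_map(addr, from_prefix, to_prefix):
    """Rewrite addr from one /48 to the other, checksum-neutrally (RFC 6296 style).
    Words 0-2 become to_prefix; the one's complement difference between the
    prefixes goes into word 3 (bits 48-63), keeping the address's one's
    complement sum, and so any transport checksum, unchanged.  Pure arithmetic,
    so the same call maps in either direction."""
    from_prefix, to_prefix = ipaddress.IPv6Network(from_prefix), ipaddress.IPv6Network(to_prefix)
    if from_prefix.prefixlen != 48 or to_prefix.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if ipaddress.IPv6Address(addr) not in from_prefix:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    words = address_words(addr)
    src = address_words(from_prefix.network_address)[:3]
    dst = address_words(to_prefix.network_address)[:3]
    # sum(src) - sum(dst): subtracting is adding the one's complement.
    adjustment = ones_complement_sum(src + [~w & 0xFFFF for w in dst])
    words[:3] = dst
    words[3] = ones_complement_sum([words[3], adjustment])
    if words[3] == 0xFFFF:  # one's complement has two zeros; this example writes 0x0000,
        words[3] = 0        # so a word-3 value of 0xFFFF cannot round-trip unambiguously
    return ipaddress.IPv6Address(struct.pack("!8H", *words))

def checksum_neutral(a, b):
    """True if both addresses have the same one's complement sum."""
    sa, sb = (ones_complement_sum(address_words(x)) for x in (a, b))
    return sa % 0xFFFF == sb % 0xFFFF

def proxy_pinhole_request(host_addr, port, inside_prefix, outside_prefix):
    """The (address, port) a PCP proxy behind the translator would ask the outside
    firewall to open for an inside host's request, per spz's deterministic argument."""
    return str(nptv6_map(host_addr, inside_prefix, outside_prefix)), port

# Constructed example prefixes (ULA inside, documentation prefix outside).
INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"
```

Mapping the inside host fd01:203:405:1::1234 gives 2001:db8:1:d550::1234 on the outside, and mapping that back with the prefixes swapped recovers the inside address, which is why the proxy needs no hooks into the translator.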
