On Mon, Jun 04, 2007, Iljitsch van Beijnum wrote:

> On 4-jun-2007, at 17:37, Donald Stahl wrote:
>
>> I want NAT to die but I think it won't.
>
>> Far too many "security" folks are dictating actual implementation
>> details and that's fundamentally wrong.
>
>> A security policy should read "no external access to the network"
>> and it should be up to the network/firewall folks to determine how
>> best to make that happen. Unfortunately many security policies go
>> so far as to explicitly require NAT.
>
> Don't forget that the reason NAT works to the degree that it does
> today is because of all the workarounds in applications or
> protocol-specific workarounds in the NATs (ALGs). In IPv6, you don't
> have any of this stuff, so IPv6 NAT gets you nowhere fast with any
> protocol that does more than something HTTP-like. (Yes, I've tried it.)
Won't stateful firewalls have similar issues? I.e., if you craft a stateful firewall to allow an office to have real IPv6 addresses but not to allow arbitrary connections in/out (i.e., the "stateful" bit), won't said stateful firewall require protocol tracking modules with similar (but not -as-) complexity to the existing NAT modules?

Adrian
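As an added illustration of Adrian's question (example code written for this page, not from the thread or any firewall project): a toy IPv6 stateful filter that admits only inside-initiated flows, plus an optional protocol tracking helper. Active-mode FTP, the documentation-prefix addresses and the port numbers are my own assumptions; the point is that without the helper the server's data connection is dropped even though no address translation is involved, and the helper has to parse the control channel exactly as a NAT ALG would.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str; sport: int; dst: str; dport: int
    syn: bool = False
    payload: bytes = b""

class StatefulFilter:
    """Permits flows the inside initiates; drops unsolicited inbound SYNs."""
    def __init__(self, inside_prefix, helpers=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.flows = set()      # established (src, sport, dst, dport) tuples
        self.expected = set()   # (dst, dport) pinholes opened by helpers
        self.helpers = list(helpers)

    def filter(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.flows or key[2:] + key[:2] in self.flows:
            pass                                   # part of a known flow
        elif p.syn and ipaddress.ip_address(p.src) in self.inside:
            self.flows.add(key)                    # inside-initiated: allow
        elif p.syn and (p.dst, p.dport) in self.expected:
            self.expected.discard((p.dst, p.dport))
            self.flows.add(key)                    # a helper pre-approved it
        else:
            return "DROP"
        for helper in self.helpers:                # protocol tracking hook
            helper(self, p)
        return "ACCEPT"

EPRT = re.compile(rb"EPRT \|2\|([0-9a-f:]+)\|(\d+)\|", re.I)

def ftp_helper(fw, p):
    """Parse an active-mode EPRT (RFC 2428) on the control channel and pinhole the data connection the server will open."""
    if p.dport == 21 and ipaddress.ip_address(p.src) in fw.inside:
        m = EPRT.search(p.payload)
        if m:
            fw.expected.add((m.group(1).decode(), int(m.group(2))))

def simulate(with_helper):
    """Replay a constructed active-mode FTP exchange; return the verdicts."""
    client, server = "2001:db8:1::10", "2001:db8:2::21"  # constructed addresses
    fw = StatefulFilter("2001:db8:1::/64", [ftp_helper] if with_helper else [])
    packets = [Packet(client, 40001, server, 21, syn=True),
               Packet(client, 40001, server, 21, payload=b"EPRT |2|2001:db8:1::10|55000|\r\n"),
               Packet(server, 20, client, 55000, syn=True)]  # server -> client data channel
    return [fw.filter(p) for p in packets]
```

`simulate(False)` returns `["ACCEPT", "ACCEPT", "DROP"]` and `simulate(True)` returns `["ACCEPT", "ACCEPT", "ACCEPT"]`; every protocol that carries endpoint information in-band needs its own such helper, which is the complexity Adrian is asking about.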