On Feb 9, 2009, at 3:33 PM, Mark Newton wrote:
On 10/02/2009, at 9:54 AM, Stephen Sprunk wrote:
Yes, an ALG needs to understand the packet format to open pinholes
-- but with NAT, it also needs to mangle the packets. A non-NAT
firewall just examines the packets and then passes them on unmangled.
Sure, but at the end of the day a non-NAT firewall is just a special
case
of NAT firewall where the "inside" and "outside" addresses happen to
be the same.
Uh, that's a pretty twisted view. I would say that NAT is a special
additional capability of the firewall which mangles the address(es)
in the packet. I would not regard passing the address unmangled
as a "special case" of mangling.
In terms of implementing the code, sure, the result is about the same,
but, the key point here is that there really isn't a benefit to having
that
packet mangling code in IPv6.
Owen
