RE: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt


 



What I am really objecting to here is the normative aspect of the discussion. NAT may be good or it may be the work of Satan. Either way we have to deal with the issue more constructively than simply telling people 'please do not'.

I don't like NAT workarounds either. In fact I would like to suggest that we return to an old principle of layered network architecture in which no layer knows or cares as to what is going on in any other layer it does not interface to directly.


So instead of saying NAT is good or bad let's instead frame the debate in terms of 'A NAT box operates at layer 3 and should not therefore make assumptions about application interactions at layer 7'.

It is equally a layer violation for FTP to communicate IP addresses and port numbers in the protocol. An application should not know if the transport is IPv4, IPv6 or SNA. Get rid of FTP type layer violations and the need for NAT workarounds is also eliminated.

And at the same time let us ask 'how can we share an IPv4 connection on an IPv4 network without causing layer violations?' or 'how can Alice log into her corporate VPN from a hotel?'




> -----Original Message-----
> From: Melinda Shore [mailto:mshore@xxxxxxxxx] 
> Sent: Monday, July 02, 2007 12:51 PM
> To: Hallam-Baker, Phillip; itojun@xxxxxxxxxx
> Cc: ietf@xxxxxxxx
> Subject: Re: Domain Centric Administration, RE: 
> draft-ietf-v6ops-natpt-to-historic-00.txt 
> 
> On 7/2/07 12:40 PM, "Hallam-Baker, Phillip" 
> <pbaker@xxxxxxxxxxxx> wrote:
> > The $50 includes the cost of administration. I get the NAT
> > effect for free when I plug the box in. Turning it off on the
> > other hand requires rather a lot of thinking for the average user.
> 
> There's no reason that a default firewall configuration need 
> be any more complicated than a NAT.  Somewhat less, actually. 
>  But anyway, I think you're muddying the discussion somewhat 
> by framing it in terms of NAT.  You're talking about network 
> policy and NAT is not a policy function.
> NAT workarounds tend to introduce security problems while a 
> decent, usable policy infrastructure would not, or would at 
> least localize them.  I think we probably both see the same 
> outcome as desirable but I do think that it's a big mistake 
> to frame the problem as "NAT is good" rather than "default 
> deny is good."
> 
> Melinda
> 
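The FTP layer violation raised above, as an added example that is not part of either message: an RFC 959 PORT command carries the client's IPv4 address and port inside the layer-7 command stream, so a NAT that only rewrites layer-3 headers leaves the server trying to connect to a private address. The `rewrite_port` function below shows the "workaround" an FTP ALG has to perform (and the TCP length fix-up it then owes the rest of the connection); the addresses and sample command are constructed for illustration.

```python
import re

# Constructed sample: a client behind a NAT announces its private address
# and port 1025 in active-mode FTP (RFC 959 format h1,h2,h3,h4,p1,p2).
SAMPLE_PORT_CMD = "PORT 192,168,1,10,4,1\r\n"

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


def parse_port(cmd: str):
    """Return the (ip, port) pair embedded in an FTP PORT command, or None.

    The address and port are layer-3/4 values travelling as layer-7 text,
    which is exactly the layer violation the thread complains about.
    """
    m = PORT_RE.match(cmd)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed: each field is one byte
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rewrite_port(cmd: str, inside_ip: str, outside_ip: str, outside_port: int) -> str:
    """What an FTP ALG on a NAT must do: replace the private address/port the
    client wrote into the command with the NAT's public mapping, so the
    server's data connection reaches the NAT instead of a private address.
    Commands for other hosts, or unparseable ones, are passed through unchanged.
    """
    parsed = parse_port(cmd)
    if parsed is None or parsed[0] != inside_ip:
        return cmd
    fields = outside_ip.split(".") + [str(outside_port // 256), str(outside_port % 256)]
    return "PORT " + ",".join(fields) + "\r\n"


def tcp_length_delta(original: str, rewritten: str) -> int:
    """The rewritten command usually differs in length, so the NAT must also
    adjust TCP sequence/acknowledgement numbers for the rest of the control
    connection; this returns the byte offset it has to track."""
    return len(rewritten.encode()) - len(original.encode())


if __name__ == "__main__":
    new_cmd = rewrite_port(SAMPLE_PORT_CMD, "192.168.1.10", "203.0.113.5", 40000)
    print(parse_port(SAMPLE_PORT_CMD), "->", parse_port(new_cmd))
    print("seq/ack fix-up needed:", tcp_length_delta(SAMPLE_PORT_CMD, new_cmd), "bytes")
```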

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

