Re: [RFC PATCH 00/18] netfilter: IPv6 NAT

Please don't let this deviate to a flame war.
I just said there are use cases, nothing more, nothing less.

This is software. There are lots of ways to achieve the same goal.
Every solution has its pros and cons; it's not always black and white.


On 28.11.2011 23:03, Amos Jeffries wrote:
> I'm going to dare to call FUD on those statements...
>   * Load Balancing - what is preventing your routing rules or packet
>  marking using the same criteria as the NAT changer? nothing. Load
>  balancing works perfectly fine without NAT.

Nothing, you achieve the same in a different way.
However keep in mind that not all computers out there run Linux.

It's quite simple to set up NAT rules; they work with every OS.

On the other hand, balancing by changing MAC address or
IPv6inIPv6 Tunnels can be a headache, getting this going with
Windows, Mac, Solaris and so on.

Issues with DAD and source address selection don't make it easier.
Have a look at net/netfilter/ipvs/ip_vs_xmit.c. There is a reason why
NAT for IPv6 has already been in the kernel for three years.

>   * outgoing packet control - packets will happily leave the "wrong"
>  interface after NAT unless you add routing and firewall controls
>  separate to NAT. Packet control works *better* without NAT erasing
>  original IP information resulting in mistakenly NAT'ed packets go out
>  the wrong interface.


I fully agree. NAT cannot replace your firewall rules.

However with NAT you could get some kind of anonymity.
Think of Tor: If your server/client operates with private IP addresses,
your public IP address is still masked after a security breach.

>  I have long been of the opinion that all NAT really offers is the
>  ability to easily and cleanly multi-home several global public prefixes
>  from a unified PI space. This is a very important aspect for some
>  networks, even with plentiful IPv6 addresses.

Also in my opinion the most important reason for NAT.

Cheers
 Ulrich

--
Ulrich Weber | ulrich.weber@xxxxxxxxxx | Senior Software Engineer
Astaro - a Sophos company | Amalienbadstr 41 | 76227 Karlsruhe | Germany
Phone +49-721-25516-0 | Fax –200 | www.astaro.com
