[arin-ppml] IPv6 Non-connected networks
Roger Marquis
marquis at roble.com
Fri Mar 26 14:35:05 EDT 2010
> STUN, SNAT, UPNP, and a myriad of other often poorly implemented
> incompatible and unreliable NAT traversal mechanisms, Application
> layer Gateways, etc.
Sounds like you're asserting that any application wishing to embed the
remote IP in the data portion of an IP packet (SIP/STUN/...) or requiring
a "hole" in the firewall (UPNP) are valid reasons to get rid of NAT? I
don't think you'll find much support for those assertions in
security-related groups (like firewall-wizards).
> However, at the far end when I'm trying to figure out why something didn't
> work, any of the following behaviors related to NAT make things more
> difficult to debug:
This is an issue with logging, not with NAT or even stateful inspection.
> There are many many others, but, I think these three that come
> to me off the top of my head from my own experience are
> enough to make the point.
I don't know who might be persuaded to dump NAT from these examples but
from a security perspective they're simply not convincing. That's just
my opinion of course, but I encourage you to post them to a computer or
network security mailing list and see if they hold water.
Roger Marquis