[e2e] NAT traversal for src+dst routing
Melinda Shore
mshore at cisco.com
Thu Nov 4 08:58:34 PST 2004
On Thursday, November 4, 2004, at 11:37 AM, Joe Touch wrote:
> I.e., cute traversal hacks work fine when the NAT _wants_ to be found,
> but they fail exactly where - and why - most NATs are actually
> deployed, IMO.
Unfortunately that's probably become reasonable for several related
reasons, and that's that NATs are now very widely being used as
outside->inside access control devices for networks. The default policy
is stupid ("any flows initiated from inside are good, any flows
initiated from outside are bad") and the natural evolution is towards a
mechanism for providing finer-grained policy enforcement at the edges.
Yes, that's a firewall, but that's what NATs have become.
Melinda