[e2e] NAT traversal for src+dst routing

Melinda Shore mshore at cisco.com
Thu Nov 4 08:58:34 PST 2004


On Thursday, November 4, 2004, at 11:37 AM, Joe Touch wrote:
> I.e., cute traversal hacks work fine when the NAT _wants_ to be found,
> but they fail exactly where - and why - most NATs are actually deployed,
> IMO.

Unfortunately that's probably become reasonable for several related
reasons, and that's that NATs are now very widely being used as
outside->inside access control devices for networks.  The default policy
is stupid ("any flows initiated from inside are good, any flows initiated
from outside are bad") and the natural evolution is towards a mechanism
for providing finer-grained policy enforcement at the edges.  Yes, that's
a firewall, but that's what NATs have become.

Melinda


