Re: The Devil's in the Deployment RE: NATs as firewalls



> > 	We have IPv6 Locally Assigned Local Addresses.
> 
> Doesn't this presume that if people used these locally assigned
> addresses they would then NAT to a public address space?

	No.  Locally Assigned Local Addresses are for talking to
	other machines within the locally assigned realm/scope.
 
> I think the main thing folks might miss is that a lot of people really
> want all of this on a single address--while having multiple addresses
> concurrent on a single machine is acceptable for larger machines,
> specifically servers, having multiples on a single host as a general
> rule hasn't met with much in the way of acceptability for the vast
> majority of hosts.

	Most people really don't care what address a machine has.
	They basically only ever use it as a client machine. You
	don't need fixed addresses for these machines.  You just
	need an address that can reach the servers you want to
	talk to.

	You then have the few servers.  For these you decide what
	clients they serve and give them addresses to match.  These
	addresses along with relevant ports for the services they
	are offering make it into firewalls, etc.

	Servers are also clients so they also use the same techniques
	as pure clients when choosing the address they use to initiate
	connections.

> At least that's what I'm hearing.
> 
> :-)
> 
> Russ
> 
> 
> - --
> riw at cisco.com CCIE <>< Grace Alone
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.