On Feb 9, 2009, at 3:33 PM, Mark Newton wrote:

> On 10/02/2009, at 9:54 AM, Stephen Sprunk wrote:
>
>> Yes, an ALG needs to understand the packet format to open pinholes -- but with NAT, it also needs to mangle the packets. A non-NAT firewall just examines the packets and then passes them on unmangled.
>
> Sure, but at the end of the day a non-NAT firewall is just a special case of NAT firewall where the "inside" and "outside" addresses happen to be the same.

Uh, that's a pretty twisted view. I would say that NAT is a special additional capability of the firewall which mangles the address(es) in the packet. I would not regard passing the address unmangled as a "special case" of mangling. In terms of implementing the code, sure, the result is about the same, but the key point here is that there really isn't a benefit to having that packet mangling code in IPv6.

Owen
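The inspect-versus-mangle distinction in the thread, shown as an added toy example (not code from anyone in the thread) using an FTP PORT command as the ALG case: the non-NAT path reads the payload and opens a pinhole, the NAT path must also allocate a mapping and rewrite the payload. All addresses and ports are constructed sample values.

```python
# Toy FTP PORT ALG: the same inspection logic, with and without NAT rewriting.
# Addresses, ports and the control-channel payload are constructed for this example.
import re

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_port(payload: str):
    """Return the (ip, port) a client announces in an FTP PORT command, or None."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    o = [int(x) for x in m.groups()]
    return ".".join(map(str, o[:4])), o[4] * 256 + o[5]


def format_port(ip: str, port: int) -> str:
    """Encode an endpoint back into FTP's comma-separated PORT syntax."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def filter_alg(payload: str, pinholes: set) -> str:
    """Non-NAT firewall: inspect, open a pinhole for the data connection,
    and forward the payload exactly as received."""
    endpoint = parse_port(payload)
    if endpoint:
        pinholes.add(endpoint)  # allow the server's inbound connection to the client
    return payload  # packet leaves unmangled


def nat_alg(payload: str, pinholes: set, nat_table: dict,
            public_ip: str, public_port: int) -> str:
    """NAT firewall: same inspection, plus a translation entry and a rewritten command."""
    endpoint = parse_port(payload)
    if not endpoint:
        return payload
    nat_table[(public_ip, public_port)] = endpoint  # public -> private mapping
    pinholes.add((public_ip, public_port))
    # The rewritten command may differ in length from the original, so a real
    # NAT ALG must also fix up TCP sequence/ack numbers on the control connection.
    return PORT_RE.sub(format_port(public_ip, public_port), payload)


if __name__ == "__main__":
    cmd = "PORT 10,0,0,5,4,1\r\n"  # constructed: client 10.0.0.5 listening on 1025
    print(repr(filter_alg(cmd, set())))
    print(repr(nat_alg(cmd, set(), {}, "203.0.113.7", 40000)))
```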