Re: shim6 @ NANOG

From: Christopher L. Morrow (no email)
Date: Sun Mar 05 2006 - 11:40:55 EST

    On Sun, 5 Mar 2006, Iljitsch van Beijnum wrote:
    >
    > Of course having a TCP session or the like change addresses halfway
    > through the session may throw stateful firewalls a bit.
    >

    I just love that shim6 basically == natv6... It WILL be implemented as
    such if available to folks in that manner. I do think there will be a
    market for a 'firewall' that is really a shim6 box that 'nat's the
    internal network behind a single prefix, this is going to be 'fun' (but
    not in the good way).

    Oh, not just stateful firewalls... How are you planning on dealing with
    LEO requests for CALEA when the addr changes mid-stream to some newly
    arbitrary prefix? What about log correlation on web/content servers? What
    about loadbalancers that balance on 'flows'? This is quite the
    rabbit-hole Dorothy jumped down :(

