IPv6 and Firewall traversal

Richard Pieri Richard.Pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Mar 30 15:14:03 EDT 2011


On Mar 30, 2011, at 11:06 AM, Bill Bogstad wrote:
> 
> Source IP spoofing is only possible when people don't put in
> appropriate filters to disallow packets coming from the outside
> with the wrong IP address.  In a

This is a packet filtering firewall and has exactly zero to do with NAT.


> I'm not sure that I would define SPI as including automatic (or
> automatable) hole punching,

Pardon?  SPI is not about making holes.  It is about permitting inbound packets in response specifically and exclusively to outbound packets over TCP (stateful) connections.  Many NAT "routers" incorporate SPI firewalls and it is these firewalls that provide network security.  The only security that NAT alone provides is a false sense of it.

--Rich P.
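
The two mechanisms discussed in this message, a source-address packet filter and stateful inspection, modelled with no address translation at all. This is an added example, not part of the original post; the class, the function names and the 2001:db8 addresses are constructed for illustration, and the model assumes TCP only, with no timeouts or sequence checks.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample addressing (IPv6 documentation prefix); not from the thread.
INSIDE = ipaddress.ip_network("2001:db8:1::/48")

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "R" = RST

class StatefulFilter:
    """Hypothetical model: forwards addresses unchanged (no NAT), tracks TCP flows."""

    def __init__(self, inside):
        self.inside = inside
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, p):
        # An outbound SYN from an inside host is what creates state.
        if ipaddress.ip_address(p.src) not in self.inside:
            return "drop: source is not an inside address"
        if p.flags == "S":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return "accept"

    def inbound(self, p):
        # Packet filter rule: outside packets must not claim an inside source.
        if ipaddress.ip_address(p.src) in self.inside:
            return "drop: spoofed inside source"
        # Stateful rule: accept only replies to a recorded outbound flow.
        if (p.dst, p.dport, p.src, p.sport) not in self.flows:
            return "drop: no matching outbound flow"
        if "R" in p.flags:
            self.flows.discard((p.dst, p.dport, p.src, p.sport))
        return "accept"

def demo():
    fw = StatefulFilter(INSIDE)
    host, server, other = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:aaaa::66"
    return [
        fw.inbound(Packet(other, 4444, host, 22, "S")),       # unsolicited connect
        fw.outbound(Packet(host, 50000, server, 443, "S")),   # inside host opens a flow
        fw.inbound(Packet(server, 443, host, 50000, "SA")),   # reply on that flow
        fw.inbound(Packet(other, 443, host, 50000, "SA")),    # same ports, wrong peer
        fw.inbound(Packet("2001:db8:1::99", 443, host, 50000, "A")),  # forged source
    ]
```

The inside host keeps its globally routable address throughout; every drop comes from the filter rules, none from translation.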





