To: Keith Moore <moore@cs.utk.edu>
cc: "Hallam-Baker, Phillip" <pbaker@verisign.com>, "'Randy Bush'" <randy@psg.com>, alh-ietf@tndh.net, ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Thu, 09 Aug 2001 14:10:32 +0200
In-reply-to: Your message of Wed, 08 Aug 2001 21:05:30 EDT. <200108090105.VAA18362@astro.cs.utk.edu>
Sender: owner-dnsop@cafax.se
Subject: Re: (ngtrans) Joint DNSEXT & NGTRANS summary

 In your previous mail you wrote:

   But you make a good point about security. If people get the idea
   (correctly or not) that they're sacrificing security by supporting v6,
   they won't bother deploying it. We need to have v6 border routers that
   deliver the same degree of security as NATs do, without actually
   translating addresses.

=> this is easy for TCP (or any connected transport, cf the tcp established of Cisco routers) but I can't see a way to do this for UDP without keeping state... Of course this argument doesn't apply if a real firewall is used (stateless firewalls are out of the market or should be ASAP).

Regards

Francis.Dupont@enst-bretagne.fr
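
The contrast drawn in this message, as an added Python sketch that is not part of the original mail or any router's code: inbound TCP is decided from the flag bits alone, the way an "established" filter rule does it, while inbound UDP can only be decided from a table of recent outbound flows. The class and function names, the addresses, the ports and the 30-second idle timeout are all constructed for illustration.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits
UDP_IDLE_TIMEOUT = 30.0            # seconds; constructed value

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool    # True when arriving from outside the site
    flags: int = 0   # TCP flags; unused for UDP

class BorderFilter:
    def __init__(self):
        # The only state kept: (inside addr, port, outside addr, port) -> last send time
        self.udp_flows = {}

    def allow(self, pkt, now):
        if not pkt.inbound:
            if pkt.proto == "udp":
                self.udp_flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return True
        if pkt.proto == "tcp":
            # Stateless: a bare SYN from outside is dropped, segments with ACK
            # or RST pass. Nothing confirms that a connection really exists.
            return bool(pkt.flags & (ACK | RST))
        # UDP has no header bit marking a reply, so an inbound datagram passes
        # only if an inside host recently sent to that exact peer and port.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        sent = self.udp_flows.get(key)
        if sent is None or now - sent > UDP_IDLE_TIMEOUT:
            self.udp_flows.pop(key, None)
            return False
        return True

def demo():
    inside, outside = "2001:db8:1::10", "2001:db8:ffff::53"  # constructed addresses
    f = BorderFilter()
    reply = Packet("udp", outside, 53, inside, 5353, True)
    return [
        f.allow(Packet("tcp", outside, 40000, inside, 22, True, SYN), 0.0),  # unsolicited SYN
        f.allow(Packet("tcp", outside, 80, inside, 40001, True, ACK), 0.0),  # looks established
        f.allow(reply, 0.0),                                                 # no query sent yet
        f.allow(Packet("udp", inside, 5353, outside, 53, False), 1.0),       # outbound query
        f.allow(reply, 2.0),                                                 # matches the query
        f.allow(reply, 40.0),                                                # entry expired
    ]
```

Only outbound datagrams refresh a UDP entry in this sketch, so an outside host cannot keep a flow open by continuing to send.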