From: Krzysztof Olędzki
Subject: Re: [RFC PATCH 00/18] netfilter: IPv6 NAT
Date: Wed, 30 Nov 2011 01:30:54 +0100
Message-ID: <4ED5793E.1090003@ans.pl>
References: <4ED4A399.6090709@sophos.com> <4ED550E7.1090609@ans.pl> <1322611509.2684.52.camel@bwh-desktop>
In-Reply-To: <1322611509.2684.52.camel@bwh-desktop>
To: Ben Hutchings
Cc: Jan Engelhardt, Ulrich Weber, Amos Jeffries, sclark46@earthlink.net, kaber@trash.net, netfilter-devel@vger.kernel.org, netdev@vger.kernel.org

On 2011-11-30 01:05, Ben Hutchings wrote:
> On Tue, 2011-11-29 at 22:38 +0100, Krzysztof Olędzki wrote:
>> On 2011-11-29 13:23, Jan Engelhardt wrote:
>>>
>>> On Tuesday 2011-11-29 10:19, Ulrich Weber wrote:
>>>> On 28.11.2011 23:03, Amos Jeffries wrote:
>>>>> I'm going to dare to call FUD on those statements...
>>>>> * Load Balancing - what is preventing your routing rules or packet
>>>>> marking using the same criteria as the NAT changer? nothing. Load
>>>>> balancing works perfectly fine without NAT.
>>>
>>> Source address selection, having to occur on the source, would
>>> require that the source has to know all the parameters that a {what
>>> would have been your NAT GW} would need to know, which means you have
>>> to (a) collect and/or (b) distribute this information. Given two
>>> uplinks that only allow a certain source network address (different
>>> for each uplink), combined with the desire to balance on utilization,
>>> (a) a client is not in the position to easily obtain this data unless
>>> it is the router for all participants itself, (b) the clients need
>>> to cooperate, and one cannot always trust client devices, or hope for
>>> their technical cooperation (firewalled themselves off).
>>>
>>> Yes, NAT is evil, but if you actually think about it, policies are
>>> best applied where [the policy] originates from. After all, we also
>>> don't do LSRR, instead, routers do the routing, because they just
>>> know much better.
>>>
>>>> I fully agree. NAT cannot replace your firewall rules.
>>>>
>>>> However with NAT you could get some kind of anonymity.
>>>
>>> Same network prefix, some cookies, or a login form. Blam, identified,
>>> or at least (Almost-)Uniquely Identified Visitor tagging.
>>
>> But without NAT you have a pretty big chance to have the same IPv6
>> *suffix* everywhere, based on your MAC address. In your Home, your Work,
>> in a Cafe or in a hotel during your vacations in Portugal. So yes, NAT
>> is not a perfect solution but it really helps your privacy.
>
> If you enable NAT on your own network, how does this help when you use
> all those other networks that may not use NAT or may have a predictable
> mapping from MAC address to public IPv6 address?

Oh, I understand your point. But I'm looking at it from the other side
as I'm here to protect my users. ;)

Best regards,

Krzysztof Olędzki
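The "same IPv6 suffix everywhere" concern raised in the thread comes from SLAAC building the 64-bit interface identifier from the MAC address (modified EUI-64, RFC 4291 Appendix A). The script below is an added example, not code from the thread or from netfilter: it derives that identifier from a constructed MAC, shows that two different network prefixes yield the same suffix, and checks an address for the EUI-64 marker so an administrator can audit which hosts still expose their MAC (the defence being RFC 4941 privacy extensions or stable random identifiers, not NAT). All MACs and prefixes are constructed sample values; the function names are this example's own.

```python
import ipaddress
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC.

    RFC 4291 Appendix A: insert ff:fe between the OUI and the device part,
    then flip the universal/local bit (0x02) of the first octet.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Address a SLAAC host without privacy extensions would form on a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    packed = net.network_address.packed[:8] + mac_to_eui64_iid(mac)
    return str(ipaddress.IPv6Address(packed))


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64-style address, else None.

    A random (RFC 4941) identifier can contain ff:fe in this position by
    chance (about 1 in 65536), so treat a hit as a strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def same_interface_id(addr_a: str, addr_b: str) -> bool:
    """True when two addresses share the low 64 bits (the trackable suffix)."""
    return (ipaddress.IPv6Address(addr_a).packed[8:]
            == ipaddress.IPv6Address(addr_b).packed[8:])


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"                    # constructed sample MAC
    home = slaac_address("2001:db8:aaaa::/64", mac)   # constructed prefixes
    cafe = slaac_address("2001:db8:bbbb::/64", mac)
    print(home, cafe, same_interface_id(home, cafe))   # same suffix on both
    print(embedded_mac(home))                          # MAC recovered
    print(embedded_mac("2001:db8:aaaa::1234:5678:9abc:def0"))  # None: no EUI-64 marker
```

Run against a neighbour table or DHCP/RA logs, `embedded_mac` flags the hosts whose suffix follows them from network to network; the fix on those hosts is enabling temporary or stable-privacy identifiers, which changes the suffix per network rather than hiding it behind a translator.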