In several large orgs I've worked with, IPv6 deployment plans included the elimination of NAT as a gain. NAT is not security. Security tools work better without NAT just from a clarity and configuration simplicity perspective. So does concise, solid network configuration that's easier to review. Then again, I've worked in large orgs that aren't using NAT for v4 at all, just direct globally routable IPv4. NAT was a *huge* discussion and pain point when they went to sell off that space. It caused a lot of engineering effort and hardware capacity upgrades to implement with minimal disruption. Was a sad day when my IP address on that laptop started with 10.x instead of one of the allocated Y.Y.x ranges... So having lived in NAT-less IPv4 land even as recently as this decade has also spoiled me to the pure simplicity of things and shown me a lot of what pain 1:many PAT causes. -----Original Message----- From: William Herrin via NANOG <nanog@lists.nanog.org> Sent: Friday, June 19, 2026 3:05 PM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: William Herrin <bill@herrin.us> Subject: Re: IPv4 flag day On Fri, Jun 19, 2026 at 10:47 AM sronan--- via NANOG <nanog@lists.nanog.org> wrote:
The SMB use case is absolutely PAT. They aren’t going to 1:1 NAT all of their internal hosts to both providers provided IPv6 space.
SMB generally buys a box and whatever that box does by default, that's their network configuration. They pick that box mainly by reputation. They don't have a network security guy. They don't have a network guy. They have a couple IT guys whose main areas of expertise are troubleshooting PC hardware and Windows Domain Controllers. Enterprise, on the other hand, is definitely going NAT. Renumbering is painful even with IPv6. And they're very leery of 1:1 NAT -- they've made security configuration mistakes before and trust 1:many NAT to offer a layer of protection while those mistakes are detected and fixed. They take arguments against NAT to mean that IPv6 is not yet ripe for deployment with the sort of robust security frameworks they enjoy in IPv4. Regards, Bill Herrin -- For hire. https://bill.herrin.us/resume/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/NXMXULZ3...