On Jul 16, 2012, at 6:55 PM, Lee wrote:
On 7/16/12, Owen DeLong <owen@delong.com> wrote:
Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6.
NAT is good for getting the return traffic to the right firewall. How else do you deal with multiple firewalls & asymmetric routing?
1. Share state across the firewalls or go with stateless firewalls.
2. Move the firewalls close enough to the end hosts to avoid this problem. Keep the asymmetric routing outside the perimeter.
3. Very creative source address selection mechanisms.
4. LISP (if you must).
Yes, it's possible to get traffic back to the right place without NAT. But is it as easy as just NATing the outbound traffic at the firewall?
That depends on whose life you are trying to make easy. If you asked the application developers or the people that have to build all the problematic ALGs that creates a need for, I'd bet they would have a different opinion than the guy configuring the firewall. In terms of overall problems created, cost to the community, increased insecurity, and the other costs associated with a NAT-based solution, I'd say that it is a net loss to use NAT and a net gain to avoid it. From the perspective of the firewall administrator alone without a broader view of the total consequences, toxic pollution of the internet seems like a good idea.

Owen
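To make the disagreement above concrete, here is an added toy model (not code from either poster) of the asymmetric-return problem. One outbound TCP flow leaves through fw1, and a stand-in for the upstream routing delivers the reply to fw2 unless the reply is addressed to fw1 itself. Three of the approaches mentioned are compared: independent per-firewall state (the reply is dropped), state shared between the firewalls (option 1 in Owen's list), and NAT66 at the egress firewall (Lee's approach). All addresses are constructed documentation-prefix values, and the firewall, route and flow representations are simplifications assumed for the illustration.

```python
"""Toy model of asymmetric return traffic through two stateful firewalls.

Constructed example: compares independent state, shared state, and NAT66
at the egress firewall for a single flow whose reply takes the other path.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed documentation-prefix addresses (RFC 3849), not real hosts.
INSIDE_HOST = "2001:db8:1::10"
FW1_ADDR = "2001:db8:ff::1"    # fw1's own address, used as the NAT source
SERVER = "2001:db8:2::80"


@dataclass
class StatefulFirewall:
    name: str
    state: set = field(default_factory=set)   # 4-tuples seen going outbound
    nat_addr: Optional[str] = None            # set to enable NAT66 on this box
    nat_table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """Record the flow, optionally rewrite the source, return the packet."""
        src, sport, dst, dport = pkt
        if self.nat_addr:
            # remember which inside host owns the translated flow
            self.nat_table[(self.nat_addr, sport, dst, dport)] = src
            src = self.nat_addr
        self.state.add((src, sport, dst, dport))
        return (src, sport, dst, dport)

    def inbound(self, pkt):
        """Accept only replies to a flow in the state table; undo NAT if any."""
        src, sport, dst, dport = pkt
        key = (dst, dport, src, sport)  # reverse of what we saw outbound
        if key not in self.state:
            return None                  # stateful drop: no matching flow
        inside = self.nat_table.get(key, dst)
        return (src, sport, inside, dport)


def return_path(fw1, fw2, reply):
    """Asymmetric upstream: replies reach fw1 only if addressed to fw1."""
    return fw1 if reply[2] == FW1_ADDR else fw2


def run(fw1, fw2):
    """Send one flow out via fw1; report whether the reply reaches the host."""
    out = fw1.outbound((INSIDE_HOST, 40000, SERVER, 443))
    reply = (out[2], out[3], out[0], out[1])   # the server answers the source
    delivered = return_path(fw1, fw2, reply).inbound(reply)
    return delivered is not None and delivered[2] == INSIDE_HOST


def independent_state():
    """Each firewall keeps its own table: fw2 never saw the SYN."""
    return run(StatefulFirewall("fw1"), StatefulFirewall("fw2"))


def shared_state():
    """Both firewalls consult one table (option 1 in the thread)."""
    table = set()
    return run(StatefulFirewall("fw1", table), StatefulFirewall("fw2", table))


def nat_at_egress():
    """fw1 rewrites the source so the reply is routed back to fw1."""
    return run(StatefulFirewall("fw1", nat_addr=FW1_ADDR), StatefulFirewall("fw2"))


if __name__ == "__main__":
    for label, fn in [("independent", independent_state),
                      ("shared", shared_state),
                      ("nat66", nat_at_egress)]:
        print(f"{label:12s} reply delivered: {fn()}")
```

The model shows why both sides are right about the mechanics: NAT works because it forces the reply's destination to be the firewall that holds the state, while shared state works because it stops mattering which firewall the reply lands on. What the model does not capture is the cost Owen points to, namely every application that embeds addresses now needs an ALG to survive the rewrite.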