On Thu, 22 Apr 2010, William Herrin wrote:
On Wed, Apr 21, 2010 at 11:31 PM, Owen DeLong <owen@delong.com> wrote:
On Apr 21, 2010, at 3:26 PM, Roger Marquis wrote:
William Herrin wrote:
Not to take issue with either statement in particular, but I think there needs to be some consideration of what "fail" means.
Fail means that an inexperienced admin drops a router in place of the firewall to work around a priority problem while the senior engineer is on vacation. With NAT protecting unroutable addresses, that failure mode fails closed.
In addition to fail-closed NAT also means:
* search engines and connectivity providers cannot (easily) differentiate and/or monitor your internal hosts, and
Right, because nobody has figured out Javascript and Cookies.
Having worked for comScore, I can tell you that having a fixed address in the lower 64 bits would make their jobs oh so much easier. Cookies and javascript are of very limited utility.
On the other hand, I could swear I've seen a draft where the PC picks up random unused addresses in the lower 64 for each new outbound connection for anonymity purposes. Even if there is no such draft, it wouldn't exactly be hard to implement. It won't take NAT to anonymize the PCs on a LAN with IPv6.
See RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6.

Regards,
Janos Mohacsi
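Added example, not from any poster in this thread: a Python sketch of the two points discussed above, forming an RFC 4941-style temporary address from a /64 prefix, and telling a MAC-derived (modified EUI-64) identifier, the "fixed address in the lower 64 bits" that makes host tracking easy, apart from a random one. As assumptions of the example, the identifier bits come from os.urandom rather than the MD5 history chain RFC 4941 specifies, and the 2001:db8::/64 documentation prefix stands in for a real one.

```python
import ipaddress
import os
from typing import Optional, Tuple


def is_reserved_iid(iid: bytes) -> bool:
    """RFC 5453 reserved interface identifiers that can still occur once the
    'u' bit is cleared: the all-zero subnet-router anycast IID and the
    reserved subnet anycast block FDFF:FFFF:FFFF:FF80 - FDFF:FFFF:FFFF:FFFF."""
    value = int.from_bytes(iid, "big")
    return value == 0 or 0xFDFFFFFFFFFFFF80 <= value <= 0xFDFFFFFFFFFFFFFF


def temporary_iid(rand_bytes: Optional[bytes] = None) -> bytes:
    """Build a 64-bit interface identifier for a temporary (privacy) address.
    Assumption: bits are drawn from os.urandom instead of RFC 4941's MD5
    history chain. Bit 6 of the first octet (the modified EUI-64 'u' bit)
    is cleared, marking the IID as locally generated, and reserved IIDs are
    rejected and redrawn, as RFC 4941 section 3.2.1 requires."""
    while True:
        iid = bytearray(rand_bytes if rand_bytes is not None else os.urandom(8))
        iid[0] &= 0xFD  # clear the 'u' bit
        if not is_reserved_iid(bytes(iid)):
            return bytes(iid)
        rand_bytes = None  # caller-supplied bits were reserved; draw fresh ones


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Append a 64-bit IID to a /64 prefix such as '2001:db8::/64'."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed on a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def classify_iid(addr: str) -> Tuple[str, Optional[str]]:
    """Distinguish a MAC-derived (modified EUI-64) IID from anything else.
    Returns ('eui64', mac) when the IID embeds a MAC address (ff:fe in the
    middle, 'u' bit set), which is a stable identifier a tracker can follow
    across networks; otherwise ('other', None)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe" and iid[0] & 0x02:
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        return "eui64", ":".join(f"{b:02x}" for b in mac)
    return "other", None


if __name__ == "__main__":
    # constructed sample: a stable EUI-64 address beside a fresh temporary one
    print(classify_iid("2001:db8::250:56ff:feab:cdef"))
    print(make_address("2001:db8::/64", temporary_iid()))
```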