On Feb 3, 2011, at 8:29 AM, Jay Ashworth wrote:
----- Original Message -----
From: "Jon Lewis" <jlewis@lewis.org>
There's an awful lot of inertia in the "NAPT/firewall keeps our hosts safe from the internet" mentality. Sure, a stateful firewall can be configured allow all outbound traffic and only connected/related inbound.
When someone breaks or shuts off that filter, traffic through the NAPT firewall stops working. On the stateful firewall with public IPs on both sides, everything works...including the traffic you didn't want.
Precisely.
This is the crux of the argument I've been trying, rather ineptly, to make: when it breaks, *which way does it fail*. NAT fails safe, generally.
So does any decent stateful inspection firewall. That's why your argument doesn't hold water. The only thing NAT brings to the equation over a properly constructed stateful firewall is the mutilation of the IP header.
People are going to want NAT66...and not providing it may slow down IPv6 adoption.
You're using the future tense there, Jon; are you sure you didn't mean to use the present? Or the past...?
If the lack of NAT66 slows down IPv6 adoption, even though I am a big IPv6 cheerleader, I am willing to accept that particular tradeoff. Overloaded NAT is too costly to the community to be allowed to promulgate into IPv6. It is detrimental to: Application development Innovation Security Auditing Cost: Cost of application development Cost of devices Cost of administration Cost of operations People that hold steadfast to the idea of not implementing IPv6 without NAT will eventually become IPv4 islands. The rest of the internet will continue to innovate without them and they will eventually come along or they will be left behind. Owen