[ I removed Bill from the CC list so that he will only get one copy of this; it would have been very nice to have seen Bill remove me from the CC list of his earlier reply, so that I would only have seen one copy of THAT. ]
I think this is correct. However, this line of thinking when seen in the light of end2end IPSEC seems to indicate that NAT/Firewall technologies mandate a regenerated security "envelope" at the NAT/Firewall edge. This tends to be what corporations/governments want, while others tend toward the endpoints being individually oriented. I, for one, (and I expect I'm in the minority here) don't want to hand my keys over to BBSS, Sprint, GTE, WCOM, the FBI, the Government of France... so they can decrypt the packets that I am sending to you.
I don't expect that France will ever move into private address space. I do expect WCOM and GTE and the FBI to each do so for their internal networks, and then I expect the NAT boxes between their private networks and the public network to unwrap all the security goo (checking it using keys which are all public inside the addressing domain they came out of) and regenerate it for the far side (again using keys which are meaningful and available in the addressing domain they are being sent into.) This means personal certificates can work, i.e., PGP and to some extent SSH. It means DNSSEC can work. I don't know what it means for IPsec but if IPsec can't be used this way then it will fail in the marketplace. As I kept telling the IETF when I used to attend their meetings, the market does what it feels like doing and the way to appear to lead it is to predict motion and then run out in front of the crowd in that direction. This goes back to the same old descriptive/prescriptive thing Padlipsky was talking about.
So, while I agree that NAT/Firewall techniques are an approach to dealing with hierarchy/scaling issues, I think that MJR was right. NAT/Firewalls are bandaids to be used until we have reasonable endsystem/endsystem IP security.
The key to understanding private addressing is that each addressing domain (which is any private one, or the public one), is an addressing universe unto itself. It has to have its own root name servers. It has to have its own DNS keys. User level certificates a la PGP and sort-of SSH can be shared between multiple addressing domains, but network level certificates like DNS cannot. This can be a bug or a feature depending on your point of view. More in a moment, Jay A. has asked a marvelous bracketing question about this.
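Added illustration (not part of the thread, and not anyone's product code): an AH-style integrity check that covers the source address, so a plain NAT rewrite breaks it and the NAT box has to do what is described above, i.e. verify with the inside domain's key and re-sign for the outside domain's key. Keys and addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct


def ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 51) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def immutable_fields(header: bytes) -> bytes:
    """Zero only what a router may legitimately change (TTL, checksum);
    addresses stay covered, which is exactly why NAT cannot pass it through."""
    h = bytearray(header)
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def sign(header: bytes, payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, immutable_fields(header) + payload, hashlib.sha256).digest()


def verify(header: bytes, payload: bytes, icv: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign(header, payload, key), icv)


def nat_rewrite(header: bytes, new_src: str) -> bytes:
    h = bytearray(header)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def nat_regenerate(header, payload, icv, inside_key, outside_key, public_src):
    """Edge behaviour from the thread: check with the inside-domain key,
    rewrite the address, re-sign with the outside-domain key."""
    if not verify(header, payload, icv, inside_key):
        raise ValueError("inside integrity check failed; packet dropped")
    new_hdr = nat_rewrite(header, public_src)
    return new_hdr, sign(new_hdr, payload, outside_key)


def demo():
    inside_key, outside_key = b"constructed-inside-key", b"constructed-outside-key"
    hdr, payload = ipv4_header("10.0.0.5", "192.0.2.10"), b"hello"
    icv = sign(hdr, payload, inside_key)
    passthrough_ok = verify(nat_rewrite(hdr, "198.51.100.1"), payload, icv, inside_key)
    new_hdr, new_icv = nat_regenerate(hdr, payload, icv, inside_key, outside_key, "198.51.100.1")
    return passthrough_ok, verify(new_hdr, payload, new_icv, outside_key)
```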