On Thu, 3 Feb 2011, Brian Johnson wrote:
3) To give all your outbound sessions a mutual appearance, so as to confound those attempting to build a profile of your activity.
So this goes back to security through obscurity. OK.
There's an awful lot of inertia in the "NAPT/firewall keeps our hosts safe from the internet" mentality. Sure, a stateful firewall can be configured allow all outbound traffic and only connected/related inbound. When someone breaks or shuts off that filter, traffic through the NAPT firewall stops working. On the stateful firewall with public IPs on both sides, everything works...including the traffic you didn't want. People are going to want NAT66...and not providing it may slow down IPv6 adoption. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________