But none of this does what NAT does for a big enterprise, which is to *hide internal topology*. Yes, addressing the privacy concerns that come from using lower-64-bits-derived-from-MAC-address is required, but it is also necessary (for some organizations) to make it impossible to tell that this host is on the same subnet as that other host, as that would expose information like which host you might want to attack in order to get access to the financial or medical records, as well as whether or not the executive floor is where these interesting website hits came from.
Matthew Kaufman
Yeh that information leak is one reason I can think of for supporting NAT for IPv6. One of the inherent security issues with unique addresses I suppose. <flame-suit-on>
What makes you think that not using NAT exposes internal topology?? I have many cases where either filtering at layer-2 or NAT'ing a /48 for itself (or proxy-arp for those that do not have kits that can NAT IP blocks as itself) does NOT expose internal topology. Get your filtering correctly setup, and there is no use for NAT/PAT in v6. NAT was designed with one puropose in mind ..... extending the life of v4... period! The so called security that most think NAT gives them is a side effect. NAT/PAT also breaks several protocols (PASV FTP, H.323, etc) and I for one will be happy to see it go. I think it's a mistake to include NAT in v6 because there are other methodologies of accomplishing all of the side effects that everyone is use to seeing NAT provide without having to actually translate IP's or ports. I for one (as well as alot of other folks I know) am not/will not be using any kind of NAT moving forward. </flame-suit-on>