Leigh Porter wrote:
Additionally, NATing services on separate machines behind a single NATed address anonymises the services behind a single address.
Agreed. It can be very useful to not expose the internal topology through address assignment so as to not expose which subnets/desktops/users are accessing certain foreign addresses. This is an even bigger issue in v6 if your stack exposes the MAC address in its choice of stateless autoconfiguration address, as this then gives away not just your internal topology but the vendor of the machines (or at least the ethernet card maker). One can easily imagine attacks based on knowing that a vulnerable and hard-to-upgrade embedded system (an Internet-fax machine, say) was on a particular subnet. Matthew Kaufman matthew@eeph.com