On Wed, Feb 2, 2011 at 10:34 PM, Jay Ashworth <jra@baylink.com> wrote:
> [snip]
> I won't run an edge-network that *isn't* NATted; my internal machines have no business having publicly routable addresses. No one has *ever* provided me with a serviceable explanation as to why that's an invalid view.
> -- jra

If you want to provide an edge network with IPv6 connectivity but no routable address space, then use a proxy server / application-layer gateway for every allowed application. SOCKS5 can be used to forward any TCP-based protocol and most UDP protocols; the other UDP protocols do not actually function correctly in NAT environments anyway (neither do protocols such as FTP, which require the client side to accept port-bound connections). There's no reason for the internet community to redesign every protocol to allow for and try to function in a NAT environment, for the benefit of a small number of edge networks that want a private castle with hosts on their network not connected to the internet, for no reason that has been adequately justified. In IPv4 this had to be accepted, because with limited IP address space it was not an option to have no NAT. Now, with IPv6, it is not an option to have NAT. No one has ever provided me with a serviceable explanation of why a stateful firewall is an insufficient method for implementing any desired network policy with regard to limiting accepted traffic to outbound connections for nodes on an edge network.

-- 
-JH
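The policy JH describes (inside hosts keep globally routable IPv6 addresses, and the edge accepts only traffic belonging to connections initiated from inside) as an added nftables ruleset; it is not part of the thread, and the interface names wan0/lan0 and the documentation prefix 2001:db8:1234::/48 are assumed values.

```nft
# Added example, not from the thread. Stateful IPv6 edge filter with no
# address translation: inside hosts are globally addressed, but new
# connections are only accepted in the inside-to-outside direction.
# Assumed: wan0 faces the internet, lan0 faces the edge network,
# 2001:db8:1234::/48 is the (documentation) prefix delegated to the site.
table ip6 edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Anti-spoofing: a packet arriving from the internet must not claim
        # one of our own addresses as its source.
        iifname "wan0" ip6 saddr 2001:db8:1234::/48 drop

        # Packets that belong to a flow already in the state table are the
        # only inbound traffic accepted; that flow must have been opened
        # from inside by the rule further down.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors are required for path MTU discovery to work; blocking
        # them silently breaks large transfers.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # New connections are allowed only from our prefix, leaving via wan0.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1234::/48 \
            ct state new accept

        # Anything else, in particular any new connection from wan0 toward an
        # inside host, falls through to the drop policy. Log before drop when
        # building detections for unsolicited inbound probes.
        iifname "wan0" ct state new log prefix "edge-drop-new: " drop
    }
}
```

Protocols the thread calls out, such as FTP, only pass through this filter if a conntrack helper classifies the server-initiated data connection as related; without the helper they fail here in exactly the same way they fail behind NAT.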