First, let's clarify things a bit. I don't think unintended routing is what concerns your IT guys. After all, even with the NAT box today, there's routing from the outside to the inside. It's just controlled by stateful inspection.
It might be better stated differently. With NAT, routing from the outside to the inside is controlled by stateful inspection and also by internal policy.

In what we usually mean as IPv4 NAT in today's usage, there is not supposed to be a way for an outside attacker to target a particular inside destination, even if its address were known. 1918 space isn't globally routed and the "real" external IP address is the only thing your firewall has to go on; internal policy controls what happens to unsolicited traffic.

With IPv6 and a stateful firewall, an outside attacker gains the ability to address devices within your network, even if he is unable to actually cause packets to arrive at that target thanks to your firewall.

There's a fundamental difference here that scares some people. They fear an inadvertent dropping of their stateful firewall ruleset, for example, or maybe even bypassing of the firewall through misconfig or other perils at the network level.

You won't make much progress on these fears because there's genuinely something to them.

What we really need are killer IPv6 apps that can't easily be NAT'd. :-)

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
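The failure mode discussed in this message, as an added example that is not part of the original post: a toy model of a gateway in NAT44 mode and in routed IPv6 mode, showing what an unsolicited inbound packet reaches when the stateful ruleset is loaded and when it has been dropped. The `Gateway` class, the port-preserving NAT and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    mode: str                      # "nat44" or "routed6"
    wan_addr: str
    inside_hosts: set
    firewall_loaded: bool = True   # False models an inadvertently dropped ruleset
    state: dict = field(default_factory=dict)

    def outbound(self, src, sport, dst, dport):
        """An inside host opens a flow; record where its replies will arrive."""
        public = self.wan_addr if self.mode == "nat44" else src
        # Simplification: the NAT keeps the source port unchanged.
        self.state[(public, sport)] = (src, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Return the inside host that receives the packet, or None if dropped."""
        entry = self.state.get((dst, dport))
        if entry and (entry[1], entry[2]) == (src, sport):
            return entry[0]                      # reply to an existing flow
        if self.firewall_loaded:
            return None                          # unsolicited: stateful drop
        if self.mode == "nat44":
            return entry[0] if entry else None   # only already-mapped ports
        return dst if dst in self.inside_hosts else None  # plain routing

# Constructed sample addresses (RFC 1918 and documentation ranges).
ADDRS = {
    "nat44":   dict(inside="10.0.0.5", wan="203.0.113.1",
                    remote="198.51.100.80", outsider="198.51.100.66"),
    "routed6": dict(inside="2001:db8:1::5", wan="2001:db8:ffff::1",
                    remote="2001:db8:2::80", outsider="2001:db8:3::66"),
}

def unsolicited_reach(mode, firewall_loaded):
    """Who receives an unsolicited packet to port 22 on the best address
    an outsider can name: the WAN address (NAT) or the host itself (IPv6)."""
    a = ADDRS[mode]
    gw = Gateway(mode, a["wan"], {a["inside"]}, firewall_loaded)
    gw.outbound(a["inside"], 40000, a["remote"], 443)   # normal web flow
    target = a["wan"] if mode == "nat44" else a["inside"]
    return gw.inbound(a["outsider"], 55555, target, 22)

if __name__ == "__main__":
    for mode in ("nat44", "routed6"):
        for fw in (True, False):
            print(mode, "firewall loaded" if fw else "ruleset dropped",
                  "->", unsolicited_reach(mode, fw))
```

With the ruleset loaded both modes drop the packet; with it dropped, only the routed IPv6 gateway delivers it to the inside host, which is why a default-deny forward policy that survives a ruleset flush matters more on a routed IPv6 edge.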