On Thu, 22 Jul 2010 19:53:48 -0700 "Akyol, Bora A" <bora@pnl.gov> wrote:
> As long as customers believe that having a NAT router/"firewall" in place is a security feature, I don't think anyone is going to get rid of the NAT box.
You need to separate the NAT function (or more specifically, Network Address Port Translation (NAPT)), and the side effect of that operation being a deny all for uninitiated inbound traffic. It is not a unique property to NAPT, and in fact, stateful firewalling using public addresses has been around as long as NAT (at least since 1995 IIRC).
> In all reality, NAT boxes do work for 99% of customers out there.
So would a firewall with public addressing. It's worked for me for 10+ years with IPv4, and 4+ years with IPv6. Of course, it didn't protect me when I ran an email attachment that contained malware, or when I clicked on one of those "PC check" popups that installed an application. (Well, not actually me, but a large number of people do this, helping the attacker completely bypass any "NAT security". Inviting the attacker in as though they were a trusted guest makes the best locks in the world on the door a waste of time.) It seems you haven't done much with NAT to have encountered its limitations, or experienced the benefits of end-to-end connectivity (ever had to stuff around with port forwarding, TURN, STUN etc. to get VoIP working at home? I haven't, and I got to spend that time on something else much more useful than fiddling with NAT workarounds.)
> Bora
> On 7/22/10 7:34 PM, "Owen DeLong" <owen@delong.com> wrote:
>> Well, wouldn't it be better if the provider simply issued enough space to make NAT66 unnecessary?
>> Owen
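To make the point in the reply concrete (that "deny all uninitiated inbound" comes from the connection-state table, and NAPT merely bolts address rewriting onto that same table), here is a toy model of both boxes. It is an added illustration, not code from anyone in the thread; the class names, the port allocation scheme and the documentation-prefix addresses are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple a reply to this packet would carry."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)

class StatefulFilter:
    """Stateful firewall on public (e.g. global IPv6) addresses: keeps flow
    state, rewrites nothing. Unsolicited inbound packets are dropped."""
    def __init__(self):
        self.flows = set()              # flows initiated from the inside

    def outbound(self, p):
        self.flows.add(p)               # remember the flow, forward unchanged
        return p

    def inbound(self, p):
        # Forward only if it answers a flow an inside host started.
        return p if p.reverse() in self.flows else None

class NaptFilter(StatefulFilter):
    """NAPT box: the very same state check, plus address/port translation."""
    def __init__(self, public_ip):
        super().__init__()
        self.public_ip = public_ip
        self.next_port = 40000          # constructed: sequential port pool
        self.ports = {}                 # (proto, inside ip, port) -> public port
        self.bindings = {}              # (proto, public port) -> (inside ip, port)

    def outbound(self, p):
        ext = self.ports.get((p.proto, p.src, p.sport))
        if ext is None:
            ext, self.next_port = self.next_port, self.next_port + 1
            self.ports[(p.proto, p.src, p.sport)] = ext
            self.bindings[(p.proto, ext)] = (p.src, p.sport)
        translated = Packet(p.proto, self.public_ip, ext, p.dst, p.dport)
        return super().outbound(translated)   # state is kept on the public 5-tuple

    def inbound(self, p):
        if super().inbound(p) is None:        # identical deny-all-uninitiated test
            return None
        src, sport = self.bindings[(p.proto, p.dport)]
        return Packet(p.proto, p.src, p.sport, src, sport)   # un-translate reply
```

Both boxes reject a probe that was not preceded by a matching outbound flow; only the NAPT box additionally has to maintain and consult a binding table, which is exactly the machinery port forwarding, STUN and TURN exist to work around.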