On May 17, 2011, at 8:55 AM, Matthew Kaufman wrote:
On 5/17/2011 5:25 AM, Owen DeLong wrote:
>> My point was that at least in IPv6, you can reach your boxes whereas with IPv4, you couldn't reach them at all (unless you used a rendezvous service and preconfigured stuff).
> Actually almost everyone will *still* need a rendezvous service as even if there isn't NAT66 (which I strongly suspect there will be, as nobody has magically solved the rest of the renumbering problems) there will still be default firewall filters that the average end-user won't know how or why to change (and in some cases won't even have access to the CPE).
PI solves the majority of the renumbering problems quite nicely and is readily available for most orgs now. Beyond that, I think you will see firewalls become much easier for the average person to manage, and it will become a simple matter of making an http (hopefully https) connection to the home gateway and telling it which service (by name, such as VNC, HTTP, HTTPS, etc. from a pull-down) and which host (ideally by name, but there may be other requirements here) to permit. Some firewalls already come pretty close to that. There is also talk (for better or worse) of having something like UPnP, but without the NAT, for enabling such services. No rendezvous server required.
> For the former we can only hope that NAT66 box builders can get guidance from IETF rather than having IETF stick its collective head in the sand... for the latter the firewall traversal has a chance of being more reliable than having to traverse both filtering and address translation.
I'm still hoping that we just don't have NAT66 box builders. So far, it's working out that way.

Owen