On Wed, 29 Oct 2003, Scott McGrath wrote:
> Life would be much simpler without NAT however there are non-computer devices which use the internet to get updates for their firmware that most of us would prefer not to be globally reachable due to the human error factor i.e. "Oops forgot a rule to protect X". <snip> A good example of this is building control systems which get firmware updates via FTP!!!! from their maker. Usually there is no manual system for updating them offline and allowing them to be disconnected from the internet as in my opinion they _should_ be.
NAT is certainly not the only way to restrict this sort of access. For your ship example (snipped) an isolated network is best. For your building control systems a firewall preventing inbound access, instead of a NAT device, should be your control of choice.
> This class of devices should not have a globally routable address because in many cases security on them is less than an afterthought (short fixed passwords, no support for secure protocols, etc)
routable != reachable. Restrict inbound access to your networks as needed, with or without NAT, IPv4 or IPv6. For legacy IPv4 networks that haven't been renumbered to IPv6, use a 4to6 gateway. You seem to be arguing that NAT is the only way to prevent inbound access. While it's true that most commercial IPv4 firewalls bundle NAT with packet filtering, the NAT is not required... and less so with IPv6.

...david

---
david raistrick drais@atlasta.net http://www.expita.com/nomime.html
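A stateful filter that does what the reply describes, added here as an nftables example rather than anything from the thread: the control devices keep globally routable IPv6 addresses, there is no NAT, and only sessions they open toward the vendor's update host get through. Interface names, the device prefix and the vendor address are assumed placeholders from the 2001:db8::/32 documentation range.

```nft
# Added example (not from the original thread). Filtering gateway between
# a building-control segment (ctrl0) and the outside (wan0). Addresses and
# interface names are assumed placeholders.
table inet controlnet {
    # FTP tracks its data channel on server-chosen ports; the conntrack
    # helper lets "related" data connections follow the control channel
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain assign_helper {
        type filter hook prerouting priority filter;
        # Only control-channel sessions to the vendor host get the helper
        ip6 daddr 2001:db8:ff::10 tcp dport 21 ct helper set "ftp-standard"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies and FTP data channels for sessions the devices opened
        ct state established,related accept
        ct state invalid drop

        # Devices may open FTP control sessions to the vendor update host,
        # and nothing else outbound
        iifname "ctrl0" oifname "wan0" ip6 saddr 2001:db8:100::/64 \
            ip6 daddr 2001:db8:ff::10 tcp dport 21 ct state new accept

        # Unsolicited inbound traffic toward the devices is counted and
        # dropped; the devices stay routable but not reachable
        iifname "wan0" oifname "ctrl0" counter drop
    }
}
```

The counter on the final rule gives a cheap signal of inbound probing against the device segment; if the vendor ever moves to FTP-over-TLS, the helper can no longer parse the control channel and the data ports must be handled explicitly.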