Owen DeLong wrote:
> ...
> It's really unfortunate that most people don't understand the distinction. If they did, it would help them to realize that NAT doesn't actually do anything for security, it just helps with address conservation (although it has some limits there, as well).

Actually NAT does something for security: it decimates it. Any 'real' security system (physical, technology, ...) includes some form of audit trail. NAT explicitly breaks any form of audit trail, unless you are the one operating the header mangling device. Given that there is no limit to the number of NAT devices along a path, there can be no limit to the number of people operating them. This means there is no audit trail, and therefore NO SECURITY.

> IPv6 with SI is no less secure than IPv4 with SI+NAT. If you're worried about address and/or topological obfuscation, then, IPv6 offers you privacy addresses with rotating numbers. However, that's more a privacy issue than a security issue, unless you believe in the idea of security through obscurity which is pretty well proven false.

A different way to look at this is less about obscurity, and more about reducing your overall attack surface. A node using a temporal address is vulnerable while that address is live, but as soon as it is released that attack vector goes away. Attackers that harvest addresses through the variety of transactions that a node may conduct will have a limited period of time to try to exploit that. This is not to say that you don't want stateful controls, just that if something inside the stateful firewall has been compromised there will be a limited period of time to use the dated knowledge.

Tony
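As an added illustration of the audit-trail point in Tony's reply (not code from the thread or from either poster), the script below walks a remote server's log entry back through NAT translation logs to the originating host. Everything in it is constructed: the OPEN/CLOSE log format, the addresses, and the two-tier layout (a carrier-grade NAT in front of a customer router) are invented for the example and are not any vendor's format. It shows the three ways the trail degrades: the remote log recorded only the public IP and not the port, the NAT reused a port so timestamp precision decides the answer, and the investigator does not have the inner NAT operator's log at all.

```python
"""Correlate a remote server log entry back through NAT logs.

Constructed example: log formats, addresses and timestamps are invented
for illustration and do not correspond to any real device or vendor.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Translation:
    opened: datetime
    closed: Optional[datetime]  # None while the mapping is still active
    inside: Endpoint            # private side of the NAT
    outside: Endpoint           # public side of the NAT


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(lines: List[str]) -> List[Translation]:
    """Parse the constructed format
    '<ts> OPEN|CLOSE <inside_ip>:<port> -> <outside_ip>:<port>'."""
    active: Dict[Tuple[Endpoint, Endpoint], Translation] = {}
    done: List[Translation] = []
    for line in lines:
        ts, action, inside, _, outside = line.split()
        i_ip, i_port = inside.rsplit(":", 1)
        o_ip, o_port = outside.rsplit(":", 1)
        key = ((i_ip, int(i_port)), (o_ip, int(o_port)))
        if action == "OPEN":
            active[key] = Translation(_ts(ts), None, key[0], key[1])
        elif action == "CLOSE":
            t = active.pop(key)
            t.closed = _ts(ts)
            done.append(t)
    return done + list(active.values())


def attribute(when: datetime, outside_ip: str, outside_port: Optional[int],
              translations: List[Translation]) -> Set[Endpoint]:
    """Inside endpoints that could have produced traffic seen from
    outside_ip[:outside_port] at `when`. Several results mean the trail is
    ambiguous; an empty set means this NAT's log cannot explain the event."""
    hits: Set[Endpoint] = set()
    for t in translations:
        if t.outside[0] != outside_ip:
            continue
        if outside_port is not None and t.outside[1] != outside_port:
            continue
        if t.opened <= when and (t.closed is None or when <= t.closed):
            hits.add(t.inside)
    return hits


def trace(when: datetime, ip: str, port: Optional[int],
          nat_logs: List[List[Translation]]) -> List[Set[Endpoint]]:
    """Walk inward through the NAT logs you actually hold, outermost first.
    Stops at the first ambiguous hop or when no log explains the event; the
    last element is as far as the audit trail reaches."""
    hops: List[Set[Endpoint]] = [{(ip, port if port is not None else 0)}]
    for log in nat_logs:
        if len(hops[-1]) != 1:
            break
        (cur_ip, cur_port), = hops[-1]
        nxt = attribute(when, cur_ip, cur_port or None, log)
        if not nxt:
            break
        hops.append(nxt)
    return hops


# Constructed carrier-grade NAT log (public side 203.0.113.7); note that
# public port 40001 is reused by a different subscriber after 10:05:00.
CGNAT_LOG = parse_nat_log([
    "2024-03-01T10:00:00Z OPEN 100.64.0.5:51234 -> 203.0.113.7:40001",
    "2024-03-01T10:00:10Z OPEN 100.64.0.9:44000 -> 203.0.113.7:40002",
    "2024-03-01T10:05:00Z CLOSE 100.64.0.5:51234 -> 203.0.113.7:40001",
    "2024-03-01T10:05:30Z OPEN 100.64.0.9:44001 -> 203.0.113.7:40001",
])

# Constructed customer router log (the device behind 100.64.0.5), which the
# investigator only has if that operator cooperates.
CUSTOMER_LOG = parse_nat_log([
    "2024-03-01T10:00:00Z OPEN 192.168.1.20:60000 -> 100.64.0.5:51234",
    "2024-03-01T10:05:00Z CLOSE 192.168.1.20:60000 -> 100.64.0.5:51234",
])

# Constructed remote server log line: "2024-03-01T10:03:12Z 203.0.113.7:40001 GET /admin"
EVENT_TIME = _ts("2024-03-01T10:03:12Z")


if __name__ == "__main__":
    print("full chain :", trace(EVENT_TIME, "203.0.113.7", 40001, [CGNAT_LOG, CUSTOMER_LOG]))
    print("outer only :", trace(EVENT_TIME, "203.0.113.7", 40001, [CGNAT_LOG]))
    print("no port    :", trace(EVENT_TIME, "203.0.113.7", None, [CGNAT_LOG, CUSTOMER_LOG]))
    print("port reused:", attribute(_ts("2024-03-01T10:06:00Z"), "203.0.113.7", 40001, CGNAT_LOG))
```

With both logs the event resolves to 192.168.1.20; with only the carrier's log it stops at 100.64.0.5, which is exactly "unless you are the one operating the header mangling device". If the remote server logged only the source IP, the first hop already yields two subscribers and the trace halts as ambiguous. The same public port maps to a different host a few minutes later, so clock accuracy across the three logs is part of the audit trail too.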