On 4-jun-2007, at 17:37, Donald Stahl wrote:
I want NAT to die but I think it won't.
Far too many "security" folks are dictating actual implementation details and that's fundamentally wrong.
A security policy should read "no external access to the network" and it should be up to the network/firewall folks to determine how best to make that happen. Unfortunately many security policies go so far as to explicitly require NAT.
Don't forget that the reason NAT works to the degree that it does today is because of all the workarounds in applications or protocol- specific workarounds in the NATs (ALGs). In IPv6, you don't have any of this stuff, so IPv6 NAT gets you nowhere fast with any protocol that does more than something HTTP-like. (Yes, I've tried it.) If people want to have their boxes on unroutable IPv6 space, my advice would be to forget NAT and do proxying instead. Proxying also has the advantage that doesn't care about the difference between IPv4 and IPv6, a dual stack proxy gives you access to both. Obviously proxying doesn't work for certain classes of applications, but I should hope that's the point. If you want to be on private address space and still enjoy a good deal of (peer-to-peer) connectivity (= NAT), PLEASE do yourself and the people you want to communicate with a favor and stay in IPv4.