Life would be much simpler without NAT; however, there are non-computer devices which use the internet to get updates for their firmware that most of us would prefer not to be globally reachable due to the human error factor, i.e. "Oops, forgot a rule to protect X". The radar on your cruise ship uses an IP network to communicate with the chartplotter, GPS and depth sounder; do you really want _this_ gear globally reachable via the internet? Remember, if it's globally reachable it is subject to compromise.

A good example of this is building control systems which get firmware updates via FTP!!!! from their maker. Usually there is no manual system for updating them offline and allowing them to be disconnected from the internet, as in my opinion they _should_ be.

NAT is not security; just look what you can do with sFlow to identify machines behind a NAT. NAT is useful for machines which need to periodically make a connection to perform some function involving the network. This class of devices should not have a globally routable address because in many cases security on them is less than an afterthought (short fixed passwords, no support for secure protocols, etc.).

The other case, as pointed out by another poster, is overlapping networks which need NAT until a renumbering can be accomplished.

Scott C. McGrath

On Wed, 29 Oct 2003, Miquel van Smoorenburg wrote:
> In article <cistron.Pine.LNX.4.44.0310291228200.29539-100000@login1.fas.harvard.edu>, Scott McGrath <mcgrath@fas.harvard.edu> wrote:
>> And sometimes you use NAT because you really do not want the NAT'ed device to be globally addressable but it needs to have a link to the outside to download updates. Instrument controllers et al.
>
> I don't understand. What is the difference between a /24 internal NATted network, and a /64 internal IPv6 network that is firewalled off: only packets to the outside allowed, and packets destined for the inside need to have a traffic flow associated with them.
>
> As I see it, NAT is just a stateful firewall of sorts. A broken one, so why not use a non-broken solution?
>
> We can only hope that IPv6 capable CPE devices have that sort of stateful firewalling turned on by default. Or start educating the vendors of these el-cheapo CPE devices so that they will all have that kind of firewalling enabled before IPv6 becomes mainstream.
>
> Mike.
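The "firewalled off /64" that Miquel describes, and the outbound-only access Scott wants for instrument controllers, both come down to the same connection-tracking rule: let the inside open flows, admit only packets that belong to an existing flow, drop everything else. The nftables ruleset below is an added illustration written for this thread, not something either poster shipped; the interface names `lan0` and `wan0` are assumptions. The `inet` table applies one policy to IPv4 and IPv6 alike, so the security property does not depend on address translation at all; the IPv4 masquerade at the end is the only NAT-specific part and can be deleted for the IPv6 case without weakening the filter.

```nft
#!/usr/sbin/nft -f
# Added example: stateful forwarding policy for a CPE/router.
# Interface names are assumptions for illustration.

flush ruleset

table inet filter {
    chain forward {
        # Default deny: unsolicited packets from the WAN never reach the LAN.
        type filter hook forward priority 0; policy drop;

        # Replies to flows the LAN opened (same rule covers IPv4 and IPv6).
        ct state established,related accept
        ct state invalid drop

        # IPv6 has no NAT to hide behind, so the error messages needed for
        # path MTU discovery must be allowed explicitly or connections stall.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Anything originating on the LAN may go out and create state.
        iifname "lan0" oifname "wan0" accept
    }
}

# Only needed for the IPv4 /24 case; the filter above is what provides
# the "not globally reachable" property, not the address rewriting.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` and inspect the live state table with `conntrack -L` (or `nft list ruleset` for the rules); an inbound packet to a LAN address that has no matching entry is dropped by the forward chain's policy whether the LAN is a private /24 or a globally routed /64.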