On Monday, March 24, 2014 02:56:13 PM Timothy Morizot wrote:
NAT traversal is and has long been fairly trivial. NAT and RFC1918 provide no meaningful host protection whatsoever and never have. The only thing that limits direct access to internal networks is a stateful firewall. (Well, IPS can also drop packets.) That's true for IPv4 and for IPv6. So an enterprise relying on NAT44 and RFC1918 for internal host protection instead of a stateful firewall already has no meaningful security in place.
Don't disagree with you there. I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do. The whole issue is that a number of enterprises "may" only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall. We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model the second time around.

Mark.