North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Security gain from NAT
Thus spake "Roger Marquis" <[email protected]>
I, for one, give up. No matter what you say I will never implement NAT, and you may or may not implement it if people make boxes that support it.
The thing is, with IPv6 there's no need to do NAT. What vendors have (so far) failed to deliver is a consumer-grade firewall that does SI with the same rules on by default that v4 NAT devices have. Throw in DHCP PD and addressing (and renumbering) are automatic. This is simpler than NAT because no "fixup" is required; a v6 firewall with SI and public addresses on both sides just needs to inspect packets, not modify them.
The same device will probably be a v4 NAT device; nobody is trying to take that away because it's a necessary evil. However, NAT in v6 is not necessary, and it's still evil.
Stephen Sprunk "Those people who think they know everything CCIE #3723 are a great annoyance to those of us who do." K5SSS --Isaac Asimov