Security gain from NAT

Stephen Sprunk stephen at
Wed Jun 6 15:59:39 UTC 2007

Thus spake "Roger Marquis" <marquis at>
>> I, for one, give up. No matter what you say I will never
>> implement NAT, and you may or may not implement it if people
>> make boxes that support it.
> Most of the rest of us will continue to listen to both sides and
> continue to prefer NAT, in no small part because of the absurd
> examples and inconsistent terminology NATophobes seem to feel is
> necessary to make their case.

The thing is, with IPv6 there's no need to do NAT.  What vendors have (so 
far) failed to deliver is a consumer-grade firewall that does SI with the 
same rules on by default that v4 NAT devices have.  Throw in DHCP PD and 
addressing (and renumbering) are automatic.  This is simpler than NAT 
because no "fixup" is required; a v6 firewall with SI and public addresses 
on both sides just needs to inspect packets, not modify them.

The same device will probably be a v4 NAT device; nobody is trying to take 
that away because it's a necessary evil.  However, NAT in v6 is not 
necessary, and it's still evil.


Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov

More information about the NANOG mailing list