quietly....

Owen DeLong owen at delong.com
Thu Feb 3 18:17:14 UTC 2011


On Feb 3, 2011, at 8:29 AM, Jay Ashworth wrote:

> ----- Original Message -----
>> From: "Jon Lewis" <jlewis at lewis.org>
> 
>> There's an awful lot of inertia in the "NAPT/firewall keeps our hosts
>> safe from the internet" mentality. Sure, a stateful firewall can be
>> configured to allow all outbound traffic and only connected/related
>> inbound.
> 
>> When someone breaks or shuts off that filter, traffic through the NAPT
>> firewall stops working. On the stateful firewall with public IPs on
>> both sides, everything works...including the traffic you didn't want.
> 
> Precisely.
> 
> This is the crux of the argument I've been trying, rather ineptly,
> to make: when it breaks, *which way does it fail*.  NAT fails safe,
> generally.
> 
So does any decent stateful inspection firewall. That's why your argument
doesn't hold water.

The only thing NAT brings to the equation over a properly constructed
stateful firewall is the mutilation of the IP header.

>> People are going to want NAT66...and not providing it may slow down
>> IPv6 adoption.
> 
> You're using the future tense there, Jon; are you sure you didn't mean
> to use the present?  Or the past...?
> 
If the lack of NAT66 slows down IPv6 adoption, even though I am a big
IPv6 cheerleader, I am willing to accept that particular tradeoff.

Overloaded NAT is too costly to the community to be allowed to promulgate
into IPv6. It is detrimental to:
	Application development
	Innovation
	Security
	Auditing
	Cost:
		Cost of application development
		Cost of devices
		Cost of administration
		Cost of operations

People that hold steadfast to the idea of not implementing IPv6 without
NAT will eventually become IPv4 islands. The rest of the internet will
continue to innovate without them and they will eventually come along
or they will be left behind.

Owen
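The fail-closed behaviour the thread argues a stateful firewall shares with NAPT comes down to the chain's default policy. The nftables ruleset below is an added example written for this archive page, not configuration from any of the posters; interface names, the 2001:db8:1::/64 inside prefix and the published DNS host are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): IPv6 forwarding policy for a firewall
# with global addresses on both sides. eth0 = outside, eth1 = inside,
# 2001:db8:1::/64 = inside prefix, 2001:db8:1::53 = published DNS server
# (all assumed values).
flush ruleset

table inet fw {
    chain forward {
        # "policy drop" is what makes this fail safe: if the conntrack rule
        # below is deleted, or the filter is partly disabled, nothing is
        # forwarded, which is the same failure mode as a broken NAPT box.
        # The fail-open variant the thread warns about would read
        # "policy accept;" with only a few explicit drop rules after it.
        type filter hook forward priority filter; policy drop;

        # Replies to connections the inside opened, plus related ICMPv6.
        ct state established,related accept

        # Inside hosts may open new connections outbound.
        iifname "eth1" oifname "eth0" ip6 saddr 2001:db8:1::/64 ct state new accept

        # Inbound: only the services that are deliberately published.
        iifname "eth0" oifname "eth1" ip6 daddr 2001:db8:1::53 udp dport 53 ct state new accept
        iifname "eth0" oifname "eth1" ip6 daddr 2001:db8:1::53 tcp dport 53 ct state new accept

        # ICMPv6 error messages IPv6 needs for path MTU discovery to work.
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept

        # Everything else hits the default policy; log it for auditing.
        log prefix "fwd-drop: " drop
    }
}
```

Load with `nft -f` and confirm with `nft list chain inet fw forward` that the chain reports `policy drop`; removing the `ct state established,related` line should stop return traffic rather than let the chain fall through to accept.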