quietly....

Matthew Huff mhuff at ox.com
Thu Feb 3 19:00:57 UTC 2011


> In IPv6, the simpler solution is to allocate a /64 to groups of machines that serve such a function.
> If you need to move the group, you can simply move the entire prefix.

If we change the prefix, then I have to contact and deal with the bureaucracy of external corporate entities. This is a significant cost that is completely prevented by using NAT. Also, given that the prefix is a network address, now we have to contact a separate department with a separate bureaucracy to get routing changes approved. Again, how is this easier without NAT?

> You can break p2p just as quickly without NAT using policy. NAT doesn't provide policy, it just limits
> your ability to choose your own policy.

The goal is not to break p2p. The goal is to use NAT for various reasons, and the fact that it breaks p2p is just a benefit. You keep pointing out that NAT should be eliminated so that p2p will work; to me, that is a good argument for the opposite. NAT, at least in a corporate world, is never going away. There are too many good reasons for it to exist. For an ISP/CPE or university environment, I understand your argument, but not for a corporate network.

If there were a good NAT46 implementation on a Cisco ASA, Juniper firewall, Checkpoint and others, then most corporate networks could stay in IPv4 RFC 1918 private IP addresses, get PA IPv6 globally routable address space from their providers, and set up global NAT pools and have access to IPv4 and IPv6 with no internal changes. It may not be ideologically pure, but it would work, at least as well as it does now, and allow the migration to IPv6 to move forward more easily.

More information about the NANOG mailing list