Is NAT can provide some kind of protection?

George Bonser gbonser at
Wed Jan 12 11:21:39 CST 2011

> I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
> demanded too much. There is money for it, so it will be there.
> Jack

Yeah, I think you are right.  But in really thinking about it, I wonder
why.  The whole point of PAT was address conservation.  You don't need
that with v6.  All you need to do with v6 is basically have what amounts
to a firewall in transparent mode in the line and doesn't let a packet
in (except where explicitly configure to) unless it is associated with a
packet that went out.

PAT makes little sense to me for v6, but I suspect you are correct.  In
addition, we are putting the "fire suit" on each host in addition to the
firewall. Kernel firewall rules on each host for the *nix boxen.  

More information about the NANOG mailing list