Is NAT can provide some kind of protection?
gbonser at seven.com
Wed Jan 12 11:21:39 CST 2011
> I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
> demanded too much. There is money for it, so it will be there.
Yeah, I think you are right. But in really thinking about it, I wonder
why. The whole point of PAT was address conservation. You don't need
that with v6. All you need to do with v6 is basically have what amounts
to a firewall in transparent mode in the line and doesn't let a packet
in (except where explicitly configured to) unless it is associated with a
packet that went out.
PAT makes little sense to me for v6, but I suspect you are correct. In
addition, we are putting the "fire suit" on each host in addition to the
firewall. Kernel firewall rules on each host for the *nix boxen.
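
The policy described in the message above, written out as an added example that is not part of the original post. It assumes nftables on Linux and a routed forward path rather than a bridge; the table names, interface names and 2001:db8::/32 documentation addresses are constructed for illustration.

```nftables
# Added example: stateful IPv6 filtering with no address translation.
# Table names, interface names and addresses are constructed (assumptions).

# Perimeter: nothing comes in unless it belongs to a flow that went out,
# or it matches an explicitly configured exception.
table ip6 edgefw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows opened from inside, plus ICMPv6 errors tied to them.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open new flows outbound.
        iifname "lan0" oifname "wan0" ct state new accept

        # Explicit inbound exception: SMTP to one mail host.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:10::25 tcp dport 25 ct state new accept
    }
}

# The "fire suit" on each host: the same default-deny policy on its own input path.
table ip6 hostfw {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept

        # Neighbor discovery, router advertisements and Packet Too Big.
        # Placed before the invalid drop; IPv6 stops working without them.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big } accept

        ct state established,related accept
        ct state invalid drop

        # Explicit exception: SSH from a management prefix.
        ip6 saddr 2001:db8:ffff::/48 tcp dport 22 ct state new accept
    }
}
```

Hosts keep their global addresses end to end; the inbound protection comes entirely from connection tracking and the default-drop policy, with no translation step.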