Joe Greco wrote:
Everyone knows a NAT gateway isn't really a firewall, except more or less
accidentally. There's no good way to provide a hardware firewall in an
average residential environment that is not a disaster waiting to happen.
Gotta love it. A proven technology, successfully implemented on millions
of residential firewalls "isn't really a firewall, but rather "a disaster
waiting to happen". Make you wonder what disaster and when exactly it's
going to happen?
Simon Perreault wrote:
We have thus come to the conclusion that there shouldn't be a
NAT-like firewall in IPv6 home routers.
And that, in a nutshell, is why IPv6 is not going to become widely
feasible any time soon.
Whether or not there should be NAT in IPv6 is a purely rhetorical
argument. The markets have spoken, and they demand NAT.
Is there a natophobe in the house who thinks there shouldn't be stateful
inspection in IPv6? If not then could you explain what overhead NAT
requires that stateful inspection hasn't already taken care of?
Far from the issue some try to make it out to be, NAT is really just a
component of stateful inspection. If you're going to implement
statefulness there is no technical downside to implementing NAT as well.
No downside, plenty of upsides, no brainer...
Nobodoy thinks that statefull firewall is not necessary for IPv6. If you want to particiapte the discussion then comment the IETF v6ops document:
I handwave past all that by pointing out (as you have) that
stateful inspection is just a subset of NAT, where the inside
address and the outside address happen to be the same.
(in the same way that the SHIM6 middleware boxes which were
proposed but never built were /also/ just subsets of NAT, with
the translation rules controlled by the SHIM6 protocol layers
on the hosts... but we weren't allowed to call them NAT gateways,
because IPv6 isn't supposed to have any NAT in it
Of course there are downsides to implementing NAT - adding any feature
to a device increases its complexity and affects its expense, time to
market, MTBF etc. And there is certainly a downside to *deploying* NAT:
NAT removes end-to-end transparency.
Gotta keep those SOHO users in their cages, don't want them becoming
independent producers of digital value, no sir!
Seriously - by all means keep NAT as a technology for those who want to
deploy it; we can't uninvent it anyway. It just shouldn't be imposed on
I would argue that an ISP requiring of a customer that they use a NATted
solution with IPv6 *is* imposing it on others.