RE: RFC1918 addresses to permit in for VPN?

So the picture that emerges is that Randy is very definitely
speaking of NAT as Bi-directional or Two-Way NAT (in the terminology
of RFC 2663), where no address conservation is practiced, and
machines with private addresses are directly reachable via public
addresses, through a fixed incoming mapping applied by the NAT

umm, fixed is not a requirement here. you can go two way through
allocated out of a pool easily enough. yes, the hacker won't have
over what is in the pool that he is trying to hack into, and the
visible addresses of systems may change, but as long as the NAT is being
and is two way, there are things which are subject to attack.

the combination of RFC 1918 space and NAT is a sorry excuse for
you need some sort of packet filtering or access control on the path,
in the box doing the NAT, possibly in some other box, but you _must_
have it.

if a network is completely isolated from the public internet, then the
issue is irrelevant, as the network is inaccessible regardless of what
addresses are being used.
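
An added illustration of the point made in the message above, not part of the original post: a toy model of two-way NAT that hands out public addresses from a pool, run once with no filtering and once with an access list in the path. The class, function names, addresses and ports are all constructed for this example.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr falls in one of the three RFC 1918 private blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

class TwoWayPoolNAT:
    """Toy two-way NAT: an inside host gets a pool address on first use."""
    def __init__(self, pool, allow=None):
        self.free = list(pool)   # unallocated public addresses
        self.out = {}            # private -> public
        self.back = {}           # public -> private (the incoming mapping)
        self.allow = allow       # None = no filter, else set of (private, dport)

    def outbound(self, private):
        """Inside host sends traffic; allocate a pool address if it has none."""
        if not is_rfc1918(private):
            raise ValueError("inside host must use RFC 1918 space")
        if private not in self.out:
            public = self.free.pop(0)
            self.out[private] = public
            self.back[public] = private
        return self.out[private]

    def inbound(self, public, dport):
        """Packet arrives from outside; return the private host reached, or None."""
        private = self.back.get(public)
        if private is None:
            return None          # nothing currently mapped to this pool address
        if self.allow is not None and (private, dport) not in self.allow:
            return None          # dropped by the access list
        return private           # translated and delivered to the inside host

def demo():
    pool = ["203.0.113.10", "203.0.113.11"]  # constructed, documentation range
    nat = TwoWayPoolNAT(pool)                # NAT only, no packet filter
    pub = nat.outbound("10.1.1.5")
    unfiltered = nat.inbound(pub, 445)
    fnat = TwoWayPoolNAT(pool, allow={("10.1.1.5", 25)})  # NAT plus access list
    fpub = fnat.outbound("10.1.1.5")
    return unfiltered, fnat.inbound(fpub, 445), fnat.inbound(fpub, 25)

if __name__ == "__main__":
    print(demo())
```

Without the access list, anything sent to an allocated pool address is translated and delivered to the RFC 1918 host; with it, only the explicitly permitted (host, port) pair gets through.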