On Thu, 22 Jul 2010 19:53:48 -0700 "Akyol, Bora A" <b...@pnl.gov> wrote:
> As long as customers believe that having a NAT router/"firewall" in place is
> a security feature,
> I don't think anyone is going to get rid of the NAT box.
>

You need to separate the NAT function (or more specifically, Network Address Port Translation (NAPT)), and the side effect of that operation being a deny all for uninitiated inbound traffic. It is not a unique property to NAPT, and in fact, stateful firewalling using public addresses has been around as long as NAT (at least since 1995 IIRC).

> In all reality, NAT boxes do work for 99% of customers out there.
>

So would a firewall with public addressing. It's worked for me for 10+ years with IPv4, and 4+ years with IPv6. Of course, it didn't protect me when I ran an email attachment that contained malware, or when I clicked on one of those "PC check" popups that installed an application. (Well, not actually me, but a large number of people do this, helping the attacker completely bypass any "NAT security". Inviting the attacker in as though they were a trusted guest makes the best locks in the world on the door a waste of time.)

It seems you haven't done much with NAT to have encountered its limitations, or experienced the benefits of end-to-end connectivity (ever had to stuff around with port forwarding, TURN, STUN etc. to get VoIP working at home? I haven't, and I got to spend that time on something else much more useful than fiddling with NAT workarounds.)

> Bora
>
>
> On 7/22/10 7:34 PM, "Owen DeLong" <o...@delong.com> wrote:
>
> > Well, wouldn't it be better if the provider simply issued enough space to
> > make NAT66 unnecessary?
> >
> > Owen
> >
>
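For readers who want to see the "deny all uninitiated inbound" property without NAPT that the reply above describes, here is an added example (not from this thread or any of its posters) of a stateful IPv6 forward chain in nftables for a home router with a public prefix. Interface names, the host address and the 2001:db8::/64 documentation prefix are assumptions; substitute your own delegated prefix.

```nft
# Added example, not part of the original thread. A stateful IPv6 firewall
# on a home router that uses public addresses only: no NAT66, no NAPT.
# Assumed: "lan0" faces the LAN, "wan0" the ISP, 2001:db8::/64 is the
# delegated prefix (documentation prefix used as a placeholder).
table inet edge {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for sessions the inside hosts initiated. This is the
        # "side effect" a NAPT box gives you, obtained here from connection
        # tracking alone, with addresses left intact end to end.
        ct state established,related accept

        # Anything the inside started may leave, from our own prefix only
        # (cheap egress anti-spoofing).
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8::/64 accept

        # ICMPv6 errors must pass for IPv6 to work (Path MTU discovery).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # One explicit, reviewable exception: inbound SIP to a single phone.
        # With public addressing this one rule replaces the port-forwarding
        # and STUN/TURN juggling a NAPT setup needs for the same call flow.
        iifname "wan0" ip6 daddr 2001:db8::10 udp dport 5060 ct state new accept

        # Everything else that the outside initiates is logged and dropped;
        # the chain policy drops it anyway, the log makes the drops visible.
        log prefix "fwd-drop: " drop
    }
}
```

Load with `nft -f` and list the counters with `nft list ruleset` to confirm that outbound sessions and their replies pass while unsolicited inbound flows land on the final drop rule.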