Please see comments inline.
On 7/22/10 10:13 PM, "Owen DeLong" <o...@delong.com> wrote:

> In all reality:
>
> 1. NAT has nothing to do with security. Stateful inspection provides
> security, NAT just mangles addresses.

Of course, the problem is that there are millions of customers that believe that NAT == security. This needs to change.

> 2. In the places where NAT works, it does so at a terrible cost. It
> breaks a number of things, and, applications like Skype are
> incredibly more complex pieces of code in order to solve NAT
> traversal.

I look at this as water under the bridge. Yep, it was complicated code and now it works. I can run bittorrent just fine beyond an Apple wireless router and I did nothing to make that work. Micro-torrent just communicates with the router to make the port available.

> The elimination of NAT is one of the greatest features of IPv6.
>
> Most customers don't know or care what NAT is and wouldn't know the
> difference between a NAT firewall and a stateful inspection firewall.
>
> I do think that people will get rid of the NAT box by and large, or, at least
> in IPv6, the box won't be NATing.
>
> Whether or not they NAT it, it's still better to give the customer enough
> addresses that they don't HAVE to NAT.
>
> Owen

Of course, no disagreement there. The real challenge is going to be education of customers so that they can actually configure a firewall policy to protect their now-suddenly-addressable-on-the-Internet home network. I would love to see how SOHO vendors are going to address this.