
Re: I-D.ietf-v6ops-cpe-simple-security-09



On 3/21/10 11:14 PM, Brian E Carpenter wrote:

> As a co-author of 4864, let me agree violently. It's not a BCP.
> Even if it was, consensus could reverse it.
>
> What 4864 says is: NATs weren't designed as security devices but they
> provide simple security by blocking everything incoming by default.
> To implement simple security for v6 you should do it with a stateful
> firewall.
Right, NAPTs were invented primarily for address amplification, but also brought simple security and address independence.

Address amplification is something that IPv6 currently does not need, and address independence is something that would be quite useful but we haven't been able to design and deploy it without breaking end-to-end.

The firewall function in simple-security explicitly damages end-to-end. If we go this route, we might as well toss in NAT too, as we will have already paid the price in terms of end-to-end transparency; we might as well get the address independence benefit along with it.

I suspect this will be used as an argument in the future if stateful firewall operations become ubiquitous in CPEs: How is NAT *that much* worse than the firewall you already have?

- Mark
> It doesn't say that CPEs MUST do this. It leaves that choice open, as
> an informational document.
>
>      Brian