[arin-ppml] inevitability of NAT?

George Bonser gbonser at seven.com
Mon Feb 7 04:12:52 EST 2011


> wrong.  End users absolutely need inexpensive - and I'm talking $60
> and under - stateful packet inspection hardware firewalls.

Doesn't even need to be a firewall.  A router that does NAT for v4 can
do the same for v6 except it doesn't do the NAT.  In other words, you
only allow an incoming packet if an outgoing packet has already been
seen.  So basically you "connect" a local address/port with a remote
address/port when you see the outgoing packet.  When you see an incoming
packet, unless there is an explicit "allow" for it, you drop it unless
the source address/port is "connected" to an inside address/port from an
earlier outgoing packet.

Basically it is tracking all the state that it tracks for NAT without
actually doing the NAT.  Note this isn't deep packet inspection, it
isn't really a "firewall" in that respect, but it shouldn't be too hard
to code an adaptive (or connection tracking) filter.

Any router doing overload NAT is doing more than that for v4 now.
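A minimal model of the connection-tracking filter described in the message above, as an added example that is not from the original post or from any router product: state is keyed on the full (proto, inside addr/port, outside addr/port) tuple, so only the peer the inside host actually talked to gets a reply back in, and idle entries age out. The inside prefix, idle timeout, addresses and traffic are constructed values.

```python
import ipaddress
from typing import NamedTuple

# proto, src addr, src port, dst addr, dst port of one packet (sample traffic is constructed below)
Packet = NamedTuple("Packet", [("proto", str), ("src", str), ("sport", int), ("dst", str), ("dport", int)])


class StatefulFilter:
    """Allow inbound only if it matches state from earlier outbound traffic or an explicit allow; no NAT."""
    def __init__(self, inside_prefix: str, idle_timeout: int = 300) -> None:
        self.inside = ipaddress.ip_network(inside_prefix)
        self.idle_timeout = idle_timeout
        self.state: dict = {}       # (proto, inside addr, inside port, outside addr, outside port) -> last seen
        self.allow: set = set()     # explicit (proto, inside port) allow rules

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def _expire(self, now: int) -> None:
        # Idle state ages out, so a long-dead "connection" cannot be used to get packets in later.
        for flow in [f for f, t in self.state.items() if now - t > self.idle_timeout]:
            del self.state[flow]

    def handle(self, pkt: Packet, now: int) -> str:
        self._expire(now)
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: "connect" local addr/port with remote addr/port; the reply will match this key.
            self.state[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "ALLOW"
        if dst_in and not src_in:
            if (pkt.proto, pkt.dport) in self.allow:
                return "ALLOW"
            flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if flow in self.state:
                self.state[flow] = now      # refresh the idle timer on a matching inbound packet
                return "ALLOW"
        return "DROP"   # unsolicited inbound, or a packet that should never cross the boundary


def demo() -> list:
    """Constructed traffic using the RFC 3849 documentation prefix; the inside network is 2001:db8:1::/48."""
    f = StatefulFilter("2001:db8:1::/48")
    f.allow.add(("tcp", 22))                          # explicit allow for one inside service
    inside, peer, other = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:ffff::2"
    events = [
        (0, Packet("udp", peer, 53, inside, 40000)),      # unsolicited reply, no state yet: DROP
        (1, Packet("udp", inside, 40000, peer, 53)),      # outbound query creates state: ALLOW
        (2, Packet("udp", peer, 53, inside, 40000)),      # reply matching that state: ALLOW
        (3, Packet("udp", other, 53, inside, 40000)),     # right inside port, wrong peer: DROP
        (4, Packet("tcp", other, 50000, inside, 22)),     # covered by the explicit allow: ALLOW
        (400, Packet("udp", peer, 53, inside, 40000)),    # reply after the idle timeout: DROP
    ]
    return [f.handle(p, t) for t, p in events]
```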
