[arin-ppml] IPv6 Non-connected networks

Roger Marquis marquis at roble.com
Mon Mar 29 22:03:56 EDT 2010


>> Upgrading equipment in COs and in colos is no more difficult either.
>>
> True, but, the average residential customer couldn't care less about NAT.
> In fact, most of the residential customers I know long for the ability to choose
> their level of accessibility rather than being stuck in a NAT straightjacket.

NAT is easily disabled in every type of CPE I've seen over the past 15
years.  Show me the stateful ACLs that replace NAT reliably and then
you'll at least have made a case WRT security.  We haven't seen those
filters yet, much less an equally reliable replacement for NAT's topology
hiding, protection from (ILEC/ISP) vendor lock-in, or renumberless
multi-homing.

>> Citing the lack of CPE support for Torrent, SIP and other protocols as a
>> reason to leave NAT out of IPv6 is specious.  The CPE will still need
>> stateful translation to provide the same security, and NAT is the
>> simplest way to do it.
>>
> No, it needs stateful inspection, not translation.

Right, translation is not needed, but translation is easily added to
stateful inspection.  Even the cheapest CPE can get this right without
complexity.  Stateful inspection is the hard part that is often mistaken
for NAT "brokenness".


Roger Marquis
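
An added illustration of the closing point, not part of the original message or thread: a toy Python model in which one flow table does the stateful inspection and translation is an optional rewrite keyed on that same table. The `Gateway` class, the port pool and all addresses are constructed assumptions; protocol state and timeouts are not modelled.

```python
from typing import NamedTuple, Optional

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class Gateway:
    """Toy CPE gateway: one flow table, translation optional (hypothetical model)."""

    def __init__(self, public_addr: Optional[str] = None):
        self.public_addr = public_addr  # None means inspect only, no rewriting
        self.sent = {}                  # inside packet -> packet as sent outside
        self.flows = {}                 # expected reply 4-tuple -> inside (addr, port)
        self.next_port = 40000          # constructed port pool for translated flows

    def outbound(self, p: Pkt) -> Pkt:
        """Inside host sends: record state, then rewrite the source if translating."""
        out = self.sent.get(p)
        if out is None:
            out = p
            if self.public_addr is not None:
                out = p._replace(src=self.public_addr, sport=self.next_port)
                self.next_port += 1
            self.sent[p] = out
            self.flows[(out.dst, out.dport, out.src, out.sport)] = (p.src, p.sport)
        return out

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Outside packet arrives: forward only if it answers a recorded flow."""
        inside = self.flows.get((p.src, p.sport, p.dst, p.dport))
        if inside is None:
            return None                 # unsolicited, dropped in both modes
        return p._replace(dst=inside[0], dport=inside[1])

# Constructed sample traffic using the IPv6 documentation prefix 2001:db8::/32.
HOST, SERVER, OTHER = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:ffff::66"
REQ = Pkt(HOST, 51000, SERVER, 443)

if __name__ == "__main__":
    for label, gw in (("inspect only", Gateway()), ("with translation", Gateway("2001:db8:2::1"))):
        out = gw.outbound(REQ)
        reply = Pkt(out.dst, out.dport, out.src, out.sport)
        print(label, "sent:", out)
        print(label, "reply ->", gw.inbound(reply))
        print(label, "unsolicited ->", gw.inbound(Pkt(OTHER, 443, out.src, out.sport)))
```

In both modes the drop decision comes from the flow-table lookup; the translating mode only adds the source rewrite on the way out and the destination rewrite on the way back.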


