[arin-ppml] IPv6 Non-connected networks

Roger Marquis marquis at roble.com
Fri Mar 26 14:35:05 EDT 2010

> STUN, SNAT, UPNP, and a myriad of other often poorly implemented
> incompatible and unreliable NAT traversal mechnisms, Application
> layer Gateways, etc.

Sounds like you're asserting that any application wishing to embed the
remote IP in the data portion of an IP packet (SIP/STUN/...) or requiring
a "hole" in the firewall (UPNP) are valid reasons to get rid of NAT?  I
don't think you'll find much support for those assertions in
security-related groups (like firewall-wizards).

> However, at the far end when I'm trying to figure out why something didn't
> work, any of the following behaviors related to NAT make things more
> difficult to debug:

This is an issue with logging, not with NAT or even stateful inspection.

> There are many many others, but, I think these three that come
> to me off the top of my head from my own experience are
> enough to make the point.

I don't know who might be persuaded to dump NAT from these examples but
from a security perspective they're simply not convincing.  That's just
my opinion of course, but I encourage you to post them to a computer or
network security mailing list and see if they hold water.

Roger Marquis

More information about the ARIN-PPML mailing list