nanog mailing list archives

Re: IPv6 fc00::/7 - Unique local addresses


From: Owen DeLong <owen () delong com>
Date: Thu, 21 Oct 2010 18:12:44 -0700


> They *will* fight you, and tell you to your face that if you want to
> take NAT away from them it will be from their cold dead hands.
>
> And it isn't NAT in and of itself that is attractive.  Those people
> aren't talking about static NAT where you are just translating the
> network prefix.  They are talking dynamic port-based PAT so that the
> translation doesn't exist until the first packet goes in the outbound
> direction.  Like it or not, that DOES provide some barrier of entry to
> someone outside wishing to initiate a connection from the outside.  You
> cannot predict in advance what outside address/port will be associated
> with which inside address/port or if any such association even exists
> and a lot of people have already made up their minds that the breakage
> that causes for various things is offset by the perceived benefit of
> that barrier and worth the price of dealing with that breakage.

Ah... You've actually just pointed out that it is _NOT_ the NAT that does
that, but, the stateful inspection that happens before the NAT.

Stateful inspection can occur and require a matching state table entry
to permit inbound packets with or without the header-mangling that
we call NAT, NPAT, NAPT, PAT, etc.

True, overloaded NAT cannot exist without stateful inspection, but,
that's largely irrelevant to security. What is relevant is the need for
a good stateful inspection engine with a default-deny-inbound policy.

Owen
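What "a good stateful inspection engine with a default-deny-inbound policy" looks like without NAT, as an added illustration that is not part of the thread or of any poster's configuration: an nftables ruleset for a dual-stack edge router. The filter chains are shared by IPv4 and IPv6 and admit inbound packets only when connection tracking already holds a matching state-table entry; address translation sits in a separate IPv4-only table. Interface names (wan0, lan0) and the 2001:db8::/32 documentation prefix in the commented exception are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Interface names and the 2001:db8
# prefix are assumptions; adjust to the real topology.
flush ruleset

table inet filter {
    chain forward {
        # Default-deny inbound: nothing crosses unless a rule below says so.
        type filter hook forward priority 0; policy drop;

        # Replies matching an existing conntrack entry are let back in.
        # This is the "barrier": no state, no admission, with or without NAT.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open new connections outbound; this creates the state.
        iifname "lan0" oifname "wan0" ct state new accept

        # Inbound service exposure is an explicit exception, same as for IPv4.
        # iifname "wan0" ip6 daddr 2001:db8:1::80 tcp dport 443 ct state new accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # IPv6 does not function without ICMPv6 (NDP, PMTUD), so keep these
        # even under default-deny; blocking them is a common IPv6 firewall bug.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      packet-too-big, destination-unreachable,
                      time-exceeded, parameter-problem, echo-request } accept

        iifname "lan0" accept
    }
}

# Header mangling lives here and is IPv4-only. Deleting this table changes
# which source address the outside world sees; it changes nothing about which
# inbound packets the filter chains above admit.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "wan0" masquerade
    }
}
```

Load with `nft -f` (after checking with `nft -c -f`). To see the point of the thread in practice, remove `table ip nat` entirely: IPv4 forwarding then behaves exactly as IPv6 already does, with unsolicited inbound packets dropped by `policy drop` because no conntrack entry exists for them, and outbound-initiated flows still working. The barrier was never the translation.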



