nanog mailing list archives

Re: Rate of growth on IPv6 not fast enough?


From: Clue Store <cluestore () gmail com>
Date: Fri, 23 Apr 2010 08:17:56 -0500

But none of this does what NAT does for a big enterprise, which is
to *hide internal topology*. Yes, addressing the privacy concerns
that come from using lower-64-bits-derived-from-MAC-address is
required, but it is also necessary (for some organizations) to
make it impossible to tell that this host is on the same subnet as
that other host, as that would expose information like which host
you might want to attack in order to get access to the financial
or medical records, as well as whether or not the executive floor
is where these interesting website hits came from.

Matthew Kaufman

Yeh that information leak is one reason I can think of for supporting
NAT for IPv6.  One of the inherent security issues with unique
addresses I suppose.
<flame-suit-on>

What makes you think that not using NAT exposes internal topology?? I have
many cases where either filtering at layer-2 or NAT'ing a /48 for itself (or
proxy-arp for those that do not have kits that can NAT IP blocks as itself)
does NOT expose internal topology. Get your filtering correctly setup, and
there is no use for NAT/PAT in v6.

NAT was designed with one purpose in mind ..... extending the life of v4...
period! The so called security that most think NAT gives them is a side
effect. NAT/PAT also breaks several protocols (PASV FTP, H.323, etc) and I
for one will be happy to see it go. I think it's a mistake to include NAT in
v6 because there are other methodologies of accomplishing all of the side
effects that everyone is used to seeing NAT provide without having to
actually translate IPs or ports.

I for one (as well as a lot of other folks I know) am not/will not be using
any kind of NAT moving forward.

</flame-suit-on>
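The quoted message above raises two concrete leaks from globally unique IPv6 addresses: an interface identifier derived from the MAC address (modified EUI-64, RFC 4291 Appendix A) reveals the hardware address and its vendor OUI, and two hosts sharing a /64 reveal that they sit on the same subnet. The following Python is an added illustration written for this page, not code from either poster or from NANOG: it derives an EUI-64 address from a MAC, shows that the MAC can be read straight back out of it, shows that an RFC 4941-style temporary address with a random identifier yields nothing, and checks subnet co-location by /64. The MAC `00:1c:42:2b:60:5a` and the `2001:db8::/32` documentation prefix are constructed sample values.

```python
import ipaddress
import secrets
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A).

    The 0xFFFE filler is inserted between the OUI and the device part, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def address_from_mac(prefix: str, mac: str) -> str:
    """SLAAC-style address: /64 prefix with an EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are formed on /64 prefixes")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def privacy_address(prefix: str) -> str:
    """RFC 4941-style temporary address: random 64-bit identifier, u/l bit cleared."""
    net = ipaddress.IPv6Network(prefix)
    iid = secrets.randbits(64) & ~(1 << 57)  # bit 57 of the IID is the u/l bit
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the identifier is modified EUI-64; None otherwise.

    This is exactly the information an observer of the address obtains for
    free; a random identifier carries no such structure.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe" or not (b[0] & 0x02):
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def same_subnet(a: str, b: str, prefixlen: int = 64) -> bool:
    """True when both addresses fall in the same on-link prefix (default /64)."""
    net_a = ipaddress.IPv6Network(f"{a}/{prefixlen}", strict=False)
    net_b = ipaddress.IPv6Network(f"{b}/{prefixlen}", strict=False)
    return net_a == net_b


if __name__ == "__main__":
    prefix = "2001:db8:0:1::/64"          # constructed documentation prefix
    slaac = address_from_mac(prefix, "00:1c:42:2b:60:5a")  # constructed MAC
    temp = privacy_address(prefix)
    print("EUI-64 address :", slaac, "-> MAC", mac_from_address(slaac))
    print("temporary addr :", temp, "-> MAC", mac_from_address(temp))
    print("same /64       :", same_subnet(slaac, temp))
    print("other /64      :", same_subnet(slaac, "2001:db8:0:2::1"))
```

Temporary addresses remove the MAC leak but not the subnet leak: `same_subnet` still returns True for any two hosts on one /64, which is the topology information the quoted message is concerned with and the reply proposes to handle with filtering rather than translation.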

