
On 07/02/2017 09:08 AM, Russell via talk wrote:
> I came across this memo of general interest to this topic. Section 4 in particular.
> https://tools.ietf.org/rfc/rfc4864.txt
> 4. Using IPv6 Technology to Provide the Market Perceived Benefits of NAT
> The facilities in IPv6 described in Section 3 can be used to provide the protection perceived to be associated with IPv4 NAT. This section gives some examples of how IPv6 can be used securely.
Yep. While I haven't read that RFC, I knew that a long time ago. The sole reason NAT provides protection is the stateful nature of it. That's set up when an outgoing connection is made, allowing the reverse traffic. Beyond that, you have to have some means of specifically allowing incoming traffic. This is no different from a firewall that has default deny all and rules added to permit access. Of course, not using NAT means you can access the same service on multiple devices, without changing port numbers, etc. On top of this, NAT requires hacks, such as VTUN, to get around the problems it causes. This is even before we get to those who are behind carrier-grade NAT and have no means of reaching their own network from the outside.
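
The stateful default-deny behaviour described in the message above, written as an nftables ruleset for an IPv6 router. This is an added example, not part of the original thread; the interface names `lan0` and `wan0` and the `2001:db8:1::/64` documentation-prefix addresses are assumptions.

```nft
# Load with: nft -f ipv6-forward.nft
table ip6 filter {
    chain forward {
        # Default deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections opened from the inside.
        # This is the same state tracking that gives NAT its protection.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open outgoing connections.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error messages must pass or path MTU discovery breaks.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Explicit permit rules for incoming traffic.
        # Without NAT, two hosts offer the same service on the same port.
        iifname "wan0" ip6 daddr { 2001:db8:1::10, 2001:db8:1::11 } tcp dport 22 accept
    }
}
```

Unsolicited inbound packets to any other address or port fall through to the `drop` policy.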