I think this probably wraps things up: Comparing IPv4 and IPv6, there are many things changed in IPv6. Some are obviously improvements. Some are improvements that most people won't care about. And some are no improvement, just different. When you boil it all down, the one thing that is likely to add any value people care about is the ability to establish p2p connections, which necessitates no NAT (or at least, no many-to-one NAT) and necessitates eliminating the "block all unknown inbound traffic" rule which has become standard on perimeter firewalls.
Regardless of people's opinions at the IETF or anywhere else, if you want to use NAT, they will never be able to stop you. If you build the perimeter firewall/router, and if you happen to implement IPv6 NAT on it, there is no technique to detect or prevent that. It's not even possible to develop a technique except inside the actual endpoint client application, which seems unlikely to care. The only way you might be prevented from using NAT in IPv6 if you want it is if there's insufficient consumer demand and hence insufficient product availability.

No, NAT will not be necessary or useful anymore in IPv6 for the sake of creating address space. Yes, NAT could be useful to mask your internal network topology from the wild world web. If you do implement NAT to mask your internal network topology, you can use an external IP for every internal IP, and therefore p2p will not be broken in IPv6 NAT as it is in IPv4 NAT.

As for security, exposing all devices directly to the Internet: there are many possible outcomes. Fundamentally, the only security that IPv4 NAT provides is to automatically block inbound unknown traffic (not established or related to an outbound connection).

(1) It's possible that some firewalls might have a similar firewall rule created for IPv6 by default, and you have to disable it if you want unknown traffic to reach your endpoint.

(2) It's possible the firewalls might ship without that rule by default, and increase the reliance on your endpoint software firewall. (Somebody should tell Apple to create a firewall that works on OSX.) ;-) heheh

(3) It's possible that devices such as your laser-printer-toaster or automated beer brewing system might just enable a simple checkbox or switch of some kind, so by default they don't take a world-routable IP address, and by default they're only accessible using the link-local address, on the local LAN.

(4) There's no reason IPv4 needs to die.
In all likelihood, devices which have no benefit from worldwide accessibility will simply use IPv4 for outbound connections. They may implement IPv6, but hopefully then they're secured by one of the above methods. There may be some more options as well, but that's all I can think of.

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
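The post's central claim is that the only security many-to-one IPv4 NAT gives you is a side effect: unsolicited inbound traffic has nowhere to go, while replies to connections started from inside do. On an IPv6 border that behaviour has to be an explicit stateful rule (outcome (1)), and it can be absent (outcome (2)), bypassed by a deliberate pinhole (the p2p case, which 1:1 NAT does not break), or made moot by a device that only holds a link-local address (outcome (3)). The model below is an added example written for this page, not code from the post or from the LOPSA list; the packet fields, the 2001:db8::/32 documentation addresses, the 1:1 address mapping, the pinhole port and the sample packets are all constructed for the illustration.

```python
"""Model of the one security property many-to-one IPv4 NAT provides for
free: inbound traffic that is not a reply to an outbound flow is dropped.
Added illustration for this page, not code from the original post; packet
fields, addresses, the 1:1 mapping and the sample packets are assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class BorderFilter:
    """Stateful border filter. Remembers the 5-tuples that left the network
    so their replies can come back (ESTABLISHED/RELATED); anything else
    inbound is dropped unless a pinhole was opened on purpose or the
    default-deny rule has been switched off (the post's outcome (1) vs (2))."""

    def __init__(self, allow_unknown_inbound=False, pinholes=()):
        self.allow_unknown_inbound = allow_unknown_inbound
        self.pinholes = set(pinholes)   # (outside dst address, dport) opened deliberately
        self.flows = set()              # 5-tuples seen leaving, in their outside view

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "accept"

    def inbound(self, pkt):
        # A device that only has fe80::/10 (outcome (3)) cannot be addressed
        # across the border at all; the filter never even gets a routable target.
        if ipaddress.ip_address(pkt.dst).is_link_local:
            return "unroutable"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "accept"             # reply to something an inside host started
        if (pkt.dst, pkt.dport) in self.pinholes:
            return "accept"             # explicit inbound allow for a listener
        return "accept" if self.allow_unknown_inbound else "drop"


class OneToOneNat:
    """1:1 IPv6 NAT (assumed static address mapping): every inside address
    owns one outside address, so an inbound packet still names exactly one
    inside host and p2p is not broken the way many-to-one IPv4 NAT breaks it."""

    def __init__(self, outside_to_inside):
        self.out_to_in = dict(outside_to_inside)
        self.in_to_out = {v: k for k, v in outside_to_inside.items()}

    def to_outside(self, pkt):
        return Packet(self.in_to_out[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def to_inside(self, pkt):
        return Packet(pkt.src, pkt.sport, self.out_to_in[pkt.dst], pkt.dport, pkt.proto)


def demo():
    """Runs constructed packets through the filter; returns the verdicts."""
    nat = OneToOneNat({"2001:db8:ffff::10": "2001:db8:1::10",
                       "2001:db8:ffff::20": "2001:db8:1::20"})
    # Host ::20 runs a p2p listener on 6881 and the admin opened a pinhole for it.
    fw = BorderFilter(pinholes={("2001:db8:ffff::20", 6881)})
    results = {}

    # 1. Inside host ::10 talks to a web server; the server's reply is let back in.
    fw.outbound(nat.to_outside(Packet("2001:db8:1::10", 40000, "2001:db8:9::80", 443)))
    results["reply_to_outbound"] = fw.inbound(
        Packet("2001:db8:9::80", 443, "2001:db8:ffff::10", 40000))

    # 2. An unsolicited probe to the same host on 22 is dropped, as IPv4 NAT would do.
    probe = Packet("2001:db8:9::bad", 5555, "2001:db8:ffff::10", 22)
    results["unsolicited_ssh"] = fw.inbound(probe)

    # 3. A peer reaches host ::20 directly: 1:1 mapping plus the explicit pinhole.
    peer = Packet("2001:db8:9::77", 6881, "2001:db8:ffff::20", 6881)
    verdict = fw.inbound(peer)
    results["p2p_pinhole"] = (verdict, nat.to_inside(peer).dst if verdict == "accept" else None)

    # 4. A printer that only has a link-local address is simply unreachable from outside.
    results["link_local_printer"] = fw.inbound(
        Packet("2001:db8:9::bad", 5555, "fe80::1", 9100))

    # 5. Outcome (2): a box shipped without the default rule accepts the same probe as in 2.
    results["no_default_rule"] = BorderFilter(allow_unknown_inbound=True).inbound(probe)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The point the model makes concrete is that the "drop unknown inbound" behaviour is a property of the stateful rule, not of address translation: case 2 is dropped with or without NAT, case 5 is accepted the moment the rule is missing, and case 3 shows that with one outside address per inside host a pinhole still lands on exactly one machine, which is what keeps p2p working.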