> Keith Moore wrote:
> > 
> > > NAT can be used for a variety of things. Perhaps we can agree that it's
> > > a good hammer when the nail is a home network, and concentrate on what
> > > to do about the large corporation issue.
> > 
> > NAT is a good hammer for a home network if and only if the only
> > purpose of a home network is to allow multiple web clients at home
> > to talk to servers in the outside world.
> > 
> > If you want to use a home network to be able to access your devices
> > at home *from* the outside world - e.g. IP telephony, IP fax,
> > instant messaging to your home, IP printing to your home printer
> > from elsewhere, setting your vcr, setting your thermostat so that the
> > house will be warm when you get there, checking the house temperature to
> > see if the air conditioner has died again, taking a peek at the kid
> > you've left home with the babysitter (or by himself) to see that
> > he's okay, investigating the alert you got from your intrusion
> > detection system, personal web server for home or home office -
> > NATs start to look like a pretty poor hammer even for home use.
> > (unless, of course, you think the purpose of hammers is to break things)
> 
> Sounds to me like at best I'd trade a NAT box with firewalling for a
> serious firewall. I have ZERO interest in allowing the kinds of things
> you describe to occur from outside. While you may not mind someone
> hacking into the microphone on your PC and using it as a bug I am a
> little less trusting.

obviously you have to have some security measures in place
before you open up such things to the outside world.  but 
that's an argument for better authentication technology, not for NAT.
without the NAT in place I could use IPSEC to authenticate myself
and punch a hole through my home firewall; with NAT in place that's 
just not possible.

> > OTOH, if you combine NAT with 6to4 for home networks, the
> > picture starts to look a bit better.  Think of 6to4 as the
> > generic ALG that rids you of the need to have separate ALGs
> > for most of the applications that NAT happens to break.
> 
> So, will any of our ISP readers go on the record as saying they'll
> provide users of dialup and DSL/cable lines with a large block of
> addresses each, instead of just a single host address? The way I read
> the ARIN IPv6 allocation policy, they're going to manage the new space
> about the same as IPv4 space. Which is to say I don't expect space to be
> readily available.

1. if IPv6 allocation policies aren't a fair amount more liberal
   than IPv4 ones in how much address space is doled out, they're
   broken.  there's still a need to aggregate addresses for routing
   purposes, but there's no need to be stingy about doling them out.

2. at any rate, 6to4 doesn't need IPv6 blocks allocated by ARIN
   or anybody else; it just needs a single IPv4 address for each
   customer.  i.e. there's already a block of IPv6 addresses 
   allocated for every v4 address and a well defined way to
   route to such v6 addresses over the v4 Internet.

   see draft-ietf-ngtrans-6to4-*

Keith

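Added example, not part of the thread or of any 6to4 implementation: the address arithmetic behind point 2. Keith's "block of IPv6 addresses allocated for every v4 address" is the 2002:WWXX:YYZZ::/48 prefix of the 6to4 spec he cites (draft-ietf-ngtrans-6to4, later RFC 3056), and the "well defined way to route" is: encapsulate in IPv4 protocol 41 toward the embedded IPv4 address of a 6to4 destination, or toward a relay for anything else. The code also shows the two things a practitioner checks. First, the derivation only works from a globally routable IPv4 address, so a host that itself sits behind a NAT with RFC 1918 space gets no usable prefix (the NAT box holding the public address is the one that must run 6to4). Second, a decapsulating gateway should require the outer IPv4 source to match the IPv4 address embedded in a 6to4 inner source, a source-consistency check of the kind the spec calls for, since otherwise anyone on the v4 Internet can inject traffic that appears to come from inside your site. Assumptions: the sample addresses are constructed (documentation ranges); the list of unusable IPv4 ranges is hand-rolled rather than taken from `ipaddress.is_global` so that those documentation addresses pass; the relay address is a caller-supplied parameter, not a hard-coded anycast address.

```python
import ipaddress
from typing import Optional

# Added example, not from the thread. 2002::/16 and the 2002:V4ADDR::/48
# derivation are from the 6to4 spec (draft-ietf-ngtrans-6to4 / RFC 3056);
# all sample addresses below are constructed documentation-range values.

SIXTO4_BLOCK = ipaddress.IPv6Network("2002::/16")

# IPv4 ranges that cannot be the source of a 6to4 prefix: 6to4 needs a
# globally unique unicast address, so RFC 1918 space behind a NAT, loopback,
# link-local, unspecified and multicast/reserved are rejected.
# Assumption: hand-rolled instead of ipaddress.is_global so that the
# documentation range 203.0.113.0/24 used in the samples is accepted.
_UNUSABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def sixto4_prefix(v4: str) -> ipaddress.IPv6Network:
    """Return the /48 that 6to4 gives a site for its global IPv4 address.

    The prefix is 2002:WWXX:YYZZ::/48 for IPv4 address WW.XX.YY.ZZ, so one
    IPv4 address yields 2**16 /64 subnets with no registry allocation.
    Raises ValueError for addresses 6to4 cannot use, which is exactly the
    position of a host behind a NAT holding only a private address.
    """
    addr = ipaddress.IPv4Address(v4)
    if any(addr in net for net in _UNUSABLE):
        raise ValueError(f"{v4} is not a global unicast address; 6to4 needs one")
    prefix_int = (0x2002 << 112) | (int(addr) << 80)   # bits 16..47 carry the v4
    return ipaddress.IPv6Network((prefix_int, 48))


def embedded_v4(v6: str) -> Optional[ipaddress.IPv4Address]:
    """If v6 lies in 2002::/16, return the IPv4 address encoded in bits 16..47."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTO4_BLOCK:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def tunnel_endpoint(dst_v6: str, relay_v4: str) -> ipaddress.IPv4Address:
    """IPv4 address to encapsulate an IPv6 packet toward (IP protocol 41).

    A 6to4 destination is reached directly at its embedded IPv4 address over
    the ordinary v4 Internet; any other IPv6 destination is sent to a 6to4
    relay router.  relay_v4 is assumed to be operator-configured.
    """
    direct = embedded_v4(dst_v6)
    return direct if direct is not None else ipaddress.IPv4Address(relay_v4)


def accept_decapsulated(outer_src_v4: str, inner_src_v6: str) -> bool:
    """Anti-spoofing check on a received protocol-41 packet.

    If the inner IPv6 source is a 6to4 address, the outer IPv4 source must be
    the address embedded in it; otherwise the packet is dropped.  Inner
    sources outside 2002::/16 came via a relay and cannot be checked this
    way, so they pass here (a real gateway still applies its normal IPv6
    ingress filtering to them).
    """
    embedded = embedded_v4(inner_src_v6)
    if embedded is None:
        return True
    return embedded == ipaddress.IPv4Address(outer_src_v4)


if __name__ == "__main__":
    site = sixto4_prefix("203.0.113.5")          # constructed public address
    print(site)                                   # 2002:cb00:7105::/48
    print(tunnel_endpoint("2002:cb00:7105:1::1", relay_v4="198.51.100.1"))
    print(tunnel_endpoint("2001:db8::1", relay_v4="198.51.100.1"))
    print(accept_decapsulated("203.0.113.5", "2002:cb00:7105:1::1"))   # True
    print(accept_decapsulated("198.51.100.9", "2002:cb00:7105:1::1"))  # False
    try:
        sixto4_prefix("192.168.1.1")              # RFC 1918, i.e. behind a NAT
    except ValueError as err:
        print("rejected:", err)
```

The rejection branch is the crux of the "NAT plus 6to4" proposal: the device that owns the public IPv4 address can mint a whole /48 for the home, while a host that only ever sees a 192.168.x.x address cannot, so 6to4 has to run on the NAT box itself.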