> Keith,
>
> A complete comparison would include that, if you have a NAT66, having it
> stateful provides *more* privacy to users, and provides topology hiding.

true, but there are better ways than NAT of discouraging address tracking. a stateless NAT can still hide topology. nothing says that a stateless mapping has to be one where the prefix bits in the internal address have to be a fixed offset from those in the external address. you could generate an invertible/stateless mapping by encrypting/decrypting those bits with a constant key and symmetric cipher. the mapping would still be stateless, but the externally visible addresses would have an apparently random relationship with the internal addresses.

> Besides, until a convincing scenario showing that, where IPv6 FWs are
> available, the pros of any NAT66 outweigh the cons, I keep doubts that
> deploying NAT66 is a good choice.

I share those doubts. But it's hard for every email message about the topic to encompass the entire range of concerns that necessarily weigh into this discussion.

> Yet, if some *users* have firm plans to deploy NAT66 anyway, some with
> stateful NATs, some with stateless NATs, that's up to them.
> Under this assumption, their wish to standardize these NATs is obviously
> legitimate.

strongly disagree. the desire to standardize mechanisms that are known to do harm to applications is not legitimate. nor is this consistent with long-established IETF standardization criteria.

Keith

_______________________________________________
nat66 mailing list
https://www.ietf.org/mailman/listinfo/nat66
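
The keyed stateless mapping described in the message above, sketched as an added example (not code from the thread or from any NAT66 specification). Assumptions: /48 prefixes on both sides so that the 16 subnet bits are the "prefix bits" being encrypted, a constructed key and constructed prefixes, and a 4-round Feistel network over HMAC-SHA256 standing in for the "symmetric cipher".

```python
import hashlib
import hmac
import ipaddress

# All values below are constructed for illustration (assumptions, not from the thread).
KEY = b"constructed-demo-key"                             # the constant key
INTERNAL = ipaddress.IPv6Network("fd00:1234:5678::/48")   # inside prefix
EXTERNAL = ipaddress.IPv6Network("2001:db8:abcd::/48")    # outside prefix
ROUNDS = 4

def _f(rnd: int, half: int) -> int:
    """Keyed round function: 8 bits in, 8 bits out."""
    return hmac.new(KEY, bytes([rnd, half]), hashlib.sha256).digest()[0]

def permute(subnet: int, decrypt: bool = False) -> int:
    """Feistel network over the 16 subnet bits: a keyed, invertible mapping."""
    left, right = subnet >> 8, subnet & 0xFF
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if decrypt:
            left, right = right ^ _f(rnd, left), left
        else:
            left, right = right, left ^ _f(rnd, right)
    return (left << 8) | right

def translate(addr: str, outbound: bool = True) -> str:
    """Rewrite one address using only the key: no per-flow or per-host table."""
    src, dst = (INTERNAL, EXTERNAL) if outbound else (EXTERNAL, INTERNAL)
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {src}")
    subnet = (int(ip) >> 64) & 0xFFFF          # the 16 bits after the /48 prefix
    iid = int(ip) & ((1 << 64) - 1)            # interface identifier, left as-is
    mapped = permute(subnet, decrypt=not outbound)
    return str(ipaddress.IPv6Address(int(dst.network_address) | (mapped << 64) | iid))

if __name__ == "__main__":
    for n in range(1, 5):                      # adjacent internal subnets
        inside = f"fd00:1234:5678:{n:x}::10"
        outside = translate(inside)
        print(inside, "->", outside, "->", translate(outside, outbound=False))
```

The interface identifier passes through unchanged, so this hides subnet layout but not host identity. A 16-bit domain is also small enough that anyone holding matched inside/outside pairs can tabulate the mapping.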
