On 02/14/2011 11:17 AM, Florin Iucha wrote:
> On Mon, Feb 14, 2011 at 10:45:39AM -0600, Justin Krejci wrote:
>> Explain how NAT does this? NAT simply mangles the IP headers.
>> A stateful firewall can protect you from port scans and other baddies
>> without NAT.
> 
> If an attacker can't know your IP address, they can't connect to it.

 Is that a motive to postpone IPv6 deployment?  If so, see RFC 3041
(Privacy Extensions).  However, using security-by-obscurity as an
argument on this list is almost as pointless as Godwinning the thread... ;-)

>> It is bad because it has broken protocols, applications, and end-to-end
>> communications and caused much grief and likely loss of functionality in
>> various applications because of it, unseen loss of functionality.
> 
> Facebook?  Google?  Flickr?  Netflix?

 Actually, yes, possibly.  LSN/CGN (large-scale/carrier-grade NAT) has
the potential to wreak havoc on AJAX-happy implementations, simply due
to port exhaustion (as you later mentioned).  IIRC Google (particularly
Maps) and Facebook are pretty AJAX-heavy; I imagine the others might be.

>> I maintain NAT is evil. And even "extending the life of IPv4" is
>> debatable as a plus for the overall picture.
> 
> I do not maintain that NAT is beautiful for everybody all the time.
> But 'evil' is a loaded term that should be reserved for special occasions.

 I can agree with your position on the word "evil."  The word is tossed
around far too casually -- I'm guilty of that, too.

 The pro/anti NAT discussion has been played out many times before,
probably most frequently on the NANOG list.

     Jima
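The claim in the quoted exchange above, that a stateful firewall protects an inside host from port scans without any address translation, is easy to illustrate with a small model of connection tracking. The following is an added example, not code from the thread or from any firewall product: a toy filter that keys on the 5-tuple, admits inbound packets only when they match state created by an outbound flow (or an explicitly exposed service), and never rewrites an address. The prefix 2001:db8:1::/48 standing in for the inside network, the scanner and server addresses, and the port choices are all constructed for the demonstration.

```python
"""Toy stateful packet filter with no NAT (added example; not from the thread).

Inside hosts use the documentation prefix 2001:db8:1::/48 (assumption for
this model). Addresses are globally routable and never rewritten; what keeps
a scanner out is connection-tracking state, not address hiding.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Flow key: (src, sport, dst, dport, proto). No translation table anywhere.
Flow = Tuple[str, int, str, int, str]

INSIDE_PREFIX = "2001:db8:1::"  # constructed inside network for the example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


class StatefulFilter:
    """Accepts established/related traffic and new outbound flows; drops the rest."""

    def __init__(self, allowed_inbound: Iterable[Tuple[str, int]] = ()) -> None:
        # Conntrack-style table: forward flow key -> state. Replies are matched
        # by looking up the reversed 5-tuple, exactly as a real tracker does.
        self.table: Dict[Flow, str] = {}
        # Services deliberately exposed, as (inside address, port).
        self.allowed_inbound: Set[Tuple[str, int]] = set(allowed_inbound)

    @staticmethod
    def _key(p: Packet) -> Flow:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> Flow:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def forward(self, p: Packet) -> str:
        """Return 'accept' or 'drop'. The packet itself is left untouched."""
        if self._key(p) in self.table or self._reverse(p) in self.table:
            return "accept"  # part of an existing flow, either direction
        if is_inside(p.src) and not is_inside(p.dst):
            self.table[self._key(p)] = "established"  # new outbound: create state
            return "accept"
        if is_inside(p.dst) and (p.dst, p.dport) in self.allowed_inbound:
            self.table[self._key(p)] = "established"  # explicitly exposed service
            return "accept"
        return "drop"  # unsolicited inbound, including every scan probe


def simulate_port_scan(fw: StatefulFilter, scanner: str, target: str,
                       ports: Iterable[int]) -> int:
    """Count how many scanner probes reach the inside target."""
    return sum(1 for port in ports
               if fw.forward(Packet(scanner, 40000 + port, target, port)) == "accept")


def simulate_client_session(fw: StatefulFilter, client: str, server: str) -> Tuple[str, str, str]:
    """Outbound request, the server's reply, then an unsolicited probe from the same server."""
    request = fw.forward(Packet(client, 50123, server, 443))
    reply = fw.forward(Packet(server, 443, client, 50123))
    unrelated = fw.forward(Packet(server, 443, client, 50124))  # not a reply to anything
    return request, reply, unrelated


if __name__ == "__main__":
    fw = StatefulFilter()
    scanner, target, server = "2001:db8:ffff::bad", "2001:db8:1::10", "2001:db8:ffff::80"
    print("probes admitted:", simulate_port_scan(fw, scanner, target, range(1, 1025)))
    print("session verdicts:", simulate_client_session(fw, target, server))
```

The inside host keeps its real address throughout, so the scanner can target it directly; every probe is still dropped because nothing in the state table matches it, while the reply to the host's own outbound connection is admitted. Exposing a service is an explicit decision (the `allowed_inbound` set) rather than a side effect of translation.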