My posting wasn't concerning what I think; it was concerning what is commonly done today in industry. I also didn't intend to imply that the NAT was being used as a firewall, rather that the NAT is commonly used today as an element within firewalls. My own thoughts (which are off-topic) are that traditional firewalls have had their day and remain valuable. However, I am actively pursuing alternatives which perform the same functions without impacting the end-to-end performance of the protocols. Research into several approaches like this has excited me. But then, I've wandered far off topic.

-----Original Message-----
From: James Seng [mailto:jseng@pobox.org.sg]
Sent: Wednesday, June 18, 2003 10:38 PM
To: Fleischman, Eric
Cc: EKR; Keith Moore; pbaker@verisign.com; Ronald.vanderPol@rvdp.org; aarsenau@bbn.com; ietf@ietf.org
Subject: Re: myth of the great transition (was US Defense Department formally adopts IPv6)

If you need a secure zone, and you want a firewall, then you should install a firewall. You should not put in a NAT thinking that it is also a firewall. But I agree with you that NAT is here to stay.

-James Seng

Fleischman, Eric wrote:
> Eric Rescorla [mailto:ekr@rtfm.com] wrote:
>
>>> similarly, people who install NAT usually don't realize how much this
>>> costs them in lost functionality and reliability.
>
>> Really? You have evidence of this?
>
>> I don't either, but my intuition is that you're wrong. Once you have
>> decided to have a firewall in place (which you may think is evil, but
>> I consider pretty much a necessary evil), I suspect that most people
>> suffer almost not at all from having a NAT.
>
> I believe that Eric is pointing out an important point: many deployments of NATs have nothing to do with IPv4 address conservation. Rather, they are firewall adjuncts implemented to hide internal networks from outside scrutiny and direct access.
>
> One point where I disagree with my IPv6-advocating friends is that I expect firewall-related NATs to continue to be deployed within Internet (including IPv6) environments until such a time as real-time-protocol and peer-to-peer-protocol friendly "distributed firewall" (policy zones) variants become the preferable "due diligence" alternative for CIOs.
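The two claims argued above, that a NAT "hides internal networks from direct access" but is not itself a firewall, and that it costs "lost functionality" for peer-to-peer protocols, can be made concrete with a small model of a port-translating NAT. The following is an added illustration written for this page, not code from any of the posters; the hosts, ports and packets are constructed, and the `Nat` class, `Packet` type and `demo` function are names chosen here. The filtering modes use the RFC 4787 terms: with endpoint-independent filtering, any external host may send to a mapped port once it exists; only address-and-port-dependent filtering (a stateful check on the remote endpoint, which is firewall behaviour rather than address translation) rejects the stranger.

```python
# Added example: minimal NAPT model showing what a NAT does and does not block.
# All addresses (RFC 5737 documentation ranges) and packets are constructed here.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class Nat:
    """Port-translating NAT with endpoint-independent mapping (one external
    port per internal ip:port, reused for every destination).  The `filtering`
    argument picks how inbound packets are checked against the table."""

    def __init__(self, external_ip: str, filtering: str = "endpoint-independent"):
        assert filtering in ("endpoint-independent", "address-and-port-dependent")
        self.external_ip = external_ip
        self.filtering = filtering
        self._next_port = 40000
        self._map: Dict[Tuple[str, int], int] = {}       # (int_ip, int_port) -> ext_port
        self._rev: Dict[int, Tuple[str, int]] = {}       # ext_port -> (int_ip, int_port)
        self._peers: Set[Tuple[int, str, int]] = set()   # (ext_port, remote_ip, remote_port)

    def outbound(self, p: Packet) -> Packet:
        """Translate an internal->external packet, allocating a mapping if needed."""
        key = (p.src_ip, p.src_port)
        if key not in self._map:
            self._map[key] = self._next_port
            self._rev[self._next_port] = key
            self._next_port += 1
        ext_port = self._map[key]
        self._peers.add((ext_port, p.dst_ip, p.dst_port))
        return Packet(self.external_ip, ext_port, p.dst_ip, p.dst_port, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Return the translated external->internal packet, or None if dropped."""
        if p.dst_ip != self.external_ip or p.dst_port not in self._rev:
            # No mapping: the only "protection" translation itself provides,
            # and also why an internal peer-to-peer listener is unreachable.
            return None
        if (self.filtering == "address-and-port-dependent"
                and (p.dst_port, p.src_ip, p.src_port) not in self._peers):
            # Stateful check on the remote endpoint: firewall behaviour,
            # not something address translation gives you for free.
            return None
        int_ip, int_port = self._rev[p.dst_port]
        return Packet(p.src_ip, p.src_port, int_ip, int_port, p.proto)


def demo(filtering: str = "endpoint-independent") -> Dict[str, object]:
    """Run three constructed packets through the NAT and report what got through."""
    nat = Nat("203.0.113.7", filtering)
    # Internal host 10.0.0.5 contacts peer A; the NAT allocates external port 40000.
    out = nat.outbound(Packet("10.0.0.5", 5000, "198.51.100.10", 3478))
    # Peer A's reply comes back to the mapped port.
    reply = nat.inbound(Packet("198.51.100.10", 3478, "203.0.113.7", out.src_port))
    # Peer B, never contacted by the internal host, sends to the same mapped port.
    stranger = nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.7", out.src_port))
    # Peer B also tries an internal listener (port 6881) that never sent anything.
    unsolicited = nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.7", 6881))
    return {
        "mapped_port": out.src_port,
        "reply_delivered": reply is not None and reply.dst_ip == "10.0.0.5",
        "stranger_delivered": stranger is not None,
        "unsolicited_delivered": unsolicited is not None,
    }


if __name__ == "__main__":
    for mode in ("endpoint-independent", "address-and-port-dependent"):
        print(mode, demo(mode))
```

With endpoint-independent filtering the stranger's packet is delivered to 10.0.0.5 as soon as a mapping exists, which is the behaviour James Seng warns about when a NAT is mistaken for a firewall; in both modes the inbound connection to the internal listener is dropped because nothing ever created a mapping for it, which is the functionality loss for peer-to-peer and real-time protocols that Keith Moore and Eric Fleischman discuss.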