Keith, >> Michel Py wrote: >> IMHO, here is the deal: IPv4 NAT does suck, but there is >> nothing we can do to remove it; so the only worthy >> efforts are 1) maybe try to make it less worse (I will >> not go as far as saying better) and 2) let's not make >> the same mistake with IPv6. > Keith Moore wrote: > that's it in a nutshell. I'm glad we could find something to agree on. > I believe the primary purpose of firewalls should be to > protect the network, not the hosts, from abusive or > unauthorized usage. I do not agree with this. The primary purpose of firewalls is to protect BOTH the network and the hosts. > the firewall without the NAT would be even more useful. No argument here, but the way it is going to happen is not by bashing at NAT but by developing the missing piece, namely a scalable solution for portable identifiers. > an intermediary MUST NOT alter the source or destination > field in an IP header. There is nothing wrong with this if another intermediary puts it back the way it was originally, preserving end-to-end traffic. Michel.