Hallam-Baker, Phillip wrote:

> It's not exactly a surprise, folk seem to place a higher premium on shooting
> NAT than anything else. Meanwhile the vast majority of residential broadband
> access is behind NAT.
>
> And from a security point I want to see as much NAT as possible. Without NAT
> we would be in a much worse situation security-wise than we are today. NAT is
> a blunt instrument but it shuts down inbound server connects. And that is
> such a good thing from the point of view of stopping propagation of network
> worms.
>

From a security point the thing to do is for everyone to disconnect from the
Internet and go back to stone knives and bearskins.

NAT hasn't done a thing to stop the propagation of network worms. The worms
just interpreted the NATs as damage and routed around them by using email
attachments and HTTP until they could set up their own connections to tunnel
through the NATs. Misplaced confidence in NATs as a security measure did a lot
to help make this possible.

> Which brings me to domain-centric administration. To support the security
> objectives we need a support infrastructure for network administration that
> gets us out of the machine code era. Today we don't administer networks, we
> administer individual hosts connected to the network. The days in which an
> IP network is a reasonable security domain are quickly disappearing. People
> have to stand on their heads to make this work. IP addresses never have been
> good security tokens.

> Most residential systems don't need inbound service requests. So block them.
>

In other words, you want to effectively cripple residential users to only
running applications that are supported by big media companies, and hamper
the development of new applications on the internet. There are no polite words
to describe how heinous an idea this is.

Keith

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
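As an added illustration of the two positions in the exchange above (example code written for this page, not code from the thread, from either author, or from any IETF document), here is a toy connection-tracking NAT in Python. All addresses, ports and packets are constructed for the illustration. Scenario 1 shows the point Hallam-Baker makes: an unsolicited inbound probe to a LAN host's file-sharing port has no table entry and is dropped. Scenario 2 shows Keith's: once a host behind the NAT has been compromised by some other route and opens an outbound connection, the mapping that connection creates lets the remote end send whatever it likes back through the same flow, so the NAT is no obstacle at all.

```python
"""Toy connection-tracking NAT: outbound flows create mappings, unsolicited
inbound packets are dropped, replies on an existing mapping pass.

Added example for the NAT discussion; not the thread's or any RFC's code.
Addresses use RFC 5737 documentation ranges and are constructed.
"""
from dataclasses import dataclass
from typing import Optional

INSIDE_PREFIX = "10.0.0."      # constructed: the private LAN behind the NAT
PUBLIC_IP = "203.0.113.7"      # constructed: the NAT's single public address
FIRST_PUBLIC_PORT = 40000      # assumed: where this toy starts allocating ports


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Minimal NAPT: only flows opened from inside get a translation entry.

    Omits everything a real box does (timeouts, TCP state, ALGs, hairpinning);
    just enough to show which direction of traffic a NAT actually stops.
    """

    def __init__(self) -> None:
        # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.outbound: dict[tuple[str, int, str, int], int] = {}
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.inbound: dict[tuple[int, str, int], tuple[str, int]] = {}
        self.next_port = FIRST_PUBLIC_PORT
        self.log: list[tuple[str, Packet]] = []

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith(INSIDE_PREFIX)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if the NAT drops it."""
        if self.is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.outbound:
                # New outbound flow: allocate a public port, remember both directions.
                self.outbound[key] = self.next_port
                self.inbound[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                self.next_port += 1
            self.log.append(("allow-out", pkt))
            return Packet(PUBLIC_IP, self.outbound[key], pkt.dst, pkt.dport)

        # Inbound: pass only if it matches a flow some inside host already opened.
        inside = self.inbound.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            self.log.append(("drop-in", pkt))        # no mapping: unsolicited, dropped
            return None
        self.log.append(("allow-in", pkt))
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


def worm_scan_blocked() -> bool:
    """Scenario 1: an outside worm probes the LAN host's SMB port (constructed)."""
    nat = NatBox()
    probe = Packet("198.51.100.9", 51234, PUBLIC_IP, 445)
    return nat.forward(probe) is None


def reverse_tunnel_allowed() -> bool:
    """Scenario 2: malware delivered by other means (e.g. an attachment) calls out."""
    nat = NatBox()
    beacon = nat.forward(Packet("10.0.0.23", 50001, "198.51.100.9", 80))
    assert beacon is not None                      # outbound always allowed
    # The remote side answers on the allocated public port; the NAT lets it in
    # and delivers it to the infected host. Every later command rides this flow.
    reply = nat.forward(Packet("198.51.100.9", 80, PUBLIC_IP, beacon.sport))
    return reply is not None and (reply.dst, reply.dport) == ("10.0.0.23", 50001)


if __name__ == "__main__":
    print("inbound worm probe dropped:", worm_scan_blocked())
    print("outbound-initiated C2 flow passes:", reverse_tunnel_allowed())
```

The only thing the table does is remember who spoke first. Blocking "inbound server connects" is therefore exactly what it achieves and exactly all it achieves: a host that has already been infected through mail or a web download opens the flow itself, and from then on the NAT forwards the attacker's traffic like any other reply.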