Re: Netfilter (Linux) Does IPv6 NAT

Brian E Carpenter wrote:
> 
> Martin Rex wrote:
> > Sabahattin Gucukoglu wrote:
> >> In case you didn't see this:
> >> http://www.h-online.com/open/news/item/Netfilter-developers-working-on-NAT-for-ip6tables-1385877.html
> >>
> >> It's a complete IPv6 NAT implementation with the functionality of
> >> the IPv4 one in the same stack.  ALGs.  Port translation.  Connection
> >> tracking.  You don't need me to tell you why I don't like this.
> > 
> > 
> > I fail to understand the issue that you have with this.
> > 
> > Doing home gateways and *NOT* using dynamic temporary IPv6 addresses for
> > outbound connections by default (i.e. *NO* static network prefix that
> > can be linked to a single ISP customer) 
> 
> 
> I think you're confused. Whatever IPv6 source address is in the outgoing
> packet from the CPE is bound 1:1 to the subscriber. You can't conceal
> the address of the subscriber, if you ever want to get any packets back.

The outgoing packet is bound 1:1 to the ISP of the subscriber, and only
the ISP knows to which of his customers he is routing the datagrams
during any specific point in time.  The DHCP lease should be 24h at most
and the ISP is bound by data protection laws to not make the mapping
publicly accessible except under very specific legal exceptions.


> 
> If you want to protect the privacy of individuals within the home (etc.)
> behind the CPE, you can use IPv6 privacy addresses. But the traffic will
> still be traceable back to the CPE, of course.

The so-called "IPv6 privacy addresses" are terminology FUD.

> 
> I hope you aren't under the illusion that NAT44 in CPE provides any
> privacy.

For my ISP (and it seems to be the norm for German home customers),
that is not an illusion, but rather a feature.

-Martin
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

