RE: Netfilter (Linux) Does IPv6 NAT

Hi Martin, 


The assumption that information is present only within the IP address is erroneous.
This has been studied for mobile IPv6 users as well, and there is information leakage up and down the stack.

We have local source address selection mechanisms in recent Windows versions that use randomized IIDs on outbound connections today.  This doesn't prevent exposure of the information regarding the internal network structure, but nor do firewalls at publicly addressed IPv4 institutions today.

Putting NATs on the path just causes the device inside the network to be unaware of its presented addresses, which means that it will impede peer-to-peer communications, as it cannot even describe its available services without external information services.

This is the awful situation in IPv4 today:  Address scarcity is not the problem, addressability is the problem.

Greg Daley

> -----Original Message-----
> From: ietf-bounces@xxxxxxxx [mailto:ietf-bounces@xxxxxxxx] On Behalf Of
> Martin Rex
> Sent: Tuesday, 6 December 2011 1:00 PM
> To: mail-dated-1325290081.a3a4e0@xxxxxxxxxxxxxxxxxxxxxxxx
> Cc: ietf@xxxxxxxx
> Subject: Re: Netfilter (Linux) Does IPv6 NAT
> 
> Sabahattin Gucukoglu wrote:
> >
> > In case you didn't see this:
> > http://www.h-online.com/open/news/item/Netfilter-developers-working-on-NAT-for-ip6tables-1385877.html
> >
> > It's a complete IPv6 NAT implementation with the functionality of the
> > IPv4 one in the same stack.  ALGs.  Port translation.  Connection
> > tracking.  You don't need me to tell you why I don't like this.
> 
> 
> I fail to understand the issue that you have with this.
> 
> Doing home gateways and *NOT* using dynamic temporary IPv6 addresses
> for outbound connections by default (i.e. *NO* static network prefix
> that can be linked to a single ISP customer) would be extremely
> irresponsible with respect to data privacy protection.
> 
> Without that, I consider IPv6 a complete no-go.
> 
> And many DSL routers are based on Linux, so having an implementation of
> such a NAT is a prerequisite before IPv6 can be reasonably offered to
> home customers in Europe.
> 
> I'm perfectly OK with folks getting static IPv6 network prefixes for
> specific applications that desperately need it.  But the default
> definitely ought to be temporary dynamic IPv6 addresses, especially for
> outbound connections.
> 
> 
> -Martin
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf

