In message <20120404212135.0E09A18C092@xxxxxxxxxxxxxxxxxxx>, Noel Chiappa writes:

> > From: Doug Barton <dougb@xxxxxxxxxxxxx>
>
> > My comments were directed towards those who still have the mindset,
> > "NAT is the enemy, and must be slain at all costs!"
>
> In semi-defense of that attitude, NAT (architecturally) _is_ a crock - it puts
> 'brittle' (because it's hard to replicate, manage, etc) state in the middle of
> the network. Having said that, I understand why people went down the NAT road
> - when doing a real-world cost/benefit analysis, that path was, for all its
> problems, the preferable one.
>
> Part of the real problem has been that the IETF failed to carefully study, and
> take to heart, the operational capabilities which NAT provided (such as
> avoidance of renumbering, etc, etc), and then _failed to exert every possible
> effort_ to provide those same capabilities in an equally 'easy to use' way.
>
> Noel

Most of the renumbering issues that remain are outside of the purview of the
IETF. Hosts have had the ability to securely register themselves in the DNS
for a decade now. Microsoft AD has hosts register themselves using these
mechanisms. DHCP handles both static and dynamic addresses.

Now we may want a way for a host to register itself securely with the
firewall. That way when a host's IP address changes the firewall gets
updated.

Most of the renumbering problem is people refusing to get out of the way of
automation.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx