Hi. I'd like to speak in favor of maintaining endpoint independent filtering as the default and maintaining requirement 11 D. I think requirement 11 D is important for avoiding some hard to analyze but potentially very dangerous security problems. If I can trick a NAT into replacing an existing mapping by causing resource exhaustion then I could probably attack that. Unfortunately such attacks tend to appear minor or hard to exploit until someone puts together what turns out to be a fairly reliable exploit against some equipment, then you have a real mess. I believe the stability of application argument argues for endpoint independent filtering.