On 06/25/2014 01:06 PM, Masataka Ohta wrote:
>> Given that address translation needs things like
>> CGN, STUN, uPnP and port forwarding to get the most basic of things
>> working,
>
> Wrong.
>
> While uPnP involves end systems a little, they hide address
> translation from the end systems, which is why they destroy
> the end to end transparency (with uPnP, there can be the end
> to end transparency for applications over TCP or UDP).
>

and uPnP has been a security nightmare. It may hide your internal addresses, but who cares about that if it creates an attack surface that can open up your entire network?

Other NAT workarounds include (sometimes unpredictable) third parties that should be unnecessary (STUN, Skype, and probably any number of game-related solutions). Or they force people onto a fixed internal address while they could be switching it around (port forwarding).

>> I think the whole picture gives you less privacy and security
>> than a completely untranslated end-to-end world does.
>
> The amount of privacy is the same. It is merely that ISPs must have
> more logs, as long as they assign address/port dynamically on
> demand.
>
> But, if ISPs assign one of their customers an address and a range
> of port numbers, the amount of logging is the same.
>
> That is, assigning a customer 192.0.2.1 is not very different
> from assigning the customer port 1024 to 1279 of 192.0.2.1.
>

yeah, from an ISP point of view it's the same.

Jelte
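The point both participants agree on, that a customer holding a whole address and a customer holding a fixed port range of a shared address are equally attributable, is easiest to see in the lookup an abuse desk actually performs. The following is an added example, not code from the thread or from either author: it keeps a static lease table (constructed sample values using the documentation prefixes 192.0.2.0/24 and 198.51.100.0/24, with port ranges chosen to match the 1024 to 1279 example in the quoted mail), parses constructed flow-log lines of an assumed `src=IP:PORT` format, resolves each source to a subscriber, and checks the table for overlapping ranges, which is the misconfiguration that would make two customers indistinguishable.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Lease:
    """One subscriber's public address plus the inclusive port range they own.
    A whole-address lease is simply the range 0..65535."""
    subscriber: str
    address: str
    port_lo: int
    port_hi: int

    def covers(self, address: str, port: int) -> bool:
        return self.address == address and self.port_lo <= port <= self.port_hi


# Constructed lease table (hypothetical subscribers): three customers share
# 192.0.2.1 in 256-port blocks, one customer has all of 192.0.2.200.
LEASES: List[Lease] = [
    Lease("cust-A", "192.0.2.1", 1024, 1279),
    Lease("cust-B", "192.0.2.1", 1280, 1535),
    Lease("cust-C", "192.0.2.1", 1536, 1791),
    Lease("cust-Z", "192.0.2.200", 0, 65535),
]

# Assumed log format: "<timestamp> src=IP:PORT dst=IP:PORT proto=..."
LOG_RE = re.compile(r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\b")


def resolve(address: str, port: int, leases: List[Lease] = LEASES) -> Optional[str]:
    """Map a logged source address/port to a subscriber, or None if unassigned.
    With static ranges this needs no per-connection NAT log at all."""
    for lease in leases:
        if lease.covers(address, port):
            return lease.subscriber
    return None


def parse_src(line: str) -> Optional[Tuple[str, int]]:
    """Extract (ip, port) from a log line; reject malformed or out-of-range ports."""
    m = LOG_RE.search(line)
    if not m:
        return None
    port = int(m.group("port"))
    if port > 65535:
        return None
    return m.group("ip"), port


def attribute(line: str, leases: List[Lease] = LEASES) -> Optional[str]:
    """Full pipeline: log line -> source tuple -> subscriber."""
    src = parse_src(line)
    if src is None:
        return None
    return resolve(src[0], src[1], leases)


def find_overlaps(leases: List[Lease]) -> List[Tuple[str, str]]:
    """Return pairs of subscribers whose ranges on the same address intersect.
    A non-empty result means attribution is ambiguous for those ports."""
    overlaps = []
    for i, a in enumerate(leases):
        for b in leases[i + 1:]:
            same_addr = a.address == b.address
            if same_addr and a.port_lo <= b.port_hi and b.port_lo <= a.port_hi:
                overlaps.append((a.subscriber, b.subscriber))
    return overlaps


# Constructed sample flow log lines.
SAMPLE_LOG = [
    "2014-06-25T13:06:00Z src=192.0.2.1:1100 dst=198.51.100.7:443 proto=tcp",
    "2014-06-25T13:06:01Z src=192.0.2.1:1400 dst=198.51.100.7:443 proto=tcp",
    "2014-06-25T13:06:02Z src=192.0.2.1:5000 dst=198.51.100.7:443 proto=tcp",
    "2014-06-25T13:06:03Z src=192.0.2.200:40000 dst=198.51.100.7:443 proto=tcp",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line.split()[1], "->", attribute(line))
    print("overlapping leases:", find_overlaps(LEASES))
```

The third sample line (port 5000 on the shared address) resolves to nobody, which is the honest answer for a port outside every allocated block; an ISP that instead assigns ports dynamically on demand would have to consult a timestamped per-connection NAT log to answer the same question, which is the extra logging the quoted mail refers to.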