> -----Original Message-----
> From: netfilter-devel-owner@xxxxxxxxxxxxxxx [mailto:netfilter-devel-owner@xxxxxxxxxxxxxxx] On Behalf Of David Miller
> Sent: Thursday, July 14, 2011 4:17 PM
> To: jengelh@xxxxxxxxxx
> Cc: T.Moes@xxxxxxxxxxxxxxxxx; netfilter-devel@xxxxxxxxxxxxxxx
> Subject: Re: NAT66 : A first implementation
>
> From: Jan Engelhardt <jengelh@xxxxxxxxxx>
> Date: Fri, 15 Jul 2011 01:15:47 +0200 (CEST)
>
> > Of course yours is feature-richer. But the topic of IPv6 NAT has
> > come up a number of unrecollectable times, and the response has been the
> > same every time - NAT is still an ugly undesired hack whose recurrence
> > wants to be avoided.
>
> You can't avoid it.
>
> People want to hide the details of the topology of their
> internal networks, therefore we will have NAT with ipv6
> no matter what we think or feel.
>
> Everyone needs to stop being in denial, now.

People will use IPv6 NAT if they perceive its benefits outweigh its costs.

Its costs will be significant. All that connection state tracking will translate to more hardware. Managing multiple, possibly overlapping, private network address spaces will mean more administrative headaches.

The benefit, hiding the IPv6 addresses of hosts and routers in internal networks, is I suspect less tangible. NAT in and of itself doesn't provide enough security to be relied upon solely, so you need firewalls in any case. And unlike IPv4, you can't argue that you have to use NAT because of lack of address space.

I think maybe we will get lucky. The bean counters may well keep the specter of IPv6 NAT at bay. 8^)