
Re: address and port translation (NAT) no longer required in IPv6 -- but...



Hello,

Rick Thomas wrote:
> 
> It eliminates the need for masquerading and port translation, but it  
> does not eliminate the need for a proper firewall.

Unfortunately the abundance of public IPv6 space does not totally eliminate
the need for NAT in some situations. Otherwise there would not be that
RFC 5902 about IPv6 NAT... Situations where NAT may help which come to
mind are multi-homing with ISP-specific prefixes, prefix renumbering...

> An (IPv4) router/NAT-box has the unavoidable side-effect of not  
> allowing any incoming (Internet -> LAN) connections unless they have  
> been explicitly programmed by the user. Most people consider this to  
> be a "good thing".

Actually this is primarily a side effect of the use of private addresses
which are (supposedly) unreachable from the public internet, not NAT.
Some NAT implementations may act as a firewall, but this is
implementation-dependent. Remember that the netfilter IPv4 NAT
implementation in the Linux kernel does not do any filtering.
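
Added example, not part of the original message: a coarse audit of an `iptables-save` dump that reports whether a box doing netfilter NAT also filters forwarded traffic. The two rulesets, the interface names and the 192.168.1.0/24 network are constructed for illustration, and the "filtered" test is a simple heuristic (FORWARD policy DROP, or any DROP/REJECT rule in FORWARD).

```python
import re

# Constructed sample: NAT configured, nothing loaded in the filter table.
NAT_ONLY = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed sample: the same NAT rule plus stateful forward filtering.
NAT_AND_FILTER = NAT_ONLY + """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [targets]}}}."""
    tables, cur = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header, e.g. *nat
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif cur is None or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):                    # chain declaration with policy
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A "):                  # appended rule; record its target
            m = re.search(r"\s-j\s+(\S+)", line)
            cur["rules"].setdefault(line.split()[1], []).append(m.group(1) if m else None)
    return tables

def audit(dump):
    """Summarise whether NAT is in use and whether FORWARD actually filters."""
    t = parse(dump)
    nat_rules = t.get("nat", {"rules": {}})["rules"].get("POSTROUTING", [])
    flt = t.get("filter", {"policy": {}, "rules": {}})
    policy = flt["policy"].get("FORWARD", "ACCEPT")   # built-in chains default to ACCEPT
    filtered = policy == "DROP" or any(
        tg in ("DROP", "REJECT") for tg in flt["rules"].get("FORWARD", []))
    return {"nat": any(tg in ("MASQUERADE", "SNAT") for tg in nat_rules),
            "forward_policy": policy, "forward_filtered": filtered}

if __name__ == "__main__":
    print(audit(NAT_ONLY), audit(NAT_AND_FILTER), sep="\n")
```

A result with `nat` true and `forward_filtered` false is the case described above: translation is configured, but any packet routed to the box for an inside address is still forwarded.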

