Eric Rescorla [mailto:ekr(_at_)rtfm(_dot_)com] wrote:
similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.
Really? You have evidence of this?
I don't either, but my intuition is that you're wrong. Once you have
decided to have a firewall in place (which you may think is evil, but
I consider pretty much a necessary evil), I suspect that most people
suffer almost not at all from having a NAT.
I believe that Eric is pointing out an important point: many deployments of
NATs have nothing to do with IPv4 address conservation. Rather, they are
firewall adjuncts implemented to hide internal networks from outside scrutiny
and direct access.
One point where I disagree with my IPv6-advocating friends is that I expect
firewall-related NATs to continue to be deployed within Internet (including
IPv6) environments until such a time as real-time-protocol and
peer-to-peer-protocol friendly "distributed firewall" (policy zones) variants
become the preferable "due diligence" alternative for CIOs.