Hi. I'd like to speak in favor of maintaining endpoint-independent
filtering as the default and maintaining requirement 11 D. I think
requirement 11 D is important for avoiding some hard-to-analyze but
potentially very dangerous security problems. If I can trick a NAT into
replacing an existing mapping by causing resource exhaustion, then I
could probably attack that. Unfortunately, such attacks tend to appear
minor or hard to exploit until someone puts together what turns out to
be a fairly reliable exploit against some equipment; then you have a
real mess.
I believe the stability-of-application argument argues for
endpoint-independent filtering.
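
The failure mode raised in the message above, as an added example that is not part of the original message: a toy NAT mapping table (a constructed model, not any real NAT implementation) with a four-port pool, comparing a policy that replaces the oldest mapping when the pool is exhausted with one that refuses the new mapping. All class, function, address and port values are hypothetical.

```python
from collections import OrderedDict


class NatTable:
    """Toy NAT port-mapping table (constructed model for illustration)."""

    def __init__(self, ports, evict_when_full):
        self.free = list(ports)            # unused external ports
        self.by_internal = OrderedDict()   # (ip, port) -> ext port, oldest first
        self.evict_when_full = evict_when_full

    def map_outbound(self, int_ip, int_port):
        """Return the external port for an internal endpoint, or None if refused."""
        key = (int_ip, int_port)
        if key in self.by_internal:
            return self.by_internal[key]
        if not self.free:
            if not self.evict_when_full:
                return None                # refuse: existing mappings stay intact
            # Replace policy: delete the oldest mapping to make room.
            _, port = self.by_internal.popitem(last=False)
            self.free.append(port)
        port = self.free.pop(0)
        self.by_internal[key] = port
        return port

    def deliver_inbound(self, ext_port):
        """Return the internal endpoint that traffic to ext_port now reaches."""
        for key, port in self.by_internal.items():
            if port == ext_port:
                return key
        return None


def run(evict_when_full):
    """Exhaust a 4-port pool and report who owns the first mapping afterwards."""
    nat = NatTable(ports=range(40000, 40004), evict_when_full=evict_when_full)
    established = ("10.0.0.5", 5060)       # constructed long-lived flow
    ext_port = nat.map_outbound(*established)
    # A second internal host opens more flows than the pool can hold.
    results = [nat.map_outbound("10.0.0.9", p) for p in range(1000, 1006)]
    return ext_port, nat.deliver_inbound(ext_port), results.count(None)


if __name__ == "__main__":
    print("refuse when full :", run(evict_when_full=False))
    print("replace when full:", run(evict_when_full=True))
```

With the refuse policy the established flow keeps its external port and the excess requests fail; with the replace policy the same external port silently ends up pointing at a different internal host.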