
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   IPV6      The convoluted hot-mess that is IPV6      4,612 messages   


   Message 2,689 of 4,612   
   Victor Sudakov to Tony Langdon   
   NAT   
   26 Jan 19 21:18:52   
   
   Dear Tony,   
      
   26 Jan 19 20:29, you wrote to me:   
      
    VS>> With the proliferation of IPv6 I hear more and more often that   
    VS>> NAT is a great security mechanism because it hides your intranet   
    VS>> infrastructure from outsiders, and how unfit IPv6 is for   
    VS>> enterprise networks because it lacks the notion of NAT which   
    VS>> makes IPv6 networks so very very much insecure.   
      
    VS>> Do you have good counter-arguments?
      
    TL> NAT was never intended as a security mechanism,   
      
   It was not intended as a security mechanism initially, but over time, it   
   became one, and is required by many security guidelines. Ask some computer   
   security specialist you trust, if you don't believe me.   
      
    TL> and it does nothing
    TL> more than a good packet filter could do.
      
   Of course it does more! No packet filter *hides* *src* *addresses* of your   
   internal hosts, and that is exactly what security people love NAT for.   
      
    VS>> Indeed, in some corporate networks I've seen, the use of the   
    VS>> RFC1918 address space is written into security guidelines as a   
    VS>> requirement.   
      
    VS>> Then again, as I come to think of it, even if your IPv6 intranet   
    VS>> has a good firewall on the border, your internal network   
    VS>> addresses are still exposed to the Internet. Is that a problem?   
      
    TL> If your firewall is blocking traffic, you can hardly say you're   
    TL> exposed.   
      
   Sorry, you are mistaken. Very few attacks nowadays are based on injecting
   malicious traffic into your network; those times are long gone. Information
   gathering about your intranet could be much more important than the ability to   
   send traffic into it from outside.   
      
    TL> NAT still creates a lot of problems, ask anyone who's wrestled with
    TL> port forwarding, to try and get services opened to the Internet.   
      
   That's a different story, I myself have wrestled enough with IPv4 NAT. So I   
   would be happy to advocate NAT-less IPv6 to anyone, but I need arguments. Have   
   not heard anything new so far.   
      
   Victor Sudakov, VAS4-RIPE, VAS47-RIPN   
   --- GoldED+/BSD 1.1.5-b20160322-b20160322   
    * Origin: Ulthar (2:5005/49)   
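As an added example, not part of the original message or the echo's own material, here is the kind of check a defender can run over outbound firewall logs to see what an exposed internal IPv6 source address actually gives away; it goes beyond the post by naming the EUI-64 case, where the interface identifier carries the host's MAC address. The log lines, the 2001:db8::/32 prefix and the `src=`/`dst=` field names are constructed.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample firewall log lines (not from the original post): each
# records an outbound connection with its internal IPv6 source address.
SAMPLE_LOG = """\
ACCEPT out src=2001:db8:1:10:250:56ff:fe9a:1b2c dst=2001:db8:ffff::53 dport=53
ACCEPT out src=2001:db8:1:10:3a1f:9c0e:71d4:2b88 dst=2001:db8:ffff::80 dport=443
ACCEPT out src=2001:db8:1:20::2 dst=2001:db8:ffff::80 dport=443
ACCEPT out src=2001:db8:1:20:21b:21ff:fe3c:4d5e dst=2001:db8:ffff::25 dport=25
"""

SRC_RE = re.compile(r"src=([0-9a-fA-F:]+)")

def eui64_mac(addr: str) -> Optional[str]:
    """Return the MAC address embedded in a modified EUI-64 interface
    identifier (RFC 4291), or None when the IID is not EUI-64 derived."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02           # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def classify_iid(addr: str) -> str:
    """Label what an internal address reveals to an outside observer."""
    if eui64_mac(addr) is not None:
        return "eui64"       # hardware MAC (and vendor OUI) recoverable
    iid_int = int.from_bytes(ipaddress.IPv6Address(addr).packed[8:], "big")
    if iid_int < 0x10000:
        return "sequential"  # small hand-assigned host number
    return "opaque"          # random/privacy IID, reveals little

def audit(log: str) -> dict:
    """Summarise address exposure across a log: per-class counts, the
    MACs that leaked, and the distinct /64 subnets an observer could map."""
    counts = {"eui64": 0, "sequential": 0, "opaque": 0}
    macs, subnets = set(), set()
    for src in SRC_RE.findall(log):
        counts[classify_iid(src)] += 1
        mac = eui64_mac(src)
        if mac:
            macs.add(mac)
        subnets.add(str(ipaddress.IPv6Network(src + "/64", strict=False)))
    return {"counts": counts, "macs": sorted(macs), "subnets": sorted(subnets)}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Addresses that come back as "eui64" or "sequential" are the ones where a border filter alone leaves hardware identity or numbering plan readable; the "opaque" class is what privacy or stable-random interface identifiers produce.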



(c) 1994,  bbs@darkrealms.ca