On 2003-10-21 at 14:15, Todd T. Fries wrote:
> I'm sorry to reply late to this, but I can't help but realize that
> NAT+IPv4 vs IPv6+firewall can be equivalent in `isolation'. Simply
> `block in all' and `pass out on $ext_if keep state' (in the pf terms of
> OpenBSD) and in two rules you have the same isolation of a NAT+IPv4 as
> you do with IPv6+firewall.

Imagine that two internal hosts are communicating in your scenario. They have a TCP connection running for weeks. Then the outside connection to the Internet breaks and is brought back up, but assigned a different address. In the IPv4+NAT case hosts that only contact other hosts on the internal network do not notice the failure at all. In the IPv6+firewall case the new addresses are provided to the hosts and eventually the old addresses time out -- and the internal TCP connection breaks. Ouch.

/Benny
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
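The two-rule isolation Todd quotes, written out as a pf.conf fragment. This is an added example for illustration, not part of either message; the interface names em0/em1, the unfiltered LAN rules and the ICMPv6 exemption list are assumptions, added because a bare `block in all` on an IPv6 box also drops the neighbour discovery and router advertisement messages the host needs to learn its neighbours and its prefix.

```pf
# Added example pf.conf fragment (not from the original thread).
# Interface names are assumptions; adjust for the host in question.
ext_if = "em0"   # Internet-facing interface
int_if = "em1"   # internal LAN

# 1. Default deny: nothing comes in on any interface unless a later rule allows it.
block in all

# 2. Anything initiated from inside toward the Internet is allowed, and the
#    state entry lets the replies back in. These two rules are the "isolation"
#    Todd describes: no unsolicited inbound connections, same as with NAT.
pass out on $ext_if keep state

# Traffic on the internal LAN is not filtered.
pass in on $int_if
pass out on $int_if

# IPv6 caveat: "block in all" alone also blocks ICMPv6 neighbour discovery and
# router advertisements, so the box never learns its neighbours or its prefix.
# Allow just those message types inbound; everything else stays blocked.
pass in inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routersol, routeradv }
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s state` lists the state table. Each state entry is keyed on the addresses in use when the flow started, so after a prefix change entries for flows through the old global addresses linger until they expire; that is the firewall-side counterpart of the host-side address timeout Benny describes.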