>NAT also has the advantage that if packets do leak,
>bogon filters at the border will drop them.

NAT is simply an algorithm which causes a firewall to
drop all traffic which doesn't match an entry in a
set of internal state tables. The NAT algorithm sets
up these state tables based on outgoing traffic and
based on specific operator configurations, i.e. static
NAT mappings.

This algorithm can be implemented in a trivial piece
of software that runs on cheap, low-power devices
commonly used in things like DSL routers.

The IPv6 folks are claiming that you can very easily
implement the same type of algorithm on IPv6 routers to
drop all traffic which doesn't match an entry in a
set of internal state tables. The IPv6 algorithm would set
up these state tables based on outgoing traffic and
based on specific operator configurations, i.e. statically
enabled addresses.

The only difference is that the IPv6 device never changes
the packet contents, i.e. never replaces source or
destination addresses in the headers. The IPv6 version can
still drop traffic and can still dynamically enable certain
incoming traffic based upon detection of an outgoing TCP
session starting up. It could even do port redirection if
that was still useful to people. It could also allow operator
configuration to enable incoming traffic to specific addresses.
The IPv6 version would be just as secure as an IPv4 NAT device 
but it would not interfere with protocol functioning.

Now, I'm not claiming that every device capable of IPv4 NAT is currently able
to function in this way, but there are no technical barriers to prevent
manufacturers from making IPv6 devices that function in this way. The IPv6
vendor marketing folks can even invent terms like NAT (Network Authority
Technology) to describe this simple IPv6 firewall function, i.e. IPv6 NAT.

It wouldn't be the first time that acronyms have been reinvented, e.g. 
RED, GSM.
--Michael Dillon
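The stateful-filter algorithm described in the post above, written out as a small simulation. This is an added illustration and is not code from Michael Dillon's message or from any router vendor: the Packet and StatefulFilter names, the shape of the state and static-allow entries, the decision strings, and the addresses (all from the 2001:db8::/32 documentation prefix) are assumptions of the example. It shows the three behaviours the post attributes to an "IPv6 NAT": outbound traffic creates state when a TCP session starts up (SYN), inbound traffic is dropped unless it matches that state or a statically enabled address, and the packet headers are never rewritten.

```python
"""Stateful IPv6 packet filter without address rewriting (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str            # source IPv6 address
    sport: int          # source port
    dst: str            # destination IPv6 address
    dport: int          # destination port
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN flag: marks the start of an outbound session


class StatefulFilter:
    """Drops traffic that matches neither a dynamic state entry nor a
    static operator rule. Never replaces source or destination addresses."""

    def __init__(self, inside_prefix, static_allow=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        # dynamic state set up by outgoing traffic:
        # (inside addr, inside port, outside addr, outside port, proto)
        self.state = set()
        # entries the operator has statically enabled: (inside addr, port, proto)
        self.static_allow = set(static_allow)

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def process(self, pkt):
        """Return ("forward" | "drop", packet). The packet object comes back
        unmodified in every case; only the decision differs."""
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # outbound: always forwarded; record the flow when a TCP session
            # starts (SYN) or for any UDP datagram, so the reply is admitted
            if pkt.proto == "udp" or (pkt.proto == "tcp" and pkt.syn):
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "forward", pkt
        if not self._inside(pkt.src) and self._inside(pkt.dst):
            # inbound: admit only the reverse direction of a tracked flow ...
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
                return "forward", pkt
            # ... or traffic to an address/port the operator enabled
            if (pkt.dst, pkt.dport, pkt.proto) in self.static_allow:
                return "forward", pkt
            return "drop", pkt
        # anything else (e.g. an inside source address arriving from the
        # outside, or outside-to-outside transit) is dropped
        return "drop", pkt


def run_demo():
    """Constructed packet sequence; returns the list of decisions."""
    fw = StatefulFilter("2001:db8:1::/48",
                        static_allow={("2001:db8:1::80", 443, "tcp")})  # published server
    host, server, stranger = "2001:db8:1::10", "2001:db8:ffff::5", "2001:db8:ffff::666"
    packets = [
        Packet(host, 40000, server, 80, "tcp", syn=True),           # outbound session start
        Packet(server, 80, host, 40000, "tcp"),                     # reply to that session
        Packet(stranger, 80, host, 40000, "tcp"),                   # same ports, wrong peer
        Packet(stranger, 1234, host, 22, "tcp", syn=True),          # unsolicited inbound
        Packet(stranger, 1234, "2001:db8:1::80", 443, "tcp", syn=True),  # statically enabled
        Packet("2001:db8:1::99", 5, host, 22, "tcp"),               # inside source from outside
    ]
    return [fw.process(p)[0] for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The state key is the full five-tuple, so the third packet (a different peer reusing the same ports) is dropped even though the host has an open session on port 40000; an IPv4 NAT device keeps the same kind of table, the only extra work it does is rewriting the address fields on the way through.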
