> Actually, this seems like what IPv6 Privacy Addresses were made for.

IPv6 privacy addresses have to be managed by the application and/or the OS, and to achieve the same result as NAPT would need to be changed _much_ more often than every 24 hours (24 hours is the Windows 7 default for changing the host's privacy address, per my understanding). Changing them more often, without coordination with the application, is *very difficult* without breaking the application. For example, if the OS decides to change the IPv6 privacy address during a long-lived FTP session transferring thousands of files, new FTP data connections have to continue using the old address until the FTP control connection is closed (reference http://cr.yp.to/ftp/security.html). This is an awkward case, but solvable (OS can determine if a process has other sockets already open) but gets worse with multi-process applications and gets impossible if the application has a signaling channel to a server that isn't the endpoint while also creating/destroying data channels to a remote peer (as is common with SIP, XMPP, and perhaps things like BitTorrent).
In short: IPv6 privacy addresses need more fleshing out before they are equivalent substitutes for today's NAPT44.

-d

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
