VS>> With the proliferation of IPv6 I hear more and more often that
VS>> NAT is a great security mechanism because it hides your intranet
VS>> infrastructure from outsiders, and how unfit IPv6 is for
VS>> enterprise networks because it lacks the notion of NAT which
VS>> makes IPv6 networks so very very much insecure.
VS>> Do you have good counter-arguments?
TL> NAT was never intended as a security mechanism,
It was not intended as a security mechanism initially, but over time, it became one, and is required by many security guidelines. Ask some computer security specialist you trust, if you don't believe me.
TL> and it does nothing
TL> more than a good packet filter could do.
Of course it does more! No packet filter *hides* *src* *addresses* of your internal hosts, and that is exactly what security people love NAT for.
VS>> Indeed, in some corporate networks I've seen, the use of the
VS>> RFC1918 address space is written into security guidelines as a
VS>> requirement.
VS>> Then again, as I come to think of it, even if your IPv6 intranet
VS>> has a good firewall on the border, your internal network
VS>> addresses are still exposed to the Internet. Is that a problem?
TL> If your firewall is blocking traffic, you can hardly say you're
TL> exposed.
Sorry, you are mistaken. Very few attacks nowadays are based on injecting malicious traffic into your network; those times are long gone. Information gathering about your intranet could be much more important than the ability to send traffic into it from outside.
TL> NAT still creates a lot of problems, ask anyone who'd wrestled with
TL> port forwarding, to try and get services opened to the Internet.
That's a different story, I myself have wrestled enough with IPv4 NAT. So I would be happy to advocate NAT-less IPv6 to anyone, but I need arguments. Have not heard anything new so far.
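For reference, this is the kind of stateful IPv6 border filter that the "a good packet filter could do the same" argument refers to. It is an added example and not something posted by anyone in this thread; the interface names wan0 and lan0 and the internal prefix 2001:db8:1::/48 (carved from the 2001:db8::/32 documentation space) are assumed placeholders.

```nftables
# Added example, not from the thread. Stateful IPv6 border filter in
# nftables syntax. Assumed names: "wan0" faces the Internet, "lan0" faces
# the intranet, 2001:db8:1::/48 is the internal prefix (documentation space).
table ip6 border {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Packets that do not fit any tracked connection state are dropped
        ct state invalid drop

        # Replies to connections opened from inside are allowed back in
        ct state established,related accept

        # Internal hosts may open new connections toward the Internet
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1::/48 accept

        # Unsolicited traffic from the Internet reaches no internal host,
        # which is the same reachability a NAT gives you. Only the ICMPv6
        # error types needed for path MTU discovery are let through.
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Everything else arriving from the outside is counted, logged and dropped
        iifname "wan0" counter log prefix "ip6-fwd-drop: " drop
    }
}
```

Load it with `nft -f border.nft` and inspect with `nft list ruleset`. The point of the example is the distinction the two of you are circling: an internal address being globally routable is not the same as an internal host being reachable, and it is the filter, not the address translation, that decides reachability. The separate question of whether visible addresses leak intranet structure is what IPv6 privacy (temporary) addresses, RFC 4941, were defined for.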