[citation][nom]ojas[/nom]Getting hard to know who knows what in the comments section, guess i'll have to read up on it myself...However i do know from a book (Computer Networks, Andrew S. Tanenbaum) that NAT was against the openness of the internet and made it easier for ISPs to control and organize their networks. It also lowered the redundancy of the Internet, since now there were these few main nodes, which, if taken out, would cut of lower hierarchical branches.Having said that, i agree that it makes sense on the security front.[/citation]
Don't know who told you that but they lied.
NAT was created as a mechanism for someone to hide a private network behind a public one, it was designed to obsfucate on purpose. What most people don't realize is that ISP's charge you by connection not IP address, read the fine print in your internet service agreement. One "unlimited" connection to a single device, anything more and you have to pay per-device. Back when NAT software started to become commonly available, the ISP intallers would refuse to connect your DSL / Cable line if they saw you had a NATed setup, I know this because I used to have to hide my gateway whenever I had internet troubles. Because NAT on IPv4 makes it effectivly impossible for them to meter individual connection usage they've mostly given up trying for force you to pay per connection. This will change the moment they can meter individual connections, just look at what the wireless ISP's are doing and what Comcast did with P2P connections and you should get an idea of what they can do.
Now ... when the task group responsible for IPv6 designed it, they went to extraordinary measures to ensure NAT wasn't supported. From their perspective NAT breaks something called the "end to end" model, which is just a saying that means a cell phone in china can directly connect to and communicate with a PC in South America. It's purpose is to make the transportation layer invisible to you as user. NAT breaks this by imposing both a physical and a virtual barrier between your connections. The cell phone in china simply can not address the PC in south america if the south american PC is behind a NAT device. The cell phone must first address the NAT device, and the NAT device must be trusted to relay the communication properly to the PC. This by itself isn't a security measure as IP masquerading (the technical name for NAPT) will just forward everything. But when you combine it with connection tracking and enforce a firewall like ruleset, you get an amazingly powerful, effective and cheap consumer secure gateway device. Break any of those pieces (NAT, SPI, ConnTrack) and the security as a whole starts to fail. Now if you have high paid security experts, they can easily monitor, configure and maintain that firewall such that NAT isn't neccessary. Otherwise, SPI (the kinds found in home routers) + ConnTrack only protects you from limited attacks that are well documented, it doesn't protect you from undocumented attacks nor probing. If anything IPv6 is actually less secure then IPv4, the *mandated* IPSEC suport does nothing as home users don't use IPSEC and setting it up isn't easy. It places the entire security burdon on a *knowledgable user*.
Anyhow, IPv6 was designed with a pure and ideaistic view of the internet. It imaged this big great cloud with every device on the planet able to freely communicate to each other in one big cyberspace world. Of course the idea that many of those devices are untrusted, and some of then are downright dangerous didn't cross their minds until later. The internet is less like Star Trek and more like Babylon 5.
/en.wikipedia.org/wiki/Andrew_S._Tanenbaum
Facebook
Twitter