Re: myth of the great transition (was US Defense Department formally adopts IPv6)



> What applications that people want to run--and the IT managers would
> want to enable--are actually inhibited by NAT? It seems to me that
> most of the applications inconvenienced by NAT are ones that IT
> managers would want to screen off anyway.

Not really.  For example, ftp as originally defined doesn't
work through NATs, and no standard VoIP or multimedia
conferencing protocol works through NAT.  

What I think is a huge problem that people tend to be pretty
hand-wavy about is that many of the mechanisms that are
introduced to help complex applications work through NATs
introduce new security exposures, whether it's the
"pseudo-NAT attack" described by Dupont and that we've run
into with STUN, or external relays allowing internal users
to run unauthorized servers, or stateful inspection/rewrite
forcing application users not to use encryption or integrity
protection, or ...  NAT has a surprisingly wide ripple
effect that's almost completely negative.

Melinda
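
The following is an added example and is not part of the message above. It illustrates two of the points raised there: active-mode FTP (the RFC 959 `PORT` command) carries the client's own address inside the payload, and a NAT helper that rewrites that payload breaks end-to-end integrity protection. The HMAC tag is an assumed stand-in for whatever integrity mechanism the application would use, and the key, addresses and ports are constructed sample values.

```python
import hashlib
import hmac
import re

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def build_port(ip: str, port: int) -> bytes:
    """Active-mode FTP (RFC 959): the client embeds its own address and port."""
    h = ip.split(".")
    return ("PORT %s,%s,%s,%s,%d,%d\r\n"
            % (h[0], h[1], h[2], h[3], port >> 8, port & 0xFF)).encode()

def parse_port(line: bytes):
    """Return the (ip, port) endpoint the server would connect back to."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range")
    return ".".join(map(str, n[:4])), (n[4] << 8) | n[5]

def alg_rewrite(line: bytes, public_ip: str, mapped_port: int) -> bytes:
    """What a NAT's FTP helper has to do: swap in the translated endpoint."""
    parse_port(line)  # validate before rewriting
    return build_port(public_ip, mapped_port)

def protect(key: bytes, line: bytes) -> bytes:
    """Assumed stand-in for integrity protection: append an HMAC-SHA256 tag."""
    return line + hmac.new(key, line, hashlib.sha256).digest()

def verify(key: bytes, blob: bytes) -> bool:
    line, tag = blob[:-32], blob[-32:]
    return hmac.compare_digest(tag, hmac.new(key, line, hashlib.sha256).digest())

# Constructed sample values (RFC 1918 and RFC 5737 documentation addresses).
KEY = b"constructed-session-key"
client_cmd = build_port("192.168.1.10", 50000)

def demo():
    # No helper: the server is told to connect to an unroutable private address.
    unmodified = parse_port(client_cmd)
    # With a helper: the payload is rewritten in flight, so the tag stops matching.
    blob = protect(KEY, client_cmd)
    rewritten = alg_rewrite(blob[:-32], "203.0.113.5", 61000) + blob[-32:]
    return unmodified, parse_port(rewritten[:-32]), verify(KEY, blob), verify(KEY, rewritten)

if __name__ == "__main__":
    print(demo())
```

If the command were encrypted rather than only authenticated, the helper could not parse it at all, so the rewrite would not happen and the private address would reach the server unchanged.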




Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
