True, there's no additional security in NAT. In theory.
In practice, NAT completely changed the way most Windows machines are broken. Back in the
late 90s, Windows machines were usually taken out by smashing some part of the network stack.
Nowadays that pretty much never happens. Almost all attacks go in through the browser, Flash,
or just as trojans via email.
Why? NAT. True, MS did spend a fair amount of time cleaning up their network stack but
that's moot since it's all hidden behind NAT anyway.
I agree, NAT is a horrible horrible thing to do. But its real-world benefits are
unassailable. It's a non-negotiable one-button firewall deployable worldwide. It
single-handedly cleaned up broken firewalls all over the country, from mountain shacks to
multi-thousand-node office networks. Buy a box, plug it in, and you're safer. Period. No
other network security innovation has brought about such a profound positive change for so
many people, not even SSH.
So, when you say NAT should die (and I'm all for it), you're actually saying that NAT should
be replaced by something even better, right? Something that carefully studies the networking
lessons from the last ten years and improves on it? Because simply abandoning NAT would be a
big step backward for most people and would reopen a lot of attack vectors which are currently
The IPv6 team doesn't seem to understand this. Yes, I'm worried.