Ok; let's have the "Does DNAT contribute to Security" argument one more time...
- Subject: Ok; let's have the "Does DNAT contribute to Security" argument one more time...
- From: lyndon at orthanc.ca (Lyndon Nerenberg)
- Date: Mon, 14 Nov 2011 15:01:30 -0800 (PST)
- In-reply-to: <[email protected]>
- References: <[email protected]> <[email protected]>
> There really is no winner or "right way" on this thread. In IPv4 as a
> security guy we have often implemented NAT as an extra layer of obfuscation.
It's worse than just obfuscation. The 'security' side effect of NAT can
typically be implemented by four or five rules in a traditional firewall.
But a NAT implementation adds thousands of lines of code to the path the
packets take, and any time you introduce complexity you decrease the
overall security of the system. And the complexity extends beyond the NAT
box. Hacking on IPsec, SIP, and lord knows what else to work around
address rewriting adds even more opportunities for something to screw up.
If you want security, you have to DEcrease the number of lines of code in
the switching path, not add to it.

Complexity is evil. It's a shame this is no longer taught in computing
courses. And I mean taught as a philosophy, not as a function of line
count or any other bean-counter metrics.
--lyndon
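The post claims that the "security" side effect of NAT, i.e. unsolicited inbound connections never reach hosts on the inside, is really just stateful filtering that a handful of ordinary firewall rules provide without any address rewriting. The ruleset below is an added illustration of that claim and is not part of Lyndon's message or any project's code. It is an nftables forward-chain policy for an IPv6 edge router where inside hosts keep their global addresses; the interface names lan0 and wan0 and the prefix 2001:db8:1::/64 are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful IPv6 edge policy with no NAT.
# lan0, wan0 and 2001:db8:1::/64 are assumed placeholders; substitute your own.
flush ruleset

table inet edge {
    chain forward {
        # Default drop: anything not matched by a rule below is discarded.
        type filter hook forward priority 0; policy drop;

        # 1. Return traffic for flows an inside host already opened, plus
        #    related flows such as ICMPv6 errors tied to an existing connection.
        ct state established,related accept

        # 2. Packets conntrack cannot attribute to any flow (malformed, out of
        #    window) are dropped rather than being allowed to create state.
        ct state invalid drop

        # 3. Inside hosts may open new flows towards the Internet. This is the
        #    only rule that creates conntrack entries for inbound return traffic.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1::/64 ct state new accept

        # 4. ICMPv6 error types that IPv6 forwarding depends on (path MTU
        #    discovery in particular) may enter even when not yet tracked.
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Unsolicited inbound connection attempts match nothing above and hit
        # the chain's drop policy, which is exactly the property NAT is credited with.
    }
}
```

Load it with `nft -f <file>` on a Linux router. The reachability property is identical to what a NAT box gives (outside hosts cannot initiate connections inward), but no packet is rewritten, so IPsec, SIP and other protocols that carry addresses in their payload need no helper code, and the forwarding path gains four rules rather than a translation engine.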