Hacker News

ExoticPearTree yesterday at 7:48 AM (4 replies)

My first IPv6 implementation was in 2010-2011 (memory a bit fuzzy). Carriers supporting BGP over IPv6 were few, websites over IPv6 were also scarce.

Fast forward 15 years and the situation has improved quite dramatically.

IPv6 has some quirks that make it harder to digest.

- link local gateway address, makes it hard to understand why the subnet does not have a gateway from the same address space

- privacy extensions: it is very hard to explain to people why they have 3-4 IPv6 addresses assigned to their computer

- multicast instead of broadcast

- way too many ways for autoconfiguration (SLAAC, DHCPv6)

- no real tentative mapping to what people were used to. Every IPv6 presentation I did had to start with “forget everything you know about IPv4”

In the enterprise space, if you mention globally reachable address space, the discussion tends to end pretty fast because “it’s not secure”. Those people love their NAT.
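Added example, not part of the original comment: a short Python parser over constructed `ip -6 addr` and `ip -6 route` output that labels each address on a host (link-local, temporary privacy address, unique-local, stable global) and shows that the default next hop sits outside every global prefix. The interface name, the addresses (documentation prefix 2001:db8::/32) and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` and `ip -6 route` output
# (documentation prefix 2001:db8::/32; not taken from the thread).
SAMPLE_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:5c1e:9a0f:33d2:7b41/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:1:2:a11:96ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fd00:1234:5678:2:a11:96ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fe80::a11:96ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""
SAMPLE_ROUTE = "default via fe80::1 dev eth0 proto ra metric 100 pref medium"

ADDR_RE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+\w+(.*)$")
ULA = ipaddress.IPv6Network("fc00::/7")

def classify(iface, flags):
    """Label one address the way an operator would explain it."""
    if iface.ip.is_link_local:
        return "link-local"
    if "temporary" in flags:
        return "temporary"      # RFC 8981 privacy address, rotates over time
    if iface.ip in ULA:
        return "unique-local"
    return "stable-global"

def parse_addrs(text):
    """Return [(IPv6Interface, label)] for every inet6 line."""
    found = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            iface = ipaddress.ip_interface(m.group(1))
            found.append((iface, classify(iface, m.group(2).split())))
    return found

def explain_gateway(route, addrs):
    """Show that the default next hop sits outside every global prefix."""
    gw = ipaddress.IPv6Address(re.search(r"default via (\S+)", route).group(1))
    in_prefix = any(gw in i.network for i, lab in addrs if lab != "link-local")
    return {"gateway": str(gw), "link_local": gw.is_link_local,
            "inside_global_prefix": in_prefix}

if __name__ == "__main__":
    hosts = parse_addrs(SAMPLE_ADDR)
    for iface, label in hosts:
        print(f"{label:14} {iface}")
    print(explain_gateway(SAMPLE_ROUTE, hosts))
```

When correlating logs, the temporary address is the one that usually appears as the source of outbound connections and it changes over time, so host attribution should key on the stable address or the interface rather than on a single observed IPv6 address.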


Replies

jjav yesterday at 9:14 AM

> In the enterprise space, if you mention globally reachable address space, the discussion tends to end pretty fast because “it’s not secure”.

Topic drift, but for younger people who didn't live it, that's how it used to be!

For most of the 90s my workstation in the office (at several employers) was directly on the Internet. There were no firewalls, no filtering of any kind. I ran my email server on my desktop workstation to receive all emails, both from "internal" (but there was no "internal" really, since every host was on the Internet) people and anyone in the world. I ran my web server on that same workstation, accessible to the whole Internet.

That was the norm, the Internet was completely peer to peer. Good times.

BobbyTables2 today at 1:47 AM

The SLAAC/DHCPv6 combo seems really strange to me.

Either IP/DNS/gateway discovery with one or the other could be tolerable. But allowing combinations such as SLAAC for addressing and DHCP for DNS discovery is lunacy.

It’s as if one said, let’s take the most basic and critical step and make it as complicated as possible and explore the combinatorial explosion…

hnlmorg yesterday at 7:56 AM

The nice thing about NAT is it makes the security model easier to reason about.

By this, I don’t mean it’s more secure, because I know it isn’t. But it is a lot easier to see and to explain what has access to what. And the problem with enterprise is that 80% of the work is explaining to other people, usually non-technical or pseudo-technical decision makers, why your design is safe.

I really do think IPv6 missed a trick by not offering that.

Hikikomori yesterday at 8:59 AM

> In the enterprise space, if you mention globally reachable address space, the discussion tends to end pretty fast because “it’s not secure”. Those people love their NAT.

Was also designed in the early 90s before security was taken seriously.
