Comment Re:Meh (Score 1) 173

OK, now I'm a bit confused. I assume that by transparent firewall you mean that the internal IPs are exposed (the firewall behaves like it is not there, well, other than filtering some packets). In that case I do not see why the attack surface would be lowered. I mean a NAT router also has a firewall (on Linux for example, iptables can be used as a router and firewall). If there is a bug in the firewall code then the device can be hacked and that does not depend on the mode. Same with NAT, if there is a bug in the code then it can be hacked.

Also, a transparent firewall would allow the bad guys to count how many machines you have. While this is not really serious, it would help them, especially since with NAT they cannot be sure whether port 12345 and 12346 go to the same machine or not.

Yes, I do indeed mean the setup where your internal (internet-routable) IP addresses get exposed. I meant to point out that it lowers the attack surface of the security measure, in this case the firewall. NAT by itself (as a security measure) does not provide this; granted, one would not be especially smart to not run a firewall in front of a firewall, which is one of the reasons I prefer not to run NAT and a firewall but just a firewall instead. To me that limits administration to the one function.
As for counting the number of machines, this is possible behind a NAT as well; granted, it takes more effort, more time and increases the amount of guesswork. (Two random sources: http://www.antionline.com/archive/index.php/t-238181.html, http://www.techspot.com/vb/topic5154.html [2003].)

While usually a bug in the code indeed exposes the security measure to possible abuse, if you run transparent, however, lacking a public IP address makes the chance that those particular bugs get abused drop dramatically. After all, you're not aiming communications directly at the firewall machine. One would first need to identify the fact that there's a transparent firewall by profiling, then either try the attack or run extensive profiling to try and identify the brand/version/implementation of the firewall and pick an attack based on that. Much like a NAT prevents direct contact with clients behind it on private ranges, a transparent firewall prevents direct contact with the firewall itself. It's nothing more than a packet-filtering, bridge-like device after all. Intelligently crafted packets can still hurt it of course, but then I don't believe it can be 100% secure unless you unplug the cable.
I just trust transparent firewalls more than I trust NAT to keep my network safe, based on the above. I don't find it a threat if someone is able to determine how many hosts are on my network; a firewall, NAT or even both can't really prevent that anyway.
And let's not forget one can still control the exposure of hosts by other means, like proxies for web/FTP/etc.

Yes, and both methods work well. What I meant was about the connectivity issues you said are present with NAT. Yes, I need to forward a port for you to be able to connect to me. But the same would be true if I used a firewall: I still would have to add a rule to allow your packets. If I used Linux and iptables, the rules would look very similar.

Also, the point is that with IPv6, nobody would force you to use NAT, like it is with IPv4. If you do not like it or use protocols that do not support it, just do not use NAT, while I could continue to use it (if it becomes available, of course).

True, I agree the two effectively pose similar challenges to connectivity, yet under the premise that NAT on its own should always be fortified by a firewall I'd rather leave the NAT out if I had the choice. It saves me the trouble of administering both a firewall and port forwarding or public/private IP mapping on a NAT solution. IPv6, as you point out, makes NAT a choice rather than a given. I am sure that if the IPv6 NAT standard doesn't get drafted, the 'big' vendors will step in to fill the void, albeit with their own, not necessarily good/friendly/open, 'standard'.
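The exchange above compares a NAT router with a transparent (bridging) firewall and notes that, on Linux with iptables, the rules for exposing one inside service "would look very similar". The script below is an added example written for this page; it is not from the thread and not any poster's configuration. It writes the same "let the outside reach TCP port 22 on one inside host" policy both ways so the two rule sets can be read side by side, and builds the address-less bridge that the transparent case relies on. Interface names (eth0/eth1), the inside addresses (10.0.0.10 for the NAT case, 203.0.113.10 for the routable case), the port, and the `run` dry-run helper are all assumptions chosen for illustration. With `DRY_RUN=1` (the default) the commands are printed instead of executed, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example, not from the original thread: the same "allow a peer to
# reach a service on an inside host" policy for (a) a NAT router and (b) a
# transparent bridging firewall. Interface names, addresses and ports are
# assumptions for illustration. DRY_RUN=1 (default) prints the commands.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Baseline shared by both modes: drop what is not explicitly allowed and
# let replies to already-accepted flows through. (Management access to the
# box itself is out of scope here.)
baseline_rules() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# (a) NAT router: one public address on $wan, RFC 1918 range behind it.
# Exposing an inside service takes two rules: a DNAT that rewrites the
# destination, plus a FORWARD rule that lets the rewritten packet through.
nat_forward_rules() {
    wan="$1"; pub_port="$2"; inside_host="$3"; inside_port="$4"
    run iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$inside_host:$inside_port"
    run iptables -A FORWARD -i "$wan" -p tcp -d "$inside_host" --dport "$inside_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# (b) Transparent firewall: the box bridges $outside and $inside and gets
# no IP address of its own, so there is nothing on it to aim packets at.
# Bridged frames only reach iptables when bridge-nf-call-iptables is on;
# the physical ingress port is then matched with the physdev module.
transparent_bridge_setup() {
    outside="$1"; inside="$2"
    run ip link add br0 type bridge
    run ip link set "$outside" master br0
    run ip link set "$inside" master br0
    run ip link set "$outside" up
    run ip link set "$inside" up
    run ip link set br0 up   # deliberately no 'ip addr add': br0 stays address-less
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Same policy as nat_forward_rules, but the inside host keeps its routable
# address, so only the filter rule is needed; there is nothing to rewrite.
transparent_forward_rule() {
    outside="$1"; inside_host="$2"; inside_port="$3"
    run iptables -A FORWARD -m physdev --physdev-in "$outside" -p tcp \
        -d "$inside_host" --dport "$inside_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Demo: SSH to one inside host, expressed in both modes.
echo "# (a) NAT router, inside host 10.0.0.10"
baseline_rules
nat_forward_rules eth0 22 10.0.0.10 22
echo "# (b) transparent firewall, inside host 203.0.113.10"
baseline_rules
transparent_bridge_setup eth0 eth1
transparent_forward_rule eth0 203.0.113.10 22
```

To apply the rules for real, run it as root with `DRY_RUN=0` on a Linux box with the br_netfilter module loaded (the physdev match and the bridge-nf sysctl depend on it). The thing to notice is the difference in what is exposed: in (a) the router's own public address is what every outside packet is addressed to, so a bug in its stack is reachable by anyone who can route to it; in (b) the only addressed targets are the inside hosts, and the filtering box itself has no address to send a crafted packet to.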

Comment Re:Meh (Score 1) 173

I agree tunneling now isn't as useful and certainly is not worth losing connection speed over.

There still seems to be rather a lot of discussion on NAT for IPv6, though, mainly on whether there should be a standard drafted to prevent the plethora of IPv4 NAT types and implementations.

There's doubt about how wise it would be to define a standard for IPv6 NAT, since it's likely to promote the use of NAT (partially due to familiarity with it), and thus maintain the connectivity issues that exist in IPv4 today (as well as the application development challenges that come with the use of NAT).

What may have been a very good idea at the time to avoid the IPv4 depletion problem might in the end stand in the way of proper connectivity as it was envisioned (and is possible with IPv6).

Some find NAT to be a security measure, or even worse (in my opinion at least), a best practice concerning internet connectivity for clients.

I myself, for one, appreciate the benefits IPv4 NAT offers today but despise the limitations it causes for connectivity and applications/developers. I'd much rather not use NAT at home and instead have only a decent firewall configuration to provide security and limit only the connectivity I choose to limit.

Comment Meh (Score 1) 173

Granted:
IPv4 address space is 'close' to being depleted.
IPv6 is 'far' from being common.

Still:
Yes, you should consider the fact that IPv6 will give you decent end-to-end connectivity again (finally), or at least it can. (Some seem to have a problem letting go of NAT.)
No, you should not buy any software or hardware anymore that doesn't support IPv6.

Yes, chances are your ISP is slow with implementing IPv6 and making it available natively on their network for you; most are. It's an investment for them without an obvious profit, or ROI for that matter.
Yes, chances are your hosting provider is slow with ... (see above, same thing applies)

No, your home network does not need IPv6 in itself; it's puny and has very few devices. Yes, you should still aim for IPv6 on your home network if you're gonna change the network (equipment/configuration) anyway; it'll save you from having to fix it later on when you need that one IPv6-only program to run or that one IPv6-only service you wanted from the web (or worse, when you want to play that one awesome game that won't work behind a NAT).

No, IPv4 is not evil, it's just outdated.
Yes, IPv6 is good, the next step and the future etc. ...

So basically, if you're a decent nerd, next time you mess up your network you might as well get the IPv6 configuration sorted and done. Then, when your ISP catches up, you may only need to change the prefix and have connectivity.

Unless of course you enjoy being limited in your internet access and connectivity (might I suggest getting hold of some coax and ARCnet NICs in that case).

Comment I'm Dutch, let me try and clarify (Score 1) 234

I'm not here to defend this court's ruling; however, I do think that I can clarify a bit by helping out with the translation (I am Dutch).

The point the judge seems to make in the original Dutch article is that he works with the premise that routers are not intended to store personal data, only to facilitate communication. However, many arguments can be made for it either logging, hosting a printer spooler, SMB, FTP, HTTP, a torrent client or another personal/private service that involves storage of (implied personal/private) data.

They go on to say that while using somebody's internet connection is not an offense under criminal law, it is under civil law, due to the claim that one's bandwidth might have been limited by efforts of the offender. The reason, as they claim, that it is not an offense under criminal law is that the internet connection (bandwidth) is a service rather than a commodity and therefore cannot be stolen in the definition of criminal law.

Suffice to say that there's a lot more in that article than Google Translate will let you decipher, although in my personal opinion it's still fundamentally wrong to let someone get away with breaking a security mechanism (as weak as it may be) to gain access to (public) network services. Had the defendant been at a venue that offers free WiFi network access, for instance, and connected without breaking the encryption, it would have been a different story I guess.

As for breaking into the router/AP, there's no claim that the router/AP was broken into. Granted, the defendant hijacked the network's WiFi signal, but this can be done without breaching the router/AP device security. True, it gives access to the internal interface of the router and therefore in most cases the management software on it; however, the article does not state a claim that router/AP management was breached. I find it weird, though, that they do not address this, since usually the lawyers nitpick at everything; they are clearly not burdened with any actual knowledge of what happened.

Just my 2 (euro) cents, though.
