quietly....

Jay Ashworth jra at baylink.com
Thu Feb 3 05:18:43 UTC 2011


----- Original Message -----
> From: "Jimmy Hess" <mysidia at gmail.com>

> There's no reason for the internet community to re-design every
> protocol to allow and try to function in a NAT environment, for the
> benefit of a small number of edge networks, who want a private castle
> with hosts on their network not connected to the internet, for no
> reason that has been adequately justified.

Justify, yourself in turn, "small number".  My personal estimate of the
number of NATted edge networks is well north of 75%, on a network count
basis.

> No one has ever provided me with a serviceable explanation of why a
> stateful firewall is an insufficient method for implementing any
> desired network policy, with regards to limiting accepted traffic to
> outbound connections for nodes on an edge network.

Complexity of the configuration vastly increases the size of the
attack surface: in a NATted edge network, *no packets can come in
unless I explicitly configure for them*; there are any number of
reasons why an equivalently simple assertion cannot be made concerning
the configuration of firewalls, of whatever type or construction.

In a firewall, you are *fighting* the default "route this packet"
design; in a NATgate, you have to consciously throw the packets
over the moat.

I've never been clear why this isn't intuitively obvious to the people
with whom I have to have this argument.

Cheers,
-- jra
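The default-posture distinction argued above (a filter that must be told what to block versus a NAT that has nowhere to deliver an unsolicited packet) can be modelled in a few dozen lines. The following is an added illustration, not code from either poster or from any real firewall; the three devices, the connection-tracking logic, the addresses and ports are all constructed for the example. It runs the same packet stream (one outbound web connection, its reply, and one unsolicited inbound connection attempt) past a stateful filter whose inbound chain defaults to accept, one that defaults to drop, and a port-restricted NAT gateway with no port forwards.

```python
"""
Constructed model of three edge postures:
  1. stateful filter, inbound default ACCEPT  (rules must block traffic)
  2. stateful filter, inbound default DROP    (rules must admit traffic)
  3. NAT gateway, one public address, no port forwards
Addresses, ports and the packet stream are made up for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN -> internet, "in" = internet -> LAN


class StatefulFilter:
    """Connection-tracking packet filter with no address translation."""

    def __init__(self, inbound_policy, explicit_inbound=()):
        self.inbound_policy = inbound_policy            # verdict for unmatched inbound
        self.explicit_inbound = set(explicit_inbound)   # (lan host, port) pairs opened by rule
        self.conntrack = set()                          # flows opened from inside

    def process(self, pkt):
        if pkt.direction == "out":
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "accept"                             # reply to an established flow
        if (pkt.dst, pkt.dport) in self.explicit_inbound:
            return "accept"                             # administrator opened it
        return self.inbound_policy                      # everything else gets the default


class NatGateway:
    """Port-restricted NAT: inbound needs a mapping created by outbound traffic."""

    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        self.port_forwards = dict(port_forwards or {})  # public port -> (lan host, port)
        self.mappings = {}   # public port -> (lan host, lan port, remote host, remote port)
        self.next_port = 40000

    def public_port_for(self, out_pkt):
        key = (out_pkt.src, out_pkt.sport, out_pkt.dst, out_pkt.dport)
        for pub, mapped in self.mappings.items():
            if mapped == key:
                return pub
        return None

    def process(self, pkt):
        if pkt.direction == "out":
            if self.public_port_for(pkt) is None:        # allocate a public port on first use
                self.mappings[self.next_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.next_port += 1
            return "accept"
        if pkt.dst != self.public_ip:
            return "drop"                               # private hosts are not reachable at all
        mapped = self.mappings.get(pkt.dport)
        if mapped and mapped[2:] == (pkt.src, pkt.sport):
            return "accept"                             # translated back to the LAN host
        if pkt.dport in self.port_forwards:
            return "accept"                             # consciously "thrown over the moat"
        return "drop"                                   # no mapping: nowhere to deliver it


def run_scenario():
    """Feed the same traffic to each device; return its verdicts on the reply and on unsolicited inbound."""
    lan_host, remote, public_ip = "10.0.0.5", "203.0.113.9", "198.51.100.1"
    devices = {
        "filter-default-accept": StatefulFilter("accept"),
        "filter-default-drop": StatefulFilter("drop"),
        "nat-no-forwards": NatGateway(public_ip),
    }
    results = {}
    for name, dev in devices.items():
        outbound = Packet(lan_host, 51000, remote, 80, "out")
        dev.process(outbound)
        if isinstance(dev, NatGateway):   # the remote side only ever sees the public address
            reply = Packet(remote, 80, public_ip, dev.public_port_for(outbound), "in")
            unsolicited = Packet("192.0.2.77", 33333, public_ip, 22, "in")
        else:
            reply = Packet(remote, 80, lan_host, 51000, "in")
            unsolicited = Packet("192.0.2.77", 33333, lan_host, 22, "in")
        results[name] = {"reply": dev.process(reply), "unsolicited": dev.process(unsolicited)}
    return results


if __name__ == "__main__":
    for device, verdicts in run_scenario().items():
        print(f"{device:22s} reply={verdicts['reply']:6s} unsolicited={verdicts['unsolicited']}")
```

The filter with a default-accept inbound chain admits the unsolicited connection because nothing told it not to; the default-drop filter and the NAT gateway both refuse it while still passing the reply to the connection opened from inside. The model is deliberately port-restricted: a full-cone NAT, or one that honours UPnP mapping requests from the LAN, would admit more than this, which is the kind of detail a practitioner has to check on the actual device rather than assume from the word "NAT".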