Breaking Stuff by Fixing NAT

Crist J. Clark crist.clark at attbi.com
Tue Nov 12 00:04:07 UTC 2002


We have some dial-up-like customers behind a device doing the dreaded
Network Address Translation (NAT). We are doing one-to-one
NAT. Customers get PPP connections with 10/8 addresses. The NAT is
done far downstream from our end of the point-to-point connection at
the border with our ISP. Do not ask me why it was done that way. The
network engineers want to discontinue doing NAT. From our point of
view, NAT doesn't provide any benefits (it did take a while to get it
to sink in that it provides no security, and we do need to add some
BGP complexity since before packets could get NATed at any egress
point and find their way back). NAT only created continuous
headaches.

But there are still management reservations; the only reservation we
do not have a good answer for is the (arbitrary) claim that turning
off NAT may break stuff for customers who depend on it. Now we have
customers that do some pretty messed up stuff, and everybody knows
about various commercial apps that do really, really messed up stuff,
but none of us can think of anything that turning NAT off will
break. But perhaps all of our minds are just too cluttered with all of
the weird stuff that turning off NAT will allow to _work._

Has anyone here been in a similar situation? Did turning off NAT break
anything? Is anyone aware of or can think of anything that turning off
NAT might break? (Ignore the fact any customers connected during the
actual change may have service interrupted. I am only worried about
something that doesn't work next time they dial up after the change.)

Thanks.
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org


