Breaking Stuff by Fixing NAT

Crist J. Clark crist.clark at
Tue Nov 12 06:55:35 UTC 2002

On Mon, Nov 11, 2002 at 10:26:23PM -0500, Valdis.Kletnieks at wrote:
> On Mon, 11 Nov 2002 16:04:07 PST, "Crist J. Clark" <crist.clark at>  said:
> > Has anyone here been in a similar situation? Did turning off NAT break
> > anything? Is anyone aware of or can think of anything that turning off
> > NAT might break? (Ignore the fact any customers connected during the
> If the users have been getting a static address in the 10/8 range, they may
> have it hardcoded someplace.  If they've been getting their address/netmask/
> DNS/etc via DHCP, then they'd already have discovered it breaks when they
> hardcode it since the next time they connect they'll be up a creek.

As I stated in the original mail this is a dial-up-type service. The
connections are serial using PPP. The addresses are assigned within
PPP and are dynamic. They could get a different one within the block
every time they connect. Due to the nature of the service, we know for
sure that customers do not maintain always-on or almost always-on

Maybe a little diagram is in order,

 [Customer]-----["Modem"]---{OurNet}---[NATing Router]---{Internet}
          ^ PPP                                      ^
          |                                          |
          |                                          |                            AAA.BBB.CCC.0/24

The NATing Router does one-to-one NAT. It is _not_ a firewall. Once an
association between, say, <-> AAA.BBB.CCC.10 is
established by an outgoing packet, you _can_ send arbitrary datagrams
back to AAA.BBB.CCC.10 and they get to (The last octet
does not necessarily match up like that, however). There is _really_
no security benefit to the NAT.

This is what we are moving to,

          ^ PPP

(In actuality it's a little more complicated with multiple "modem"
banks and multiple egress points to the Internet.) So as far as the
_outside_ world is concerned, the addresses look the same. So, say
someone has firewall rules allowing our customers some special access
as they come across the Internet. This will _not_ break. The customers
still will have the same source address.

The thing we just know is that if we stand up in front of the upper
management and say, "There is no way this can possibly break
_anything,_" there will have been some brilliant idiot out there who
found a way to set up some unmanned site with a configuration that
gets broken and some customer raises holy hell when they have to fly a
helicopter out to some remote location to get in a tech to fix it.
Crist J. Clark                     |     cjclark at
                                   |     cjclark at    |     cjc at

More information about the NANOG mailing list