mh (RE: OMB: IPv6 by June 2008)

Daniel Senie dts at senie.com
Sat Jul 9 13:40:16 UTC 2005


At 03:51 PM 7/7/2005, David Andersen wrote:

>On Jul 7, 2005, at 3:41 PM, Andre Oppermann wrote:
>
>>
>>Fergie (Paul Ferguson) wrote:
>> >
>>>I'd have to counter with "the assumption that NATs are going
>>>away with v6 is a rather risky assumption." Or perhaps I
>>>misunderstood your point...
>>
>>There is one thing often overlooked with regard to NAT.  That is,
>>it has prevented many network based worms for millions of home
>>users behind NAT devices.  Unfortunatly this fact is overlooked
>>all the time.  NAT has its downsides but also upsides sometimes.
>
>Yes, but keep in mind that this benefit is completely unrelated to 
>NAT's purpose as an address space extender.  A stateful firewall 
>with a very simple rule (permit anything originated from the inside, 
>deny anything from outside except a few pesky protocols) would 
>accomplish exactly the same goal.

Indeed, the fact that most NAT implementations combine the address 
translation with stateful inspection (given it's the simplest way to 
implement NAPT, IMO), this is the case.


>And it would be much easier to punch holes through when you needed to.

No, it's the same. With a stateful inspection firewall operating as a 
transparent bridge or as a router, you still need to specify which 
protocols, ports and addresses to permit. It's exactly the same.


> From my perspective, the biggest benefit from home NAT devices is 
> that they were a vehicle for delivering such a firewall to millions 
> of windows boxes.  Unfortunately, this drug comes with a number of 
> harmful side effects, including nausea, blurred vision, and the 
> inability to deploy a number of new protocols.

The inability to deploy new protocols is exactly the same in many 
cases for a stateful inspection box on public addresses vs. a 
stateful inspection box doing NAT. The firewall must be aware of the 
protocol to permit it at all, and if there's going to be any hope of 
protecting the less secure equipment behind, those firewall devices 
must understand the details of the protocol. That still requires the 
vendor to do work.

Yes, the address translations still add another layer of trouble in 
that passing endpoint identifiers (which unfortunately are the same 
as IP addresses, given a lack of a host identification mechanism 
other than IP address) creates problems for protocol developers. 
However in most cases a good protocol design can be arrived at which 
does not run into these difficulties. Such ideas were documented some 
time ago by the IETF NAT WG as information to protocol designers.





More information about the NANOG mailing list