Security gain from NAT
marquis at roble.com
Wed Jun 6 00:44:40 UTC 2007
>> Sure, very easily, by using NAT between the subnets.

> Have at it. Nothing like trying to reach 10.10.10.10 and having
> to put in a dns entry pointing to 172.29.10.10

End-users prefer hostnames to IPs. DNS hostnames are valid on both
sides due to either local zone files or a DNS protocol-NAT. It's a
no-brainer to implement and a lot easier than using public address
space given the relatively complex firewalling and filtering that

> NAT'ing the address on your side to their side and from their
> side back to your side, and adding the rules. That's definitely
> simpler than allow a -> b for service c.

Not simpler than running something like "fixup protocol dns" on a

> I, for one, give up. No matter what you say I will never
> implement NAT, and you may or may not implement it if people
> make boxes that support it.

Most of the rest of us will continue to listen to both sides and
continue to prefer NAT, in no small part because of the absurd
examples and inconsistent terminology NATophobes seem to feel is
necessary to make their case.
Roble Systems Consulting
More information about the NANOG