Security gain from NAT

Roger Marquis marquis at
Wed Jun 6 02:53:26 UTC 2007

> So now the cruft extends and embraces, and you have to play DNS
> view games based on whether it's on company A's legacy net,
> company B's legacy net, or the DMZ in between them, and start
> poking around in the middle of DNS packets to tweak the replies
> (which sort of guarantees you can't deploy DNSSEC).

Are you proposing that every company use publicly routable address
space?  How about the ones that don't qualify for a /19 and so are
dependent on addresses owned by their upstream?

To change ISPs for example, would it be simpler to change the IP
address of every node in the company or to run NAT on the gateways?

How about multi-homing?  Can you even do it without NAT on a network
too small assign an AS?

In the mid-90s I was CSO at a company whose internal networks were
publicly routable thanks to a /16 they owned (though they really only
needed a few /24s).  In my experience, for every example of how
complex NAT is there are at least 10 counter-examples of how an
equivalent non-NATed network is more complex, less flexible, less
reliable, and less secure.

Roger Marquis
Roble Systems Consulting

More information about the NANOG mailing list