Security gain from NAT

Bill Stewart nonobvious at
Wed Jun 6 08:19:27 UTC 2007

On 6/5/07, Roger Marquis <marquis at> wrote:
> Are you proposing that every company use publicly routable address
> space?  How about the ones that don't qualify for a /19 and so are
> dependent on addresses owned by their upstream?

This discussion evolved from an IPv6 discussion, so there's plenty of
address space for everybody in the assumptions, and you can have a /48
even if a /64 is overkill.

> To change ISPs for example, would it be simpler to change the IP
> address of every node in the company or to run NAT on the gateways?

Unlike the security discussions, that's one area where NAT really does
make life easier for medium-large companies (either 1-1 NAT or PNAT
will do.)  It lets you number your internal space as 10/8, regardless
of what ISP or ISPs you're using externally, so if you have to change
one of your ISPs, you don't have to renumber anything except possibly
a couple of externally-visible servers and gateways.
Of course, that only remains true until some merger or acquisition
mashes your 10/8 address space into another company's 10/8 address
space , at which point you've still got work to do unless you were
both careful about taking random subnets of 10/8, e.g. 10.x/16 for
randomly selected x>10.

             Thanks;     Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.

More information about the NANOG mailing list