Security gain from NAT
nonobvious at gmail.com
Wed Jun 6 08:19:27 UTC 2007
On 6/5/07, Roger Marquis <marquis at roble.com> wrote:
> Are you proposing that every company use publicly routable address
> space? How about the ones that don't qualify for a /19 and so are
> dependent on addresses owned by their upstream?
This discussion evolved from an IPv6 discussion, so there's plenty of
address space for everybody in the assumptions, and you can have a /48
even if a /64 is overkill.
> To change ISPs for example, would it be simpler to change the IP
> address of every node in the company or to run NAT on the gateways?
Unlike the security discussions, that's one area where NAT really does
make life easier for medium-large companies (either 1-1 NAT or PNAT
will do.) It lets you number your internal space as 10/8, regardless
of what ISP or ISPs you're using externally, so if you have to change
one of your ISPs, you don't have to renumber anything except possibly
a couple of externally-visible servers and gateways.
Of course, that only remains true until some merger or acquisition
mashes your 10/8 address space into another company's 10/8 address
space, at which point you've still got work to do unless you were
both careful about taking random subnets of 10/8, e.g. 10.x/16 for
randomly selected x>10.
Note that this isn't my regular email account - it's still experimental so far.
And Google probably logs and indexes everything you send it.
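The merger collision the post describes is easy to check for mechanically. The following is an added example (not from the post or its author) that takes two companies' internal address plans and reports every overlapping pair of prefixes, then shows the effect of the randomised 10.x/16 choice the post suggests by estimating, with a constructed simulation, how often two independently randomised plans still collide. The sample plans, the x range 11..255, and the function names are this example's assumptions.

```python
import ipaddress
import random

# Constructed sample plans (not from the post): both companies numbered
# internally out of 10/8 and both took the "obvious" low /16s first.
PLAN_A_SEQUENTIAL = ["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]
PLAN_B_SEQUENTIAL = ["10.0.0.0/16", "10.1.0.0/16", "10.3.0.0/16"]


def find_overlaps(plan_a, plan_b):
    """Return (a, b) string pairs of prefixes from the two plans that overlap.

    Handles any mix of prefix lengths (a /16 against a /24 inside it is
    reported too), because ip_network.overlaps() checks containment in
    either direction.  strict=True rejects prefixes with host bits set,
    which usually indicates a typo in an address plan.
    """
    nets_a = [ipaddress.ip_network(p, strict=True) for p in plan_a]
    nets_b = [ipaddress.ip_network(p, strict=True) for p in plan_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def collision_free(plan_a, plan_b):
    """True when no prefix in plan_a overlaps any prefix in plan_b."""
    return not find_overlaps(plan_a, plan_b)


def random_private_16s(count, rng, low=11, high=255):
    """Pick `count` distinct 10.x.0.0/16 blocks with x in [low, high].

    The post's advice is random x > 10; the 11..255 bounds are this
    example's assumption, not a standard.  rng is a random.Random so the
    caller controls seeding.
    """
    xs = rng.sample(range(low, high + 1), count)
    return [f"10.{x}.0.0/16" for x in xs]


def collision_probability(n_a, n_b, trials, rng):
    """Estimate how often two companies that each picked n_a / n_b random
    /16s out of 10/8 independently end up with at least one overlap.

    Randomisation shrinks the problem but does not remove it: this is a
    birthday-style collision, so the rate grows with the number of /16s
    each side holds.
    """
    collisions = 0
    for _ in range(trials):
        plan_a = random_private_16s(n_a, rng)
        plan_b = random_private_16s(n_b, rng)
        if not collision_free(plan_a, plan_b):
            collisions += 1
    return collisions / trials


if __name__ == "__main__":
    print("sequential plans overlap on:", find_overlaps(PLAN_A_SEQUENTIAL, PLAN_B_SEQUENTIAL))
    rng = random.Random(2007)
    a, b = random_private_16s(3, rng), random_private_16s(3, rng)
    print("randomised plans:", a, b, "collision-free:", collision_free(a, b))
    print("estimated collision rate, 3 vs 3 random /16s:",
          collision_probability(3, 3, 2000, random.Random(1)))
```

In a merger due-diligence pass the same `find_overlaps` run over the full route tables of both sides tells you exactly which prefixes need renumbering or 1-1 NAT at the interconnect; the simulation is only there to show why picking a random x was worth the effort.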