Security gain from NAT: Top 5
mpalmer at hezmatt.org
Thu Jun 7 04:34:01 UTC 2007
On Wed, Jun 06, 2007 at 08:49:21PM -0700, Roger Marquis wrote:
> Problem is that NAT will not go away or even become less common in
> IPv6 networks for a number of reasons.
> #1 NAT advantage: it protects consumers from vendor
> Consider the advantage of globally unique public addressing to ISPs
> and telcos. Without NAT they have a very effective vendor lock-in.
> Want to change ISPs? It's only as easy as reconfiguring every device
> and/or DHCP server on your internal network. With NAT you only need
> to reconfigure a single device, sometimes not even that.
Isn't this the problem that router advertisements are meant to solve? Do
you have operational experience which suggests that they aren't a sufficient
> #2 NAT advantage: it protects consumers from add-on
> fees for addresses space.
> Given the 100 to 10,000% mark-ups many telcos and ISPs already charge
> for more than a /29 it should come as no surprise they would be
> opposed to NAT.
I was under the impression that each end-user of an IPv6 ISP got a /64
assigned to them when they connected.
> #3 NAT advantage: it prevents upstreams from limiting
> consumers' internal address space.
> Even after full implementation of IPv6 the trend of technology will
> continue to require more address space. Businesses will continue to
> grow and households will continue to acquire new IP-enabled devices.
> Without NAT consumers will be forced to request new netblocks from
> their upstream, often resulting in non-contiguous networks. Not
> surprisingly, often incurring additional fees as well.
By my calculations, the /64 of address space given to each connection will
provide about 18446744073709551616 addresses. Is that an insufficient
quantity for the average user of an ISP?
> #4 NAT advantage: it requires new protocols to adhere to
> the ISO seven layer model.
> H.323, SIP and other badly designed protocols embed the local address
> in the data portion of IP packets. This trend is somewhat discouraged
> by the layer-isolation requirements of NAT.
NAT doesn't seem to have stopped the designers of these protocols from
actually deploying their designs, though.
> #5 NAT advantage: it does not require replacement security
> measures to protect against netscans, portscans, broadcasts
> (particularly Microsoft's NetBIOS), and other malicious
> inbound traffic.
> The vendors of non-NAT devices would love to have you believe that
> their stateful inspection and filtering is a good substitute for the
> inspection and filtering required by NAT devices. Problem is the
> non-NAT devices all cost more, many are less secure in their default
> configurations, and the larger rulesets they are almost always
> configured with are less secure than the equivalent NAT device.
Haven't we already had this thread killed by the mailing list team today?
If only more employers realized that people join companies, but leave
bosses. A boss should be an insulator, not a conductor or an amplifier.
-- Geoff Kinnel, in the Monastery
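An added illustration of the point argued under "#5 NAT advantage" above; it is not code from the original post or from any of the participants. It models two gateways in front of a LAN: a masquerading NAT and a stateful filter that does no address rewriting at all. Both are run over the same constructed traffic trace (an outbound web request, the server's reply, an unsolicited probe on port 139, and a probe spoofing the server's address but a different port). The packet format, the class and function names, the addresses (RFC 1918 and RFC 5737 documentation ranges) and the port numbers are all constructed for this example; the trackers keep no timeouts or TCP state, which real devices do.

```python
"""NAT vs. stateful filtering: both drop unsolicited inbound traffic because
both keep a table of flows that an inside host initiated.  Address rewriting
is incidental to that property.  Constructed example, not from the thread."""
from dataclasses import dataclass

LAN_HOST = "10.0.0.5"          # constructed inside address
PUBLIC_IP = "198.51.100.1"     # constructed public address of the NAT box
REMOTE = "203.0.113.9"         # constructed web server the LAN host talks to
SCANNER = "192.0.2.77"         # constructed host sending unsolicited probes


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN


class StatefulFilter:
    """Stateful firewall without NAT: remembers flows opened from inside and
    admits an inbound packet only if it matches one of them."""

    def __init__(self):
        self.flows = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def process(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward", pkt  # no rewriting: the packet leaves unchanged
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "forward", pkt
        return "drop", pkt


class NatGateway:
    """Masquerading NAT: outbound flows get the public address and a fresh
    port; inbound packets are translated back only if a mapping exists."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.mappings = {}
        self.reverse = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> public_port

    def process(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.reverse:
                self.reverse[key] = self.next_port
                self.mappings[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                self.next_port += 1
            pub_port = self.reverse[key]
            return "forward", Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, "out")
        # Inbound: the mapping table is exactly the state table of a firewall.
        entry = self.mappings.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return "drop", pkt
        lan_ip, lan_port = entry
        return "forward", Packet(pkt.src, pkt.sport, lan_ip, lan_port, "in")


def run_scenario(device):
    """Feed the same four packets to a gateway; return (label, verdict) pairs."""
    decisions = []
    # 1. LAN host opens a web connection outbound.
    verdict, fwd = device.process(Packet(LAN_HOST, 51000, REMOTE, 80, "out"))
    decisions.append(("client request", verdict))
    # 2. Server replies to whatever source address/port it saw.
    verdict, _ = device.process(Packet(REMOTE, 80, fwd.src, fwd.sport, "in"))
    decisions.append(("server reply", verdict))
    # 3. Unsolicited probe at the NetBIOS session port (139) the thread mentions.
    verdict, _ = device.process(Packet(SCANNER, 4444, fwd.src, 139, "in"))
    decisions.append(("unsolicited probe", verdict))
    # 4. Probe spoofing the server's address but a port nobody inside used.
    verdict, _ = device.process(Packet(REMOTE, 80, fwd.src, fwd.sport + 1, "in"))
    decisions.append(("spoofed reply", verdict))
    return decisions


def outbound_source_seen(device):
    """Source address the remote server sees for the LAN host's request."""
    _, fwd = device.process(Packet(LAN_HOST, 51000, REMOTE, 80, "out"))
    return fwd.src


if __name__ == "__main__":
    for name, dev in (("stateful filter", StatefulFilter()),
                      ("NAT gateway", NatGateway(PUBLIC_IP))):
        print(name, run_scenario(dev), "remote sees", outbound_source_seen(dev))
```

Both gateways forward the request and its reply and drop both probes; the only difference is that the NAT box presents 198.51.100.1 to the server while the filter presents the host's own address. The inbound blocking the post credits to NAT comes from the flow table, which a stateful filter on a globally addressed IPv6 network keeps just the same.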