Security gain from NAT: Top 5
owen at delong.com
Thu Jun 7 04:43:30 UTC 2007
> #1 NAT advantage: it protects consumers from vendor
Speaking of FUD... NAT does nothing here that is not also accomplished
through the use of PI addressing.
> #2 NAT advantage: it protects consumers from add-on
> fees for addresses space.
More FUD. The correct solution to this problem is to make it possible
for end users to get reasonable addresses directly from RIRs for
> #3 NAT advantage: it prevents upstreams from limiting
> consumers' internal address space.
Regardless of the amount of growth, do you really see the likelihood
of any household _EVER_ needing more than 65,536 subnets?
I don't even know the exact result of multiplying out 16*1024^6, but,
I'm betting you can't fill 65,536 subnets that big ever no matter how
hard you try. So, again, I say FUD.
> #4 NAT advantage: it requires new protocols to adhere to
> the ISO seven layer model.
Quite the contrary... NAT has encouraged the development of hack upon
hack to accommodate these protocols. Please explain to me how you
would engineer a call setup/tear-down protocol for an independent
audio stream that didn't require you to embed addresses in the payload.
Until you can solve this problem, we will have to have protocols that
break this model. Other than from some sort of ISO purity model
(notice how popular OSI networking is today, compared to IP?), SIP
is actually a pretty clean solution to a surprisingly hard problem.
Unless you have a better alternative for the same capabilities, I'm
not buying it. We shouldn't have to give up useful features for
architectural purity. If the architecture can't accommodate real world
requirements, it is not the requirements that are broken.
That's sort of like saying that OSPF and BGP break the ISO layer model
because they talk about layer three addresses in layer 4-7 payload.
Heck, even IS-IS is broken by that definition. Again, I cry FUD.
> #5 NAT advantage: it does not require replacement security
> measures to protect against netscans, portscans, broadcasts
> (particularly microsoft's netbios), and other malicious
> inbound traffic.
??? This is pure FUD and patently untrue. Example: About the cheapest
NAT capable firewall you can buy is a Linksys WRT-54G. If you put
real addresses on both sides of it and change a single checkbox in the
configuration GUI, you end up with a Stateful Inspection firewall that
gives you all the same security you had with the NAT, but, without the
penalties imposed by NAT.
Until you can show me a box that is more than USD 40 cheaper than
a WRT-54G that cannot have NAT turned off, again, I cry FUD.
Oh, btw, a WRT-54G sells for about USD 40 last time I bought one
brand new at Best Buy, so, that's a pretty hard metric to meet.
> These are just some of the reasons why NAT is, and will continue to
> be, an increasingly popular technology for much more than address
Since each and every one of them is FUD, that is certainly the pot
calling the kettle black. Unfortunately, time and again, American politics has
proven that FUD is a successful marketing tactic, so, you are probably
right, there will probably be a sufficient critical mass of ignorant
and vendors that will buy into said FUD and avoid the real solution
in favor of continuing the abomination that is NAT and all the baggage
of STUN, difficult debugging, header mangling, address conflicts,
and the rest that tends to come with it.
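The point made above under #5 (a stateful inspection firewall with routable addresses on both sides gives the same inbound protection as NAT) can be written down as an actual ruleset. The following nftables fragment is an added example, not part of the original post or of any vendor's configuration; the interface names lan0 and wan0 are assumptions. It forwards only connections the inside initiated and drops all unsolicited inbound traffic, with no address translation anywhere.

```nftables
# Added example (not from the original post): stateful inspection
# without NAT. Globally routable addresses sit on both lan0 and wan0
# (interface names are assumptions), so nothing is rewritten.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already tracked by conntrack are allowed
        # back in; this is the "hole" NAT also relies on.
        ct state established,related accept

        # Segments conntrack cannot associate with a known flow
        # (stray SYN/ACKs, spoofed RSTs) are dropped outright.
        ct state invalid drop

        # Only the inside may open new connections toward the Internet.
        iifname "lan0" oifname "wan0" ct state new accept

        # Anything else arriving from wan0 (netscans, portscans,
        # NetBIOS 137-139/445, other unsolicited inbound) falls to policy drop.
    }
}
```

A NAT deployment of the same box would add a separate nat table with a masquerade rule in postrouting; the filter chain above stays identical, which is the post's argument: the inbound protection comes from connection tracking, not from the address rewrite.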