Security gain from NAT: Top 5
Matthew Palmer
mpalmer at hezmatt.org
Thu Jun 7 04:34:01 UTC 2007
On Wed, Jun 06, 2007 at 08:49:21PM -0700, Roger Marquis wrote:
> Problem is that NAT will not go away or even become less common in
> IPv6 networks for a number of reasons.
>
> #1 NAT advantage: it protects consumers from vendor
> lock-in.
>
> Consider the advantage of globally unique public addressing to ISPs
> and telcos. Without NAT they have a very effective vendor lock-in.
> Want to change ISPs? It's only as easy as reconfiguring every device
> and/or DHCP server on your internal network. With NAT you only need
> to reconfigure a single device, sometimes not even that.
Isn't this the problem that router advertisements are meant to solve? Do
you have operational experience which suggests that they aren't a sufficient
solution?
> #2 NAT advantage: it protects consumers from add-on
> fees for address space.
>
> Given the 100 to 10,000% mark-ups many telcos and ISPs already charge
> for more than a /29 it should come as no surprise they would be
> opposed to NAT.
I was under the impression that each end-user of an IPv6 ISP got a /64
assigned to them when they connected.
> #3 NAT advantage: it prevents upstreams from limiting
> consumers' internal address space.
>
> Even after full implementation of IPv6 the trend of technology will
> continue to require more address space. Businesses will continue to
> grow and households will continue to acquire new IP-enabled devices.
> Without NAT consumers will be forced to request new netblocks from
> their upstream, often resulting in non-contiguous networks. Not
> surprisingly, often incurring additional fees as well.
By my calculations, the /64 of address space given to each connection will
provide about 18446744073709551616 addresses. Is that an insufficient
quantity for the average user of an ISP?
> #4 NAT advantage: it requires new protocols to adhere to
> the ISO seven layer model.
>
> H.323, SIP and other badly designed protocols embed the local address
> in the data portion of IP packets. This trend is somewhat discouraged
> by the layer-isolation requirements of NAT.
NAT doesn't seem to have stopped the designers of these protocols from
actually deploying their designs, though.
> #5 NAT advantage: it does not require replacement security
> measures to protect against netscans, portscans, broadcasts
> (particularly microsoft's netbios), and other malicious
> inbound traffic.
>
> The vendors of non-NAT devices would love to have you believe that
> their stateful inspection and filtering is a good substitute for the
> inspection and filtering required by NAT devices. Problem is the
> non-NAT devices all cost more, many are less secure in their default
> configurations, and the larger rulesets they are almost always
> configured with are less secure than the equivalent NAT device.
Haven't we already had this thread killed by the mailing list team today?
- Matt
--
If only more employers realized that people join companies, but leave
bosses. A boss should be an insulator, not a conductor or an amplifier.
-- Geoff Kinnel, in the Monastery
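For readers of the thread weighing point #5: the property a NAT box gives you by accident (unsolicited inbound traffic has nowhere to go, replies to inside-initiated flows do) comes from its connection-tracking table, not from the address rewriting, and the same property can be stated explicitly for a routed IPv6 prefix. The following nftables ruleset is an added example and is not code from the original thread or from either poster. The interface names wan0 and lan0, the documentation prefix 2001:db8:1234::/48, and the single published host 2001:db8:1234:1::443 are assumed for illustration; adjust them to the delegated prefix and interfaces of the site in question.

```nft
#!/usr/sbin/nft -f
# Added example (not from the NANOG thread): an IPv6 edge filter that provides
# NAT's "only replies to what we started get in" behaviour without translating
# addresses. Interface names, prefix and host address are assumptions.

flush ruleset

table inet edge {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # The state table is the part of a NAT device that actually protects:
        # packets belonging to a flow the inside initiated are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # Anything started from the inside may leave.
        iifname "lan0" oifname "wan0" accept

        # IPv6 does not work without these ICMPv6 error messages (PMTU discovery
        # in particular); echo requests are allowed but rate-limited.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        iifname "wan0" icmpv6 type echo-request limit rate 10/second accept

        # One deliberate hole for a published service (assumed address).
        iifname "wan0" ip6 daddr 2001:db8:1234:1::443 tcp dport 443 ct state new accept

        # NetBIOS/SMB from the outside would already fall to the drop policy;
        # matching it explicitly with a counter makes the scans visible in
        # "nft list ruleset" instead of silently disappearing.
        iifname "wan0" tcp dport { 137, 138, 139, 445 } counter drop
        iifname "wan0" udp dport { 137, 138 } counter drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Neighbour discovery and router advertisement/solicitation, which is
        # what lets hosts on lan0 learn the prefix without per-host configuration.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept

        # Management from the inside only; nothing unsolicited from wan0
        # reaches the router itself.
        iifname "lan0" tcp dport 22 ct state new accept
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`. The forward chain is the whole of the "replacement security measure" the thread argues about: default drop, established and related state accepted, explicit holes listed one per line. Whether that is more or less secure than a NAT device's defaults comes down to those few lines being present and correct, which is the same review a NAT ruleset needs.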