the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

Valdis.Kletnieks at vt.edu
Tue Apr 27 20:31:05 UTC 2010


On Tue, 27 Apr 2010 14:54:07 EDT, Jon Lewis said:

> I think you forget where most networking is done.  Monitoring?  You mean
> something beyond walking down the hall to the network closet and seeing
> all the blinking lights are flashing really fast?

That site will manage to chucklehead their config whether or not it's NAT'ed.

> How about the typical home DSL/Cable modem user?

And they won't manage to chucklehead their config, even if it's not NAT'ed.

> Do you think they even know what SNMP is?  Do you think they have host
> based firewalls on all their PCs?

Hmm... Linux has a firewall.  MacOS has a firewall. Windows XP SP2 or later
has a perfectly functional firewall out of the box, and earlier Windows had
a firewall but it didn't do 'default deny inbound' out of the box.

Those people with XBoxes and Playstations and so on can take it up with their
vendors - they were certainly *marketed* as "plug it in and network", and at
least my PS/2 and PS/3 didn't come with a "Warning: Do Not Use Without a NAT"
sticker on them.

So who doesn't have a host-based firewall in 2010? The idea is old enough
that it's *really* time to play name-and-blame.

> Do you want mom and dad's PCs exposed on the internet, or neatly hidden
> behind a NAT device they don't even realize is built into their
> cable/DSL router?

Be careful here - I know that at least in my neck of Comcast cable, you can go
to Best Buy, get a cablemodem, plug the cable in one side, plug an ethernet and
one machine in the other side, and be handed a live on-the-network DHCP address
that works just fine except for outbound port 25 being blocked.  For the past
month or so, my laptop has gotten 71.63.92.124 every night when I get home,
which certainly doesn't look very NAT'ed.

Are you *really* trying to suggest that a PC is not fit-for-purpose
for that usage, and *requires* a NAT and other hand-holding?

And for the record - I don't worry about my mother's PC being exposed on the
Internet, because she's running Vista, which has a sane firewall by default.
What *does* worry me is that she's discovered Facebook, and anything she clicks
on there will not have the *slightest* bit of trouble whomping her machine
through a NAT.

Let's be realistic - what was the last time we had a *real* threat that a
NAT would have stopped but the XP SP2 firewall would not have stopped? And
how many current threats do we have that are totally NAT-agnostic?

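The question at the end of the post (what does a NAT stop that a stateful host firewall does not?) comes down to which packets each device's connection table admits. The model below is an added illustration, not code from Valdis's post or from any vendor; it reduces both devices to the same decision: an outbound connection creates table state, a reply that matches that state is accepted, and an unsolicited inbound SYN is dropped unless something explicitly opened the port. It also models the pre-SP2 Windows case the post mentions (a firewall that does not default-deny inbound). The addresses and ports are constructed sample values, and the NAT is a simplified port-restricted NAT with no port forwards.

```python
"""Stateful-filter model: unsolicited inbound vs. user-initiated outbound.

Added example (not from the NANOG post).  Two devices the post compares are
reduced to their connection tables: a host firewall with a default-deny-inbound
policy, and a home NAT router with no static port forwards.  Addresses below
are constructed sample values from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # True for the first packet of a new TCP connection
    inbound: bool   # True if the packet arrives from the Internet side


class HostFirewall:
    """Host-based stateful filter.  default_deny_inbound=False models the
    older Windows behaviour the post describes: a firewall is present, but
    unsolicited inbound connections are not blocked by default."""

    def __init__(self, local_ip, default_deny_inbound=True, listen_ports=()):
        self.local_ip = local_ip
        self.default_deny_inbound = default_deny_inbound
        self.listen_ports = set(listen_ports)  # services deliberately exposed
        self.flows = set()                     # (local_ip, lport, remote_ip, rport)

    def decide(self, p):
        if not p.inbound:
            if p.syn:                          # remember connections we opened
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"                    # reply to a flow we started
        if p.syn and (not self.default_deny_inbound or p.dport in self.listen_ports):
            return "ACCEPT"                    # new inbound connection permitted
        return "DROP"


class NatRouter:
    """Port-restricted NAT, no port forwards.  Outbound traffic creates a
    mapping; an inbound packet is delivered only if a mapping matches it."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.out_map = {}  # (priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.in_map = {}   # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def decide(self, p):
        if not p.inbound:
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
                self.next_port += 1
            return "ACCEPT"                    # leaves as (public_ip, mapped port)
        inside = self.in_map.get((p.dport, p.src, p.sport))
        return "ACCEPT" if inside else "DROP"  # no mapping: nowhere to deliver it


def compare(default_deny_inbound=True):
    """Run the post's two cases through both devices; return their decisions."""
    pc, public = "192.168.1.10", "203.0.113.7"          # constructed addresses
    scanner, web = "198.51.100.9", "198.51.100.80"
    fw = HostFirewall(pc, default_deny_inbound)         # PC plugged straight into the modem
    nat = NatRouter(public)                             # PC behind a home router
    results = {}

    # 1. Unsolicited inbound SYN to 445: the traffic a network worm sends.
    results["unsolicited inbound 445"] = {
        "host_fw": fw.decide(Packet(scanner, 51234, pc, 445, True, True)),
        "nat": nat.decide(Packet(scanner, 51234, public, 445, True, True)),
    }

    # 2. The user clicks a link: outbound SYN to a web server on port 80.
    req = Packet(pc, 50001, web, 80, True, False)
    results["outbound http request"] = {"host_fw": fw.decide(req), "nat": nat.decide(req)}

    # 3. The server replies; whatever the page carries rides this flow in.
    mapped = nat.out_map[(pc, 50001, web, 80)]
    results["http reply"] = {
        "host_fw": fw.decide(Packet(web, 80, pc, 50001, False, True)),
        "nat": nat.decide(Packet(web, 80, public, mapped, False, True)),
    }
    return results


if __name__ == "__main__":
    for case, verdict in compare().items():
        print(f"{case:25s} host firewall={verdict['host_fw']:6s} NAT={verdict['nat']}")
    print("pre-SP2 style host, inbound 445:",
          compare(default_deny_inbound=False)["unsolicited inbound 445"]["host_fw"])
```

The two tables disagree only when the host firewall is configured without default-deny inbound; with that policy on, both drop the unsolicited SYN and both pass the reply to a connection the user opened, which is the point the post makes about a click on a web page going straight through a NAT.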