Keith Moore <moore@cs.utk.edu> writes:

> > > similarly, people who install NAT usually don't realize how much this
> > > costs them in lost functionality and reliability.
> >
> > Really? You have evidence of this?
>
> the evidence I have is from reading vendor advertisements for NAT boxes,
> and from talking to people who run networks that use NAT. it's not
> a random sample, perhaps not a statistically significant one, but it's
> been enough to convince me personally that the delusion is widespread.

You can perhaps understand why I wouldn't consider this a particularly
convincing line of argument.

> > I don't either, but my intuition is that you're wrong. Once you have
> > decided to have a firewall in place (which you may think is evil, but
> > I consider pretty much a necessary evil), I suspect that most people
> > suffer almost not at all from having a NAT.
>
> depends on what you mean by "firewall" (which these days is a pretty
> vague term). but there are several primary effects of NAT - one being
> that addresses are not maintained end-to-end, another being that NATs
> cause address-to-host bindings to be ephemeral when they would otherwise
> not be, and another being that (for NAPTs anyway) attempts to initiate
> traffic across the NAPT are blocked in one direction. there is rarely
> a significant benefit in a firewall doing the first two of these. a good
> firewall has the capability to block traffic in either direction, or not, on a
> case-by-case basis, and can be adjusted according to the needs of its users.

Yes, but these are philosophical objections. What applications that
people want to run--and the IT managers would want to enable--are
actually inhibited by NAT? It seems to me that most of the applications
inconvenienced by NAT are ones that IT managers would want to screen off
anyway.

-Ekr

--
[Eric Rescorla ekr@rtfm.com]
Web Log: http://www.rtfm.com/movabletype
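The three NAPT effects Keith lists above (source addresses rewritten so they are not end-to-end, bindings that are ephemeral, and inbound initiation blocked) can be seen in a toy translator. This is an added example, not code from the thread; it assumes an endpoint-restricted NAPT with idle-timeout bindings, one public address, and constructed RFC 5737 documentation addresses.

```python
class Napt:
    """Toy port-overloading NAT (NAPT). Bindings expire after `ttl` idle seconds.
    Assumption: endpoint-restricted behaviour, so an inbound packet is only
    forwarded if it comes from the peer the binding was created for."""

    def __init__(self, external_ip, ttl=60.0, first_port=40000):
        self.external_ip = external_ip
        self.ttl = ttl
        self.next_port = first_port
        self.out = {}  # (in_ip, in_port, dst_ip, dst_port) -> (ext_port, last_seen)
        self.inb = {}  # ext_port -> (in_ip, in_port, dst_ip, dst_port)

    def _expire(self, now):
        # Ephemeral bindings: anything idle longer than ttl is dropped.
        for key, (port, seen) in list(self.out.items()):
            if now - seen > self.ttl:
                del self.out[key]
                del self.inb[port]

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Translate an inside->outside packet; the peer never sees src_ip."""
        self._expire(now)
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.out:
            port = self.out[key][0]
        else:
            port = self.next_port
            self.next_port += 1
            self.inb[port] = key
        self.out[key] = (port, now)
        return (self.external_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, now):
        """Translate an outside->inside packet, or return None (dropped)."""
        self._expire(now)
        key = self.inb.get(dst_port)
        if key is None or (key[2], key[3]) != (src_ip, src_port):
            return None  # no matching binding: unsolicited inbound traffic is blocked
        self.out[key] = (dst_port, now)
        return (src_ip, src_port, key[0], key[1])


def demo():
    """Constructed exchange: one flow, one reply, one unsolicited probe, one stale reply."""
    nat = Napt("203.0.113.1", ttl=30)
    pkt = nat.outbound("10.0.0.5", 5000, "198.51.100.9", 80, now=0)   # rewritten source
    reply = nat.inbound("198.51.100.9", 80, pkt[1], now=1)            # mapped back inside
    unsolicited = nat.inbound("198.51.100.77", 443, 40555, now=1)      # no binding: dropped
    stale = nat.inbound("198.51.100.9", 80, pkt[1], now=100)          # binding expired: dropped
    return pkt, reply, unsolicited, stale
```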