On Wed, 18 Jun 2003 21:30:35 PDT, Eric Rescorla said:
> This seems to me like a false dichotomy. If I were deploying a NAT
> (which I didn't) there would be certain things I would care about
> and others I didn't. If I'm already firewalling off these services,
> why should I care if NAT blocks them?

So it's OK for NAT to break any application that *you* don't want to let through *your* firewall anyhow. What's wrong with this picture?

Well... Sure, if you currently only allow 3 ports through your firewall anyhow, and those 3 applications happen to be NAT-tolerant, it's probably no impact on YOUR site. Of course, if you *ever* encounter an application that your site wants to allow through the firewall, but you discover that you STILL can't deploy it because NAT breaks it, you'll be wanting some mayonnaise to make that crow sandwich go down more easily.

You're missing the point that when a firewall breaks things, it's doing its job. When a NAT breaks things, it's failing to do its job.

Now let's say a firewall is a pair of suspenders, and a NAT is a belt. This makes your position: "I don't care that my belt unzips my trousers every time I go through a revolving door, because I'm never in a situation where failure of my suspenders would be an embarrassment".

As Randy Bush says: "I invite my competitors to design their networks this way".

>> Or is the only reason you have NAT at all because you bought some vendor's
>> "connection appliance in a box" that proceeded to NAT you regardless of your
>> desires?

> Why is it so hard for people here to believe that customers might
> actually know what they want, even if you don't happen to think
> it's a good idea?
Tell you what - you round up all the big domains that actually have a clue about what they want, and who understand the distinction between a firewall and a NAT (even if they are in the same box), and I'll round up all the users who are scratching their heads because they have a cable modem or an ADSL modem (either ISP-provided or off the shelf at Walmart) that is an all-in-one modem/router/firewall/NAT, and some stuff Just Does Not Work. And unfortunately, a lot of the Just Does Not Work stuff are applications like H.323 and VOIP that Joe Sixpack actually *might* be interested in.