Re: myth of the great transition (was US Defense Department formally adopts IPv6)

Valdis.Kletnieks@vt.edu writes:

> On Wed, 18 Jun 2003 21:30:35 PDT, Eric Rescorla said:
> 
> > This seems to me like a false dichotomy. If I were deploying a NAT 
> > (which I didn't) there would be certain things I would care about
> > and others I didn't. If I'm already firewalling off these services,
> > why should I care if NAT blocks them?
> 
> So it's OK for NAT to break any application that *you* don't want to
> let through *your* firewall anyhow.
Yes, it's ok for *my* NAT to do so.

> What's wrong with this picture?  Well.. Sure, if you currently only allow
> 3 ports through your firewall anyhow, and those 3 applications happen to
> be NAT-tolerant, it's probably no impact on YOUR site.
> 
> Of course, if you *ever* encounter an application that your site wants to
> allow through the firewall, but you discover that you STILL can't deploy it
> because NAT breaks it, you'll be wanting some mayonnaise to make that crow
> sandwich go down more easily.
>
> You're missing the point that when a firewall breaks things, it's doing
> its job.  When a NAT breaks things, it's failing to do its job.
Obviously, I disagree.

> Now let's say a firewall is a pair of suspenders, and a NAT is a belt.  This
> makes your position:
> 
> "I don't care that my belt unzips my trousers every time I go through a
> revolving door, because I'm never in a situation where failure of my
> suspenders would be an embarrassment".
You've got it absolutely backwards. The fact that the NAT breaks applications
that I don't want to run anyway is a FEATURE, not a bug.

> Tell you what - you round up all the big domains that actually have a clue
> about what they want, and who understand the distinction between a firewall and
> a NAT (even if they are in the same box), and I'll round up all the users who
> are scratching their heads because they have a cablemodem or an ADSL modem
> (either ISP-provided or off the shelf at Walmart) that is an all-in-one modem/
> router/firewall/NAT, and some stuff Just Does Not Work.
> 
> And unfortunately, a lot of the Just Does Not Work stuff are applications
> like H.323 and VOIP that Joe Sixpack actually *might* be interested in.

Ah, the eternal lament of the technocrat who can't understand why the
customers don't want what he knows is so obviously good for them. 

If this were actually a real problem, I'd expect that someone would
be making good money offering service which didn't have this 
problem. Strangely, however, people still seem to buy these products
of which you so obviously disapprove. I guess they don't think the
downside is so terrible.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
           Web Log: http://www.rtfm.com/movabletype
