--On Monday, 02 July, 2007 13:06 -0400 Jeffrey Hutzelman <jhutz@xxxxxxx> wrote:

>...
> That is _not_ because NAT makes the network more secure - it
> doesn't.
> It's because most of the people buying those boxes "need" NAT
> because their ISP's won't give them more than one address, or
> at least won't do so for a reasonable price. Fix _that_
> problem, and you'll start seeing boxes that provide security
> and flexibility without needing NAT.

Jeff,

I completely agree with your basic comment, and with your comment about FUD. However, the problem is not _only_ "one address only" policies, as I and others have pointed out. In particular...

(1) For the ISP selling a low-end service, having all user LANs with the same configuration (or being able to tell users with different configurations that they are on their own) considerably reduces support costs. Since, at the low [pricing] end, a single call can cancel out several months of profits, minimizing customer support costs and calls can be very significant.

(2) While DHCP could, in principle, be used to deliver an address range to a router for use on the LAN behind it, I know of no devices, especially low-end devices, that support such a service.

(3) If a user is given a small pool of public addresses (say the /28 that is fairly typical for SOHO "business" services), and has to use that pool for both the external (WAN-side) address on the router and for the LAN-side, setting up the router suddenly becomes a job for experts, with some very specific routing requirements. For devices costing under $200 (much less $50), I know of no vendors or ISPs who are willing to offer support and walk users through this process. Maybe I just haven't looked hard enough, of course.

Of course, almost none of the issues above are likely to go away, or even get better, with IPv6... unless we make some improvements elsewhere.

And none of them make NAT a good idea, just a "solution" that won't easily go away unless we have plausible alternatives for _all_ of its purported advantages, not just the address space one.

john

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf