On Mon, 2003-10-06 at 05:36, bill davidsen wrote: > In article <1065035768.2548.8.camel@ranjeet-pc2.zultys.com>, > Ranjeet Shetye <ranjeet.shetye2@zultys.com> wrote: > > | Here's my take on it. > | > | NAT is not an elegant standard. Its a hack to provide a temporary fix > | for the IPv4 address space crunch. On the other hand, IPSec is a good > | standard and is also mandatory for IPv6. Hence the focus should be on > | IPSec much more than on NAT. > > I think you are starting from a totally incorrect premise. NAT is not a > solution to an address space crunch, it is a way to have many servers > behind a load balancing firewall, a way to have all outgoing mail come > from a single IP (that of the inbound mail cluster), and a way to make > all http clients have the same IP address (which doesn't accept any > incoming connections) as part of a total security approach, to name a > few uses. What you are describing is how people have adapted NAT from its original purpose. DNS-based load-balancing is the "correct" way to do load-balancing across publicly accessible servers that are protected using packet filtering, but people want to shortcut all that using NAT. Fine. I have no issues with that. Let people use whatever makes them happy. However NAT does not provide ANY security from the knowledgeable e.g. hping can work around NAT (using crafted RST responses) to give you an idea of what the private network looks like. You want network level security, do packet filtering (stateful preferably). You want VPN, use IPSec. And to clarify, here's why NAT was designed in the first place. RFC 1631 " Abstract The two most compelling problems facing the IP Internet are IP address depletion and scaling in routing. Long-term and short-term solutions to these problems are being developed. The short-term solution is CIDR (Classless InterDomain Routing). The long-term solutions consist of various proposals for new internet protocols with larger addresses. It is possible that CIDR will not be adequate to maintain the IP Internet until the long-term solutions are in place. This memo proposes another short-term solution, address reuse, that complements CIDR or even makes it unnecessary. The address reuse solution is to place Network Address Translators (NAT) at the borders of stub domains. Each NAT box has a table consisting of pairs of local IP addresses and globally unique addresses. The IP addresses inside the stub domain are not globally unique. They are reused in other domains, thus solving the address depletion problem. The globally unique IP addresses are assigned according to current CIDR address allocation schemes. CIDR solves the scaling problem. The main advantage of NAT is that it can be installed without changes to routers or hosts. This memo presents a preliminary design for NAT, and discusses its pros and cons. " This clearly tells you that 1. NAT was invented as an "address reuse" solution to solve the address space crunch. 2. NAT was a temporary solution that was to be discarded when IPv6 came into its own. > In short it's a general purpose tool, and you are looking at a subset of > a single capability (hiding internal addresses, routable or not) as if > it were the whole purpose of the tool. > > NAT is a valuable solution to many problems, and I don't think IPv6 is > going to reduce the usefulness of the tool. That's my read on NAT, it > needs to be a fully supported function of any network solution, which is > most easily done by planning for that from the early stages of any > implementation. -- Ranjeet Shetye Senior Software Engineer Zultys Technologies Ranjeet dot Shetye2 at Zultys dot com http://www.zultys.com/ The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys. - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
