Educause Security Discussion mailing list archives

Re: Large edu's doing NAT campus wide?


From: Brian Paige <paige () OAKLAND EDU>
Date: Mon, 30 Apr 2007 10:42:54 -0400

Joe,

We're a moderately large university (Approx. 17,000) and have been using
campus-wide NAT for a number of years.  The initial driver for this was
to accommodate a multi-year address restructuring program -- we had to
subnet our flat /16 address space and needed an intermediate addressing
scheme in order to do so.  Internal private addresses are assigned
using DHCP, and those DHCP addresses are then allocated NAT addresses from
pre-defined NAT pools in their appropriate public address ranges.  This
has worked very well for us, and, although some addresses may move back to
public IP space, there is no rush to do so (the relationship between our
inside DHCP and NAT makes this very easy in both directions).

I would assert that besides this, NAT has two additional advantages for
us.  First, as discussed in earlier posts, since our NAT addresses are
only nailed up for a short period of time (variable depending on the
pool) we have found it has some secondary security advantages ... did
someone refer to it as a "security bump" in a previous post?  I don't
think NAT should be considered exclusively for security purposes, but if
you have a need to use NAT, this is a marginal benefit.  Second, I would
agree with several of the folks who posted concerning address
portability ... in the event that external addresses change, a network
that utilizes NAT in its architecture may be less impacted.

Someone mentioned NAT+VPN and we're doing some of that here.  Systems
with non-NAT'd private address space are reachable only via VPN access.

I agree with the upsides and downsides discussed in all the previous
responses: it does require careful planning, good logging, isn't a
be-all-end-all to security, is best utilized where there are addressing
issues, and can "break" some services, but we have been able to
accommodate all of these issues here at Oakland and found NAT to be
quite useful.  Long story short ... we're not a formal case study, but,
pragmatically, it works here.

We're fortunate that we can do 1:1 NAT.  Makes the identification
portion easier than PAT or NAT overload.  Good luck on your presentation.

Regards,

Brian Paige
Lead Network Engineer
Oakland University


Joe St Sauver wrote:

Hi,

Is anyone aware of a study of large edu's who are doing NAT
campus wide?

I know the universal answer machine (aka Google) probably knows,
but my Google-foo is failing me on this one.

Assuming the problem is actually that no one has done a study
of this so far, I'd also be delighted to hear about any noteworthy
individual campus examples which folks may happen to know about.

Thanks,

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/
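The point Brian makes about 1:1 NAT making "the identification portion easier than PAT or NAT overload" comes down to how many records you must join, and on which keys, when an abuse report arrives naming a public address and a time. The script below is an added example written for this page, not code from the original post or from Oakland University. It assumes a DHCP lease log and a NAT translation log in a made-up whitespace-separated format (real devices use vendor-specific syslog formats); all addresses, MACs and timestamps are constructed for illustration, with 192.0.2.0/24 standing in for public space. It shows that with 1:1 NAT a (public IP, time) pair resolves to one inside host, while under PAT the same pair is ambiguous unless the reporter also supplies the source port.

```python
"""Map a public IP from an abuse report back to an inside host.

Added example, not from the original list post. The log formats and all
addresses below are constructed for illustration only.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed DHCP lease log: lease_start lease_end inside_ip client_mac
DHCP_LOG = """\
2007-04-30T07:55:00 2007-04-30T15:55:00 10.20.5.17 00:11:22:33:44:55
2007-04-30T08:10:00 2007-04-30T16:10:00 10.20.5.18 00:11:22:33:44:66
"""

# Constructed 1:1 NAT log: start end inside_ip public_ip
# (a public address is nailed up to one inside address for a bounded time)
NAT_1TO1_LOG = """\
2007-04-30T08:00:00 2007-04-30T10:00:00 10.20.5.17 192.0.2.45
2007-04-30T10:00:00 2007-04-30T12:00:00 10.20.5.18 192.0.2.45
"""

# Constructed PAT log: start end inside_ip inside_port public_ip public_port
# (many inside hosts share one public address at the same moment)
NAT_PAT_LOG = """\
2007-04-30T09:00:00 2007-04-30T09:05:00 10.20.5.17 51000 192.0.2.45 40001
2007-04-30T09:00:00 2007-04-30T09:05:00 10.20.5.18 52000 192.0.2.45 40002
"""


def _parse(text, fields):
    """Turn one constructed log into a list of dicts with datetime bounds."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        rec["start"] = datetime.strptime(rec["start"], FMT)
        rec["end"] = datetime.strptime(rec["end"], FMT)
        rows.append(rec)
    return rows


def _active(rows, when, skew=timedelta(0), **match):
    """Records whose [start, end) window covers `when`, widened by `skew`
    to tolerate clock drift between the reporter and our loggers, and
    whose fields equal the given match values."""
    return [r for r in rows
            if r["start"] - skew <= when < r["end"] + skew
            and all(r[k] == v for k, v in match.items())]


def inside_ips_1to1(public_ip, when, nat_log=NAT_1TO1_LOG, skew=timedelta(0)):
    """1:1 NAT: public IP plus time is enough to name one inside address."""
    rows = _parse(nat_log, ("start", "end", "inside_ip", "public_ip"))
    return sorted({r["inside_ip"] for r in _active(rows, when, skew, public_ip=public_ip)})


def inside_ips_pat(public_ip, when, public_port=None, nat_log=NAT_PAT_LOG,
                   skew=timedelta(0)):
    """PAT / NAT overload: without the public source port the lookup
    returns every inside host sharing that public address at that time."""
    rows = _parse(nat_log, ("start", "end", "inside_ip", "inside_port",
                            "public_ip", "public_port"))
    match = {"public_ip": public_ip}
    if public_port is not None:
        match["public_port"] = str(public_port)
    return sorted({r["inside_ip"] for r in _active(rows, when, skew, **match)})


def macs_for_inside_ip(inside_ip, when, dhcp_log=DHCP_LOG, skew=timedelta(0)):
    """Join the inside address against DHCP leases to reach a client MAC."""
    rows = _parse(dhcp_log, ("start", "end", "inside_ip", "mac"))
    return sorted({r["mac"] for r in _active(rows, when, skew, inside_ip=inside_ip)})


def identify(public_ip, when, public_port=None, mode="1to1", skew=timedelta(0)):
    """Candidate client MACs for an external report.

    An empty list means no translation was active (wrong time, or logs
    rotated); more than one entry means the report is ambiguous and the
    reporter must supply the source port (PAT) or a tighter timestamp."""
    if mode == "1to1":
        inside = inside_ips_1to1(public_ip, when, skew=skew)
    else:
        inside = inside_ips_pat(public_ip, when, public_port, skew=skew)
    macs = set()
    for ip in inside:
        macs.update(macs_for_inside_ip(ip, when, skew=skew))
    return sorted(macs)


if __name__ == "__main__":
    t = datetime(2007, 4, 30, 9, 2, 0)
    print("1:1 NAT, IP+time      :", identify("192.0.2.45", t))
    print("PAT, IP+time          :", identify("192.0.2.45", t, mode="pat"))
    print("PAT, IP+time+port     :", identify("192.0.2.45", t, 40002, mode="pat"))
```

The `skew` parameter is the caveat a practitioner will hit first: an external reporter's clock rarely matches the NAT device's, so a strict time match can miss the record, while too wide a window starts returning neighbouring translations of the same public address. Keeping NAT and DHCP logs on a common, NTP-disciplined clock is what makes the join trustworthy in either mode.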


