Firewall Wizards mailing list archives
NAT!!
From: Russ <Russ.Cooper () rc on ca>
Date: Fri, 19 Sep 1997 04:14:25 -0400
Might as well get this one out of the way...;-]

NAT (Network Address Translation) and the use of Private Address space (see RFC1918 for more detail at ftp://ds.internic.net/rfc/rfc1918.txt) sure seems to be the addressing method of choice by a number of folks here. It's surprising considering the array of ramifications.

Now considering that the authors seemed more intent on preventing the depletion of the Internet routable address pool by providing those that didn't need Internet connectivity a way to use IP, rather than promoting the use of these address spaces with NAT (translation isn't mentioned once in the RFC), I'd suggest that the long term and prolific use of NAT may be counter to the Internet as a whole.

The RFC states three categories of hosts, the second of which were designated as going through "application layer gateways". This is not NAT, but proxies, and is, imo, quite different. Hosts behind NAT devices are being used for their category 3 hosts, namely "hosts that need network layer access outside the enterprise". In this category, the RFC explicitly states that category 3 hosts should "require IP addresses that are globally unambiguous". This fact applies to both hosts which require access to the Internet and hosts which require access to other networks. Any host which participates, ***or has the potential to participate*** in network layer communications with a disparate network (i.e. the newly purchased division which has recently joined the internal WAN) should "require IP addresses that are globally unambiguous".

As Extranets proliferate this issue will become larger and larger (i.e. the issue of hosts behind NAT devices).

Imagine any Firewall implementation that uses tunneling. My Tunnel server assigns addresses to remote clients based on my internal addressing. I use 10.0.1.x for my Tunnel Server's subnet to serve up. The client whom I'm trying to enable tunneling for also uses 10.0.1.x on their local network. Client connects to the Tunnel Server o.k. (thanks to NAT), but then gets assigned an address within their own internal address space (behind their Firewall). Now what???

Besides, it sure as heck isn't NAT (in and of itself) that keeps your addresses private. I dare anyone to suggest that NAT provides security...;-] We should at least be able to agree on that point!! If NAT's in a Firewall, then it's the Firewall that keeps your addresses private, the NAT component merely does the translation while the Firewall ensures there's no leakage or source-routing permitted, right??

So my point is that if you are suggesting the use of RFC1918, you need to clearly understand both the present, and future, network requirements of the hosts who may use said addresses. If you're behind a Proxy Firewall, and definitely will not open a plug-gw type conduit, and do not use tunneling, then you might be fine...otherwise, I'd say get yourself official addresses...

Comments??

Cheers,
Russ
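The tunnel-address collision Russ describes (the tunnel server hands out 10.0.1.x while the remote client's own LAN is already 10.0.1.x) is the kind of thing that can be checked before a pool is ever assigned. The following is an added example, not code from the post or from any product mentioned in it; the function names, the two sample networks and the /24 pool size are constructed for illustration. It uses the standard `ipaddress` module to flag RFC1918 overlap between a proposed tunnel pool and a client's local networks, and to pick a private /24 that collides with neither side.

```python
import ipaddress

# The three private blocks defined in RFC1918.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_private(net):
    """True if `net` lies entirely inside one of the RFC1918 blocks."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(tunnel_pool, client_nets):
    """Return the client networks that overlap the proposed tunnel pool.

    A non-empty result is the failure mode from the post: a remote client
    would be handed a tunnel address that is also routable on its own LAN,
    so replies may never leave the client's network.
    """
    pool = ipaddress.ip_network(tunnel_pool, strict=False)
    clashes = []
    for c in client_nets:
        c = ipaddress.ip_network(c, strict=False)
        if pool.overlaps(c):
            clashes.append(str(c))
    return clashes


def pick_free_pool(used_nets, prefixlen=24):
    """Pick the first RFC1918 subnet of size /prefixlen that overlaps none of
    `used_nets` (both the server's internal networks and the client's).
    Returns None if private space is exhausted at that prefix length.
    """
    used = [ipaddress.ip_network(u, strict=False) for u in used_nets]
    for block in RFC1918:
        for cand in block.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(u) for u in used):
                return str(cand)
    return None


if __name__ == "__main__":
    # Constructed scenario mirroring the post: both sides use 10.0.1.0/24.
    server_tunnel_pool = "10.0.1.0/24"
    server_internal = ["10.0.0.0/16"]
    client_local = ["10.0.1.0/24", "192.168.1.0/24"]

    clashes = find_overlaps(server_tunnel_pool, client_local)
    print("tunnel pool", server_tunnel_pool, "clashes with client nets:", clashes)

    # Choose a replacement pool that neither side already uses.
    print("free /24 for the tunnel:", pick_free_pool(server_internal + client_local))
```

The check is only as good as the inventory fed to it: `client_local` has to include every network the remote site can reach, including ones it might merge in later, which is the same forward-looking requirement the post raises for hosts that may someday talk to a disparate network.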
Current thread:
- NAT!! Russ (Sep 19)
- Re: NAT!! Benoit Dicaire (Sep 22)