Firewall Wizards mailing list archives

NAT!!


From: Russ <Russ.Cooper () rc on ca>
Date: Fri, 19 Sep 1997 04:14:25 -0400

Might as well get this one out of the way...;-]

NAT (Network Address Translation) and the use of Private Address space
(see RFC1918 for more detail at ftp://ds.internic.net/rfc/rfc1918.txt)
sure seems to be the addressing method of choice by a number of folks
here. It's surprising considering the array of ramifications.

Now considering that the authors seemed more intent on preventing the
depletion of the Internet routable address pool by providing those that
didn't need Internet connectivity a way to use IP, rather than promoting
the use of these address spaces with NAT (translation isn't mentioned
once in the RFC), I'd suggest that the long term and prolific use of NAT
may be counter to the Internet as a whole.

The RFC states three categories of hosts, the second of which were
designated as going through "application layer gateways". This is not
NAT, but proxies, and is, imo, quite different. Hosts behind NAT devices
are being used for their category 3 hosts, namely "hosts that need
network layer access outside the enterprise". In this category, the RFC
explicitly states that category 3 hosts should "require IP addresses
that are globally unambiguous".

This fact applies to both hosts which require access to the Internet and
hosts which require access to other networks. Any host which
participates, ***or has the potential to participate*** in network layer
communications with a disparate network (i.e. the newly purchased
division which has recently joined the internal WAN) should "require IP
addresses that are globally unambiguous". As Extranets proliferate this
issue will become larger and larger (i.e. the issue of hosts behind NAT
devices).

Imagine any Firewall implementation that uses tunneling. My Tunnel
server assigns addresses to remote clients based on my internal
addressing. I use 10.0.1.x for my Tunnel Server's subnet to serve up.
The client whom I'm trying to enable tunneling for also uses 10.0.1.x on
their local network. Client connects to the Tunnel Server o.k. (thanks
to NAT), but then gets assigned an address within their own internal
address space (behind their Firewall). Now what???

Besides, it sure as heck isn't NAT (in and of itself) that keeps your
addresses private. I dare anyone to suggest that NAT provides
security...;-] We should at least be able to agree on that point!! If
NAT's in a Firewall, then it's the Firewall that keeps your addresses
private, the NAT component merely does the translation while the
Firewall ensures there's no leakage or source-routing permitted, right??

So my point is that if you are suggesting the use of RFC1918, you need
to clearly understand both the present, and future, network requirements
of the hosts who may use said addresses. If you're behind a Proxy
Firewall, and definitely will not open a plug-gw type conduit, and do
not use tunneling, then you might be fine...otherwise, I'd say get
yourself official addresses...

Comments??

Cheers,
Russ
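The tunnel address collision Russ describes, as an added example that is not part of the original post: a pre-deployment check that flags a tunnel pool overlapping the remote client's own RFC1918 prefixes, shows which local prefix would claim an assigned address, and picks a non-colliding pool from a candidate list. All addresses and prefixes below are constructed sample values.

```python
import ipaddress

# RFC1918 private address blocks (the space the post is about).
RFC1918_BLOCKS = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data modelled on the scenario in the post (hypothetical):
# the tunnel server hands remote clients addresses from 10.0.1.0/24, and the
# remote client's own LAN behind its firewall also uses 10.0.1.0/24.
TUNNEL_POOL = "10.0.1.0/24"
CLIENT_LOCAL_NETS = ["10.0.1.0/24", "192.168.5.0/24"]


def is_rfc1918(address):
    """True if the address falls inside any RFC1918 private block."""
    addr = ipaddress.ip_address(address)
    return any(addr in block for block in RFC1918_BLOCKS)


def overlapping_prefixes(tunnel_pool, client_nets):
    """Client-side prefixes that overlap the tunnel pool, as strings."""
    pool = ipaddress.ip_network(tunnel_pool, strict=False)
    nets = (ipaddress.ip_network(n, strict=False) for n in client_nets)
    return [str(net) for net in nets if pool.overlaps(net)]


def claimed_locally(assigned, client_nets):
    """Return the client's local prefix that would claim a tunnel-assigned
    address (so the client's own LAN routing, not the tunnel, handles it),
    or None when the assignment is unambiguous."""
    addr = ipaddress.ip_address(assigned)
    for n in client_nets:
        net = ipaddress.ip_network(n, strict=False)
        if addr in net:
            return str(net)
    return None


def pick_free_pool(candidates, client_nets):
    """First candidate pool that overlaps none of the client's prefixes,
    or None if every candidate collides."""
    for cand in candidates:
        if not overlapping_prefixes(cand, client_nets):
            return cand
    return None


if __name__ == "__main__":
    print("pool overlaps:", overlapping_prefixes(TUNNEL_POOL, CLIENT_LOCAL_NETS))
    print("10.0.1.7 claimed by:", claimed_locally("10.0.1.7", CLIENT_LOCAL_NETS))
    print("usable pool:", pick_free_pool(["10.0.1.0/24", "10.0.2.0/24"],
                                         CLIENT_LOCAL_NETS))
```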
