Firewall Wizards mailing list archives
Re: Free NAT
From: Robert Graham <robert_david_graham () yahoo com>
Date: Wed, 8 Sep 1999 18:55:16 -0700 (PDT)
Ooh, now you've done it, triggering my pet-peeve. Time for you to suffer: <counterrant> While I don't particularly like NATs, most the disadvantages listed in http://www.ietf.org/internet-drafts/draft-iab-nat-implications-04.txt I would describe as advantages, starting with "NATs break the flexible End-to-End model of the Internet". I remember fondly an IETF meeting back in the early 1990s where the dire fate of the Internet address space depletion was discussed. This was the same meeting that SNMPv2 was introduced. I say "fondly" because I was really amused by the whole thing, namely that engineers really couldn't see the forest for the trees. In SNMPv2, authentication required a fixed network-layer address in the agent. SNMPv2 was designed to include AppleTalk, which refuses to give fixed network-layer addresses to end-nodes (it enforces the use of something similar to DHCP). QED: SNMPv2 only works on AppleTalk in theory, not practice (and it failed on TCP/IP in practice too, but that's a different story). Likewise, the discussion of address-space depletion assumed that we never be able to renumber IP addresses. One of the reasons was that too many protocols (like SNMPv2) relied too heavily on fixed IP address, and that it would be impossible to reassign all existing addresses. The thing is, engineers get a thought into their head and assume that this is the way the world works. In that case, it was that every device had to have a fixed, unchanging, manually set IP address. Any proposed solutions that broke that rule were quickly discarded for much the same reason that engineers hate NAT/proxies today: it breaks people's fundamental assumptions of how the net should work. However, the concept of a fixed IP address WAS broken. For example, most websites use "non-portable" IP addresses, and in fact change their IP address rather regularly. DHCP, private addresses, and even NAT have likewise altered the model. The problem is not that NAT breaks authentication schemes based on IP addresses, the problem is that authentication schemes based themselves on IP addresses in the first place. Similarly, end-nodes have no real need to be "raw" on the Internet: they really should be behind a NAT/proxy/firewall. Anybody that has put BlackICE Defender (the personal intrusion detection product from my company) on their cable-modem @Home sees that they get scanned by hackers 10 times per day (Trojan probes, IMAP probes, web-server /cgi-bin scans, etc.) There is a similar document (I don't have the link off hand) that criticizes the aweful new trend of using HTTP as the "transport" for application (example: it breaks the ability of firewalls to filter them). Likewise, this document is only valid if you stick to the "old-school" of thought. In particular, the old-school of firewalls filtering by ports has already become obsolete. IPv6 is a great solution for the old-school, but merely a good solution for the new-school. The "network address" of "http://www.example.com/foo/bar" has long ago supplanted addresses like 192.0.2.154, and IPv6 won't substantially change that fact. </counterrant> Rob. --- Carl Brewer <carl () bl echidna id au> wrote:
I'm not coming down on Robert here! <rant> It's a shame that M$ are providing NAT, which even they know is a bad technology (it was a M$ employee that wrote the IETF case against NAT), and not IPv6. Please don't lose focus! NAT is a short-term ugly broken hack, push your vendor(s) for IPv6 support! http://www.ietf.org/internet-drafts/draft-iab-nat-implications-04.txt http://www.ietf.org/internet-drafts-ietf-iab-case-for-ipv6-04.txt If you're using, or worse, planning to use, NAT and you haven't read the above two documents, read them :) </rant> Carl
=== Robert Graham "Anxiously awaiting the millenium so I can start programming dates with 2-digits again." __________________________________________________ Do You Yahoo!? Bid and sell for free at http://auctions.yahoo.com
Current thread:
- Re: Free NAT Robert Graham (Sep 08)
- Cable/DSL (Was Re: Free NAT) Siglite (Sep 09)
- <Possible follow-ups>
- RE: Free NAT Brock, Todd A (Sep 09)
- RE: Free NAT sean . kelly (Sep 09)
- RE: Free NAT sean . kelly (Sep 10)
- RE: Free NAT Ryan Russell (Sep 11)