RE: Free NAT for NT?

["Garman, Christopher" <GarmanCh () asa org>]

I'll join the pummeling.

The funniest part of the anti-NAT paper is "it requires the insertion of a
stateful inspection box into the middle of the end-to-end data stream.  Only
end systems should have state info."

Current industry practice is to insert a firewall between you and the
internet.  A firewall (a good one, anyway) is a stateful inspection box.
People are already committing the hardware/software/grayware to the
implementation of a stateful inspection box in the middle of the end-to-end
data stream so making the jump to NAT is not nearly a big a deal as the
anti-NAT paper makes out.  There are numerous other weaknesses in their
arguments but who's got the time?  People are using NAT, its working, get
over it.

> -----Original Message-----
> From: LeGrow, Matt [SMTP:Matt_LeGrow () NAI com]
> Sent: Wednesday, September 08, 1999 10:30 AM
> To:   'Carl Brewer'; firewall-wizards () nfr net
> Subject:      RE: Free NAT for NT?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Carl,
>
> The IETF draft on the architectural implications of NAT sounds like a
> lot of Chicken Little-type rhetoric to me.  The author's arguments
> against NAT, such as 
>
> - - "inhibiting security at the IP layer" (a solution that has been
> debated due to questions of efficiency and router workload from the
> very inception of the IPng protocol - after all, the streamlined
> header design is supposed to DECREASE router load)
> - - "encouraging casual use of private addresses can cause namespace
> collisions with VPNs that have to traverse multiple NATs" (can be
> overcome with a reasonable degree of overall architecture and design,
> such as two VPN endpoints subnetting their private namespace)
> - - "breaking the end-to-end flexibility of the Internet model"
> (between individual corporate networks, sure - thats the IDEA - noone
> is suggesting we stick a big PIX box between a couple major NAPs) 
>
> seem to have resonable answers once you stop waving your hands over
> your head.
>
> Personally the first time I brought my house LAN onto the internet
> securely and in less than five minutes with a spare 486 and Linux IP
> Masquerading I was thanking the gods for NAT, and wondering why NT
> didn't have the same.
>
> Matt LeGrow
> Network Associates, Inc.
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Note : Opinions expressed herein are most certainly NOT that of my
> employer :-)
>
>
> - -----Original Message-----
> From: Carl Brewer [mailto:carl () bl echidna id au]
> Sent: Tuesday, September 07, 1999 6:42 PM
> To: firewall-wizards () nfr net
> Subject: Re: Free NAT for NT?
>
>
> I'm not coming down on Robert here!
>
> <rant>
> It's a shame that M$ are providing NAT, which even they know
> is a bad technology (it was a M$ employee that wrote the IETF
> case against NAT), and not IPv6.  Please don't lose focus!  NAT
> is a short-term ugly broken hack, push your vendor(s) for IPv6
> support!
>
> http://www.ietf.org/internet-drafts/draft-iab-nat-implications-04.txt
> http://www.ietf.org/internet-drafts-ietf-iab-case-for-ipv6-04.txt
>
> If you're using, or worse, planning to use, NAT and you haven't 
> read the above two documents, read them :)
> </rant>
>
> Carl
>
> > From owner-firewall-wizards () lists nfr net Wed Sep  8 08:32 EST 1999
> > Date: Mon, 6 Sep 1999 14:20:07 -0700 (PDT)
> > From: Robert Graham <robert_david_graham () yahoo com>
> > Subject: Re: Free NAT for NT?
> > To: Ryan Russell <Ryan.Russell () sybase com>,
> > firewall-wizards () nfr net MIME-Version: 1.0  
> >
> > The new "Connection Sharing" feature in Win98 SE and Windows 2000
> > is based upon NAT (created by a company called Nevod that was
> > bought by M$, used to be called NAT1000). In essence, this means
> > that every Win98/Win2K is/will-be shipping with a NAT.  
> >
> > Check out these links:
> > http://www.uq.net.au/~zzdmacka/the-nat-page/nat_windows.html
> > http://www.alumni.caltech.edu/~dank/peer-nat.html
> >
> > Recently, I setup a Win2k "connection sharing" NAT and was able to
> > port scan the one machine behind it. Doesn't seem right. Anybody
> > have experience with this?  
> >
> > Rob.
> >
> > --- Ryan Russell <Ryan.Russell () sybase com> wrote:
> > > Anyone aware of any free Network Address Translation (NAT)
> > > software for Windows NT?
> > >
> > > I'm writing a chapter on NAT, and the publisher is calling for
> > > examples in Linux, Cisco IOS, and NT.  The first two are easy,
> > > but I'm only aware of commercial solutions for NT.  (No, I'm not
> > > under the impression that the Cisco implementation is free, but
> > > since there is only one choice, it's a bit of a moot point.)  
> > >
> > > I prefer free solutions, so that readers can obtain and play with
> > > the technology more easily.  Barring that, I'll go after
> > > low-cost, or possibly higher-cost but with downloadable demo.  
> > >
> > >                          Ryan
> >
> > ===
> > Robert Graham
> > "Anxiously awaiting the millenium so I can start programming
> > dates with 2-digits again."
> > __________________________________________________
> > Do You Yahoo!?
> > Bid and sell for free at http://auctions.yahoo.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.1
> Comment: Crypto Provided by Network Associates <http://www.nai.com>
>
> iQA/AwUBN9aO9hzV4nRUHFtQEQL14wCcCm0xMyGhSAgCkBOGKwacxuJ51zoAn2Uq
> IRwB0ipz9o6yaMb7nJtUl1Ba
> =dr4w
> -----END PGP SIGNATURE-----