nanog mailing list archives

RE: quietly....

From: Matthew Huff <mhuff () ox com>
Date: Thu, 3 Feb 2011 11:46:11 -0500

There is also another reason for NAT44 or NAT66 in the corporate world that has been missed in these conversations. It 
is very common to NAT44 when connected via extranets to another company via an b2b provider such as TNS or BTRadianz. 
Not everything goes over the net. NAT44 (especially "twice-nat") is used for a number of reasons including limiting of 
exchange of routing information, routing of different services in different directions via NAT, or to prevent having to 
contact the other side when a server changes. For example if we are natting one of our FIX servers then the internal 
machine can change as long as the NAT is updated. This is far simpler than having to get the changes externally 
especially at some big bank. Also some companies bring internet routes into their core (I still don't know why). In 
order to route web/email to them via the internet and protocols such as FIX via an extranet, twice-nat is required.

Within similar function in Ipv6, there are a lot of companies, especially in the financial realm, that won't migrate 
off of ipv4.

NAT is used for a reason, not just because "we don't know better". Yes, we know it breaks certain apps, especially p2p 
ones. In a corporate view, that is a feature, not a bug. We neither want, nor will allow individual desktops to become 
peers. Only a limited number of dedicated servers have external visibility, and that's the way it's going to stay 
regardless of ipv6 ideology.

-----Original Message-----
From: Jay Ashworth [mailto:jra () baylink com]
Sent: Thursday, February 03, 2011 11:29 AM
To: NANOG
Subject: Re: quietly....

----- Original Message -----

From: "Jon Lewis" <jlewis () lewis org>

There's an awful lot of inertia in the "NAPT/firewall keeps our hosts
safe from the internet" mentality. Sure, a stateful firewall can be
configured allow all outbound traffic and only connected/related
inbound.

When someone breaks or shuts off that filter, traffic through the NAPT
firewall stops working. On the stateful firewall with public IPs on
both sides, everything works...including the traffic you didn't want.


Precisely.

This is the crux of the argument I've been trying, rather ineptly,
to make: when it breaks, *which way does it fail*.  NAT fails safe,
generally.

People are going to want NAT66...and not providing it may slow down
IPv6 adoption.


You're using the future tense there, Jon; are you sure you didn't mean
to use the present?  Or the past...?

Cheers,
-- jra

Current thread:

Re: quietly...., (continued)
- - - Re: quietly.... Jack Bates (Feb 01)
    - Re: quietly.... Owen DeLong (Feb 02)
    - Re: quietly.... John Payne (Feb 02)
    - Re: quietly.... Owen DeLong (Feb 02)
    - Re: quietly.... John Payne (Feb 02)
    - Re: quietly.... Brian Johnson (Feb 02)
    - Re: quietly.... Dave Israel (Feb 02)
    - RE: quietly.... Brian Johnson (Feb 03)
    - RE: quietly.... Jon Lewis (Feb 03)
    - Re: quietly.... Jay Ashworth (Feb 03)
    - RE: quietly.... Matthew Huff (Feb 03)
    - Re: quietly.... Owen DeLong (Feb 03)
    - RE: quietly.... Matthew Huff (Feb 03)
    - Re: quietly.... Owen DeLong (Feb 03)
    - Re: quietly.... Jack Bates (Feb 03)
    - Re: quietly.... Lamar Owen (Feb 03)
    - Re: quietly.... Jack Bates (Feb 03)
    - Re: quietly.... Lamar Owen (Feb 03)
    - Re: quietly.... Simon Perreault (Feb 03)
    - Re: quietly.... Matthew Palmer (Feb 03)
    - RE: quietly.... Matthew Huff (Feb 03)

(Thread continues...)