begin quoting Tracy R Reed as of Mon, Mar 27, 2006 at 10:28:39AM -0800:
> Stewart Stremler wrote:
> > The big complaint people tend to throw around with NAT is "it breaks
> > the inherent end-to-end connectivity of the Internet", which is exactly
> > what a default-deny setup on a firewall will do.
>
> But with a default-deny firewall setup I can easily allow the things I
> want to allow and preserve the end-to-end connectivity in places where
> it is desirable. With NAT I cannot. I have to deal with the port
> renumbering and IP changing and other nasty things that NAT does.
With NAT, I *can* and *do* set up back-links through the NAT device.
The only problem is when I'm trying to run multiple machines with the
same service, and the protocol/tools on the "outside" can't handle the
changes in ports. It's no more "nasty" than that damn encryption we
insist on putting everywhere, keeping me from using tcpdump to debug the
on-the-wire protocol.

> > We've been down this road before. And, frankly, I don't give a damn
> > if the new gee-whiz P2P application of the month wants to open up
> > random server sockets so that all of its brethren can talk to it. I
> > get to set network policy on my own little piece of the network, just
> > because it's _my_ network, not $random_developer's.
>
> I don't so much care about the latest P2P app but VOIP is a very useful
> thing which NAT is really hindering.

Bad protocols. They should be fixed. Easier to change protocols than
infrastructure. (It's not like the concept of _ports_ was new, or proven
useless. Sheesh.) I see this as akin to the M$ desire to change the
English language so they don't have to fix one of their parsers. (Not
all of the VOIP protocols have this problem, I'm told, but when it's a
problem, it's a doozy.) Design something so it breaks something else,
and then petulantly demand that something else change.

Obviously, the easy solution is to build NAT boxes that can be plumbed
with multiple IPs, and then allow "forwarding" on a per-IP as well as a
per-port basis. (Presumably a Soekris box could do this easily.) Once
this is "common functionality", the desktop NAT boxen can do this as
well. Of course, you're then up against the "not enough IPs" problem, so
nothing's really been accomplished.

So blaming NAT is just a red herring... the REAL whining is about how
nobody wants to do IPv6. Aside from the IPv6 geeks. :)

There may be some merit in designing protocols that force this change,
as an underhanded social pressure mechanism... (something I'm not above)
but that doesn't keep the no-concept-of-ports protocols from being
broken. (I can see an IPv6 world using a unique IP for every service,
and every ethernet device being plumbed with all those IPs... and ports
would then be ignored (probably assumed to be '80'). And this touted as
a Good Thing. I'd want to be convinced of this *before* I do anything to
make this sort of madness fait accompli.)

-- 
 _
|\_
 \|
-- [email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
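The per-port versus per-IP forwarding discussed in the message above, as an added example that is not part of the original post or any list member's code: a small Python model of a NAT box's inbound "forwarding" (DNAT) table. It shows why two internal hosts offering the same service on the same port cannot both be reached through one public address without renumbering a port on the outside, and how plumbing the NAT box with a second public IP removes the renumbering. The addresses (203.0.113.x, 192.168.1.x), the "PBX" hosts and the port numbers are made up for illustration; the model does not describe any particular NAT product.

```python
"""Toy model of a NAT box's inbound forwarding table.

Added example, not from the original post. Addresses, hosts and ports
below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    public_ip: str
    public_port: int
    inside_ip: str
    inside_port: int


class NatBox:
    """Inbound packets are matched on (public_ip, public_port) and rewritten
    to (inside_ip, inside_port); anything without a rule is dropped, which
    is the default-deny behaviour the thread compares NAT to."""

    def __init__(self, public_ips):
        self.public_ips = set(public_ips)       # addresses plumbed on the outside
        self.rules: Dict[Tuple[str, int], Rule] = {}

    def forward(self, public_ip: str, public_port: int,
                inside_ip: str, inside_port: Optional[int] = None) -> None:
        if public_ip not in self.public_ips:
            raise ValueError(f"{public_ip} is not plumbed on this NAT box")
        key = (public_ip, public_port)
        if key in self.rules:
            # One outside (ip, port) pair can only go to one inside host.
            old = self.rules[key]
            raise ValueError(f"{public_ip}:{public_port} already forwards "
                             f"to {old.inside_ip}:{old.inside_port}")
        if inside_port is None:
            inside_port = public_port       # plain forward, no renumbering
        self.rules[key] = Rule(public_ip, public_port, inside_ip, inside_port)

    def translate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Where an inbound packet to dst_ip:dst_port ends up, or None if dropped."""
        rule = self.rules.get((dst_ip, dst_port))
        return None if rule is None else (rule.inside_ip, rule.inside_port)

    def renumbered(self, dst_ip: str, dst_port: int) -> bool:
        """True when the outside port differs from the inside port, i.e. the
        case the post says some protocols cannot cope with."""
        rule = self.rules.get((dst_ip, dst_port))
        return rule is not None and rule.public_port != rule.inside_port


def one_public_ip() -> dict:
    """Per-port forwarding only: one public IP, two internal PBXes on 5060."""
    nat = NatBox(["203.0.113.1"])
    nat.forward("203.0.113.1", 5060, "192.168.1.10")        # first PBX gets the real port
    try:
        nat.forward("203.0.113.1", 5060, "192.168.1.11")    # second PBX cannot have it too
        collision = False
    except ValueError:
        collision = True
    # Only way out with one address: renumber the outside port for PBX 2.
    nat.forward("203.0.113.1", 5061, "192.168.1.11", 5060)
    return {
        "collision": collision,
        "pbx1": nat.translate("203.0.113.1", 5060),
        "pbx2": nat.translate("203.0.113.1", 5061),
        "pbx2_renumbered": nat.renumbered("203.0.113.1", 5061),
        "unforwarded": nat.translate("203.0.113.1", 22),    # no rule: dropped
    }


def per_ip_forwarding() -> dict:
    """NAT box plumbed with two public IPs: each PBX keeps 5060 on the outside."""
    nat = NatBox(["203.0.113.1", "203.0.113.2"])
    nat.forward("203.0.113.1", 5060, "192.168.1.10")
    nat.forward("203.0.113.2", 5060, "192.168.1.11")
    return {
        "pbx1": nat.translate("203.0.113.1", 5060),
        "pbx2": nat.translate("203.0.113.2", 5060),
        "pbx2_renumbered": nat.renumbered("203.0.113.2", 5060),
    }


if __name__ == "__main__":
    print("single public IP:", one_public_ip())
    print("per-IP forwarding:", per_ip_forwarding())
```

The second scenario only works because the box has two public addresses to spend, which is the "not enough IPs" catch the message ends on.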
