On Tue, 2007-10-16 at 15:19 -0600, Michael L Torrie wrote:
> Kenneth Burgener wrote:
> > Out of curiosity why do you claim NAT is an evil scourge?
>
> Because it breaks the idea of peer-to-peer connections and requires all
> kinds of hacks and workarounds to really get functionality.

And it's not just peer-to-peer in the sense of file sharing either. FTP was probably the first victim of this, but more recently SIP has an especially hard time due to NAT. You could argue that SIP isn't designed very well if it doesn't handle NAT properly, but there are some good design reasons for the way it works, and without NAT they would work beautifully. Instead we have to kludge and hack to work around it.

> > The only downside I could see for NAT is slightly more configuration for
> > the network administrator (and possible port mapping exhaustion on a
> > large network).
> >
> > The benefits of NAT all seem to be benefits:
> > -Provides a basic firewall mechanism by its very nature
>
> NAT is not a firewall and should not be considered to be such. NAT is
> simply network translation. That is all.

What we really have in these consumer devices is NAT + a stateful packet inspection (SPI) firewall. You can do NAT without SPI for a one-to-one mapping. With a many-to-one mapping the SPI is necessary, but SPI can be deployed independently. Novell ran their network that way (may still, I dunno) and it worked as well as any other NAT firewall I've seen.

I've heard arguments that NAT prevents somebody from knowing your internal architecture, i.e. they can't tell one IP from another and they won't know how many subnets you might have. Well, that's true, but I don't see that the benefit outweighs the cost of NAT.

> > -Easy to set up by most home users, as it is now built into all DSL/Cable
> > modem routers

Consumer grade routers could just as easily be set up with an SPI firewall without the NAT. It would take one additional step to set up the LAN subnet, but I don't see that as overly burdensome.

> > I haven't found many articles for or against NAT, but I may be looking
> > in the wrong place. One article I found said NAT is not so bad: "Why
> > NAT Isn't As Bad As You Thought" [1].

He makes the point that NAT gives you encapsulation. When he compares it to C++, I don't think he's exactly helping the cause. This is the same argument about hiding your internal network, and I really just don't see the benefit of it.

He also dismisses the fact that we will eventually run out of IP addresses. This is the first time I've ever heard anyone deny it outright. Some claim that ipv4 could last another 10-15 years, and that may be true. Others say just a few years, and I'm not so convinced of that, but it is a fact that the Internet is growing faster every year. And if we had not implemented NAT, we definitely would have run out of addresses.

He concludes by saying that your evil ISP may opt not to give you an ipv6 subnet, but instead just give you a single address. Maybe, but that sort of company needs to be put to sleep. Hopefully the growth of the Internet will drive more competition and we can avoid that sort of nastiness. I think I recall from the ipv6 RFCs that the smallest subnet you can delegate is a /48 (65,000 addresses) because the host address takes up the last 16 bits. I just don't see the sense in an ISP going out of its way to break the Internet like that. Then again, a lot of things that don't make sense get done.

Corey

/* PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin. */
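Corey's point that the stateful filter, not the translation, is what keeps unsolicited traffic out, shown as an added nftables ruleset that is not from the thread: the forward chain does SPI on globally routed addresses with no NAT at all, and the masquerade table a consumer router bolts on for IPv4 is a separate, removable piece. Interface names `wan0`/`lan0` and the prefix `2001:db8:1234::/48` are assumed.

```nft
# Added example (not from the thread). Interface names and the prefix are
# assumed; 2001:db8::/32 is the documentation range, not a real allocation.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the router's connection tracker has
        # already seen. This is the whole of the "NAT firewall" effect.
        ct state established,related accept
        ct state invalid drop

        # New flows may only originate from the LAN side, from our own
        # routed prefix. Nothing here rewrites an address.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1234::/48 accept

        # Unsolicited inbound from the Internet falls through to the
        # chain's drop policy.
    }
}

# The many-to-one IPv4 NAT is an independent table on a different hook.
# Deleting this table leaves the filter above, and its behaviour, intact.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Loaded with `nft -f`, LAN hosts are reachable only on flows they opened themselves, which is exactly the property people credit to NAT.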
