NAT evil scourge?

Corey Edwards tensai at zmonkey.org
Tue Oct 16 16:43:23 MDT 2007


On Tue, 2007-10-16 at 15:19 -0600, Michael L Torrie wrote:
> Kenneth Burgener wrote:
> > Out of curiosity why do you claim NAT is an evil scourge?
> 
> Because it breaks the idea of peer-to-peer connections and requires all
> kinds of hacks and workarounds to really get functionality.

And it's not just peer-to-peer in the sense of file sharing either. FTP
was probably the first victim of this, but more recently SIP has an
especially hard time due to NAT. You could argue that SIP isn't designed
very well if it doesn't handle NAT properly, but there are some good
design reasons for the way it works and without NAT they would work
beautifully. Instead we have to kludge and hack to work around it.
 
> > The only downside I could see for NAT is slightly more configuration for
> > the network administrator (and possible port mapping exhaustion on a
> > large network).
> > 
> > The benefits of NAT all seem to be benefits:
> > -Provides a basic firewall mechanism by its very nature
> 
> NAT is not a firewall and should not be considered to be such.  NAT is
> simply network translation.  That is all.

What we really have in these consumer devices is NAT + stateful packet
inspection (SPI) firewall. You can do NAT without SPI for a one-to-one
mapping. With a many-to-one the SPI is necessary, but SPI can be
deployed independently. Novell ran their network that way (may still, I
dunno) and it worked as well as any other NAT firewall I've seen.

I've heard arguments that NAT prevents somebody from knowing your
internal architecture, i.e. they can't tell one IP from another and they
won't know how many subnets you might have. Well, that's true, but I
don't see that the benefit outweighs the cost of NAT.

> > -Easy to setup by most home users, as it is now built into all DSL/Cable
> >  modem routers

Consumer grade routers could just as easily be set up with an SPI
firewall without the NAT. It would take one additional step to set up
the LAN subnet, but I don't see that as overly burdensome.

> > I haven't found many articles for or against NAT, but I may be looking
> > in the wrong place.  One article I found said NAT is not so bad: "Why
> > NAT Isn’t As Bad As You Thought" [1].

He makes the point that NAT gives you encapsulation. When he compares it
to C++, I don't think he's exactly helping the cause. This is the same
argument about hiding your internal network and I really just don't see
the benefit of it.

He also dismisses the fact that we will eventually run out of IP
addresses. This is the first time I've ever heard anyone deny it
outright. Some claim that ipv4 could last another 10-15 years, and that
may be true. Others say just a few years and I'm not so convinced of
that, but it is a fact that the Internet is growing faster every year.
And if we had not implemented NAT, we definitely would have run out of
addresses.

He concludes by saying that your evil ISP may opt not to give you an
ipv6 subnet, but instead just give you a single address. Maybe, but that
sort of company needs to be put to sleep. Hopefully the growth of the
Internet will drive more competition and we can avoid that sort of
nastiness. I think I recall from the ipv6 RFCs that the smallest subnet
you can delegate is a /48 (65,000 addresses) because the host address
takes up the last 16 bits. I just don't see the sense in an ISP going
out of its way to break the Internet like that. Then again, a lot of
things that don't make sense get done.

Corey
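An added illustration of the one-to-one versus many-to-one point above (example code, not from the thread or any router vendor): a toy many-to-one translator must keep a per-flow table, and that table is what drops unsolicited inbound packets, whereas a static one-to-one mapping forwards them unless a separate SPI rule blocks them. All addresses and ports are constructed.

```python
# Toy NAT models (constructed example). Packets carry only the fields
# translation touches; transport protocol is ignored for brevity.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ManyToOneNAT:
    """Many inside hosts share one public IP; a flow table is unavoidable."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}  # (int_ip, int_port, dst_ip, dst_port) -> ext_port
        self.in_table = {}   # (ext_port, remote_ip, remote_port) -> (int_ip, int_port)

    def outbound(self, p):
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        ext_port = self.out_table.get(key)
        if ext_port is None:  # first packet of the flow allocates a public port
            ext_port = self.next_port
            self.next_port += 1
            self.out_table[key] = ext_port
            self.in_table[(ext_port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return replace(p, src_ip=self.public_ip, src_port=ext_port)

    def inbound(self, p):
        # Only a reply to a flow an inside host opened has a target; anything
        # else is dropped. That is a side effect of the table, not a policy.
        entry = self.in_table.get((p.dst_port, p.src_ip, p.src_port))
        if entry is None:
            return None
        int_ip, int_port = entry
        return replace(p, dst_ip=int_ip, dst_port=int_port)


class OneToOneNAT:
    """Static public<->private mapping; no per-flow state is needed."""

    def __init__(self, pub_to_priv):
        self.pub_to_priv = dict(pub_to_priv)
        self.priv_to_pub = {v: k for k, v in pub_to_priv.items()}

    def outbound(self, p):
        return replace(p, src_ip=self.priv_to_pub[p.src_ip])

    def inbound(self, p):
        # Unsolicited inbound is forwarded; only a separate SPI rule would stop it.
        return replace(p, dst_ip=self.pub_to_priv[p.dst_ip])
```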
