
nanog mailing list archives

Re: Where NAT disenfranchises the end-user ...
From: Daniel Senie <dts () senie com>
Date: Sun, 09 Sep 2001 18:11:51 -0400


At 05:48 PM 9/9/01, Jared Mauch wrote:

On Sun, Sep 09, 2001 at 05:38:30PM -0400, Bob K wrote:
>
> On Sun, 9 Sep 2001, Jared Mauch wrote:
>
> >     I think you are obviously missing the point that people
> > use nat to prevent inbound connections as part of their security
> > measures.
>
> Every firewall I've ever seen allows you to do the exact same thing
> without NAT.

        I was speaking to the fact that the only use for nat is
lack of v4 space.  I'm not saying that other products don't provide
the security features that some people use NAT for.

NAPT (IETF terminology, PAT in Cisco-speak) requires a stateful packet inspection. Most firewalls also are stateful inspection packet devices. Not surprisingly, it's quite straightforward, when implementing one, to implement the other. Thus most firewall appliances offer (though don't require) the use of NAT along with their other features.


        Let me rephrase my initial statement, "In most cases I've seen
where someone is using NAT it's part of a security policy and not due
to lack of available address space".

By far the biggest-selling class of NAT boxes (in terms of units sold) appears to be the LinkSys and similar ~ $100 dual-ethernet boxes for home users. These boxes sit between the household network and the DSL or Cable modem. They do DHCP Client (and PPPoE where required) toward the provider, and act as DHCP server and NAT toward the home network. These are used PRIMARILY to get around address space issues. DSL and Cable vendors either don't provide more than one address, or provide limited numbers, available only via DHCP (a method incompatible with most firewall appliances anyway). So, I disagree with your statement that most are not used for address space reasons.

To be sure, there are DSL and Cable providers who actually understand how to route a subnet of real addresses to their customers. There are also a great many who don't or won't. These NAT/NAPT boxes are quite pervasive. Applications vendors wind up having to take notice if they're interested in the home user marketplace.

-----------------------------------------------------------------
Daniel Senie                                        dts () senie com
Amaranth Networks Inc.                    http://www.amaranth.com
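
Added example, not part of the original message: a sketch of the point made above that NAPT and stateful inspection share one flow table, so unsolicited inbound packets are dropped with or without address rewriting. The class, port pool and sample addresses are constructed assumptions; TCP state tracking and flow timeouts are left out.

```python
from dataclasses import dataclass, replace
from itertools import count

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulGateway:
    """Flow-table gateway. public_ip=None filters only; otherwise it also does NAPT."""
    def __init__(self, public_ip=None):
        self.public_ip = public_ip
        self.out = {}                   # inside 5-tuple -> (external ip, external port)
        self.flows = {}                 # outside view of the flow -> inside (ip, port)
        self._next_port = count(40000)  # constructed NAPT port pool

    def outbound(self, p):
        """Inside host sends: record state once per flow, rewrite source if NAPT is on."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.out:
            if self.public_ip is None:
                ext = (p.src, p.sport)                          # addresses untouched
            else:
                ext = (self.public_ip, next(self._next_port))   # translated source
            self.out[key] = ext
            self.flows[(p.proto, p.dst, p.dport) + ext] = (p.src, p.sport)
        ext_ip, ext_port = self.out[key]
        return replace(p, src=ext_ip, sport=ext_port)

    def inbound(self, p):
        """Outside host sends: forward only on a state match, else drop (None)."""
        inside = self.flows.get((p.proto, p.src, p.sport, p.dst, p.dport))
        if inside is None:
            return None
        return replace(p, dst=inside[0], dport=inside[1])

def run(gw, inside_ip):
    """One outbound flow, its reply, and an unsolicited packet to the same port."""
    syn = gw.outbound(Packet("tcp", inside_ip, 51000, "198.51.100.7", 80))
    reply = gw.inbound(Packet("tcp", "198.51.100.7", 80, syn.src, syn.sport))
    unsolicited = gw.inbound(Packet("tcp", "203.0.113.9", 4444, syn.src, syn.sport))
    return syn, reply, unsolicited

if __name__ == "__main__":
    print(run(StatefulGateway(), "192.0.2.10"))                      # routed address, no NAT
    print(run(StatefulGateway(public_ip="192.0.2.1"), "192.168.1.10"))  # NAPT
```

In both modes the third result is None: the drop comes from the state lookup, and the only thing NAPT adds is the rewrite on the way out and back.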

