North American Network Operators Group


Re: BGP announcements and small providers

  • From: Lyndon Levesley
  • Date: Wed Feb 26 15:18:03 1997

Stephen Sprunk wrote:
|-> What about application protocols like ftp that specify network addresses in
|-> the protocol session?  Do you propose the NAT gateway alter FTP packets in
|-> transit?
|-> 

 Yes, that is exactly what NAT does - it has a pool (or a static 
list, or both) of "Externally facing" IP addresses, and it alters the 
IP packets in realtime (in both directions, obviously) between 
"Externally facing" IP and "Internally facing" IP address, on a
per-conversation basis. It then keeps a "cache" of what addresses 
have been dynamically mapped to what.

 The aggro used to be that for things like DNS/Mail/News etc. (almost 
any service machine) you have to keep the IP address the same and not 
dynamically change it. However, NAT boxes allow you to use dynamic 
mapping for your users and static for your other services. They also 
provide extremely good security - check out Cisco's PIX at:

  http://www.cisco.com/warp/public/751/pix/index.html

 which is basically a low spec PC in a rack-mountable box, that can 
happily perform NAT at 100Mb/sec. CPU-wise, NAT is not a hard thing 
to do, although you might end up needing a fair whack of memory on a 
box with *lots* of flows per second.

 The security features of the PIX are not a feature of NAT - they are 
a feature of the PIX, so you don't (I presume ;) get them on standard
NAT boxes.

|-> Also, I don't believe it will be possible to use host or user-based AH/ESP
|-> with NAT, since they protect the source address.
|-> 

 Good point - TBH, I don't know how NATs deal/don't deal with ESP. 
Although the last time I looked, ESP had only been implemented with 
DES, and was therefore fatally flawed (there was a draft by Bellovin
about this somewhere...)

 This is not an insurmountable problem - it can be solved either at 
the initial key exchange, or by the NAT in realtime, and will 
hopefully be / have been solved by one of the ipsec groups - I'll go 
and check out ESP again and see if NAT breaks it or not - I don't 
know much about it at the mo'.


|-> Stephen Sprunk
|-> 

Cheers,

Lyndon Levesley
Xara Networks

|-> At 17:34 26 02 97 +0000, Lyndon Levesley wrote:
|-> > There's always the nice 'n' easy system of using 10/8 and NAT as a 
|-> >provider, making renumbering about 5 minutes work.
|-> >
|-> > Even taken to the extreme, it wouldn't take long to change your BGP 
|-> >announcements / have your provider change their BGP announcements / 
|-> >whatever.
|-> >
|-> > Nameservers are a bit harder to renumber, but that's not too bad.
|-> >
|-> > Wonder how long it'll be before ISPs rather than corporates start to 
|-> >use NAT for most of their network.
|-> 


I've had a wonderful time...
...but this wasn't it.
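The mechanics Lyndon describes above (a pool of externally facing addresses plus static mappings for servers, a per-conversation translation table, FTP commands rewritten in transit, and the clash with AH's protection of the source address) as an added worked example; this is not code from the post, from Xara, or from any NAT product. All addresses, ports, packets and the HMAC key are constructed for the demo. The `ah_icv` function is a stand-in for an AH integrity check value (a keyed hash over the source address and payload), not the real AH algorithm, and the FTP handling covers only the active-mode PORT command, not PASV replies or the TCP sequence adjustments a real NAT needs when the rewritten command changes length.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (address octets, then port high/low byte)
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def encode_port(ip: str, port: int) -> bytes:
    fields = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return b"PORT " + ",".join(fields).encode() + b"\r\n"


def decode_port(payload: bytes):
    m = PORT_RE.fullmatch(payload)
    if not m:
        return None
    g = [int(x) for x in m.groups()]
    return ".".join(map(str, g[:4])), (g[4] << 8) | g[5]


class Nat:
    def __init__(self, pool, static=None, first_port=40000):
        self.pool = list(pool)            # externally facing addresses, handed out round-robin
        self.static = dict(static or {})  # internal -> external, fixed (DNS, mail, news ...)
        self.dynamic = {}                 # internal host -> external address chosen for it
        self.out = {}                     # (int_ip, int_port) -> (ext_ip, ext_port)
        self.back = {}                    # (ext_ip, ext_port) -> (int_ip, int_port)
        self.next_port = first_port

    def external_ip(self, int_ip):
        if int_ip in self.static:
            return self.static[int_ip]
        if int_ip not in self.dynamic:
            self.dynamic[int_ip] = self.pool[len(self.dynamic) % len(self.pool)]
        return self.dynamic[int_ip]

    def bind(self, int_ip, int_port):
        """Create or reuse the per-conversation mapping (the 'cache' in the post)."""
        key = (int_ip, int_port)
        if key not in self.out:
            if int_ip in self.static:
                ext = (self.static[int_ip], int_port)  # static: address and port preserved
            else:
                ext = (self.external_ip(int_ip), self.next_port)
                self.next_port += 1
            self.out[key] = ext
            self.back[ext] = key
        return self.out[key]

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source, and the address carried in FTP PORT."""
        ext_ip, ext_port = self.bind(pkt.src_ip, pkt.src_port)
        payload = pkt.payload
        if pkt.dst_port == 21:
            parsed = decode_port(payload)
            if parsed and parsed[0] == pkt.src_ip:
                # Client advertised its internal address for the data connection:
                # pre-create a mapping for it and rewrite the command in transit.
                data_ip, data_port = self.bind(pkt.src_ip, parsed[1])
                payload = encode_port(data_ip, data_port)
        return Packet(ext_ip, ext_port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound(self, pkt):
        """Outside -> inside: only packets matching an existing mapping get through."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key not in self.back:
            return None
        int_ip, int_port = self.back[key]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.payload)


def ah_icv(pkt, key):
    """Stand-in for an AH integrity value: a keyed MAC that covers the source address."""
    header = f"{pkt.src_ip}|{pkt.src_port}|{pkt.dst_ip}|{pkt.dst_port}|".encode()
    return hmac.new(key, header + pkt.payload, hashlib.sha256).hexdigest()


def ah_verify(pkt, key, icv):
    return hmac.compare_digest(ah_icv(pkt, key), icv)


def demo():
    """Run the constructed scenarios and return their results by name."""
    nat = Nat(pool=["192.0.2.10", "192.0.2.11"], static={"10.0.0.53": "192.0.2.53"})
    r = {}
    # Active-mode FTP: 10.0.0.5 asks the server to connect back to 10.0.0.5:1026.
    ctrl = nat.outbound(Packet("10.0.0.5", 1025, "203.0.113.7", 21, encode_port("10.0.0.5", 1026)))
    r["ctrl_src"], r["port_cmd"] = (ctrl.src_ip, ctrl.src_port), ctrl.payload
    # The server's data connection hits the rewritten address and is mapped back inside.
    data = nat.inbound(Packet("203.0.113.7", 20, ctrl.src_ip, decode_port(ctrl.payload)[1], b"150"))
    r["data_dst"] = (data.dst_ip, data.dst_port) if data else None
    # A second dynamic host gets the next pool address; the static DNS box keeps its own.
    second = nat.outbound(Packet("10.0.0.6", 2000, "203.0.113.7", 80))
    r["second_src"] = (second.src_ip, second.src_port)
    dns = nat.outbound(Packet("10.0.0.53", 53, "198.51.100.1", 53))
    r["dns_src"] = (dns.src_ip, dns.src_port)
    # Unsolicited inbound traffic has no mapping to match and is dropped.
    r["unsolicited"] = nat.inbound(Packet("198.51.100.9", 4444, "192.0.2.10", 40999))
    # AH-style check computed before NAT no longer verifies once the source is rewritten.
    key = b"constructed-demo-key"
    signed = Packet("10.0.0.7", 500, "203.0.113.9", 500, b"AH demo")
    icv = ah_icv(signed, key)
    r["ah_before_nat"] = ah_verify(signed, key, icv)
    r["ah_after_nat"] = ah_verify(nat.outbound(signed), key, icv)
    return r
```

Calling `demo()` shows the control connection leaving as 192.0.2.10:40000 with the PORT command rewritten to 192,0,2,10,156,65 (port 40001), the server's data connection to that port arriving at 10.0.0.5:1026, the static 10.0.0.53 keeping its published address and port, an unmapped inbound packet dropped, and the AH-style value verifying before translation but not after, which is Stephen's point: anything that authenticates the source address has to be settled at key exchange or handled by the NAT itself.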

