North American Network Operators Group


RE: Where NAT disenfranchises the end-user ...

  • From: Roeland Meyer
  • Date: Mon Sep 10 14:35:27 2001

|> From: Scott Gifford [mailto:[email protected]]
|> Sent: Monday, September 10, 2001 10:30 AM
|> 
|> Roeland Meyer <[email protected]> writes:

|> > Any current protection is strictly the
|> > result of a side-effect. The side-effect that breaks the internet
|> > connection. It's a result of the connection being broken. 
|> > A properly built
|> > firewall is much more effective and definitely more 
|> > deterministic. Neither is it vulnerable to a "fix patch".
|> 
|> I don't understand what kind of "fix patch" you're talking about
|> here...NAT uses the same techniques that a stateful firewall uses; if
|> you can find some kind of "fix patch" to bypass NAT, chances are
|> excellent it will work on a stateful firewall, too.

Not so. What is needed to truly fix NAT is to propagate the translated
addresses, both ways. This would give you an address product like <Inet
addr>:<NAT addr>. The problem is that almost no stack, that I know of, can
deal with such a form. The reason NAT works is that you only lose one side
and the other side doesn't know that you've lost it.

|> I've actually seen the question of how NAT breaks the Internet more
|> than a good stateful firewall come up more than once, and haven't
|> really seen a satisfactory answer.  Where does a stateful firewall
|> configured to only allow outgoing connections work that NAT doesn't?

The difference is determinism. You control, to very fine detail, how a
firewall works. Things that don't work are intended to not work. Firewalls
aren't accidents. NAT address propagation failures are, they are not
consistent, and can't be relied upon to continue. Who knows, some genius,
somewhere, may fix it tomorrow. Lord knows, there is sufficient incentive to
do so. If that happens, your security is toast, if all you are relying on is
NAT, rather than putting up a real firewall.
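A toy model of the distinction argued above, added here as an illustration (it is not code from the thread or from any poster). It assumes an endpoint-independent ("full cone") NAT, constructed example addresses and ports, and a firewall whose inbound default is deny: the NAT delivers whatever has a matching table row, so a stranger hitting an allocated port or a later static mapping gets through without any policy being consulted, while the firewall denies anything that is neither an established flow nor an explicit rule.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src sport dst dport")

@dataclass
class NatBox:
    # Endpoint-independent ("full cone") NAT: delivery hinges on a table row, never on policy.
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (pub_ip, pub_port) -> (inside_ip, port)
    def outbound(self, pkt):
        key = (self.public_ip, self.next_port)
        self.table[key] = (pkt.src, pkt.sport)
        self.next_port += 1
        return Packet(self.public_ip, key[1], pkt.dst, pkt.dport)
    def inbound(self, pkt):
        # A missing row is all that stops unsolicited traffic; a static row removes that side effect.
        inside = self.table.get((pkt.dst, pkt.dport))
        return None if inside is None else Packet(pkt.src, pkt.sport, *inside)

@dataclass
class StatefulFirewall:
    # Default-deny inbound: forward only established flows or explicit allow rules.
    allow_inbound: set = field(default_factory=set)  # explicit (dst_ip, dport) rules
    flows: set = field(default_factory=set)
    def outbound(self, pkt):
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt
    def inbound(self, pkt):
        established = (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows
        return pkt if established or (pkt.dst, pkt.dport) in self.allow_inbound else None

def compare():
    # Push the same traffic through both devices and report what each delivers.
    inside, server, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed
    nat, fw = NatBox("192.0.2.1"), StatefulFirewall()
    out = Packet(inside, 51000, server, 80)
    pub = nat.outbound(out)  # seen on the Internet as 192.0.2.1:40000
    fw.outbound(out)
    nat.table[(pub.src, 8080)] = (inside, 8080)  # someone "fixes" NAT with a static map
    return {
        "nat_reply": nat.inbound(Packet(server, 80, pub.src, pub.sport)) is not None,
        "nat_stranger_same_port": nat.inbound(Packet(stranger, 4444, pub.src, pub.sport)) is not None,
        "nat_unmapped_port": nat.inbound(Packet(stranger, 4444, pub.src, 40001)) is not None,
        "nat_static_map": nat.inbound(Packet(stranger, 4444, pub.src, 8080)) is not None,
        "fw_reply": fw.inbound(Packet(server, 80, inside, 51000)) is not None,
        "fw_stranger": fw.inbound(Packet(stranger, 4444, inside, 51000)) is not None,
    }
```

Real NAT implementations differ in how much of the peer address they check, which is exactly the vendor-dependent behaviour the reply calls non-deterministic; the firewall's result does not depend on that.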