North American Network Operators Group


Re: Breaking Stuff by Fixing NAT

  • From: Crist J. Clark
  • Date: Tue Nov 12 01:57:55 2002

On Mon, Nov 11, 2002 at 10:26:23PM -0500, [email protected] wrote:
> On Mon, 11 Nov 2002 16:04:07 PST, "Crist J. Clark" <[email protected]>  said:
> 
> > Has anyone here been in a similar situation? Did turning off NAT break
> > anything? Is anyone aware of or can think of anything that turning off
> > NAT might break? (Ignore the fact any customers connected during the
> 
> If the users have been getting a static address in the 10/8 range, they may
> have it hardcoded someplace.  If they've been getting their address/netmask/
> DNS/etc via DHCP, then they'd already have discovered it breaks when they
> hardcode it since the next time they connect they'll be up a creek.

As I stated in the original mail, this is a dial-up-type service. The
connections are serial using PPP. The addresses are assigned within
PPP and are dynamic. They could get a different one within the block
every time they connect. Due to the nature of the service, we know for
sure that customers do not maintain always-on or almost always-on
connections.

Maybe a little diagram is in order:

 [Customer]-----["Modem"]---{OurNet}---[NATing Router]---{Internet}
          ^ PPP                                      ^
          |                                          |
          |                                          |
   10.100.100.0/24                            AAA.BBB.CCC.0/24

The NATing Router does one-to-one NAT. It is _not_ a firewall. Once an
association between, say, 10.100.100.10 <-> AAA.BBB.CCC.10 is
established by an outgoing packet, you _can_ send arbitrary datagrams
back to AAA.BBB.CCC.10 and they get to 10.100.100.10. (The last octet
does not necessarily match up like that, however). There is _really_
no security benefit to the NAT.

This is what we are moving to:

 [Customer]-----["Modem"]---{OurNet}---[Router]---{Internet}
          ^ PPP
          |
          |
   AAA.BBB.CCC.0/24

(In actuality it's a little more complicated with multiple "modem"
banks and multiple egress points to the Internet.) So as far as the
_outside_ world is concerned, the addresses look the same. So, say
someone has firewall rules allowing our customers some special access
as they come across the Internet. This will _not_ break. The customers
still will have the same source address.

The thing we just know is that if we stand up in front of the upper
management and say, "There is no way this can possibly break
_anything,_" there will have been some brilliant idiot out there who
found a way to set up some unmanned site with a configuration that
gets broken and some customer raises holy hell when they have to fly a
helicopter out to some remote location to get in a tech to fix it.
-- 
Crist J. Clark                     |     [email protected]
                                   |     [email protected]
http://people.freebsd.org/~cjc/    |     [email protected]