|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: mh (RE: OMB: IPv6 by June 2008)
At 03:51 PM 7/7/2005, David Andersen wrote: Indeed, the fact that most NAT implementations combine the address translation with stateful inspection (given it's the simplest way to implement NAPT, IMO), this is the case.On Jul 7, 2005, at 3:41 PM, Andre Oppermann wrote:Yes, but keep in mind that this benefit is completely unrelated to NAT's purpose as an address space extender. A stateful firewall with a very simple rule (permit anything originated from the inside, deny anything from outside except a few pesky protocols) would accomplish exactly the same goal.Fergie (Paul Ferguson) wrote: >I'd have to counter with "the assumption that NATs are going away with v6 is a rather risky assumption." Or perhaps I misunderstood your point...There is one thing often overlooked with regard to NAT. That is, it has prevented many network based worms for millions of home users behind NAT devices. Unfortunatly this fact is overlooked all the time. NAT has its downsides but also upsides sometimes. No, it's the same. With a stateful inspection firewall operating as a transparent bridge or as a router, you still need to specify which protocols, ports and addresses to permit. It's exactly the same.And it would be much easier to punch holes through when you needed to. From my perspective, the biggest benefit from home NAT devices is that they were a vehicle for delivering such a firewall to millions of windows boxes. Unfortunately, this drug comes with a number of harmful side effects, including nausea, blurred vision, and the inability to deploy a number of new protocols.The inability to deploy new protocols is exactly the same in many cases for a stateful inspection box on public addresses vs. a stateful inspection box doing NAT. The firewall must be aware of the protocol to permit it at all, and if there's going to be any hope of protecting the less secure equipment behind, those firewall devices must understand the details of the protocol. That still requires the vendor to do work. Yes, the address translations still add another layer of trouble in that passing endpoint identifiers (which unfortunately are the same as IP addresses, given a lack of a host identification mechanism other than IP address) creates problems for protocol developers. However in most cases a good protocol design can be arrived at which does not run into these difficulties. Such ideas were documented some time ago by the IETF NAT WG as information to protocol designers.
|