North American Network Operators Group


Re: Security gain from NAT

  • From: Roger Marquis
  • Date: Tue Jun 05 22:54:45 2007

> So now the cruft extends and embraces, and you have to play DNS
> view games based on whether it's on company A's legacy net,
> company B's legacy net, or the DMZ in between them, and start
> poking around in the middle of DNS packets to tweak the replies
> (which sort of guarantees you can't deploy DNSSEC).

Are you proposing that every company use publicly routable address space? How about the ones that don't qualify for a /19 and so are dependent on addresses owned by their upstream?

To change ISPs for example, would it be simpler to change the IP
address of every node in the company or to run NAT on the gateways?

How about multi-homing?  Can you even do it without NAT on a network
too small to be assigned an AS?

In the mid-90s I was CSO at a company whose internal networks were
publicly routable thanks to a /16 they owned (though they really only
needed a few /24s).  In my experience, for every example of how
complex NAT is there are at least 10 counter-examples of how an
equivalent non-NATed network is more complex, less flexible, less
reliable, and less secure.

Roger Marquis
Roble Systems Consulting