North American Network Operators Group


Re: Security gain from NAT: Top 5

  • From: Roger Marquis
  • Date: Wed Jun 06 23:51:45 2007


Mark Smith wrote:
For all those people who think IPv4 NAT is quite fine, I
challenge them to submit RFCs to the IETF that resolve, without
creating worse or even more complicated problems, the list
of problems here. All the IPv6 RFCs do ...
<http://www.cs.utk.edu/~moore/what-nats-break.html>

These RFCs clearly have an agenda: selling IPv6. It is unfortunate they don't feel it necessary to make a balanced presentation of the pros and cons but instead appear to believe that spreading FUD about NAT is an effective method of promoting IPv6.

Problem is that NAT will not go away or even become less common in
IPv6 networks for a number of reasons.

  #1 NAT advantage: it protects consumers from vendor
  lock-in.

Consider the advantage of globally unique public addressing to ISPs
and telcos.  Without NAT they have a very effective vendor lock-in.
Want to change ISPs?  It's only as easy as reconfiguring every device
and/or DHCP server on your internal network.  With NAT you only need
to reconfigure a single device, sometimes not even that.

  #2  NAT advantage: it protects consumers from add-on
  fees for address space.

Given the 100 to 10,000% mark-ups many telcos and ISPs already charge
for more than a /29 it should come as no surprise they would be
opposed to NAT.

  #3  NAT advantage: it prevents upstreams from limiting
  consumers' internal address space.

Even after full implementation of IPv6 the trend of technology will
continue to require more address space.  Businesses will continue to
grow and households will continue to acquire new IP-enabled devices.
Without NAT consumers will be forced to request new netblocks from
their upstream, often resulting in non-contiguous networks. Not
surprisingly, this often incurs additional fees as well.

Follow the money and you'll end up with these three reasons why the
technical arguments being made against NAT in opinion pieces like
Keith Moore's (URL above) are so one sided and overtly biased.  But
there are still more reasons NAT will continue to increase in
popularity regardless of IPv6.

  #4  NAT advantage: it requires new protocols to adhere to
  the ISO seven layer model.

H.323, SIP and other badly designed protocols embed the local address
in the data portion of IP packets.  This trend is somewhat discouraged
by the layer-isolation requirements of NAT.

  #5  NAT advantage: it does not require replacement security
  measures to protect against netscans, portscans, broadcasts
  (particularly Microsoft's NetBIOS), and other malicious
  inbound traffic.

The vendors of non-NAT devices would love to have you believe that
their stateful inspection and filtering is a good substitute for the
inspection and filtering required by NAT devices. Problem is the
non-NAT devices all cost more, many are less secure in their default
configurations, and the larger rulesets they are almost always
configured with are less secure than the equivalent NAT device.

These are just some of the reasons why NAT is, and will continue to
be, an increasingly popular technology for much more than address
conservation.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
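Point #4 above says that protocols such as SIP carry the sender's local address inside the packet payload, which a plain NAT (one that rewrites only the IP and transport headers) leaves untouched. The following script is an added illustration of that mechanism and is not part of Roger Marquis's post or of any NAT product: it takes a constructed SIP INVITE with an SDP body, lists every IPv4 literal embedded in the headers and body, flags the ones that fall in RFC 1918 space (and so are meaningless to the far end once the outer header has been translated), and shows the substitution a SIP application-layer gateway would have to perform. The sample message, the inside address 192.168.1.20 and the outside address 203.0.113.5 are all made-up values for the example.

```python
import ipaddress
import re

# Constructed sample SIP INVITE with an SDP body. The addresses are
# illustrative RFC 1918 values, not captured traffic.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# The three RFC 1918 private ranges; a NAT's outside address is never in these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def split_message(raw):
    """Separate SIP headers from the SDP body at the blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def embedded_addresses(raw):
    """Return (field, address) pairs for every IPv4 literal carried in the
    SIP headers and in the SDP o= and c= lines. These live in the payload,
    so header-only NAT never sees or rewrites them."""
    head, body = split_message(raw)
    found = []
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for addr in IPV4_RE.findall(value):
            found.append((name.strip(), addr))
    for line in body.split("\r\n"):
        if line[:2] in ("c=", "o="):
            for addr in IPV4_RE.findall(line):
                found.append((line[:1], addr))
    return found


def needs_rewrite(raw):
    """Embedded addresses that are private and therefore unreachable from
    the far side of the NAT unless something rewrites the payload."""
    return [(field, addr) for field, addr in embedded_addresses(raw)
            if is_rfc1918(addr)]


def rewrite_payload(raw, inside_addr, outside_addr):
    """The substitution a SIP ALG performs: replace the inside address in
    headers and body with the NAT's outside address."""
    head, body = split_message(raw)
    return (head.replace(inside_addr, outside_addr) + "\r\n\r\n"
            + body.replace(inside_addr, outside_addr))


if __name__ == "__main__":
    for field, addr in needs_rewrite(SAMPLE_INVITE):
        print(f"{field}: {addr} is a private address inside the payload")
    fixed = rewrite_payload(SAMPLE_INVITE, "192.168.1.20", "203.0.113.5")
    print("after ALG rewrite, remaining problems:", needs_rewrite(fixed))
```

Run as-is it reports four payload fields (Via, Contact, o=, c=) carrying the private address, and none after the ALG-style rewrite. The point for an operator is that the translation has to reach into the application layer, which is exactly the coupling between layers that the post's argument objects to.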