North American Network Operators Group


Re: Security gain from NAT: Top 5

  • From: Matthew Palmer
  • Date: Thu Jun 07 00:38:21 2007

On Wed, Jun 06, 2007 at 08:49:21PM -0700, Roger Marquis wrote:
> Problem is that NAT will not go away or even become less common in
> IPv6 networks for a number of reasons.
> 
>   #1 NAT advantage: it protects consumers from vendor
>   lock-in.
> 
> Consider the advantage of globally unique public addressing to ISPs
> and telcos.  Without NAT they have a very effective vendor lock-in.
> Want to change ISPs?  It's only as easy as reconfiguring every device
> and/or DHCP server on your internal network.  With NAT you only need
> to reconfigure a single device, sometimes not even that.

Isn't this the problem that router advertisements are meant to solve?  Do
you have operational experience which suggests that they aren't a sufficient
solution?

>   #2  NAT advantage: it protects consumers from add-on
>   fees for address space.
> 
> Given the 100 to 10,000% mark-ups many telcos and ISPs already charge
> for more than a /29 it should come as no surprise they would be
> opposed to NAT.

I was under the impression that each end-user of an IPv6 ISP got a /64
assigned to them when they connected.

>   #3  NAT advantage: it prevents upstreams from limiting
>   consumers' internal address space.
> 
> Even after full implementation of IPv6 the trend of technology will
> continue to require more address space.  Businesses will continue to
> grow and households will continue to acquire new IP-enabled devices.
> Without NAT consumers will be forced to request new netblocks from
> their upstream, often resulting in non-contiguous networks. Not
> surprisingly, often incurring additional fees as well.

By my calculations, the /64 of address space given to each connection will
provide about 18446744073709551616 addresses.  Is that an insufficient
quantity for the average user of an ISP?

>   #4  NAT advantage: it requires new protocols to adhere to
>   the ISO seven layer model.
> 
> H.323, SIP and other badly designed protocols embed the local address
> in the data portion of IP packets.  This trend is somewhat discouraged
> by the layer-isolation requirements of NAT.

NAT doesn't seem to have stopped the designers of these protocols from
actually deploying their designs, though.

>   #5  NAT advantage: it does not require replacement security
>   measures to protect against netscans, portscans, broadcasts
>   (particularly microsoft's netbios), and other malicious
>   inbound traffic.
> 
> The vendors of non-NAT devices would love to have you believe that
> their stateful inspection and filtering is a good substitute for the
> inspection and filtering required by NAT devices. Problem is the
> non-NAT devices all cost more, many are less secure in their default
> configurations, and the larger rulesets they are almost always
> configured with are less secure than the equivalent NAT device.

Haven't we already had this thread killed by the mailing list team today?

- Matt

-- 
If only more employers realized that people join companies, but leave
bosses. A boss should be an insulator, not a conductor or an amplifier.
		-- Geoff Kinnel, in the Monastery
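The point #5 debate above turns on whether NAT's implicit blocking of unsolicited inbound traffic is something only a NAT device can give you. The following is an added illustration, not code from either poster or from any vendor product: a minimal model of a stateful filter in front of globally addressed IPv6 hosts. It keeps a connection table keyed on the outbound 5-tuple and accepts inbound packets only when they are return traffic for a tracked flow or match an explicit allow rule. The addresses, ports and packet list are constructed sample data (documentation prefix 2001:db8::/32), and the class and function names are hypothetical.

```python
"""Minimal model of a stateful inbound filter for IPv6 hosts without NAT.

Added example (not from the NANOG thread). Shows that the "drop unsolicited
inbound" property usually credited to NAT comes from connection state, which a
plain stateful filter keeps just as well while leaving addresses untranslated.
"""
from dataclasses import dataclass
import ipaddress


def _norm(addr: str) -> str:
    """Canonicalise an IPv6 address so textual variants compare equal."""
    return str(ipaddress.ip_address(addr))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    direction: str  # "out" = inside -> Internet, "in" = Internet -> inside


class StatefulFilter:
    """Default-deny inbound filter with a flow table (hypothetical, simplified)."""

    def __init__(self, allowed_inbound=()):
        # Services deliberately published to the Internet, as (proto, dport).
        self.allowed_inbound = set(allowed_inbound)
        # Tracked outbound flows as (proto, src, sport, dst, dport).
        self.flows = set()

    def process(self, pkt: Packet) -> str:
        src, dst = _norm(pkt.src), _norm(pkt.dst)
        if pkt.direction == "out":
            # Every outbound flow creates state; return traffic is then allowed.
            self.flows.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
            return "ACCEPT"
        # Inbound: does this packet reverse a flow we have already seen?
        reverse = (pkt.proto, dst, pkt.dport, src, pkt.sport)
        if reverse in self.flows:
            return "ACCEPT"
        # Otherwise only explicitly published services are reachable.
        if (pkt.proto, pkt.dport) in self.allowed_inbound:
            return "ACCEPT"
        # Unsolicited inbound (scans, NetBIOS chatter, probes) is dropped.
        return "DROP"


# Constructed sample traffic; all addresses are from the documentation prefix.
SAMPLE_PACKETS = [
    Packet("2001:db8:1::10", "2001:db8:ffff::53", 40000, 53, "udp", "out"),  # DNS query out
    Packet("2001:db8:ffff::53", "2001:db8:1::10", 53, 40000, "udp", "in"),   # its reply
    Packet("2001:db8:bad::1", "2001:db8:1::10", 137, 137, "udp", "in"),      # unsolicited NetBIOS
    Packet("2001:db8:bad::1", "2001:db8:1::10", 55555, 22, "tcp", "in"),     # unsolicited SSH probe
    Packet("2001:db8:bad::1", "2001:db8:1::80", 55556, 443, "tcp", "in"),    # published web server
]


def run_demo():
    """Return the verdict for each sample packet, in order."""
    fw = StatefulFilter(allowed_inbound=[("tcp", 443)])
    return [fw.process(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{verdict:6} {pkt.direction:3} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

The DNS reply is accepted because it reverses a tracked flow, the NetBIOS and SSH probes are dropped because nothing inside solicited them, and the web server answers on 443 only because it was listed explicitly. A NAT device produces exactly the same verdicts for the same reason: an inbound packet with no entry in its mapping table has nowhere to go. The security property lives in the state table, not in the address rewriting, so a stateful filter with a default-deny inbound policy gives an IPv6 site the inbound protection the thread attributes to NAT.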