North American Network Operators Group

Re: Security gain from NAT: Top 5
On Wed, Jun 06, 2007 at 08:49:21PM -0700, Roger Marquis wrote:

> Problem is that NAT will not go away or even become less common in
> IPv6 networks for a number of reasons.
>
> #1 NAT advantage: it protects consumers from vendor lock-in.
>
> Consider the advantage of globally unique public addressing to ISPs
> and telcos. Without NAT they have a very effective vendor lock-in.
> Want to change ISPs? It's only as easy as reconfiguring every device
> and/or DHCP server on your internal network. With NAT you only need
> to reconfigure a single device, sometimes not even that.

Isn't this the problem that router advertisements are meant to solve? Do
you have operational experience which suggests that they aren't a
sufficient solution?

> #2 NAT advantage: it protects consumers from add-on fees for address
> space.
>
> Given the 100 to 10,000% mark-ups many telcos and ISPs already charge
> for more than a /29 it should come as no surprise they would be
> opposed to NAT.

I was under the impression that each end-user of an IPv6 ISP got a /64
assigned to them when they connected.

> #3 NAT advantage: it prevents upstreams from limiting consumers'
> internal address space.
>
> Even after full implementation of IPv6 the trend of technology will
> continue to require more address space. Businesses will continue to
> grow and households will continue to acquire new IP-enabled devices.
> Without NAT consumers will be forced to request new netblocks from
> their upstream, often resulting in non-contiguous networks. Not
> surprisingly, often incurring additional fees as well.

By my calculations, the /64 of address space given to each connection
will provide about 18446744073709551616 addresses. Is that an
insufficient quantity for the average user of an ISP?

> #4 NAT advantage: it requires new protocols to adhere to the ISO
> seven layer model.
>
> H.323, SIP and other badly designed protocols imbed the local address
> in the data portion of IP packets. This trend is somewhat discouraged
> by the layer-isolation requirements of NAT.

NAT doesn't seem to have stopped the designers of these protocols from
actually deploying their designs, though.

> #5 NAT advantage: it does not require replacement security measures
> to protect against netscans, portscans, broadcasts (particularly
> Microsoft's NetBIOS), and other malicious inbound traffic.
>
> The vendors of non-NAT devices would love to have you believe that
> their stateful inspection and filtering is a good substitute for the
> inspection and filtering required by NAT devices. Problem is the
> non-NAT devices all cost more, many are less secure in their default
> configurations, and the larger rulesets they are almost always
> configured with are less secure than the equivalent NAT device.

Haven't we already had this thread killed by the mailing list team
today?

- Matt

--
If only more employers realized that people join companies, but leave
bosses. A boss should be an insulator, not a conductor or an amplifier.
-- Geoff Kinnel, in the Monastery