North American Network Operators Group
Re: Security gain from NAT: Top 5
#1 NAT advantage: it protects consumers from vendor lock-in.
Speaking of FUD... NAT does nothing here that is not also accomplished through the use of PI addressing.
More FUD. The correct solution to this problem is to make it possible for end users to get reasonable addresses directly from RIRs for reasonable fees.
Regardless of the amount of growth, do you really see the likelihood of any household _EVER_ needing more than 65,536 subnets? I don't even know the exact result of multiplying out 16*1024^6, but, I'm betting you can't fill 65,536 subnets that big ever no matter how hard you try. So, again, I say FUD.
#4 NAT advantage: it requires new protocols to adhere to the ISO seven layer model.
Quite the contrary... NAT has encouraged the development of hack upon hack to accommodate these protocols. Please explain to me how you would engineer a call setup-tear-down protocol for an independent audio stream that didn't require you to embed addresses in the payload. Until you can solve this problem, we will have to have protocols that break this model. Other than from some sort of ISO purity model (notice how popular OSI networking is today, compared to IP?), SIP is actually a pretty clean solution to a surprisingly hard problem. Unless you have a better alternative for the same capabilities, I'm not buying it. We shouldn't have to give up useful features for architectural purity. If the architecture can't accommodate real world requirements, it is not the requirements that are broken.
That's sort of like saying that OSPF and BGP break the ISO layer model because they talk about layer three addresses in layer 4-7 payload. Heck, even ISIS is broken by that definition. Again, I cry FUD.
#5 NAT advantage: it does not require replacement security measures to protect against netscans, portscans, broadcasts (particularly Microsoft's NetBIOS), and other malicious inbound traffic.
??? This is pure FUD and patently untrue. Example: About the cheapest NAT capable firewall you can buy is a Linksys WRT-54G. If you put real addresses on both sides of it and change a single checkbox in the configuration GUI, you end up with a Stateful Inspection firewall that gives you all the same security you had with the NAT, but, without the penalties imposed by NAT.
Until you can show me a box that is more than USD 40 cheaper than a WRT-54G that cannot have NAT turned off, again, I cry FUD. Oh, btw, a WRT-54G sells for about USD 40 last time I bought one brand new at Best Buy, so, that's a pretty hard metric to meet.
These are just some of the reasons why NAT is, and will continue to be, an increasingly popular technology for much more than address conservation.
Since each and every one of them is FUD, that is certainly the pot calling the kettle black. Unfortunately, time and again, American politics has proven that FUD is a successful marketing tactic, so, you are probably right, there will probably be a sufficient critical mass of ignorant consumers and vendors that will buy into said FUD and avoid the real solution in favor of continuing the abomination that is NAT and all the baggage of STUN, difficult debugging, header mangling, address conflicts, and the rest that tends to come with it.
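The WRT-54G point above, that the protection usually credited to NAT is really connection tracking and survives switching translation off, as an added illustration in Python. This is example code written for this page, not from the post or from any Linksys firmware; the Firewall class, its outbound-only state table and its sequential port-mapping rule are simplifying assumptions, and every address and packet is constructed from RFC 5737 documentation ranges. The same four-packet sequence is run twice, once with public addresses on both sides and once with source NAT, to show that the allow/drop decisions are identical and only the address rewriting differs.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed addresses (RFC 5737 documentation ranges, not real hosts).
LAN_PREFIX = "192.0.2."      # hosts behind the firewall
WAN_ADDR = "198.51.100.1"    # the firewall's outside address, used only when translating


class Firewall:
    """Toy stateful-inspection filter: default-deny inbound, state created by
    outbound packets, with address translation as a separate, optional step."""

    def __init__(self, translate: bool):
        self.translate = translate
        self.flows = {}        # expected reply 4-tuple -> original (src, sport)
        self.next_port = 40000  # assumed mapping rule: hand out ports sequentially

    def _inside(self, addr: str) -> bool:
        return addr.startswith(LAN_PREFIX)

    def process(self, pkt: Packet):
        """Return (decision, packet as forwarded); the packet is None when dropped."""
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: allowed, and the reverse direction is now expected.
            if self.translate:
                fwd = replace(pkt, src=WAN_ADDR, sport=self.next_port)
                self.next_port += 1
            else:
                fwd = pkt
            # Key is what a reply will look like when it arrives from outside.
            self.flows[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = (pkt.src, pkt.sport)
            return "ALLOW", fwd
        if not self._inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.flows:
                return "DROP", None   # unsolicited inbound: scans, probes, broadcasts
            orig_src, orig_sport = self.flows[key]
            # Undo the rewrite only if we performed one on the way out.
            fwd = replace(pkt, dst=orig_src, dport=orig_sport) if self.translate else pkt
            return "ALLOW", fwd
        return "ALLOW", pkt       # LAN-to-LAN traffic is not filtered here


def scenario(translate: bool):
    """Run one probe, one outbound connection, its reply and a second probe.
    Returns (list of decisions, the reply packet as delivered to the LAN host)."""
    fw = Firewall(translate)
    lan_host = LAN_PREFIX + "10"
    server = "203.0.113.80"
    scanner = "203.0.113.200"
    # An outside scanner aims at whatever address it can see for the LAN host.
    target = WAN_ADDR if translate else lan_host
    decisions = []

    d, _ = fw.process(Packet(scanner, 53000, target, 445))     # unsolicited probe
    decisions.append(d)
    d, fwd = fw.process(Packet(lan_host, 51234, server, 80))   # LAN host opens a connection
    decisions.append(d)
    # The server answers the packet it actually received, translated or not.
    d, reply = fw.process(Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport))
    decisions.append(d)
    d, _ = fw.process(Packet(scanner, 53001, target, 139))     # second probe, still no state
    decisions.append(d)
    return decisions, reply


if __name__ == "__main__":
    for mode in (False, True):
        decisions, reply = scenario(mode)
        print("NAT" if mode else "no NAT", decisions, "reply delivered to", reply.dst, reply.dport)
```

Both runs drop the two probes and pass the reply, so the inbound filtering is identical; the only thing NAT adds is the rewrite of the outbound source and the matching un-rewrite of the reply, which is exactly the baggage (header mangling, STUN, harder debugging) the reply above objects to.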