On Wed, 18 Jun 2003 21:30:35 PDT, Eric Rescorla said:
> This seems to me like a false dichotomy. If I were deploying a NAT
> (which I didn't) there would be certain things I would care about
> and others I didn't. If I'm already firewalling off these services,
> why should I care if NAT blocks them?
So it's OK for NAT to break any application that *you* don't want to
let through *your* firewall anyhow.
What's wrong with this picture? Well.. Sure, if you currently only allow
3 ports through your firewall anyhow, and those 3 applications happen to
be NAT-tolerant, it's probably no impact on YOUR site.
Of course, if you *ever* encounter an application that your site wants to
allow through the firewall, but you discover that you STILL can't deploy it
because NAT breaks it, you'll be wanting some mayonnaise to make that crow
sandwich go down more easily.
You're missing the point that when a firewall breaks things, it's doing
its job. When a NAT breaks things, it's failing to do its job.
Now let's say a firewall is a pair of suspenders, and a NAT is a belt. This
makes your position:
"I don't care that my belt unzips my trousers every time I go through a
revolving door, because I'm never in a situation where failure of my
suspenders would be an embarrassment".
As Randy Bush says: "I invite my competitors to design their networks this way".
Or is the only reason you have NAT at all because you bought some vendor's
"connection appliance in a box" that proceeded to NAT you regardless of your
> Why is it so hard for people here to believe that customers might
> actually know what they want, even if you don't happen to think
> it's a good idea?
Tell you what - you round up all the big domains that actually have a clue
about what they want, and who understand the distinction between a firewall and
a NAT (even if they are in the same box), and I'll round up all the users who
are scratching their heads because they have a cablemodem or an ADSL modem
(either ISP-provided or off the shelf at Walmart) that is an all-in-one modem/
router/firewall/NAT, and some stuff Just Does Not Work.
And unfortunately, a lot of the Just Does Not Work stuff are applications
like H.323 and VOIP that Joe Sixpack actually *might* be interested in.
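The reason SIP-based VoIP (and H.323, which has the same property) is on the "Just Does Not Work" list is that the signalling payload carries the phone's own IP address and RTP port, and a NAT that rewrites only IP/UDP headers never sees them. The following is an added illustration, not code from the thread or from any product mentioned in it; the addresses, ports and the SIP/SDP message are constructed, and the header-only versus SIP-aware "ALG" translation is a deliberately simplified model of what such a box does.

```python
import re
from dataclasses import dataclass

# Constructed sample addresses: 10.0.0.5 is the phone behind the NAT,
# 198.51.100.7 is the NAT's public side, 203.0.113.10 the remote SIP peer.
PRIVATE_IP, PUBLIC_IP, PEER_IP = "10.0.0.5", "198.51.100.7", "203.0.113.10"


@dataclass
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


def build_sip_invite(local_ip: str, rtp_port: int) -> str:
    """Minimal SIP INVITE with an SDP offer. Note that the phone writes its
    own address into Via, Contact and the SDP o=/c= lines, and its RTP port
    into the m= line; none of these live in the IP/UDP headers."""
    sdp = (
        "v=0\r\n"
        f"o=- 1 1 IN IP4 {local_ip}\r\n"
        "s=call\r\n"
        f"c=IN IP4 {local_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0\r\n"
    )
    headers = (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_ip}:5060\r\n"
        f"Contact: <sip:alice@{local_ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n"
        "\r\n"
    )
    return headers + sdp


def header_only_nat(d: Datagram, public_ip: str, public_port: int) -> Datagram:
    """What a plain NAT does: rewrite the IP/UDP source, leave the payload alone."""
    return Datagram(public_ip, public_port, d.dst_ip, d.dst_port, d.payload)


def sip_alg_nat(d: Datagram, public_ip: str, public_port: int,
                rtp_public_port: int) -> Datagram:
    """What a SIP-aware NAT (an application layer gateway) has to do on top:
    rewrite every copy of the private address in the payload, substitute a
    public port for the RTP stream it must also forward, and fix Content-Length
    because the body length changed. (Simplified model, not a real ALG.)"""
    head, body = d.payload.split("\r\n\r\n", 1)
    body = body.replace(f"IN IP4 {d.src_ip}", f"IN IP4 {public_ip}")
    body = re.sub(r"^m=audio \d+ ", f"m=audio {rtp_public_port} ", body, flags=re.M)
    head = head.replace(f"{d.src_ip}:{d.src_port}", f"{public_ip}:{public_port}")
    head = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body)}", head, flags=re.M)
    return Datagram(public_ip, public_port, d.dst_ip, d.dst_port, head + "\r\n\r\n" + body)


def media_endpoint(payload: str) -> tuple:
    """Where the callee will send its RTP audio: the SDP c= address and m= port."""
    c = re.search(r"^c=IN IP4 (\S+)", payload, re.M)
    m = re.search(r"^m=audio (\d+) ", payload, re.M)
    return c.group(1), int(m.group(1))


def is_rfc1918(ip: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16, which are not routable from outside."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def media_reachable(payload: str) -> bool:
    """The call has audio only if the advertised media address is routable."""
    ip, _ = media_endpoint(payload)
    return not is_rfc1918(ip)


def content_length_ok(payload: str) -> bool:
    """A rewritten message whose Content-Length no longer matches is rejected by peers."""
    head, body = payload.split("\r\n\r\n", 1)
    m = re.search(r"^Content-Length: (\d+)", head, re.M)
    return m is not None and int(m.group(1)) == len(body)


if __name__ == "__main__":
    invite = Datagram(PRIVATE_IP, 5060, PEER_IP, 5060, build_sip_invite(PRIVATE_IP, 49170))
    plain = header_only_nat(invite, PUBLIC_IP, 40000)
    alg = sip_alg_nat(invite, PUBLIC_IP, 40000, 40002)
    print("header-only NAT: callee sends RTP to", media_endpoint(plain.payload),
          "reachable:", media_reachable(plain.payload))
    print("SIP-aware NAT:   callee sends RTP to", media_endpoint(alg.payload),
          "reachable:", media_reachable(alg.payload))
```

With the header-only translation the remote side is told to send audio to 10.0.0.5, an address it cannot reach, so signalling succeeds and the call is silent; the same mechanism is why a firewall that merely passes or drops port 5060 is a different thing from a box that rewrites addresses. The ALG path shows how much protocol-specific state the box has to keep (a public RTP port per call, rewritten lengths) before the application works again.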