> From: Bob Braden <braden(_at_)ISI(_dot_)EDU>
> Today, one must unfortunately question whether universal connectivity
> can be sustained (or is even the right goal) in a networking
> environment without universal trust. Maybe NATs are, in fact, a result
> of a very deep problem with our architecture.
My take is that NATs respond to several flaws in the IPv4 architecture:
- 1) Not enough addresses - this being the one that brought them into
- 1a) Local allocation of addresses - a variant of the preceding one, but
subtly different; NATs do allow you to allocate more addresses
locally without going back to a central number allocation authority,
which is very convenient.
- 2) Easy renumbering when switching ISPs - a benefit that only was realized
later in time, but a significant one all the same - especially for
those people who reckon that switching addresses is a really painful
I don't really believe the rationale that they are useful as a firewall. For
one thing, most NAT boxes include a real firewall (i.e. packet filtering
separate from the NAT functionality). I think that even if we had plenty of
addresses, people would still install boxes with firewall functionality at
the edges of their networks.
Which gets to your original point - "whether universal connectivity .. is
even the right goal .. in a networking environment without universal trust".
Which is an interesting and complex point, but I think one we can put off to
a separate discussion, because I think it's unrelated to the reasons that NAT
boxes have been a success. (It's also good to put it off because including it
will muddy the discussion water.)
> If you accept that, then there is no point in attacking NATs until you
> can propose a better architectural solution to the trust problem
> (hopefully, there will be one!)
Well, not so much the trust problem, because I don't think that's what drove
NAT. But your basic point is a good one.
I think that if you look at the points I listed above, the market has clearly
decided that IPv4+NAT (for all its problems, with which people are I'm sure
reasonably familiar, given the many years NAT has been in service widely) is
the most cost-effective solution to providing them. The IETF really needs to
sit and ponder the implications of that.