What I am really objecting to here is the normative aspect of the discussion.
NAT may be good or it may be the work of Satan. Either way we have to deal with
the issue more constructively than simply telling people 'please do not'.
I don't like NAT workarounds either. In fact I would like to suggest that we
return to an old principle of layered network architecture in which no layer
knows or cares as to what is going on in any other layer it does not interface with.
So instead of saying NAT is good or bad let's instead frame the debate in terms
of 'A NAT box operates at layer 3 and should not therefore make assumptions
about application interactions at layer 7'.
It is equally a layer violation for FTP to communicate IP addresses and port
numbers in the protocol. An application should not know if the transport is
IPv4, IPv6 or SNA. Get rid of FTP type layer violations and the need for NAT
workarounds is also eliminated.
And at the same time let us ask 'how can we share an IPv4 connection on an IPv4
network without causing layer violations?' or 'how can Alice log into her
corporate VPN from a hotel?'
From: Melinda Shore [mailto:mshore(_at_)cisco(_dot_)com]
Sent: Monday, July 02, 2007 12:51 PM
To: Hallam-Baker, Phillip; itojun(_at_)itojun(_dot_)org
Subject: Re: Domain Centric Administration, RE:
On 7/2/07 12:40 PM, "Hallam-Baker, Phillip"
The $50 includes the cost of administration. I get the NAT
free when I plug the box in. Turning it off on the other
rather a lot of thinking for the average user.
There's no reason that a default firewall configuration need
be any more complicated than a NAT. Somewhat less, actually.
But anyway, I think you're muddying the discussion somewhat
by framing it in terms of NAT. You're talking about network
policy and NAT is not a policy function.
NAT workarounds tend to introduce security problems while a
decent, usable policy infrastructure would not, or would at
least localize them. I think we probably both see the same
outcome as desirable but I do think that it's a big mistake
to frame the problem as "NAT is good" rather than "default
deny is good."
Ietf mailing list
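The FTP layer violation the thread argues about, worked through as an added example (this is not code from the thread or from any IETF document): the RFC 959 PORT command carries the client's own IPv4 address and port in the layer-7 payload, so a NAT that only rewrites layer-3 headers leaves the server trying to connect back to an unroutable inside address. The "workaround" is an application-level gateway on the NAT that parses and rewrites the command, which also changes the TCP payload length and therefore every subsequent sequence number. The inside address 192.168.1.10 and the public mapping 203.0.113.5:40000 are constructed sample values.

```python
import ipaddress
import re

# RFC 959 PORT command: PORT h1,h2,h3,h4,p1,p2 followed by CRLF.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port(line: str):
    """Parse a PORT command into (ip, port). Raises ValueError on anything malformed."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("PORT field out of range")
    ip = str(ipaddress.IPv4Address(".".join(str(x) for x in fields[:4])))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not usable for a data connection")
    return ip, port


def is_well_formed(line: str) -> bool:
    try:
        parse_port(line)
        return True
    except ValueError:
        return False


def format_port(ip: str, port: int) -> str:
    """Inverse of parse_port: encode ip:port back into PORT syntax."""
    octets = ip.split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)]) + "\r\n"


def advertises_private_address(line: str) -> bool:
    """True when the client told the server to connect back to an RFC 1918-style
    address, i.e. the data connection will fail if nothing rewrites the command.
    (ipaddress also classes documentation ranges such as 203.0.113.0/24 as
    private, so only use this on the client-advertised address.)"""
    ip, _ = parse_port(line)
    return ipaddress.IPv4Address(ip).is_private


def alg_rewrite(line: str, inside_ip: str, public_ip: str, public_port: int):
    """What an FTP ALG on a NAT has to do to keep active mode working.

    Returns (new_line, seq_delta). seq_delta is the change in payload length,
    which the NAT must then add to every later TCP sequence/ack number on the
    control connection. The command is rewritten only when the advertised
    address is the inside host itself: a client naming some third host is the
    classic FTP bounce pattern and must not be handed a NAT mapping.
    """
    ip, _port = parse_port(line)
    if ip != inside_ip:
        return line, 0
    new_line = format_port(public_ip, public_port)
    return new_line, len(new_line.encode()) - len(line.encode())


if __name__ == "__main__":
    # Constructed sample: inside client 192.168.1.10 opens active-mode FTP.
    client_cmd = "PORT 192,168,1,10,4,1\r\n"
    print("client sent :", repr(client_cmd), parse_port(client_cmd))
    print("unroutable  :", advertises_private_address(client_cmd))
    rewritten, delta = alg_rewrite(client_cmd, "192.168.1.10", "203.0.113.5", 40000)
    print("ALG emits   :", repr(rewritten), "sequence fixup:", delta)
```

The sequence-number fixup is the part that makes this a genuine layer violation rather than a cosmetic one: once the NAT changes payload length it has to track per-connection state for the rest of the control session, and any encryption of the control channel (FTP over TLS) makes the rewrite impossible, which is exactly why the thread frames these as workarounds rather than a design.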