Noel Chiappa writes:
> > From: Doug Barton <dougb(_at_)dougbarton(_dot_)us>
> > My comments were directed towards those who still have the mindset,
> > "NAT is the enemy, and must be slain at all costs!"
>
> In semi-defense of that attitude, NAT (architecturally) _is_ a crock - it put
> 'brittle' (because it's hard to replicate, manage, etc) state in the middle of
> the network. Having said that, I understand why people went down the NAT road
> - when doing a real-world cost/benefit analysis, that path was, for all its
> problems, the preferable one.
>
> Part of the real problem has been that the IETF failed to carefully study, and
> take to heart, the operational capabilities which NAT provided (such as
> avoidance of renumbering, etc, etc), and then _failed to exert every possible
> effort_ to provide those same capabilities in an equally 'easy to use' way.
Most of the renumbering issues that remain are outside of the purview
of the IETF. Hosts have had the ability to securely register
themselves in the DNS for a decade now. Microsoft AD has hosts
register themselves using these mechanisms. DHCP handles both
static and dynamic addresses. Now we may want a way for a host to
register itself securely with the firewall. That way when a host's
IP address changes the firewall gets updated.

Most of the renumbering problem is people refusing to get out of the
way of automation.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
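The "secure registration in the DNS" Mark refers to is RFC 2136 dynamic UPDATE authenticated with a TSIG HMAC (RFC 8945). The example below is added here to show what that mechanism actually consists of; it is not code from this thread, from ISC or from any of the posters. It builds an UPDATE message that adds an A record, signs it with a shared key, and then runs the checks a server performs before accepting it (unknown key, bad MAC, message outside the time window, no signature at all). The zone `example.net`, the key name `host1-key.example.net`, the key bytes and the address `192.0.2.10` are all constructed for the demonstration; nothing is sent to a name server, and name compression is deliberately not supported.

```python
"""Build, TSIG-sign and verify an RFC 2136 DNS UPDATE using only the stdlib.

Constructed example: zone, key name, key bytes and address are made up.
"""
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
ALGORITHM = "hmac-sha256"          # algorithm name carried inside the TSIG RR


def encode_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire: bytes, off: int):
    """Read an uncompressed name at `off`; return (lowercase dotted name, next offset)."""
    labels = []
    while True:
        n = wire[off]
        off += 1
        if n == 0:
            return ".".join(labels).lower(), off
        if n & 0xC0:
            raise ValueError("compressed names are not handled in this example")
        labels.append(wire[off:off + n].decode("ascii"))
        off += n


def build_update(zone: str, host: str, ipv4: str, msg_id: int) -> bytes:
    """Header (opcode UPDATE) + zone section + one 'add A record' RR, no TSIG yet."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + zone_section + rr


def tsig_mac(msg, key_name, key, time_signed, fudge, error=0, other=b""):
    """HMAC over the unsigned message followed by the TSIG variables (RFC 8945 4.3.3)."""
    variables = (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
                 + encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(key, msg + variables, hashlib.sha256).digest()


def sign(msg: bytes, key_name: str, key: bytes, now=None, fudge: int = 300) -> bytes:
    """Append a TSIG RR to the additional section and bump ARCOUNT."""
    time_signed = int(now if now is not None else time.time())
    mac = tsig_mac(msg, key_name, key, time_signed, fudge)
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def verify(wire: bytes, keyring: dict, now=None) -> bytes:
    """Server-side checks; return the unsigned message or raise ValueError."""
    _, _, zo, pr, up, ad = struct.unpack("!HHHHHH", wire[:12])
    if ad == 0:
        raise ValueError("unsigned update rejected")
    off, rr_start = 12, None
    for _ in range(zo):                         # zone entries: name, type, class
        _, off = decode_name(wire, off)
        off += 4
    for _ in range(pr + up + ad):               # walk every RR; the last must be TSIG
        rr_start = off
        _, off = decode_name(wire, off)
        off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
    key_name, p = decode_name(wire, rr_start)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", wire[p:p + 10])
    p += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or off != len(wire):
        raise ValueError("TSIG must be the last record in the message")
    alg, p = decode_name(wire, p)
    time_signed = int.from_bytes(wire[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", wire[p + 6:p + 10])
    mac = wire[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", wire[p:p + 6])
    other = wire[p + 6:p + 6 + other_len]
    if alg != ALGORITHM or key_name not in keyring:
        raise ValueError("BADKEY: unknown key name or algorithm")
    # MAC is computed over the message with the TSIG removed, ARCOUNT decremented
    # and the original message ID restored.
    unsigned = struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", ad - 1) + wire[12:rr_start]
    expected = tsig_mac(unsigned, key_name, keyring[key_name], time_signed, fudge, error, other)
    if not hmac.compare_digest(mac, expected):
        raise ValueError("BADSIG: MAC does not verify")
    if abs(int(now if now is not None else time.time()) - time_signed) > fudge:
        raise ValueError("BADTIME: outside the fudge window")
    return unsigned


def demo(now: int = 1_700_000_000) -> dict:
    """Sign one update and report which server-side checks accept or reject it."""
    key = b"constructed-demo-secret-not-a-real-key"   # constructed, never use a literal key
    key_name = "host1-key.example.net"
    keyring = {key_name: key}
    update = build_update("example.net", "host1.example.net", "192.0.2.10", msg_id=0x1234)
    signed = sign(update, key_name, key, now=now)

    def rejected(wire, ring=keyring, at=now):
        try:
            verify(wire, ring, now=at)
            return False
        except ValueError:
            return True

    return {
        "valid": verify(signed, keyring, now=now) == update,
        "unsigned_rejected": rejected(update),
        # flip 192.0.2.10 to 192.0.2.11 in the signed bytes: MAC no longer matches
        "tampered_rejected": rejected(signed.replace(b"\xc0\x00\x02\x0a", b"\xc0\x00\x02\x0b")),
        "wrong_key_rejected": rejected(signed, {key_name: b"some-other-secret"}),
        "stale_rejected": rejected(signed, at=now + 3600),   # beyond the 300 s fudge
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point for an operator is in `verify`: a server configured with a per-host key only applies an UPDATE whose HMAC checks out, whose key name maps to a policy for that name, and whose timestamp is fresh, which is exactly the property that lets hosts re-register after an address change without a human editing zone files. A production deployment would use the server's own key management (BIND's `update-policy` and `tsig-keygen`, or GSS-TSIG in AD) rather than a literal key in code.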