ietf

Re: Number of Firewall/NAT Users

2001-01-21 00:30:03
Technically, a NAT box is used to interconnect two (or more) independent
networks so that hosts in the networks can communicate with one another
*without any change* to the respective networks,

except that in reality this is completely false. 

- the two networks can only "communicate" in a crippled sense
  (in that the joined network only supports a subset of the applications
  supported by either of the original networks)

- in a great many cases, the networks *do* end up being changed -
  at least in the sense that more components need to be added and
  more special configuration done just to keep the network running.
  the network also becomes more fragile.

This is beneficial not only to provide Internet routing to
near unlimited addresses in private networks but also for address hiding,
privacy and flexibility.

The oft-touted privacy benefits of NATs are largely an illusion.  Sometimes
you want to hide an address for the sake of privacy, sometimes you want
a stable address so that you can be reached.  The needs will differ between 
applications on a single host.  NATs hinder, rather than help, your ability 
to give each application what it needs.

So, maybe this is what the market really wants -- a multiple-protocol 
Internet where tools such as NAT boxes for firewalling, privacy, 
address extension and IPv4/IPv6 interoperation will be needed ... 
and valued.  

The market doesn't necessarily want NATs per se, but it does want some 
of the things that NATs either bring or purport to bring.  for example:

- the ability to add networks (not just hosts) at arbitrary points
  in the Internet, without getting permission from upstream to do so.
- the ability to easily renumber networks
- the ability to connect a small network to the Internet without 
  having to explicitly configure it  (plug-and-ping)
- limits to the ability to associate a source address with a particular
  user or host.

the Internet does not have to be a homogeneous network, it can be a
heterogeneous network with IPv4/NAT/IPv6.

certainly the Internet *can* be such a network; that does not mean that
it is desirable that it be such a network.  I remember when the email 
network was a heterogeneous network consisting of UUCP, BITNET, DECnet, 
SMTP, X.400, and a few other things thrown in.  It "worked", sort of, 
but we had all kinds of problems with the translations at the boundaries,
with addresses from one network leaking past the gateways into another
network, with addresses being "translated" in such a way that they
were no longer usable in the destination network.  NATs create the same
set of problems for the whole Internet that we used to just have for
email.  Fortunately, the vast majority of email users came to their 
senses and settled on Internet protocols and the Internet email address
format.   I can only hope that NAT users will also come to their senses.

Since a heterogeneous network can use local
solutions for local problems, I believe Internet users will continue to 
prefer local flexibility.

if that's really the case, they'll get rid of NATs as soon as alternative
means of solving the problems that NATs were meant to address become 
available.  our task is to come up with those alternatives.

Keith
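The two concrete claims in the message above, that hosts behind a NAT can only be reached once they have first sent something out and that the joined network supports only a subset of the applications either side supported, can be shown with a small port-overloading NAT model. The code below is an added example for this archive page, not Keith's code or anything from an IETF document; the addresses, port numbers and the FTP-like "PORT host:port" payload are all constructed for the illustration.

```python
"""Toy port-overloading NAT (NAPT) model.

Added example, not part of the original message or any IETF document.
It shows (1) an unsolicited inbound flow is dropped because the NAT has no
state for it, (2) a reply is delivered only after the inside host talks
first, and (3) an application that carries its own address in the payload
breaks, because the NAT rewrites only IP/transport headers.
All addresses and packets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class Napt:
    """Many inside hosts share one public address; flows are told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._out: Dict[Tuple[str, int], int] = {}   # (inside ip, port) -> public port
        self._in: Dict[int, Tuple[str, int]] = {}    # public port -> (inside ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating a mapping on first use."""
        key = (pkt.src, pkt.sport)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        # Only the header is rewritten; the payload is passed through untouched.
        return replace(pkt, src=self.public_ip, sport=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet, or drop it if no mapping exists."""
        if pkt.dst != self.public_ip or pkt.dport not in self._in:
            return None  # no state for this flow: silently dropped
        ip, port = self._in[pkt.dport]
        return replace(pkt, dst=ip, dport=port)


def address_in_payload(payload: str) -> Optional[str]:
    """Parse the constructed 'PORT host:port' command the way a peer would."""
    if not payload.startswith("PORT "):
        return None
    host, _, _port = payload[5:].partition(":")
    return host


def demo() -> dict:
    nat = Napt("203.0.113.7")                    # constructed public address
    inside, peer = "10.0.0.5", "198.51.100.9"    # constructed inside host and peer

    # 1. Outside host tries to reach the inside host first: dropped.
    dropped = nat.inbound(Packet(peer, 33000, nat.public_ip, 5060)) is None

    # 2. Inside host talks first; the peer's reply to the mapped port gets in.
    out = nat.outbound(Packet(inside, 5060, peer, 5060, payload="hello"))
    reply = nat.inbound(Packet(peer, 5060, out.src, out.sport, payload="hello back"))
    reply_delivered = reply is not None and (reply.dst, reply.dport) == (inside, 5060)

    # 3. Application embeds its own address in the payload (FTP-style).
    ftp = nat.outbound(Packet(inside, 2000, peer, 21, payload=f"PORT {inside}:2001"))
    target = address_in_payload(ftp.payload)
    # The peer would try to connect to a private address: unroutable from outside.
    data_channel_ok = target is not None and not ipaddress.ip_address(target).is_private

    return {
        "unsolicited_dropped": dropped,
        "reply_delivered": reply_delivered,
        "header_src_translated": ftp.src == nat.public_ip,
        "payload_src_translated": target == nat.public_ip,
        "data_channel_ok": data_channel_ok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Real NAT boxes paper over case 3 with application-layer gateways for a handful of well-known protocols, which is exactly the "more components and special configuration" cost the message describes; any application the ALG does not know about is left in the crippled state shown here.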


