
Re: myth of the great transition (was US Defense Department formally adopts IPv6)

2003-06-18 12:23:25
Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu> writes:

similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.

Really? You have evidence of this?

the evidence I have is from reading vendor advertisements for NAT boxes,
and from talking to people who run networks that use NAT.  it's not
a random sample, perhaps not a statistically significant one, but it's
been enough to convince me personally that the delusion is widespread.

You can perhaps understand why I wouldn't consider this a particularly
convincing line of argument.

I don't either, but my intuition is that you're wrong.  Once you have
decided to have a firewall in place (which you may think is evil, but
I consider pretty much a necessary evil), I suspect that most people
suffer almost not at all from having a NAT.

depends on what you mean by "firewall"  (which these days is a pretty
vague term).  but there are several primary effects of NAT - one being
that addresses are not maintained end-to-end, another being that NATs
cause address-to-host bindings to be ephemeral when they would otherwise
not be, and another being that (for NAPTs anyway) attempts to initiate
traffic across the NAPT are blocked in one direction.  there is rarely
a significant benefit in a firewall doing the first two of these.  a good
firewall has the capability to block traffic in either direction, or not, on a
case-by-case basis, and can be adjusted according to the needs of its users.

Yes, but these are philosophical objections.

What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that
most of the applications inconvenienced by NAT are ones that IT
managers would want to screen off anyway.
-Ekr
-- 
[Eric Rescorla                                   ekr(_at_)rtfm(_dot_)com]
           Web Log: http://www.rtfm.com/movabletype
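As an added illustration of the three NAT effects enumerated in the exchange above (addresses not carried end-to-end, address-to-host bindings that are ephemeral, and inbound session initiation blocked by a NAPT), here is a toy NAPT model. It is example code written for this page, not code from the thread or from any NAT product, and every address, port and the idle timeout are constructed values.

```python
"""Toy NAPT: enough state to show why address bindings are not end-to-end,
why they are ephemeral, and why unsolicited inbound traffic is dropped."""


class Napt:
    def __init__(self, public_ip, idle_timeout):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout      # seconds of idleness before a binding dies
        self.next_port = 40000                # constructed public port range start
        self.table = {}                       # (inside_ip, inside_port) -> (public_port, last_seen)

    def outbound(self, src, dst, now):
        """Rewrite an inside->outside packet; create or refresh the binding.
        The peer never sees src, only (public_ip, public_port)."""
        if src in self.table:
            pub_port = self.table[src][0]
        else:
            pub_port = self.next_port
            self.next_port += 1
        self.table[src] = (pub_port, now)
        return ((self.public_ip, pub_port), dst)

    def inbound(self, src, dst, now):
        """Deliver an outside->inside packet only if a live binding exists;
        anything else (expired binding, never-mapped port) is dropped."""
        self._expire(now)
        for inside, (pub_port, _) in self.table.items():
            if dst == (self.public_ip, pub_port):
                return (src, inside)
        return None                           # dropped: no binding for dst

    def _expire(self, now):
        self.table = {k: v for k, v in self.table.items()
                      if now - v[1] < self.idle_timeout}


def demo():
    """Run one flow through the NAPT; all values are constructed."""
    nat = Napt("203.0.113.1", idle_timeout=30)
    host = ("192.168.1.10", 5000)             # inside host
    peer = ("198.51.100.7", 80)               # outside server
    rewritten, _ = nat.outbound(host, peer, now=0)            # address not end-to-end
    reply = nat.inbound(peer, rewritten, now=5)               # delivered: binding alive
    unsolicited = nat.inbound(("198.51.100.9", 443),
                              ("203.0.113.1", 40001), now=5)  # dropped: never mapped
    late = nat.inbound(peer, rewritten, now=60)               # dropped: binding expired
    return rewritten, reply, unsolicited, late
```

Running `demo()` shows the peer talking to 203.0.113.1:40000 rather than the inside host, the reply delivered only while the binding is fresh, and both the unmapped and the stale inbound packets dropped.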
