Noel,
You are getting too cerebral. We can look at the marketing info on the box of
a NAT product to see what people think they are getting:
1) Instant Internet Sharing for cable and DSL ....
2) Firewall Security against ... USING NAT technology.
3) Simultaneous Internet Access for up to NNN PCs
4) 4 port 10/100 switch
5) Built in print server ...
It really doesn't matter what you think wrt the firewall security of NATs.
People think they are getting additional security. Here is a common sequence
we see: 1) person puts on a software firewall solution on their PC, 2) their
solution then continually inundates the user with warnings due to all the
scanning going on, 3) they get a NAT based on security recommendations from PC
magazines, CNET, ZD, etc., it is a trivial install of a now < $50 devicce, 4)
the warnings are significantly reduced, 5) customer feels they have done
something about their vulnerability, probably akin to installing a deadbolt
lock into a wooden door frame (sure, a crowbar will go right through it like
butter).
regards, peterf
P.S. NATng - it's time has come!
________________________________
From: owner-ietf(_at_)ietf(_dot_)org on behalf of J. Noel Chiappa
Sent: Thu 6/19/2003 4:49 AM
To: ietf(_at_)ietf(_dot_)org
Cc: jnc(_at_)ginger(_dot_)lcs(_dot_)mit(_dot_)edu
Subject: Re: myth of the great transition (was US Defense Department forma lly
adopts IPv6)
> From: Bob Braden <braden(_at_)ISI(_dot_)EDU>
> Today, one must unfortunately question whether universal connectivity
> can be sustained (or is even the right goal) in a networking
> environment without universal trust. Maybe NATs are, in fact, a result
> of a very deep problem with our architecture.
My take is that NAT's respond to several flaws in the IPv4 architecture:
- 1) Not enough addresses - this being the one that brought them into
existence.
- 1a) Local allocation of addresses - a variant of the preceeding one, but
subtly different; NAT's do allow you to allocate more addresses
locally without going back to a central number allocation authority,
which is very convenient.
- 2) Easy renumbering when switching ISP's - a benefit that only was realized
later in time, but a significant one all the same - especially for
those people who reckon that switching addresses is a really painful
undertaking.
I don't really believe the rationale that they are useful as a firewall. For
one thing, most NAT boxes includes a real firewall (i.e. packet filtering
separate from the NAT functionality). I think that even if we had plenty of
addresses, people would still install boxes with firewall functionality at
the edges of their networks.
Which gets to your original point - "whether universal connectivity .. is
even the right goal .. in a networking environment without universal trust".
Which is an interesting and complex point, but I think one we can put off to
a separate discussion, because I think it's unrelated to the reasons that NAT
boxes have been a success. (It's also good to put if off because including it
will muddy the discussion water.)
> If you accept that, then there is no point in attacking NATs until you
> can propose a better architectural solution to the trust problem
> (hopefully, there will be one!)
Well, not so much the trust problem, because I don't think that's what drove
NAT. But your basic point is a good one.
I think that if you look at the points I listed above, the market has clearly
decided that IPv4+NAT (for all its problems, with which people are I'm sure
reasonably familiar, given the many years NAT has been in service widely) is
the most cost-effective solution to providing them. The IETF really needs to
sit and ponder the implications of that.
Noel