On a thread now unrelated to the topic of NATs,
At 9:42 AM +0100 3/1/07, Eliot Lear wrote:
> With IPv4 the impetus for NAT was a combination of address
> exhaustion concerns and routing issues.
It is far deeper than that for many IT departments and network users.
NATs are seen as an easy-to-administer firewall that prevents outside
people from getting at hosts behind the NAT. To many of us, that is a
bug because it prevents session initiation from the outside; to many
users, it is a feature.
Nearly every home *and SOHO* router today comes with NAT turned on by
default, and the setting to turn it off is difficult to find. In our
VPN testing, we have found that some of those routers have bugs that
prevent the NAT from being turned off. When we report this to the
vendors (because our tests do not use NATs), we are often literally
the first people to have noticed this. That's how ingrained NATs are
to the mentality of users.
Stated a different way: given the way that some popular operating
systems are configured out of the box to respond insecurely to
outsiders, it may be a good thing that NATs are on by default. Of
course, it would be better if the routers were firewalls with a
default "all incoming blocked" rule instead of a NAT, but that is not
how the world works, mostly due to the two issues Eliot brings up
above. But even if those two issues were magically resolved today, it
will take us years or decades to convince users that they don't want
the NATs they have now, and that they instead want to become firewall
administrators.
--Paul Hoffman, Director
--VPN Consortium
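As an added illustration of the alternative Paul describes (a router that is a stateful firewall with a default "all incoming blocked" rule rather than a NAT), here is an nftables ruleset; it is example configuration written for this page, not anything from the original message or from the VPN Consortium. The interface names "lan0" and "wan0" and the RFC 1918 LAN prefix are assumptions. The IPv4 masquerade table at the bottom is optional and is included only to show where the address translation would sit if it were still wanted: the inbound protection comes entirely from the drop policies and connection tracking in the filter table, and works unchanged for IPv6 hosts with global addresses.

```nftables
#!/usr/sbin/nft -f
# Example ruleset (not from the original post). Assumed interfaces:
#   lan0 = inside, wan0 = upstream. Assumed LAN prefix: 192.168.1.0/24.
flush ruleset

table inet filter {
    chain input {
        # Default deny for traffic addressed to the router itself.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 must pass for neighbour discovery and PMTUD to work.
        meta l4proto ipv6-icmp accept
        meta l4proto icmp accept
        # Management and DHCP/DNS from the inside only.
        iifname "lan0" accept
    }

    chain forward {
        # This is the "all incoming blocked" rule: nothing from wan0
        # reaches an inside host unless an inside host started the flow.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        meta l4proto ipv6-icmp accept
        iifname "lan0" oifname "wan0" accept
        # Per-host inbound exceptions go here when a user actually wants
        # outside session initiation, e.g.:
        # iifname "wan0" oifname "lan0" ip6 daddr 2001:db8::10 tcp dport 443 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# Optional: IPv4 source NAT for a site with a single public address.
# Removing this table does not weaken the inbound protection above.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.1.0/24 oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` (check syntax first with `nft -c -f <file>`). The practical check that the firewall, not the NAT, is doing the work: with the nat table deleted and globally routable addresses on the inside, an unsolicited inbound SYN on wan0 is still dropped by the forward chain, while replies to flows the inside hosts initiated still pass via the conntrack rule.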
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf