BGP announcements and small providers

Stephen Sprunk wrote:

-> What about application protocols like ftp that specify network addresses in
-> the protocol session? Do you propose the NAT gateway alter FTP packets in
-> transit?
->

Yes, that is exactly what NAT does - it has a pool (or a static
list, or both) of "Externally facing" IP addresses, and it alters the
IP packets in realtime (in both directions, obviously) between
"Externally facing" IP and "Internally facing" IP address, on a
per-conversation basis. It then keeps a "cache" of what addresses
have been dynamically mapped to what.

The aggro used to be that for things like DNS/Mail/News etc. (almost
any service machine) you have to keep the IP address the same and not
dynamically change it. However, NAT boxes allow you to use dynamic
mapping for your users and static for your other services. They also
provide extremely good security - check out Cisco's PIX at :

  Networking, Cloud, and Cybersecurity Solutions - Cisco

which is basically a low spec PC in a rack-mountable box, that can
happily perform NAT at 100Mb/sec. CPU-wise, NAT is not a hard thing
to do, although you might end up needing a fair whack of memory on a
box with *lots* of flows per second.

The security features of the PIX are not a feature of NAT - they are
a feature of the PIX, so you don't (I presume ;-) get them on standard
NAT boxes.

-> Also, I don't believe it will be possible to use host or user-based AH/ESP
-> with NAT, since they protect the source address.
->

Good point - TBH, I don't know how NATs deal/don't deal with ESP.
Although the last time I looked, ESP had only been implemented with
DES, and was therefore fatally flawed (there was a draft by Bellovin
about this somewhere...)

This is not an insurmountable problem - it can be solved either at
the initial key exchange, or by the NAT in realtime, and will
hopefully be / have been solved by one of the ipsec groups - I'll go
and check out ESP again and see if NAT breaks it or not - I don't
know much about it at the mo'

-> Stephen Sprunk
->

Cheers,

Lyndon Levesley
Xara Networks
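Added illustration, not part of the original thread or of any product mentioned in it: a toy NAT in Python that does what the post describes (a pool of externally facing addresses, static mappings for service machines, dynamic per-conversation mappings kept in a table, and an FTP PORT rewriter, since that was the question), plus an AH-style integrity value over the header to show why rewriting the source address and AH do not mix. Every address, port, key and packet below is constructed for the demo; the Packet class, the Nat class and ah_icv are invented here and are not an API of any real NAT box or PIX.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed example only: addresses from RFC 5737 test ranges, a made-up
# key, and a simplified header model. Not a real NAT implementation.


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(payload):
    """Decode an FTP PORT command into (address, port); None if it is not one."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    g = [int(x) for x in m.groups()]
    return ".".join(str(x) for x in g[:4]), g[4] * 256 + g[5]


def format_port(addr, port):
    """Encode (address, port) as an FTP PORT command line."""
    return ("PORT %s,%d,%d\r\n" % (addr.replace(".", ","), port // 256, port % 256)).encode()


class Nat:
    def __init__(self, pool, static=None):
        self.free_pool = list(pool)         # external addresses not yet handed out
        self.static = dict(static or {})    # internal addr -> external addr, fixed
        self.static_rev = {e: i for i, e in self.static.items()}
        self.flows = {}      # (int src, sport, dst, dport) -> external addr (the "cache")
        self.flows_rev = {}  # (ext addr, sport, dst, dport) -> internal addr
        self.expected = {}   # (ext addr, port) -> internal addr, for PORT-announced connections

    def _external_for(self, pkt):
        if pkt.src in self.static:
            return self.static[pkt.src]
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            if not self.free_pool:
                raise RuntimeError("NAT pool exhausted")
            ext = self.free_pool.pop(0)
            self.flows[key] = ext
            self.flows_rev[(ext, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
        return self.flows[key]

    def outbound(self, pkt):
        """Translate an inside->outside packet; rewrite an FTP PORT payload."""
        ext = self._external_for(pkt)
        payload = pkt.payload
        if pkt.dport == 21:
            parsed = parse_port(payload)
            if parsed and parsed[0] == pkt.src:
                port = parsed[1]
                payload = format_port(ext, port)
                # the server will connect back to ext:port, so pre-open that mapping
                self.expected[(ext, port)] = pkt.src
                # not modelled: a real NAT must also adjust TCP sequence numbers
                # when the rewritten PORT line changes length
        return Packet(ext, pkt.dst, pkt.sport, pkt.dport, payload)

    def inbound(self, pkt):
        """Translate an outside->inside packet; None means no mapping, drop it."""
        inside = (self.flows_rev.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                  or self.expected.get((pkt.dst, pkt.dport))
                  or self.static_rev.get(pkt.dst))
        if inside is None:
            return None
        return Packet(pkt.src, inside, pkt.sport, pkt.dport, pkt.payload)


def ah_icv(key, pkt):
    """AH-style integrity value over the header fields AH covers (simplified)."""
    msg = f"{pkt.src}|{pkt.dst}|{pkt.sport}|{pkt.dport}|".encode() + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def demo():
    nat = Nat(pool=["203.0.113.10", "203.0.113.11"],
              static={"10.0.0.53": "203.0.113.53"})   # static mapping for the DNS box
    # inside client tells the FTP server where to connect for the data channel
    ctl = Packet("10.0.0.7", "198.51.100.5", 40000, 21, format_port("10.0.0.7", 40001))
    out = nat.outbound(ctl)
    # server opens the data connection to the translated address and port
    back = nat.inbound(Packet("198.51.100.5", out.src, 20, 40001))
    # an AH ICV computed by the inside host does not survive the rewrite
    key = b"constructed-demo-key"
    ah_ok = hmac.compare_digest(ah_icv(key, ctl), ah_icv(key, out))
    return out, back, ah_ok


if __name__ == "__main__":
    out, back, ah_ok = demo()
    print(out, back, "AH check survives NAT:", ah_ok, sep="\n")
```

The inbound side only forwards packets that match a known flow, a mapping the PORT rewriter pre-opened, or a static server address; anything else returns None (dropped), which is the filtering effect that comes for free with a stateful mapping table rather than a security feature in its own right.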