Where NAT disenfranchises the end-user ...

Hello all,

In the recent multi-homing discussions, many references were made, both
public and private, to encouraging NAT and NAT techniques, in implementing
local multi-homing.

To be honest, even though I've used NAT myself and have implemented NAT for
friends and clients, I would NEVER represent that a NAT'd address has the
full connectivity to the Internet that a static address does. I've had many
people ask me why. I've even gotten some hate-mail from members of this
forum over this. The attached message is one instance-proof of where NAT is
deficient.

If you are selling transit and you are going to NAT them, then you cannot
tell them that they have access to the full internet. There is a *lot* of
stuff that will not transition a NAT boundary. A business that requires
direct Internet access can't use NAT at the border. A business that delivers
services to the internet can't use NAT, for their application servers, at
all.

BTW, I apologize if the subject-line appears inflammatory.

To be honest, even though I've used NAT myself and have implemented NAT for
friends and clients, I would NEVER represent that a NAT'd address has the
full connectivity to the Internet that a static address does. I've had many
people ask me why. I've even gotten some hate-mail from members of this
forum over this. The attached message is one instance-proof of where NAT is
deficient.

You are correct in that one:many NAT isn't a "full" internet connection, and
I agree that it shouldn't be represented as such.

A business that requires direct Internet access can't use NAT at the border.

Not true. While I expect you will take this as nitpicking, one:one NAT is
very conveniently used for servers while one:many NAT can be used for
generic workstation access while preserving a consistent LAN numbering
scheme. Anything that a "full" internet connection gets you will also work
with one:one NAT.

A business that delivers services to the internet can't use NAT, for their
application servers, at all.

This is laughable. You're telling me that we can't use our Alteons or
Arrowpoints that use NAT to provide (redundant and load balanced!) internet
services? I guess we should just go back to the One Big Web Server days, and
put all our MS SQL database servers out in "full" view of the internet. Now
there's an idea.

--Doug

...except current implementations of IPSEC:

http://www.isp-planet.com/technology/2001/ipsec_nat.html

Luckily, the above article also mentions the fixes that are in the
works...

perhaps better to call them bandaids.

(the changes in IPSec are necessary for several reasons, but we don't have
to like them.)

richard

True... neither does a well-firewalled LAN.

NAT has its place, and we have many happy customers that are quite
pleased with their NAT'd connections; some simple, some fancy.

What irks me more than NAT are crappy protocols like FTP and H.323 that
make too many assumptions about how much of my machine I am willing to
expose in order to communicate using these protocols. I particularly
detest any software that is not content to let the far end figure out
the source address of a packet.

NAT and firewalls have a way of showing you how poorly designed these
protocols are.

Charles

"Charles Sprickman" <spork@inch.com>

NAT has its place, and we have many happy customers that are quite
pleased with their NAT'd connections; some simple, some fancy.

NATs are a band-aid.

What irks me more than NAT are crappy protocols like FTP and H.323 that
make too many assumptions about how much of my machine I am willing to
expose in order to communicate using these protocols.

FTP was designed for ARPANET, H.323 was designed to work over ANY packet
network. Neither of them was designed for TCP/IP in particular.

They don't break the end-to-end design principles though. Neither do network
games, chat tools, and other peer-to-peer protocols that run in elected-server
or server-to-server modes.

The fact is that I can write an Internet-compliant application in about two
minutes that will break every NAT ever sold, simply because they don't have a
proxy for the protocol. NATs violate fundamental Internet principles. They
were broken from the start.