
Linux.com

Feature

IETF roiled over NAT

By Joab Jackson on January 26, 2004 (8:00:00 AM)


If there is one topic that can get the members of the Internet Engineering Task Force worked up, as they were once again last week, it is network address translation, or NAT. Here's a snapshot of the debate over NAT as a hindrance to the implementation of IPv6, as evidenced by posts to the IETF discussion list.

David Putzolu asked, "I wonder if NAT is to [IETF] discussions as Nazis was to Usenet discussions. That is, will every heated IETF debate eventually lead to invoking the NAT bogyman?"

NAT allows administrators to set up a gateway between a local area network and the Internet. When packets pass in and out through the gateway, it is the NAT box that keeps track of which internal computer requested which packets from the outside.

NAT critics dismiss NAT as a kludge, a work-around. They say it has never worked well, causes security problems, and breaks or complicates Internet applications. It grew in popularity only because of the growing scarcity of Internet addresses, a commodity which, at least back in 1995, when the Net appeared to be doubling in size every 12 months, seemed to be in short supply.

The shortage of Internet addresses was the original driving need for IPv6, which the IETF is developing. The version of IP now widely in use across the Internet, version 4, uses a 32-bit addressing scheme, which can provide a total of about four billion addresses. In contrast, IPv6 has 128-bit addresses, which should provide about 35 trillion addresses, enough to hand every person, place and thing in the world its own IP number.

In development since the mid-90s, IPv6 is almost ready for mass deployment. The U.S. Defense Department, for instance, indicated last June that it wishes to move to IPv6 for some of its networks by 2008.

But part of the problem the keepers of the Internet standards now face is getting software and hardware makers and Internet service providers, DoD aside, to adopt IPv6. Kludges they may be, but NATs may also be sapping these parties' very need for IPv6. "I'm a bit confused as to why enterprises would be interested in v6," wrote Soliman Hesham.

NAT may also be providing a useful function to the Internet at large beyond saving IP addresses: it keeps security-oblivious users, those served by broadband providers and ISPs, tucked behind a gateway. Widespread NAT use by Internet service providers raises the question: does everybody actually need their own Internet address? Will Internet service providers even let Joe Sixpack have his own IP address?

Recently, IETF discussions over NAT have been so fierce that they have forced debates over the very necessity of IPv6. The debates have also called into question the mission of the group itself: Should the IETF be "architecturally fundamentalist," as one member put it, and stick to its vision of one IP numbering system everywhere? Or is its mission only to provide standards for Internet users for whatever applications they may use, no matter how inelegant?

NATs represent "one particular area where there's a clear and growing divide between this community and the network administrator community (particularly enterprise and residential)," wrote Melinda Shore on the list in December. She added, "We've known about these problems for a very long time and the argument that these problems are a serious impediment to network -- have not been accepted by the people who deploy real networks."

She concluded, "In that context our arguments are sometimes perceived as condescending and out-of-touch."

NAT NAUGHT?

On a topic as controversial as NAT, one can plunge the pitchfork down pretty much anywhere in the past few years of the IETF mailing list and pull up some well-argued contention. Last month, for instance, an engineer queried the list about NAT and set off a firestorm. He was upgrading his organization's network and wanted to make an argument to his management against the use of NATs. He knew NATs were problematic. But were there any white papers or studies that documented the flaws? There were none anyone could immediately name, though much grumbling about NATs commenced nonetheless.

Last June, the Defense Department announcement of its move to IPv6 set off a similar debate, with many of the same participants taking the same sides.

Why the fuss? As Bob Braden wrote, "I think it would be more accurate to say that a NAT contravenes the basic Internet principle of universal connectivity."

The Internet, as envisioned by its founders, was one in which every node on the network had direct availability to every other node.

NAT, on the other hand, hides end-users behind a gateway. And more than a few participants on the list could see what that leads to.

Trying to make NATs work is "the modern task of Sisyphus," Keith Moore remarked. Applications such as Internet telephony or the IPsec security protocol are difficult to set up to work with NAT.

"Not only are we [losing] existing applications, there are untold new things that are not making it to market. These new applications are unable to generate the critical mass they need to make any marketing noise because the NAT rich environment is too difficult for Joe Sixpack to deal with," Tony Hain wrote earlier this month.

Melinda Shore pointed out that FTP clients, as originally written, would not work with NAT. Neither would video conference applications. "NAT has a surprisingly wide ripple effect that's almost completely negative," she wrote.

"If these applications work 'out of the box' it means effort has been put into developing NAT traversal solutions. While this effort is necessary, it is sad that effort had to be expended. The developers could have been adding extra features, rather than working around a common network infrastructure limitation," Mark Smith wrote earlier this month.

That NATs themselves are used as security devices -- in place of firewalls -- led to more problems. It was not a role they were designed to perform.

"I can tell a firewall to get out of the way ... and the application protocols will function as designed and expected. I cannot tell a NAT to do that, but instead must first educate the vendor about the protocol that's being blocked, wait for them to do their market research and/or prioritize the application among their Great List of Applications They Have Broken, and then maybe one day get a patch that actually spoofs the protocol well enough for it to work with a middlebox in the way," Eric Hall wrote.

NATs also have security issues. Since a NAT box must forward packets from outside IP addresses to internal ones, it must rewrite the forwarding information in each packet. "Basically, once you've committed to rewriting the forwarding information in an IP datagram, then it's open season on all manner of horrible opportunities for intermediaries to engage in Internet abuse," wrote James Woodyatt.

Distributed denial of service attacks are one such form of abuse. Because the IP addresses of machines inside a NAT network are not identifiable from outside the network, NAT has led to DDoS attacks in which the end points cannot be determined, Moore said.

All of these shortcomings have generated little sympathy for NAT among certain IETF members, Moore being the most vocal critic.

"The NAT vendors are the irresponsible ones. They create a mess out of the network and then expect IETF to clean it up, then claim that IETF is in denial for not doing so. [A]nd of course IETF has tried to do so, more than once, and failed. Not for lack of effort, but because it's simply not possible to fix NAT," Moore wrote.

AND YET...

So if NAT sucks so badly, then why is it so widely used? This is the question that haunts IETF.

"The market has clearly decided that IPv4+NAT is the most cost-effective solution to providing them. The IETF really needs to sit and ponder the implications of that," J. Noel Chiappa wrote.

Ronald van der Pol suggested that NATs should be "seen for what they really are, an essential and important part of the Internet infrastructure," adding that "NAT boxes and firewalls play an important and necessary security role."

Perhaps the existence of NATs points to a larger architectural flaw -- maybe the limits of the idea of universal connectivity itself. In the Internet's younger days, all the parties were more or less responsible and so could share resources. Is that the same today?

Other mailing list members pointed out potential problems with the kind of end-to-end connectivity that IPv6 promises. Telemarketing, for instance: Moore asked how often we would receive product pitches on our Internet telephones if the telemarketers of tomorrow had the same tools that spammers work with today.

Security would be another issue.

"The end machines are simply too vulnerable. Without firewall and service restriction, you'll have your entire network compromised very quickly," wrote Eric Rescorla.

Others suggested continuing to use NATs along with IPv6; certainly it can be done easily enough. But that raises the question of why IPv6 should be deployed in the first place. If NATs will continue to be used, why should large enterprises bother with the upgrade?

That is the chicken-and-egg problem the IETF faces, thanks to NAT. NAT may be causing untold problems on the Net, problems IPv6 could go a long way toward solving. But NAT also reduces the drive to implement IPv6 in the first place.

"If the Internet architecture provided i) plenty of addresses, ii) locally allocatable addresses, and iii) the ability to change providers easily, there would be *no* NAT boxes," Chiappa wrote.


Comments on IETF roiled over NAT


How do you.

Posted by: Stumbles on January 27, 2004 02:28 AM
Ok, here's a simple question. Without NAT how does one handle the same situation under IPV6?


Re:How do you.

Posted by: Anonymous Coward on January 27, 2004 03:30 AM
Answer: Firewalls. With more firewalls in use, the price of firewalls, in general, will decline.

Then you can have a LAN party AND have everyone at the party connect to Battle.Net with 0 problems.


Right...

Posted by: Anonymous Coward on January 27, 2004 07:10 AM
Yeah, setting up iptables is much easier than plugging in a linksys box and walking through a tabbed menu or two.


Re:How do you.

Posted by: nexex on January 27, 2004 07:27 AM
> It grew in popularity only because of the growing scarcity of Internet addresses...

NAT use has soared because more people have multiple computers -- and they don't want to pay for three ISP accounts for three computers when you can share one account with NAT.


Re:How do you.

Posted by: Anonymous Coward on January 27, 2004 07:57 AM
But IPv6 addresses are a dime a dozen. You don't need to worry about that.


I hate NAT :-)

Posted by: Scott Wunsch on January 27, 2004 03:26 AM
NAT does not provide security. A stateful packet filtering firewall doesn't have to do any more work than a NAT device (tracking connections), and provides exactly the same level of security as using NAT.

To put it in Linux terms, the following setup provides the same security as NAT:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -j REJECT

But if you actually want to open up a port on the machine behind that firewall, it's easy. Doing so with NAT introduces extra complexity.

NAT also complicates troubleshooting. Without NAT, you can sniff the traffic at any point along the path of the packet, and you should see the same picture. If you don't see the same picture, then you know where the problem is. But with NAT, the IP addresses involved change at a certain point, and in a busy network, it becomes difficult/impossible to disentangle the traffic generated by a particular machine.

NAT also complicates tracking down the source of network abuse or other traffic that might need to be tracked. The IP address you see on the receiving end maps to many different potential sources, and the administrator of the source network likely has no way to determine which internal machine was responsible for it.

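The article's description of what a NAT box does (keeping track of which internal computer asked for which packets) and the claim in the comment above that a stateful filter gives the same protection without rewriting addresses can both be shown with a small simulation. The following Python is an added example, not code from the article, the comment or any IETF participant: the Gateway class, the RFC 5737 "public" addresses, the 192.168.1.0/24 LAN and the port numbers are all constructed. It runs the same four events (an outbound web connection, its reply, an unsolicited inbound probe, and a deliberately opened ssh port) through a filter-only gateway and through a NAT gateway, then shows that tracing an abuse report back to the internal machine needs the NAT's own translation log, which is the tracing problem both the comment and the article raise.

```python
"""Added example (not from the article or the comments): a toy gateway that
tracks connections like a stateful packet filter and can optionally rewrite
addresses like a NAT box.  All addresses, ports and log entries below are
constructed for illustration (RFC 5737 documentation ranges for "public"
hosts, RFC 1918 space for the internal LAN)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """A connection-tracking gateway (hypothetical class, not a real product).

    nat=False: plain stateful filter; replies to tracked flows and packets
               matching an explicit allow rule get in, everything else is dropped.
    nat=True:  the same state tracking, plus outbound packets are rewritten to
               come from the gateway's public address (masquerading) and inbound
               packets may be port-forwarded to an internal host.
    """

    def __init__(self, public_ip: str, nat: bool,
                 allowed: Optional[Set[Tuple[str, int]]] = None,
                 forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.nat = nat
        self.allowed = allowed or set()    # (internal ip, port) allow rules (no NAT)
        self.forwards = forwards or {}     # public port -> (internal ip, port) (NAT)
        self.next_port = 40000             # next translated source port (constructed)
        # (peer ip, peer port, outside-facing ip, port) -> (internal ip, port)
        self.conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # the NAT's own record: (internal ip, internal port, public ip, public port)
        self.translation_log: List[Tuple[str, int, str, int]] = []

    def outbound(self, pkt: Packet) -> Packet:
        """Forward a LAN->Internet packet, recording state so the reply gets back."""
        if self.nat:
            src, sport = self.public_ip, self.next_port
            self.next_port += 1
            self.translation_log.append((pkt.src, pkt.sport, src, sport))
        else:
            src, sport = pkt.src, pkt.sport
        self.conntrack[(pkt.dst, pkt.dport, src, sport)] = (pkt.src, pkt.sport)
        return Packet(src, sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward an Internet->LAN packet, or return None if it is dropped."""
        # ESTABLISHED: a reply to a flow we have already seen going out
        internal = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if internal is not None:
            return Packet(pkt.src, pkt.sport, internal[0], internal[1])
        # NEW inbound: only an explicit rule lets it through, NAT or not
        if self.nat:
            target = self.forwards.get(pkt.dport) if pkt.dst == self.public_ip else None
            return Packet(pkt.src, pkt.sport, target[0], target[1]) if target else None
        return pkt if (pkt.dst, pkt.dport) in self.allowed else None

    def attribute(self, ip: str, port: int) -> Optional[str]:
        """Map a source seen by an outside host back to the internal machine.

        Without NAT the outside host already saw the real address; with NAT
        only the gateway's translation log can answer, and without that log
        the report maps to every machine behind the gateway."""
        if not self.nat:
            return ip
        for internal_ip, _iport, pub_ip, pub_port in self.translation_log:
            if (pub_ip, pub_port) == (ip, port):
                return internal_ip
        return None


def run_traffic(nat: bool) -> dict:
    """Run the same constructed traffic through the gateway with or without NAT."""
    gw = Gateway("203.0.113.1", nat=nat,
                 allowed={("192.168.1.10", 22)},          # no-NAT: open ssh on one host
                 forwards={2222: ("192.168.1.10", 22)})   # NAT: public 2222 -> host:22
    # 1. LAN host opens a web connection; the reply is ESTABLISHED and accepted.
    out = gw.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = gw.inbound(Packet("198.51.100.7", 80, out.src, out.sport))
    # 2. Unsolicited inbound connection attempt: no state, no rule -> dropped.
    outside_view = "203.0.113.1" if nat else "192.168.1.10"
    probe = gw.inbound(Packet("198.51.100.9", 4444, outside_view, 3389))
    # 3. Deliberately opened port: allow rule (no NAT) or port forward (NAT).
    ssh = gw.inbound(Packet("198.51.100.9", 5555, outside_view, 2222 if nat else 22))
    # 4. An outside host reports abuse from the source it saw in step 1.
    culprit = gw.attribute(out.src, out.sport)
    return {"seen_outside": (out.src, out.sport),
            "reply_to": (reply.dst, reply.dport),
            "probe_dropped": probe is None,
            "ssh_to": (ssh.dst, ssh.dport) if ssh else None,
            "culprit": culprit}


if __name__ == "__main__":
    for mode in (False, True):
        print("NAT" if mode else "filter only", run_traffic(mode))
```

Both runs drop the probe and deliver the opened ssh port to the same host; the only differences are what the outside world sees as the source and that, with NAT, attribution depends entirely on the gateway keeping a translation log.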

Re:I hate NAT :-)

Posted by: Anonymous Coward on January 27, 2004 04:53 AM
It's a little disingenuous to separate NAT and stateful firewalls because in real life, most NAT boxes have a stateful firewall built in. For the vast majority of home users, a small NAT box is exactly what they need, which is why they're so popular. In fact, these NAT boxes actually enhance security because they provide a single point of control over what is allowed into the network.

The IETF is experiencing a bit of cognitive dissonance - the real world isn't acting the way they want it to, and they would rather hold on to their precious theories than face real life. The cold, hard fact is that NAT satisfies a need, and satisfies it cheaper and simpler than the IETF ivory-tower solution.


Re:I hate NAT :-)

Posted by: Anonymous Coward on January 27, 2004 06:49 AM
Is it not also a little disingenuous to think NAT and stateful firewalls are somehow inseparable or are one and the same?

A small firewall box, very similar to that small NAT box you refer to, is as capable (if not more so) of providing you a simple, single point of security for your network, no matter the IP protocol, without the issues NAT introduces. A NAT box is not unique or special in the security it provides, but rather is a means of connecting multiple computers through a single IP address.

However it is you choose to set up your network is not very relevant, it is your choice after all. The "real world" problem is when NAT occurs upstream from your own private little world. Suddenly you can't kludge your way through that NAT box to get things to work anymore, but must ask your ISP to do so... if they choose to.


Re:I hate NAT :-)

Posted by: Anonymous Coward on January 27, 2004 06:55 AM
It's not that. If I wanted to use IPv6 at home TODAY, where would I go? DSL uses PPPoE here, which is IPv4 only. Cable doesn't offer IPv6 either. I'm also not aware of any IPv6 dial-up providers. Will 'residential' providers even allow multiple IPv6 addresses per 'connection', or will PPPoE suddenly get tremendously popular as a method for controlling the number of users on a connection? But it really all comes down to a chicken and egg situation. No one will ask for it until there's a foundation for it, and there won't be a foundation for IPv6 until customers start asking for it.


Re:I hate NAT :-)

Posted by: Anonymous Coward on January 27, 2004 10:00 AM
You should try to identify the various functions that are in such a box. A local net (that's where you need the NAT when you have only one IP address) is connected to other nets through gateways (at least one). If you have fewer IP addresses than you have devices that want to connect, these gateways perform the network address translations that let you live with the insufficient number of IP addresses. They also provide the external network security through firewalls. IPv6 still implements the same network topology, i.e. the gateway won't go away and can still provide the firewall functionality. Whether it provides the address translation or not is completely irrelevant for the security aspect.

In case of DSL or cable connections with an external cable or DSL modem, you essentially have a home (local) network consisting of one machine and the gateway machine.


Re:I hate NAT :-)

Posted by: Anonymous Coward on January 27, 2004 07:25 AM
NAT does not provide security?

Perhaps you can explain how my lan hasn't been hacked in the last few years?

> To put it in Linux terms, the following setup provides the same security as NAT:

Didn't you just finish saying NAT does not pro...?

Can you also provide the code for opening port 80? Allowing ssh only from my lan behind one public ip address (nat) to my apache server on another public ip address? Allowing access to ssh from my lan to the outside world?

Where do I put the code? How do I enable it to run on every boot up? Do I then have to leave a workstation or server running instead of an appliance?

> But if you actually want to open up a port on the machine behind that firewall, it's easy. Doing so with NAT introduces extra complexity.

Gee, let's see...Open browser. That's a tough one. enter ip address of appliance...getting tougher. enter user name and password...can I spell?...hit forwarding tab...can I use a mouse?...enter port number to forward in first field...hit apply...double check...close browser...rocket science.

> NAT also complicates troubleshooting. Without NAT, you can sniff the traffic at any point along the path of the packet, and you should see the same picture. If you don't see the same picture, then you know where the problem is. But with NAT, the IP addresses involved change at a certain point, and in a busy network, it becomes difficult/impossible to disentangle the traffic generated by a particular machine.

Let's see...how best to answer above...LIAR!...that should do it.

> NAT also complicates tracking down the source of network abuse or other traffic that might need to be tracked. The IP address you see on the receiving end maps to many different potential sources, and the administrator of the source network likely has no way to determine which internal machine was responsible for it.

Once again, how best to answer above...oh yeah, LIAR!

That just about covers everything.


Re:I hate NAT :-)

Posted by: Anonymous Coward on January 27, 2004 09:27 AM
A few points about your comments. I see and respond to your major arguments as follows:

1. Configuration of a firewall is difficult.

    Current firewall management software is getting easier and easier, local firewalls (as included in many Linux and I believe new Windows distributions) would come with a configuration allowing outgoing connections without incoming connections. Standard firewalls (linux based) I have used come with very reasonable default configurations as well as have good utilities for changing the configurations.

2. Applications work through NAT without problem.

    Yes you can port forward but if the app has ip information in the payload your NAT must have a special module or code to handle rewriting that app. There are many cases where this was necessary (a quick look at my firewall shows modules for FTP, H323, Quake3, and many more).

    New apps must have a module written, the developers have to write additional code for handling NAT (slowing development and making some tasks impossible) or it just doesn't work through NAT.

    Several internal servers have problems using the same external address and port (ex: I want to have ssh access to several internal machines but port 22 is forwarded only to one). Yes there are ways to overcome this but they complicate the environment.

3. NAT does not complicate troubleshooting.

    NAT clearly adds a step of checking to see what address/ports are being translated (if you have access to the point where NAT is being done). It also adds the possibility of running out of ports with port-forwarding (many internal addresses using the port space of one or a few external addresses).

4. NAT hinders the ability of the destination to find out what the actual source address is.

    You seem to think this is not the case. How would you stop a client (potentially infected or misbehaving) from DOSing you on port 25 (SMTP) while still allowing well-behaving clients to connect?

IMO, NAT was a solution to limited IP address space. People later found it provided some security, which it does. It does so much in the same way you CAN pound a nail in with a screwdriver (it is not a good tool for the job).

    When you implement a sufficient address space (such as with IPv6) NAT boxes can be replaced by firewalls. This results in better application support, reduced network app development costs, easier troubleshooting and a simpler network design (one global address space).

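The comment above mentions that a NAT needs a special module for FTP because the protocol carries IP addresses in its payload, the same point Melinda Shore makes in the article about FTP clients as originally written. The following Python is an added example, not the page's or any vendor's code, of what such a helper has to do for active-mode FTP: the FtpAlg class, the translated port range starting at 40000 and the client's PORT command are constructed for illustration, and the RFC 1918 check stands in for whatever a real helper uses to decide that an announced address is not reachable from outside. Without the helper the server is told to connect back to a private address it cannot route to; with it, the payload is rewritten and the server's inbound data connection is expected and delivered like a RELATED flow.

```python
"""Added example (not from the page): why active-mode FTP breaks behind a NAT
and what a NAT's FTP helper (application-layer gateway) has to do about it.
Addresses, ports and the PORT command are constructed for illustration."""
import ipaddress
import re
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges: the addresses a client behind a NAT actually has.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_port(cmd: str) -> Tuple[str, int]:
    """Decode an FTP PORT command (RFC 959: h1,h2,h3,h4,p1,p2) into (ip, port)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % cmd)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) as an FTP PORT command line."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    """Hypothetical NAT helper for active FTP: rewrites the PORT payload to the
    public address and records an expectation so the server's data connection
    to that address/port is forwarded to the client (the RELATED state)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.expected: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def rewrite_command(self, cmd: str) -> str:
        ip, port = parse_port(cmd)
        if not is_rfc1918(ip):
            return cmd                      # already reachable from outside
        pub_port = self.next_port
        self.next_port += 1
        self.expected[(self.public_ip, pub_port)] = (ip, port)
        return format_port(self.public_ip, pub_port)

    def inbound_data_connection(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Internal (ip, port) an inbound data connection is delivered to, or None.
        The expectation is single-use, like a real helper's."""
        return self.expected.pop((dst_ip, dst_port), None)


def server_can_connect(cmd: str) -> bool:
    """The FTP server's view: can it open a data connection to the announced address?"""
    ip, _ = parse_port(cmd)
    return not is_rfc1918(ip)


def demo_active_ftp() -> dict:
    client_cmd = format_port("192.168.1.10", 50000)   # constructed: client behind NAT
    alg = FtpAlg("203.0.113.1")                        # constructed public address
    without_alg = server_can_connect(client_cmd)       # payload leaks the private address
    rewritten = alg.rewrite_command(client_cmd)        # helper fixes the payload
    with_alg = server_can_connect(rewritten)
    delivered_to = alg.inbound_data_connection(*parse_port(rewritten))
    return {"client_sent": client_cmd.strip(), "nat_sent": rewritten.strip(),
            "server_can_connect_without_alg": without_alg,
            "server_can_connect_with_alg": with_alg,
            "delivered_to": delivered_to}


if __name__ == "__main__":
    for key, value in demo_active_ftp().items():
        print("%-32s %s" % (key, value))
```

Every protocol that embeds addresses this way needs its own such helper, which is the maintenance burden the comment describes: a new application either ships with NAT-aware code of its own, waits for a helper, or fails through the box.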

Love firewalls? Tell it to Debian

Posted by: Anonymous Coward on January 27, 2004 10:46 AM
You should forward your post to the Debian developers and fans. It seems they have no problem with distros based on woody shipping without a simple firewall. Or any firewall.

And no problem defending it (http://slashdot.org/comments.pl?sid=92798&cid=7972978) either.


Anonymity

Posted by: Anonymous Coward on January 27, 2004 04:26 AM
This is all about trying to stop anonymity on the internet. NAT is not perfect, but useful enough when people want to have a completely private and closed network.

People have also got to ask, like the article says, if peoples' networks and the internet is working, why the rush to IPv6? Why not be efficient and save on IP addresses where necessary? Certainly corporates just do not want to touch their network infrastructure if it is working. They also may not be able to.

> Melinda Shore pointed out that FTP clients, as originally written, would not work with NAT. Neither would video conference applications.

So what? This is straw clutching.

> "Not only are we [losing] existing applications, there are untold new things that are not making it to market. These new applications are unable to generate the critical mass they need to make any marketing noise because the NAT rich environment is too difficult for Joe Sixpack to deal with," Tony Hain wrote earlier this month.

Rubbish. What are all these new amazing applications this idiot is talking about?

> "Basically, once you've committed to rewriting the forwarding information in an IP datagram, then it's open season on all manner of horrible opportunities for intermediaries to engage in Internet abuse," wrote James Woodyatt.

Err, that's the whole point of TCP/IP dumbass. What are you going to do. Use encrypted hardware to stop people from monitoring and changing their packets? F*****f! Personally, I find any suggestion that this is a security problem to be irresponsible because what goes around comes around. I will decide what comes in and leaves my network - no one else.

> "The end machines are simply too vulnerable. Without firewall and service restriction, you'll have your entire network compromised very quickly," wrote Eric Rescorla.

Exactly. You should use NAT with a properly configured firewall to keep private networks private. It is a faff, but it can be done. I don't want there to be open season with a direct line from everywhere on the internet into my private network. Direct marketing to each device? There is not a chance in hell I want that to happen. Have people not learned from a little operating system called Windows?

We've got a lot of people trying to come up with ways to bad mouth NAT because they want to try to end anonymity for systems and networks that may be legitimately private. Their arguments are very, very weak.


Re:Anonymity

Posted by: Anonymous Coward on January 27, 2004 06:42 AM
Just saying arguments are rubbish and saying show me these things is a nonsense argument. How can you show an invention that can't be invented? I'll admit that this doesn't prove things one way or another by itself. However it is shown with reasonable confidence that NAT complicates systems, and as such decreases the ability of an individual to write a networked application that can deal with it. So it seems quite reasonable to me that inventions are being stifled.

Most of your other counter arguments besides the one above are weak as well, like why rush forward to ipv6? Well even with NAT it's shown that it's just a matter of time before ipv4 runs out, and so not having the infrastructure in place on time is tantamount to creating a crisis deliberately.

As such ipv6 should be implemented in a timely and orderly fashion while it is still possible.

Quickshot


Re:Anonymity

Posted by: Anonymous Coward on January 27, 2004 10:18 AM
I really like it when somebody without a clue pretends to be an authority. The boxes that are often referred to as NAT boxes are actually gateways that in addition to their routing capacity provide additional services like NAT and security (through firewalls). Dropping the NAT function doesn't have any effect on the security aspect. Instead, it makes the programming of such a box simpler, which by itself should improve the security.


Re:Anonymity

Posted by: Anonymous Coward on January 27, 2004 11:59 PM
Yep, but the IPs are still public. Many people and organisations just do not want that, and it doesn't take away the fact that many arguments for IPv6 are just plain weak. New video applications? Give me a break. Deriding the fact that IP packets can be changed?

In many cases NAT and IPv4 are part of the infrastructure - they ain't going to change it after a few years.


NAT and Home Networks

Posted by: Anonymous Coward on January 27, 2004 04:27 AM
I've seen this discussion before about NAT vs. IPV6, and decided to put my 2 cents in, FWIW.

I use NAT on a Linksys router for my home network. It provides me with several benefits.

1. I can easily share a single internet connection between multiple computers. My ISP only gives multiple IP addresses to those paying a significantly higher monthly fee (you're now a business in their eyes), so this is cheaper. I doubt very much that switching to IPV6 would encourage the ISP to do anything different. It also doesn't tie up a dedicated computer.

2. No one outside my home network can see any of the machines inside it (or at least, not easily). That's the way I like it -- it's my private network, and it's nobody's business what's in it but mine.

3. When I re-format and re-install Windows (which is, on average, at least once a year), NAT appears to give me time to download the necessary Windows Updates before someone tries to put a virus on the machine. I have heard of people getting infected within a few minutes of connecting to the Internet.

4. Port Forwarding (I don't know if this is considered a part of NAT, but it is a feature of the router) allows me to redirect port requests from the outside to any address on the network I want. I have even found a use for occasionally re-directing a port to a non-existing address.

5. I imagine they exist, but I haven't heard of a virus that attacks routers. An overwhelming number of viruses, however, do exist that attack the OS (Windows, mainly). Having the NAT on the router, and then a good firewall running on the computer, is, IMHO, an appropriate response to the reality of computing in this day and age.

Oh, for those that are wondering, my main operating system is Suse Linux, but I dual boot Windows XP Pro, since I need that for work sometimes. Most of my concerns lie with Windows, and not Linux.

Even if my ISP were to give out as many addresses as I need, I still don't want the machines on my network visible from the outside. If I ever replace NAT, it will probably be with something that does pretty much the same thing, only with better security.


Re:NAT and Home Networks

Posted by: Serge Wroclawski on January 27, 2004 10:31 AM
Your discussion mixes a number of issues together.

The main support you seem to have for NAT can be accomplished without NAT by use of a packet filter (a firewall). A firewall doesn't imply NAT, and will afford the same security without the problems as outlined in the article.

I suggest that you don't actually know much about NAT or how it works. If you did- you wouldn't have raised the points you have.

Please do yourself the favor of reading up on IP and NAT- you may find your views changed.

- Serge


Re:NAT and Home Networks

Posted by: Anonymous Coward on January 28, 2004 04:58 PM
There are additional factors that work in a NAT's favor securitywise. Since all systems behind a NAT appear to come from a different IP address from the originating computer, an outside attacker doesn't know the precise architecture of the network behind the NAT. If you only have a firewall in place, data gathering is significantly simplified for prospective attackers. Security through obscurity isn't the only answer, but in this case it certainly doesn't hurt.

Further, a NAT doesn't require the cost or red tape typically associated with putting a system on a network. A globally accessible IP doesn't need to be purchased from an ISP or allocated from a company's pool of addresses. The network is also more portable, as one could disconnect the entire thing and plug it in elsewhere with few changes. This is particularly useful in embedded devices, where one might have an internal network that can't be limited by the requirements of other networks that it may attach to.

That's not to say that NAT is the one true answer. There are certainly many headaches caused by packet mangling that can't be easily solved on the protocol level. I've had to work around NAT's faults often enough that I understand where you're coming from. The internet being what it is though, NAT does have a place. As much as we might all like it to, it's not going to go away.


NAT is a necessity in today's Internet

Posted by: Anonymous Coward on January 27, 2004 04:44 AM
Let's face it folks. The IPV6 designers have failed miserably. They are not living in the real world. Having each and every machine directly accessible on the Internet is asking to be hacked. NATs may be a poor man's firewall, but they are quite effective. Most script kiddies just move on to other softer targets. For under $60US, I can buy a pretty decent NAT/firewall device. Most software firewalls (ZoneAlarm, Black Ice etc.) are totally useless, prompting the user constantly with technical messages about opening up ports. They eventually open all ports, just to stop the nagging, defeating the purpose of having them.

Many hardware NAT devices have the ability to block sites, keywords and various harmful technologies like ActiveX. It is almost impossible to have a useful IE with ActiveX totally disabled. I configure one device with my policies, and my entire network is protected, regardless of OS, configuration and setup.

In addition, many ISPs give just one IP address to connect to the Internet. I can easily see them charging more for each IPV6 address you want, making the service more expensive.

I am totally sold on the combo of IPV4+NAT. I will not set up a single computer on the Internet without the benefits of a NAT device. Until IPV6 offers the same benefits and security, it will not take off. The IPV6 guys are just pissed because there really isn't any reason to implement IPV6.


Re:NAT is a necessity in today's Internet

Posted by: Roel Schroeven on January 27, 2004 05:23 AM
It is perfectly possible to have a small box that looks, feels and smells just the same as your NAT/firewall box, but routes ipv6 instead of ipv4. It gives the same security, the machines on our local lan are shielded from the Internet to the same degree. Except for NAT itself, anything that these boxes do can be done as well or even better with ipv6.

Only one difference: the ipv6 box will not break active FTP, VPN and video conferencing as NAT does.


Re:NAT is a necessity in today's Internet

Posted by: Anonymous Coward on January 27, 2004 06:44 AM
Yes, I know.
But the whole purpose of NAT is to hide the private network. M$ software is always going to be full of security holes, no matter what public face they want to place on it. Even today, after all this time and anti-virus products out there, MS-Blaster is still causing major problems for ISPs. So much so, that the ISPs forced M$ to issue a tool to remove it. When you look at these machines, you will see that most of these machines are publicly addressable on the Internet. These types of viruses spread by accessing publicly available machines on the Internet. NATs hide these machines and are much less susceptible to these security problems. I am a computer consultant and out of 45 clients, only 1 has had virus/spyware problems within the last year.

Let's face it, there is no application for a business environment that needs to have a machine directly accessing the Internet or needing IPV6. Today's NAT devices have become quite good and are relatively cheap.

Let's look at them:

FTP:
This is a total bogus boogeyman. Even the most basic NAT device handles this protocol with ease.

VPN:
For under $200US you can buy NAT devices that handle VPN with ease. I actually use these (Netgear makes a couple of good models on the low end) to connect construction trailers to the corporate office. They offer both 3DES and IPSec encryption. This is server-server VPN access. They also provide client-server VPN passthru access. I have 1 client in which I have connected over 30 trailers to the corporate office in this manner. The trailer computers see all of the servers at the main office with ease. This is a cheap and efficient solution.

Video Conferencing:
This one is a bit more problematic, but has been easily solved. The better NAT devices have H.323 support already turned on. This solution is good for the low end. Other solutions, like Intel, have applets that figure out the dynamic address and reconfigure automatically. Again, the IPV4 solution works, and is cheap enough.

Email: SMTP/POP etc.
In a personal setting, NAT devices handle this easily. In a corporate setting, all email should go through a central server. Spam/virus filtering is a necessity. Also, email needs to be properly logged and archived. In many industries, regulations impose fines if this is not done. Also, the protection of trade secrets and proprietary information is a must in today's global market. No employee should ever be allowed to access outside SMTP servers. The risks/fines are too great.

Media
Again, NAT devices handle these protocols with ease. More than one machine can have Real Player or MS Media Player playing music and video simultaneously. In a business setting, many limit use of these protocols, in order to preserve bandwidth or to avoid legal issues with RIAA/MPA etc.

groupware/IM etc.
A corporation should set up their own IM server. They should not rely on AOL, MSN, Yahoo etc. These networks are totally insecure, and much sensitive business information can be passed on. All of these networks have serious security problems that they've known about for a long time and have not bothered to fix. Corporate spying is quite common. Many European countries (especially the French) use corporate spying as a way to get a competitive advantage. On one occasion, one of my clients detected this kind of intrusion and was able to feed false info, resulting in my client getting the upper hand in a negotiation.

At this time, there really is no IPV6 killer application that would cause one to say "Hey.. I got to have that". There is no reason to incur the overhaul expenses to IPV6 in order to satisfy a few "purists". The benefits of IPV6 are few and at this time do not warrant the expense. When applications come along that really take advantage of IPV6 (like its QOS abilities), then maybe it may be worthwhile. But for now, I'm recommending to all of my clients to stay with IPV4+NAT.

#

Re:NAT is a necessity in today's Internet

Posted by: Anonymous Coward on January 27, 2004 12:05 PM
Thank you for injecting a little bit of sanity into this mess of hysteria. Your post has more insight and is more useful than the original story.

#

Re:NAT is a necessity in today's Internet

Posted by: Roel Schroeven on January 28, 2004 04:46 PM
A good firewall (very much like the one in your NAT-box) hides the private network as well as NAT does.

Advantage is that you don't need all these bandaids to get stuff working. And when something new comes along, you don't need to buy other bandaids.

Disadvantage: we need to do some work for the transition.

I think the advantages far outweigh the disadvantages.

#
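Roel Schroeven's point above, that a plain stateful firewall hides a LAN as well as NAT does, in a small model added here as an example; this is not code from the thread or from any of the posters. It implements a toy connection-tracking filter and a toy NAT gateway that share the same flow table, runs constructed IPv6 and IPv4 traffic through each, and shows that unsolicited inbound packets are dropped in both cases while replies to LAN-initiated flows pass. The addresses are constructed documentation-range values, and the class and function names are my own.

```python
"""Toy model: a stateful firewall and a NAT gateway built on the same
connection-state table. Constructed example, not from the thread."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Routes packets unchanged; forwards inbound traffic only when it is a
    reply to a flow a LAN host opened (the ESTABLISHED/RELATED idea)."""

    def __init__(self) -> None:
        # Flow table keyed by the 4-tuple as seen from the LAN side.
        self.flows: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> Packet:
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # forwarded with no rewriting

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # A reply's dst/dport are the LAN host's original src/sport.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt
        return None  # unsolicited inbound packet: dropped


class NatGateway(StatefulFirewall):
    """Same state table, plus source address/port rewriting so that many
    LAN hosts share one public address."""

    def __init__(self, public_addr: str) -> None:
        super().__init__()
        self.public_addr = public_addr
        self.next_port = 40000
        self.xlate: dict[int, tuple[str, int]] = {}  # public port -> LAN socket

    def outbound(self, pkt: Packet) -> Packet:
        super().outbound(pkt)  # remember the original flow
        # Reuse an existing mapping for this LAN socket, else allocate one.
        for pub_port, lan in self.xlate.items():
            if lan == (pkt.src, pkt.sport):
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.xlate[pub_port] = (pkt.src, pkt.sport)
        return Packet(self.public_addr, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        lan = self.xlate.get(pkt.dport)
        if pkt.dst != self.public_addr or lan is None:
            return None  # no translation entry: dropped
        lan_addr, lan_port = lan
        translated = Packet(pkt.src, pkt.sport, lan_addr, lan_port)
        # A mapping alone is not enough; the packet must match a tracked flow.
        return super().inbound(translated)


def run_demo() -> dict[str, bool]:
    """Constructed traffic: one web request and one unsolicited probe per box."""
    fw = StatefulFirewall()
    nat = NatGateway(public_addr="203.0.113.5")

    # IPv6 host behind the plain stateful firewall.
    req6 = Packet("2001:db8:1::10", 51000, "2001:db8:2::80", 80)
    fw.outbound(req6)
    reply6 = Packet("2001:db8:2::80", 80, "2001:db8:1::10", 51000)
    probe6 = Packet("2001:db8:9::1", 4444, "2001:db8:1::10", 445)

    # IPv4 host behind the NAT gateway.
    req4 = Packet("192.168.1.10", 51000, "198.51.100.80", 80)
    pub4 = nat.outbound(req4)
    reply4 = Packet("198.51.100.80", 80, pub4.src, pub4.sport)
    probe4 = Packet("198.51.100.99", 4444, "203.0.113.5", 445)

    return {
        "fw_reply_passes": fw.inbound(reply6) == reply6,
        "fw_probe_dropped": fw.inbound(probe6) is None,
        "nat_rewrites_source": (pub4.src, pub4.sport) == ("203.0.113.5", 40000),
        "nat_reply_reaches_lan_host": nat.inbound(reply4)
        == Packet("198.51.100.80", 80, "192.168.1.10", 51000),
        "nat_probe_dropped": nat.inbound(probe4) is None,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The translation step in `NatGateway` adds nothing to the filtering decision; every drop in the demo comes from the flow table both classes share. On a real IPv6 gateway the equivalent is a forward chain that accepts `-m conntrack --ctstate ESTABLISHED,RELATED` and drops other inbound traffic, with no address rewriting involved.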

Re:NAT is a necessity in today's Internet

Posted by: Anonymous Coward on January 27, 2004 06:21 AM
I seriously doubt the IETF cares the slightest bit that you (or anyone for that matter) put your private home network behind a NAT. The "real world" issue is when NAT occurs at the ISP, as is becoming increasingly common.

You have control over your NAT, and can set up kludge workarounds (such as port forwarding) when and if you need to. However, if you are behind an ISP's NAT, you no longer have the option to work around it directly.

#

Dream On

Posted by: Anonymous Coward on January 27, 2004 04:49 AM
As Bob Braden wrote, "I think it would be more accurate to say that a NAT contravenes the basic Internet principle of universal connectivity."

Yeah, well the world of Flower Children and Free Love is long gone, too. Deal with it!

#

A couple of points

Posted by: Anonymous Coward on January 27, 2004 06:31 AM
The way I see it is as follows:

Pro:
1. ipv6 without NAT is nice so you won't have to search for hours when a certain app won't work because it isn't going through the NAT-ed interface

2. We can communicate with just about everyone on the planet who's online. With a direct connection.
The RIAA and Movie industry would probably love this since they have a direct source to attack instead of going through a lot of trouble to find a certain person.

Con:
1. Bye bye privacy

2. Administrative nightmare. Who is gonna hand out the addresses? It will have to be a global organisation. Or am I mistaken and can we still use private ranges?

3. There are millions of clueless people out there who don't even know what security means. They plug their computer on the big net and voila: a total security disaster. With all the worms and viruses spreading already, how long will it take for a worm/virus to spread if it can reach practically everyone? And don't count on Microsoft to write secure software 'cause it is not gonna happen any time soon. And even if they do, how many clueless "admins" are out there?

4. Spam already accounts for more than 60% of all global email traffic. Imagine what will happen if we start plugging all computers directly to the internet. Spam world.

Sure, a good firewall will probably block a lot of the stuff but I don't think it will get any better by banning NAT. Probably worse.

I'm betting that as soon as everyone starts using ipv6 and no NAT, traffic will probably explode.

#

ipv6? it's the wrong question

Posted by: Sparky5555 on January 27, 2004 07:50 AM
and certainly not the answer.

Frankly, I could give an excrement less about it; it's not yet ready for prime time in any event, and the changeover will have to be done globally in order for it to have a snowball's chance in hell of working as intended.

NAT? That's the answer AFAIAC. With NAT, not done in my router or DSL modem but in my firewall box with iptables, my little 2 machine home network is invisible to all the script kiddies. One port, the identd port, is seen, and is reported to be closed by the external scanners I've sicced onto it. Scanners get better all the time, so I redo that at about monthly intervals to make sure it's still a nobody's-home-and-the-lights-are-out situation.

Until I can have that sort of secure feeling using ipv6, it is apparently an answer looking for someone to ask the right question. I haven't seen anyone even come close to asking it yet...

Cheers, Gene

#

place yer bets here

Posted by: Anonymous Coward on January 27, 2004 11:09 AM
Which can't-miss mid-90s technology will win mass acceptance first... IPv6 or HDTV?

#

IPv6 Frontier Pioneering...

Posted by: Europa Dream on January 28, 2004 01:05 AM
"If the Internet architecture provided i) plenty of addresses, ii) locally allocatable addresses, and iii) the ability to change providers easily, there would be *no* NAT boxes," Chiappa wrote.

Sounds to me like the solution is to use the same tactics as were used to convince people to start homesteads in areas without the full infrastructure they were used to. For IPv6, why not allocate a static block of 256 addresses, a top level domain name (and the ability to add sub-names for those 256 addresses freely and easily), and control over who hosts the DNS and Routing entries for that block of addresses (yes, I know there are security issues...) for every man, woman, and child on Earth. That'd take about 2 trillion addresses and could, perhaps, be administered through UNESCO as a birthright for every person. When a person got a device with a programmable address, they could assign one of their personal IP addresses to it and release the manufacturer's IP that it came with back into that manufacturer's address pool (for a credit of some sort). If they ended up with more than 256 addresses needed, they could purchase more for a nominal fee (presumably with the "credit" they had accumulated from returning some of the manufacturers' IP addresses by using their own). Yes, massive wastage, but it would give IPv6 an "in" (especially in the developing world) that would provide it the traction it would need to make it into the real world. Time would take care of the rest.

P.S. I agree with both the "fundamentalist" view and the "pragmatist" view regarding NAT. I believe that both views are correct, and that the result of this debate will be decided "democratically" by people "voting" with their network implementations. At the end of the day, both sides will probably have to compromise somewhat to arrive at a solution that works for everyone.

#

The Genie is out of the bottle.

Posted by: Anonymous Coward on January 28, 2004 03:34 AM
NAT is the proverbial Genie. With recent developments in open-source operating systems and software, anyone can drop a CD into a 486-class machine and build themselves a NAT/firewall to share their DSL/Cable connection to the internet amongst multiple machines without the provider's knowledge. That saves money. I personally don't know too many people willing to double their ISP bill if they don't have to. My main point is the NAT in IPTABLES works just as well for IPv6 as v4. Even if my ISP called me tomorrow and said I had to use an IPv6 address, I'm not getting rid of the NAT... I like (my computers) living in obscurity. Network security is kinda like the story of a group of people chased by a hungry Grizzly bear: you don't have to be faster than the bear, just faster than the other guy.

#

A couple of reasons that NAT has flourished

Posted by: Anonymous Coward on January 28, 2004 05:23 AM
Consumers use NAT because the available devices that allow them to connect more than one computer to their internet connection use NAT.

These devices exist because ISPs generally don't like to provide more than one IP address. There are a couple of reasons that ISPs don't like to freely provide IP addresses:

Blocks of IP addresses have historically been very expensive for ISPs to purchase. This is related to the limitations in IPv4. Since there is a finite number of IPv4 addresses, and since they were sold in large chunks (usually Class B or C), backbone providers started really raising the prices when the demand for IP addresses grew (this was in the mid- to late-90s).

Plus, back in the day, you typically either had a static IP address for your networked computer or a dynamic IP address assigned to your dialup computer (this was before broadband). DHCP - and the efficient use of an IP address pool that it gives - was not available to most people.

Additionally, as has been mentioned already, ISPs try to minimize "business" use of plain internet access accounts, and restricting access for multiple machines is one way to do that.

#

This story has been archived. Comments can no longer be posted.