"J. Noel Chiappa" <[EMAIL PROTECTED]> writes:
> Perry, I'm curious about the technical aspects of the problems you're seeing,
> in particular:
>
> Are the problems you are seeing due to i) the need for NAT boxes to grope
> around in packets, ii) the fact that hosts don't have permanent, globally
> visible internetwork-level 'names', or iii) something else (e.g. complex
> configuration management)?
To me the biggest problem here is the common situation such that companies
have separate (and necessary) Internet and Remote Access firewalls. RA
firewalls exist in multiple global locations within an enterprise.
Multiple instances of the same Private addresses would enter (or exit) the
enterprise network via Private lines from different companies if not for
careful configuration management across and negotiation between "NAT
Administrators", within the enterprise, and between enterprises. The most
difficult part is the negotiation with client/vendor site NAT Admins as to
who should NAT which addresses into which addresses. We often need to
negotiate between 3 RA connected companies. Not only is this painful, but
one can never sleep comfortably, knowing that a NAT Admin at a 3rd company
will not make a mistake and connect someone new at our NATed address.
There are not enough Private Addresses to go around.

I would propose that an additional block of addresses be added to those
designated in RFC1918. That would be a big practical help.
Steven
Steven M. Polinsky
Vice President, Information Technology
Goldman, Sachs & Co.
180 Maiden Lane
New York, NY 10038
212-902-3669
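The negotiation Steven describes (which partner NATs which private range into which pool, and whether a third party's change silently collides with addresses already in use) is exactly the kind of plan that can be checked mechanically. The following is an added example, not code from the thread or from any of the companies named in it; the enterprise ranges, partner names and pools are constructed, and the `nat_plan_problems` function and its `(kind, detail)` output format are my own convention.

```python
from ipaddress import ip_network

# Constructed sample data (hypothetical); not taken from the mailing-list thread.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
OUR_NETS = ["10.0.0.0/8", "192.168.0.0/20"]
PARTNERS = {
    "vendor_a": {"inside": ["10.1.0.0/16"], "nat_pool": "172.20.0.0/16"},   # clean
    "vendor_b": {"inside": ["10.1.0.0/16"], "nat_pool": "172.20.0.0/16"},   # reuses vendor_a's pool
    "client_c": {"inside": ["192.168.5.0/24"], "nat_pool": None},           # untranslated, inside our space
    "client_d": {"inside": ["10.2.0.0/16"], "nat_pool": "172.21.0.0/24"},   # pool too small for 1:1 NAT
}

def is_rfc1918(net):
    return any(net.subnet_of(block) for block in RFC1918)

def nat_plan_problems(our_nets, partners):
    """Check the address plan negotiated with remote-access partners.

    our_nets: CIDRs routed inside our own enterprise.
    partners: name -> {"inside": [CIDR...], "nat_pool": CIDR or None}, where
      "inside" is what the partner's hosts really use and "nat_pool" is what
      their NAT admin agreed to present on our side (None = no translation).
    Returns a list of (kind, detail) tuples; an empty list means no collision.
    """
    ours = [ip_network(n) for n in our_nets]
    presented = []          # (partner, network) as it appears on our side of the RA firewall
    problems = []
    for name, cfg in partners.items():
        inside = [ip_network(c) for c in cfg["inside"]]
        pool = ip_network(cfg["nat_pool"]) if cfg.get("nat_pool") else None
        if pool is not None:
            if not is_rfc1918(pool):
                problems.append(("non_rfc1918_pool", f"{name}: {pool}"))
            # A static 1:1 NAT needs at least as many pool addresses as inside hosts.
            if pool.num_addresses < sum(n.num_addresses for n in inside):
                problems.append(("pool_too_small", f"{name}: {pool} for {inside}"))
        # Without a pool the partner's real addresses are what reach our routers.
        for net in ([pool] if pool is not None else inside):
            for o in ours:
                if net.overlaps(o):
                    problems.append(("collides_with_ours", f"{name}: {net} vs {o}"))
            for other, onet in presented:
                if net.overlaps(onet):
                    problems.append(("collides_with_partner", f"{name}: {net} vs {other}: {onet}"))
            presented.append((name, net))
    return problems

if __name__ == "__main__":
    for kind, detail in nat_plan_problems(OUR_NETS, PARTNERS):
        print(f"{kind}: {detail}")
```

Re-running the check whenever any partner's NAT admin reports a change is the cheap way to catch the "someone new at our NATed address" mistake before it reaches a routing table.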