On 04/20/2010 09:31 PM, Roger Marquis wrote:
Jack Bates wrote:
.01%? heh. NAT can break xbox, ps3, certain pc games, screw with various programs that dislike multiple connections from a single IP, and the crap load of vpn clients that appear on the network and do not support nat traversal (either doesn't support it, or big corp A refuses to enable it).
If this were really an issue I'd expect my nieces and nephews, all of whom are big game players, to have mentioned it. They haven't though, despite being behind cheap NATing CPE from D-Link and Netgear.
Address conservation aside, the main selling point of NAT is its filtering of inbound session requests. NAT _always_ fails-closed by forcing inbound connections to pass validation by stateful inspection. Without this you'd have to depend on less reliable (fail-open) mechanisms and streams could be initiated from the Internet at large. In theory you could enforce fail-closed reliably without NAT, but the rules would have to be more complex and complexity is the enemy of security. Worse, if
As others have mentioned on the list, this is wrong. NAT is the one that makes things much more complicated in fact. And even NAT can be tricked.

But I do have a question:

Do you think TCP port 53 for DNS is only used for domain-name transfers?
non-NATed CPE didn't do adequate session validation, inspection, and tracking, as low-end gear might be expected to cut corners on, end-user networks would be more exposed to nefarious outside-initiated streams.

Arguments against NAT uniformly fail to give credit to these security considerations, which is a large reason the market has not taken IPv6 seriously to-date. Even in big business, CISOs are able to shoot-down netops recommendations for 1:1 address mapping with ease (not that vocal NAT opponents get jobs where internal security is a concern).
IMO,
Roger Marquis