[125952] in North American Network Operators' Group


Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast

daemon@ATHENA.MIT.EDU (Jon Lewis)
Tue Apr 27 14:37:38 2010

Date: Tue, 27 Apr 2010 14:37:08 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <19110.1272392139@localhost>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 27 Apr 2010 Valdis.Kletnieks@vt.edu wrote:

> The difference is that if a protocol wants to be end-to-end, I can fix a
> firewall to not break it.  You don't have that option with a NAT.

Maybe we want end-to-end to break.

Firewalls can trivially be misconfigured such that they're little more 
than routers, fully exposing all the hosts behind them to everything bad 
the internet has to offer (hackers, malware looking to spread itself, 
etc.).

At least with NAT, if someone really screws up the config, the "inside" 
stuff is all typically on non-publicly-routed IPs, so the worst likely to 
happen is they lose internet, but at least the internet can't directly 
reach them.

This has to be one of the bigger reasons people actually like using NAT.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
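
An added example, not from the post or from NANOG, that models the fail-open versus fail-closed contrast made above in Python: a firewall with a wiped ruleset and an ACCEPT policy becomes a plain router, while a NAT gateway with a wiped translation table leaves its RFC 1918 hosts unreachable from outside and without internet access. The gateway classes, the addresses and the probe port are all constructed for illustration.

```python
# Added example (not from the post): a small model of the two failure
# modes contrasted above. A firewall whose rules are wiped and whose
# default policy is ACCEPT forwards unsolicited inbound packets to every
# host behind it. A NAT gateway with an empty table fails closed: RFC 1918
# hosts cannot be addressed from the internet, and with no source
# translation their outbound traffic gets no replies ("lose internet").
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Firewall:
    # Inside hosts carry public IPs; 'allowed' is the explicit rule set.
    allowed: set = field(default_factory=set)   # {(dst_ip, dport), ...}
    default_accept: bool = False                # ACCEPT policy = misconfig

    def forward_inbound(self, pkt: Packet):
        if (pkt.dst, pkt.dport) in self.allowed or self.default_accept:
            return pkt.dst        # delivered straight to the inside host
        return None               # dropped

@dataclass
class NatGateway:
    public_ip: str
    dnat: dict = field(default_factory=dict)   # (public_ip, port) -> inside
    masquerade: bool = True                    # outbound source translation

    def forward_inbound(self, pkt: Packet):
        if is_private(pkt.dst):
            return None           # not globally routable: never reaches us
        return self.dnat.get((pkt.dst, pkt.dport))   # None unless mapped

    def forward_outbound(self, pkt: Packet):
        if not self.masquerade and is_private(pkt.src):
            return None           # reply could not route back: no internet
        return Packet(self.public_ip, pkt.dst, pkt.dport)

def exposed_hosts(gateway, inside_hosts, dport=22):
    """Inside hosts an unsolicited inbound probe (constructed) would reach."""
    return [h for h in inside_hosts
            if gateway.forward_inbound(Packet("203.0.113.9", h, dport)) == h]
```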

