[125965] in North American Network Operators' Group


Re: the alleged evils of NAT,

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Apr 27 16:32:16 2010

To: Jon Lewis <jlewis@lewis.org>
In-Reply-To: Your message of "Tue, 27 Apr 2010 14:54:07 EDT."
	<Pine.LNX.4.61.1004271449350.5148@soloth.lewis.org>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 27 Apr 2010 16:31:05 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Tue, 27 Apr 2010 14:54:07 EDT, Jon Lewis said:

> I think you forget where most networking is done.  Monitoring?  You mean 
> something beyond walking down the hall to the network closet and seeing 
> all the blinking lights are flashing really fast?

That site will manage to chucklehead their config whether or not it's NAT'ed.

> How about the typical home DSL/Cable modem user?

And they won't manage to chucklehead their config, even if it's not NAT'ed.
 
>                                                  Do you think they even 
> know what SNMP is?  Do you think they have host based firewalls on all 
> their PCs?

Hmm... Linux has a firewall.  MacOS has a firewall. Windows XP SP2 or later
has a perfectly functional firewall out of the box, and earlier Windows had
a firewall but it didn't do 'default deny inbound' out of the box.

Those people with XBoxes and Playstations and so on can take it up with their
vendors - they were certainly *marketed* as "plug it in and network", and at
least my PS/2 and PS/3 didn't come with a "Warning: Do Not Use Without a NAT"
sticker on them.

So who doesn't have a host-based firewall in 2010? The idea is old enough
that it's *really* time to play name-and-blame.

>             Do you want mom and dad's PCs exposed on the internet, or 
> neatly hidden behind a NAT device they don't even realize is built into 
> their cable/DSL router?

Be careful here - I know that at least in my neck of Comcast cable, you can go
to Best Buy, get a cablemodem, plug the cable in one side, plug an ethernet and
one machine in the other side, and be handed a live on-the-network DHCP address
that works just fine except for outbound port 25 being blocked.  For the past
month or so, my laptop has gotten 71.63.92.124 every night when I get home,
which certainly doesn't look very NAT'ed.

Are you *really* trying to suggest that a PC is not fit-for-purpose
for that usage, and *requires* a NAT and other hand-holding?

And for the record - I don't worry about my mother's PC being exposed on the
Internet, because she's running Vista, which has a sane firewall by default.
What *does* worry me is that she's discovered Facebook, and anything she clicks
on there will not have the *slightest* bit of trouble whomping her machine
through a NAT.

Let's be realistic - when was the last time we had a *real* threat that a
NAT would have stopped but the XP SP2 firewall would not have stopped? And
how many current threats do we have that are totally NAT-agnostic?




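The message above argues that a default-deny-inbound host firewall and a consumer NAT gateway stop the same thing, namely connections that nobody inside asked for, and that both are equally blind to traffic the user's own machine initiates (the "anything she clicks on" case). The following is an added example, not part of the original post or of the NANOG thread, that models both devices as connection trackers in Python and runs the two scenarios the message contrasts: an unsolicited inbound probe, and an outbound connection whose reply carries whatever the remote site chooses to send. The NAT modelled here filters inbound traffic on the full remote endpoint (address and port), which is one common behaviour but is an assumption of this model, not a fact about any particular device; all addresses are RFC 5737 documentation addresses chosen for the example, and both scenarios are constructed.

```python
"""Model of a consumer NAT and a default-deny-inbound host firewall.

Both devices answer the same question for every inbound packet:
"is this the reply leg of a flow an inside host opened?"  If yes,
the packet goes through; if no, it is dropped (firewall) or has no
mapping to be delivered to (NAT).  Neither looks at what the flow carries.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # connection-opening TCP SYN
    ack: bool = False

    def flow(self) -> Flow:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self) -> Flow:
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class HostFirewall:
    """Default deny inbound; anything outbound is allowed and remembered."""

    def __init__(self, my_ip: str) -> None:
        self.my_ip = my_ip
        self.established: Set[Flow] = set()

    def outbound(self, pkt: Packet) -> bool:
        assert pkt.src_ip == self.my_ip, "host firewall only sees its own traffic"
        self.established.add(pkt.flow())
        return True

    def inbound(self, pkt: Packet) -> bool:
        # Accept only if this is the reply to a flow the host itself opened.
        return pkt.reverse_flow() in self.established


class NatBox:
    """Port-overloading NAT: every inside host shares one public address.

    Assumption of this model: inbound packets are matched on
    (public port, remote ip, remote port), so a mapping created by talking
    to one remote endpoint cannot be reused by a different one.
    """

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.out_map: Dict[Flow, int] = {}  # inside flow -> public port
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = pkt.flow()
        if key not in self.out_map:
            pub = self.next_port
            self.next_port += 1
            self.out_map[key] = pub
            self.in_map[(pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        pub = self.out_map[key]
        # Rewrite the source to the shared public address and allocated port.
        return Packet(self.public_ip, pub, pkt.dst_ip, pkt.dst_port, pkt.syn, pkt.ack)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate back toward the inside host, or None if nothing asked for it."""
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited: no inside host to deliver to
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.syn, pkt.ack)


def unsolicited_inbound() -> Tuple[bool, bool]:
    """Constructed scenario: an Internet scanner probes TCP/445.

    Returns (delivered through host firewall, delivered through NAT)."""
    fw = HostFirewall("203.0.113.10")
    nat = NatBox("203.0.113.10")
    probe = Packet("198.51.100.7", 51234, "203.0.113.10", 445, syn=True)
    return fw.inbound(probe), nat.inbound(probe) is not None


def clicked_link() -> Tuple[bool, bool]:
    """Constructed scenario: the user clicks something and the browser opens
    HTTPS to a remote site; whatever that site sends back rides the reply leg.

    Returns (reply delivered through host firewall, reply delivered through NAT)."""
    # Case A: host directly on a public address, protected by its host firewall.
    fw = HostFirewall("203.0.113.10")
    request = Packet("203.0.113.10", 50001, "198.51.100.80", 443, syn=True)
    fw.outbound(request)
    reply = Packet("198.51.100.80", 443, "203.0.113.10", 50001, syn=True, ack=True)
    fw_delivered = fw.inbound(reply)

    # Case B: same click from an RFC 1918 host behind the NAT, no host firewall.
    nat = NatBox("203.0.113.10")
    inside_request = Packet("192.168.1.10", 50001, "198.51.100.80", 443, syn=True)
    on_the_wire = nat.outbound(inside_request)  # 203.0.113.10:40000 -> site:443
    reply = Packet("198.51.100.80", 443, on_the_wire.src_ip, on_the_wire.src_port,
                   syn=True, ack=True)
    translated = nat.inbound(reply)
    nat_delivered = translated is not None and translated.dst_ip == "192.168.1.10"
    return fw_delivered, nat_delivered


if __name__ == "__main__":
    print("unsolicited probe (host fw, NAT):", unsolicited_inbound())
    print("user-initiated reply (host fw, NAT):", clicked_link())
```

Both trackers drop the scanner's probe and both deliver the reply to the connection the user opened. The model makes the point of the thread concrete: the only property either device enforces is "inside-initiated", so once the user initiates the connection, what comes back is the remote site's choice on either side of the NAT.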
