[41370] in North American Network Operators' Group
Re: Where NAT disenfranchises the end-user ...
daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Fri Sep 7 12:03:35 2001
From: bmanning@vacation.karoshi.com
Message-Id: <200109071630.QAA14585@vacation.karoshi.com>
To: spork@inch.com (Charles Sprickman)
Date: Fri, 7 Sep 2001 16:30:24 +0000 (UCT)
Cc: rmeyer@mhsc.com (Roeland Meyer),
nanog@merit.edu ("NANOG (E-mail)")
In-Reply-To: <Pine.BSF.4.33.0109071149460.4876-100000@shell.inch.com> from "Charles Sprickman" at Sep 07, 2001 11:51:33 AM
> > |> True... neither does a well-firewalled LAN.
> >
> > There is a substantial difference between broken access and controlled
> > access.
>
> Yes, but there are plenty of apps that will not work if you do not leave
> open large, arbitrary ranges of udp ports. This is fundamentally
> incompatible with most sane firewalls. Or NAT.
>
> Why write a protocol that way? Just to prove NAT sucks?
>
> Charles
No, because they were either written before NAT existed and
tried hard to conform to the end2end principles of Internet Architecture
or they were written after NAT existed and tried hard to conform to the
end2end principles of Internet Architecture.
NAT violates the end2end principles of the Internet Architecture
by placing one or more policy abstraction layer(s) between the endpoints.
That said, NAT is a tool in the tool box. I'd like to think that
it's worth the effort to try and recover true end2end.
--bill
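The failure mode Charles describes (an application that picks an arbitrary inbound UDP port and announces it in-band) and Bill's point about NAT inserting a policy layer between the endpoints can be made concrete with a small model. The following Python is an added illustration written for this archive page; it is not code from the thread or from any NAT vendor. The `Nat`, `Packet`, `run_scenario` names and every address and port (10.0.0.5, 198.51.100.1, 203.0.113.9, ports 5000/6000/7000/40000) are constructed for the example. The translator only forwards inbound packets to mappings it created for outbound traffic, which is the common NAT behaviour; anything sent to a port the application negotiated itself is dropped, and a private address leaked in the payload is never routable at all.

```python
"""Toy model of a NAT that only admits replies to outbound mappings.

Added illustration for the NANOG thread above, not code from the thread.
All hosts, ports and the protocol's in-band message are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, udp port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000  # first public port handed out (constructed value)
    outbound: Dict[Endpoint, int] = field(default_factory=dict)   # private -> public port
    inbound: Dict[int, Endpoint] = field(default_factory=dict)    # public port -> private

    def egress(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private side, creating a mapping
        the first time a private (ip, port) pair is seen."""
        if pkt.src not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[pkt.src] = port
            self.inbound[port] = pkt.src
        return Packet((self.public_ip, self.outbound[pkt.src]), pkt.dst, pkt.payload)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet. A public port with
        no outbound mapping is dropped: the NAT's policy layer decides, not
        the endpoints."""
        priv = self.inbound.get(pkt.dst[1])
        if priv is None:
            return None
        return Packet(pkt.src, priv, pkt.payload)


def deliver_from_internet(nat: Nat, pkt: Packet) -> Optional[Packet]:
    """Model public-side routing: only the NAT's public address is reachable.
    A private address that leaked in-band never reaches the NAT at all."""
    if pkt.dst[0] != nat.public_ip:
        return None
    return nat.ingress(pkt)


def run_scenario() -> Dict[str, Optional[Endpoint]]:
    """Client behind NAT announces an arbitrary inbound port in-band; the
    server tries three ways of sending data back. Returns where each attempt
    was delivered (None = dropped)."""
    nat = Nat(public_ip="198.51.100.1")
    client: Endpoint = ("10.0.0.5", 5000)     # constructed private host
    server: Endpoint = ("203.0.113.9", 7000)  # constructed public server
    listen_port = 6000  # arbitrary UDP port the application chose itself

    # 1. Client tells the server, in the payload, where to send data.
    msg = f"SEND TO {client[0]}:{listen_port}".encode()
    outbound = nat.egress(Packet(client, server, msg))

    # 2a. Server trusts the in-band address (pure end-to-end assumption).
    ip, port = outbound.payload.decode().split()[-1].split(":")
    naive = deliver_from_internet(nat, Packet(server, (ip, int(port)), b"data"))

    # 2b. Server is NAT-aware for the IP but still uses the advertised port.
    patched = deliver_from_internet(nat, Packet(server, (outbound.src[0], listen_port), b"data"))

    # 2c. Server replies only to the exact observed source of the outbound packet.
    mapped = deliver_from_internet(nat, Packet(server, outbound.src, b"data"))

    return {
        "reply_to_in_band_address": naive.dst if naive else None,
        "reply_to_advertised_port": patched.dst if patched else None,
        "reply_to_outbound_mapping": mapped.dst if mapped else None,
    }


if __name__ == "__main__":
    for attempt, delivered in run_scenario().items():
        print(f"{attempt}: {delivered}")
```

Only the third attempt gets through, and even then the data lands on the client's original source port (5000), not the port the application asked for (6000). That is the practical content of "leave open large, arbitrary ranges of udp ports": without a static forward or an application-layer gateway that rewrites the in-band announcement, the translator's mapping table, not the two endpoints, decides which packets exist.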