[ppml] those pesky users...

Ted Mittelstaedt tedm at ipinc.net
Tue Mar 27 16:41:40 EDT 2007 


>-----Original Message-----
>From: Owen DeLong [mailto:owen at delong.com]
>Sent: Tuesday, March 27, 2007 1:28 PM
>To: George Kuzmowycz
>Cc: tedm at ipinc.net; ppml at arin.net
>Subject: Re: [ppml] those pesky users...
>
>
>
>On Mar 27, 2007, at 1:05 PM, George Kuzmowycz wrote:
>
>>
>>
>>>>> "Ted Mittelstaedt" <tedm at ipinc.net> 03/27/2007 3:30:58 PM >>>
>>
>>> The biggest thing that encourages NAT from a corporate point of view
>> is
>>
>> I won't get into "biggest" or "next biggest", but certainly a major
>> factor in encouraging NAT in the corporate world is a generation of
>> CIO's raised in the belief that NAT is a major component of an  
>> effective
>> security policy. If the IP stack on the PC of Joe in Accounting has a
>> 1918 address, then that evil packet from Romania won't get there. The
>> absence of "end-to-end" in this view is not a design flaw, it is a
>> desirable feature. For these purposes v4 vs v6 is irrelevant; they  
>> don't
>> want a globally-routable address of either flavor on the vast majority
>> of their machines.
>>
>You are, unfortunately, correct about the CIO/other management and even
>some IT professionals misconception of the role of NAT in this process.
>
>The reality is that what they care about is stateful inspection, and,  
>you
>can't have overloaded NAT without stateful inspection, so, most people
>don't truly understand the distinction.  The reality is that NAT can be
>implemented without stateful inspection (as long as it isn't overloaded,
>or, even if overloaded, you at least have some control over which
>services are reachable), just as easily as stateful inspection can be
>implemented without NAT.  So, NAT provides NO security benefit
>directly, and, is not required for stateful inspection which actually
>does provide the security benefit.
>
>The global uniqueness or not of the address on a particular host
>is actually irrelevant to security, but, there is an unfortunately large
>body of religion who does not understand or accept this basic
>fact.
>

It makes no difference to a customer that is using, for example, a
/22 internally if the ISP comes along and assigns him a /22 of IPv4
or a /29 of IPv4.  He is STILL GOING TO PUT a NAT in there.  Sure, he
amy configure the NAT to go 1:1 in the first case and he may configure
the NAT to go 1:1024 in the second case, but in either case he's
going to use a NAT, so that he can easily move his connection to his
ISP to some other ISP if he wants to without renumbering his internal
numbers.

Sure, he wants stateful inspection also.  And sure he can get stateful
inspection in either the 1-to-1 instance or the overload instance.

But he does not want to be tied to a specific ISP, and the only thing out
there that is going to allow him to move his stuff when he pleases is
if he is running NAT.

>Hopefully, they will eventually discover that Galileo was right and
>the world is round.
>

Does it really matter?  Frankly, who cares if the stateful inspection is
implemented in the translator or not?  Your going to have the translator
for portability requirements, regardless, unless the org is large 
enough to justify a direct allocation and/or and AS number, so why is
it so important to you to correct some incorrect assumption in some
non-networking managers pointed head?

Ted

More information about the ARIN-PPML mailing list