[arin-ppml] Set aside round deux

Kevin Kargel kkargel at polartel.com
Wed Aug 4 10:46:01 EDT 2010

> This has been gone over here before but please do explain what NAT breaks
> that wouldn't have otherwise been dealt with by stateful inspection?

There are many examples, but to pick perhaps the most common consumer app, talk to anyone who has an Xbox and wants to host games.  They can probably quote you chapter and verse about "Strict NAT" and they will be more than happy to tell you about the woes of getting it to work.

Yes you can make it work by taking the time to configure port forwarding through NAT or to place the game console in the DMZ, but these are really workarounds to defeat NAT and also defeat any perceived security offered by NAT.

> Yes we know that UPNP and dirt-cheap CPE break easily.  Most recognize
> this as an implementation and not a protocol issue.
> > NAT/PAT breaks many common consumer applications, requiring complex
> > workarounds that consume much helpdesk time. NAT costs my organization time
> > (s/time/money/g) every day when we have to deal with it.
> Really?  "many common consumer applications", such as?

Almost any of the P2P apps requiring an outside host to initiate a connection.  Again, port forwarding or DMZ hosting will resolve that, but it is a lot more time (read money) to walk a casual consumer through accomplishing that than it would be to adjust an SPI firewall.

> > That time would be much reduced if we could simply add an 'allow' rule
> > rather than going through the steps to properly configure PAT.
> Good luck selling "we could simply add an 'allow' rule" to the security
> officer.  Consider too that even organizations with sufficient addresses
> space (from legacy allocations) still use NAT on their internal networks.
> This is because they have network engineers who understand security.

And this is different from getting the 'security officer' to create a PAT rule for NAT how, aside from taking much less time to accomplish?

For the record I am talking about the hordes of residential customers, not from the perspective of an enterprise organization.  I don't know of any residential consumers who have a 'security officer'.  Most of them will happily do whatever the helpdesk suggests they do.

As has been said multiple times here, any security benefits from NAT come from the SPI firewall that is required to implement NAT, not from the NAT itself.

> Roger Marquis
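The point argued in this thread, that the protection comes from the stateful inspection and that NAT only adds a translation step which inbound-hosting applications must work around, can be shown with a toy model. The following Python is an added illustration, not code from the list or from any of the posters; it implements a minimal connection-tracking firewall twice, once with routable inside addresses (where one allow rule admits the hosted game) and once with PAT (where the same unsolicited packet has no inside destination until a port-forward entry is added). All addresses, ports and packet tuples are constructed from documentation ranges.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SpiFirewall:
    """Stateful inspection without NAT: inside hosts keep routable addresses.
    Outbound traffic is accepted and its flow recorded; inbound traffic is
    accepted only if it answers a recorded flow or matches an allow rule."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.flows = set()        # (src, sport, dst, dport) of outbound flows
        self.allow_rules = set()  # (inside_host, dport)

    def add_allow_rule(self, host, port):
        self.allow_rules.add((host, port))

    def process(self, pkt):
        if pkt.src.startswith(self.inside_prefix):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"  # reply to an established outbound flow
        if (pkt.dst, pkt.dport) in self.allow_rules:
            return "ACCEPT"  # the single 'allow' rule the thread talks about
        return "DROP"        # unsolicited inbound: this is the actual protection


class PatFirewall:
    """The same stateful logic with PAT (masquerading) on top: inside hosts use
    private addresses behind one public address, so an unsolicited inbound
    packet has no inside destination until a port-forward (DNAT) entry exists."""

    def __init__(self, public_ip, inside_prefix):
        self.public_ip = public_ip
        self.inside_prefix = inside_prefix
        self.next_port = 40000   # public ports handed out to outbound flows
        self.translations = {}   # public_port -> (inside_host, inside_port, remote, rport)
        self.forwards = {}       # public_port -> (inside_host, inside_port)

    def add_port_forward(self, public_port, host, port):
        self.forwards[public_port] = (host, port)

    def process(self, pkt):
        """Return (verdict, translated packet or None)."""
        if pkt.src.startswith(self.inside_prefix):
            pport, self.next_port = self.next_port, self.next_port + 1
            self.translations[pport] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            return "ACCEPT", replace(pkt, src=self.public_ip, sport=pport)
        if pkt.dst != self.public_ip:
            return "DROP", None  # nothing else is reachable from outside
        entry = self.translations.get(pkt.dport)
        if entry is not None and entry[2:] == (pkt.src, pkt.sport):
            host, port, _, _ = entry  # reply: undo the translation
            return "ACCEPT", replace(pkt, dst=host, dport=port)
        if pkt.dport in self.forwards:
            host, port = self.forwards[pkt.dport]
            return "ACCEPT", replace(pkt, dst=host, dport=port)
        return "DROP", None


def demo():
    """Run the hosted-game scenario through both models (constructed data)."""
    peer = "198.51.100.7"  # constructed remote player, RFC 5737 range
    game_port = 3074       # constructed port number for the hosted game
    results = {}

    spi = SpiFirewall("203.0.113.")  # inside hosts are publicly routable
    inbound = Packet(peer, 5555, "203.0.113.20", game_port)
    results["spi_before_rule"] = spi.process(inbound)
    spi.add_allow_rule("203.0.113.20", game_port)
    results["spi_after_rule"] = spi.process(inbound)
    spi.process(Packet("203.0.113.20", 50001, peer, 443))  # outbound flow
    results["spi_reply"] = spi.process(Packet(peer, 443, "203.0.113.20", 50001))

    pat = PatFirewall("203.0.113.1", "192.168.1.")
    inbound = Packet(peer, 5555, "203.0.113.1", game_port)
    results["pat_before_forward"], _ = pat.process(inbound)
    pat.add_port_forward(game_port, "192.168.1.20", game_port)
    results["pat_after_forward"], translated = pat.process(inbound)
    results["pat_forward_target"] = translated.dst
    pat.process(Packet("192.168.1.20", 50001, peer, 443))  # outbound, gets port 40000
    results["pat_reply"], reply = pat.process(Packet(peer, 443, "203.0.113.1", 40000))
    results["pat_reply_target"] = reply.dst
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

In both models the unsolicited packet is dropped by the same state-table check; the difference is only in what the helpdesk has to configure to let the game through: a one-line allow rule in the first case, a DNAT mapping that also has to name the inside host and port in the second.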
