On Nov 16, 2011, at 8:43 AM, William Herrin wrote:
On Wed, Nov 16, 2011 at 11:11 AM, Owen DeLong <owen@delong.com> wrote:
On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <marka@isc.org> wrote:
If you want to use unroutable addresses then use a bastion host / proxy.
What is a modern NAT but a bastion host proxy for which application compatibility has been maximized?
It is a mechanism for header mutilation which creates additional costs in hardware (cost of routers), software (development of NAT traversal code in various applications, NAT software in some cases), security (NAT obfuscates audit trails and increases the difficulty and cost of event correlation, forensics, abuser identification, and attack source identification and mitigation, etc.).
In other words, all of the things a proxy does but without sacrificing as many applications.
No, in the proxy case, the sessions internal and sessions external are separate and the proxy software ties them together. In the NAT case, the internal and external sessions are one and the same, but, the header is mutilated as part of the IP forwarding process. However, yes, as someone else pointed out, the key difference is that they suck in different ways. Owen