Tony Hain writes:
Roeland Meyer wrote:
... Then consider that most developers are NOT network engineers. They expect the network to *be there*, period.
Or more completely, they expect the network to be transparent so that every port at the destination IP address connects to the same machine, and there is no operational restriction on which end initiates the communication.
Nicely put. Of course, that model does not correspond to reality, nor is it ever likely to. Traffic is always going to be controlled, filtered, redirected, and translated at administrative boundaries. Global, packet-level, end-to-end connectivity is dead, until somebody comes up with a compelling argument for why a Windows PC in an Internet cafe in Sofia, Bulgaria needs unfettered, packet-level access to a Coke machine in a break room at Sun Microsystems in Palo Alto. Like the battleship that radios a request for the lighthouse to move out of its way, detractors of NAT seem to be waiting for the world to modify itself to accomodate their end-to-end model. Eric Hall <ehall@ehsco.com> has expressed the position succinctly:
The fact is that I can write an Internet-compliant application in about two minutes that will break every NAT ever sold, simply because they don't have a proxy for the protocol. NATs violate fundamental Internet principles.
Many stupid things can be done in about two minutes. This particular fundamentalist tenet has been at odds with reality since the first firewall was installed, and will only become more so. Jim Shankland