Stephen Sprunk wrote :
|-> What about application protocols like ftp that specify network addresses in
|-> the protocol session? Do you propose the NAT gateway alter FTP packets in
|-> transit?
|->

Yes, that is exactly what NAT does - it has a pool (or a static list, or both)
of "Externally facing" IP addresses, and it alters the IP packets in realtime
(in both directions, obviously) between "Externally facing" IP and "Internally
facing" IP address, on a per-conversation basis. It then keeps a "cache" of
what addresses have been dynamically mapped to what.

The aggro used to be that for things like DNS/Mail/News etc. (almost any
service machine) you have to keep the IP address the same and not dynamically
change it. However, NAT boxes allow you to use dynamic mapping for your users
and static for your other services.

They also provide extremely good security - check out Cisco's PIX at :
http://www.cisco.com/warp/public/751/pix/index.html
which is basically a low spec PC in a rack-mountable box, that can happily
perform NAT at 100Mb/sec. CPU-wise, NAT is not a hard thing to do, although
you might end up needing a fair whack of memory on a box with *lots* of flows
per second.

The security features of the PIX are not a feature of NAT - they are a feature
of the PIX, so you don't (I presume ;) get them on standard NAT boxes.

|-> Also, I don't believe it will be possible to use host or user-based AH/ESP
|-> with NAT, since they protect the source address.
|->

Good point - TBH, I don't know how NATs deal/don't deal with ESP. Although the
last time I looked, ESP had only been implemented with DES, and was therefore
fatally flawed (there was a draft by Bellovin about this somewhere...)

This is not an insurmountable problem - it can be solved either at the initial
key exchange, or by the NAT in realtime, and will hopefully be / have been
solved by one of the ipsec groups - I'll go and check out ESP again and see if
NAT breaks it or not - I don't know much about it at the mo'

|-> Stephen Sprunk
|->

Cheers,

Lyndon Levesley
Xara Networks

|-> At 17:34 26 02 97 +0000, Lyndon Levesley wrote:
|-> > There's always the nice 'n' easy system of using 10/8 and NAT as a
|-> >provider, making renumbering about 5 minutes work.
|-> >
|-> > Even taken to the extreme, it wouldn't take long to change your BGP
|-> >announcements / have your provider change their BGP announcements /
|-> >whatever.
|-> >
|-> > Nameservers are a bit harder to renumber, but that's not too bad.
|-> >
|-> > Wonder how long it'll be before ISPs rather than corporates start to
|-> >use NAT for most of their network.

I've had a wonderful time... ...but this wasn't it.
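The mapping behaviour described in the reply above (a pool of externally facing addresses handed out dynamically, a static list for service hosts such as DNS, translation in both directions, and a cache of live mappings), together with the point about AH/ESP protecting the source address, as an added example that is not part of the original thread or of any vendor's NAT implementation. It models one-to-one address NAT only (no port rewriting and no FTP payload rewriting); every address, port, key and payload is constructed for the example, and the integrity check is a toy HMAC standing in for an AH-style check over the addresses and payload.

```python
from dataclasses import dataclass, replace
import hashlib
import hmac


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for an IP packet: only the fields a NAT looks at."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""
    icv: bytes = b""  # AH-style integrity value over src, dst and payload; empty if none


def compute_icv(pkt: Packet, key: bytes) -> bytes:
    # Toy model of an IPsec AH integrity check: it covers the source and
    # destination addresses, so any rewrite of them by a middlebox breaks it.
    msg = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


def verify_icv(pkt: Packet, key: bytes) -> bool:
    return hmac.compare_digest(compute_icv(pkt, key), pkt.icv)


class Nat:
    """One-to-one NAT: one external address per internal host, no port rewriting."""

    def __init__(self, pool, static):
        self.pool = list(pool)        # free externally facing addresses
        self.static = dict(static)    # internal -> external, fixed for service hosts
        self.dynamic = {}             # internal -> external, allocated on first outbound flow
        self.reverse = {ext: inside for inside, ext in self.static.items()}  # the mapping "cache"

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> external: rewrite the source address, allocating from the pool if needed."""
        ext = self.static.get(pkt.src) or self.dynamic.get(pkt.src)
        if ext is None:
            if not self.pool:
                raise RuntimeError("external address pool exhausted")
            ext = self.pool.pop(0)
            self.dynamic[pkt.src] = ext
            self.reverse[ext] = pkt.src
        return replace(pkt, src=ext)

    def inbound(self, pkt: Packet):
        """External -> internal: rewrite the destination from the cache.
        A packet for an external address with no live mapping is dropped (None)."""
        inside = self.reverse.get(pkt.dst)
        return None if inside is None else replace(pkt, dst=inside)


def demo() -> dict:
    # Constructed topology: two-address dynamic pool, one static mapping for a DNS server.
    nat = Nat(pool=["203.0.113.10", "203.0.113.11"],
              static={"10.0.0.53": "203.0.113.53"})
    # A client's first outbound flow allocates a pool address; the reply is mapped back.
    out = nat.outbound(Packet("10.0.0.5", "198.51.100.7", 40000, 80))
    back = nat.inbound(Packet("198.51.100.7", out.src, 80, 40000))
    # The static server mapping works inbound with no prior outbound packet.
    dns_in = nat.inbound(Packet("198.51.100.7", "203.0.113.53", 5000, 53))
    # An unsolicited packet to a pool address nobody holds has no mapping and is dropped.
    stray = nat.inbound(Packet("198.51.100.7", "203.0.113.11", 5000, 22))
    # An AH-style check computed end to end no longer verifies once the NAT rewrites src.
    key = b"constructed-shared-key"
    signed = Packet("10.0.0.5", "198.51.100.7", 500, 500, b"ipsec")
    signed = replace(signed, icv=compute_icv(signed, key))
    translated = nat.outbound(signed)
    return {
        "client_ext": out.src,
        "reply_dst": back.dst,
        "dns_inside": dns_in.dst,
        "stray_dropped": stray is None,
        "icv_ok_before_nat": verify_icv(signed, key),
        "icv_ok_after_nat": verify_icv(translated, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The dropped "stray" packet is the property that gets NAT described as a security feature: nothing reaches an internal host unless a mapping exists, either static or created by that host's own outbound traffic. The last two results show the AH/ESP concern in miniature: the integrity value covers the source address, so a packet that verifies on the inside fails after the rewrite, which is why the fix has to come from the key exchange or from NAT-aware IPsec rather than from the translator alone.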