Where NAT disenfranchises the end-user ...
Hello all,

In the recent multi-homing discussions, many references were made, both public and private, to encouraging NAT and NAT techniques in implementing local multi-homing. To be honest, even though I've used NAT myself and have implemented NAT for friends and clients, I would NEVER represent that a NAT'd address has the full connectivity to the Internet that a static address does. I've had many people ask me why. I've even gotten some hate-mail from members of this forum over this. The attached message is one instance-proof of where NAT is deficient.

If you are selling transit and you are going to NAT them, then you cannot tell them that they have access to the full internet. There is a *lot* of stuff that will not transition a NAT boundary. A business that requires direct Internet access can't use NAT at the border. A business that delivers services to the internet can't use NAT, for their application servers, at all.

BTW, I apologize if the subject-line appears inflammatory.

|> -----Original Message-----
|> From: ceo@vany.org [mailto:ceo@vany.org]
|> Sent: Wednesday, September 05, 2001 10:39 AM
|> To: announce@icann-ncc.org; ga@dnso.org
|> Subject: [ga] Announcement: Invitation to remote participation in
|> Non-Commercial Domain Names Holders Constituency in Montevideo
|>
|> The NCDNHC invites all interested who are not able to attend our meeting in
|> Montevideo to join us online.
|>
|> The meeting will be held on September 7 from 9:30 a.m. to 2:00 p.m. local
|> time (UTC -3).
|>
|> Details on remote participation are as follows:
|>
|> 1. Remote participation will be done through the VRVS system. To
|>    access it please browse http://www.vrvs.org
|> 2. The Videoconference will take place in the Virtual Room Neptune,
|>    accessible from the World Wide Virtual Rooms.
|> 3. To download the necessary software please access the
|>    DOWNLOAD section at http://www.vrvs.org/ftp/ftp.html. All software is
|>    free to use.
|> 4. To learn more about how to use the VRVS tools, please access the DOC
|>    section at http://www.vrvs.org/Doc/doc.html
|> 5. Don't forget to register your machine in the VRVS before using any
|>    tool installed.
|>
|> Connectivity requisites:
|> 1. A public fixed IP address
|> 2. A LAN must not be behind a NAT (Network Address Translation)
|> 3. Machines should be properly registered in the DNS system. If you
|>    don't know what this is, please contact your network administrator.
|> 4. Dialup users can also use VRVS (it is supposed that your ISP has
|>    its DNS correctly set up)
|> 5. H323 clients such as Netmeeting, Polycom, and others also work with
|>    VRVS. Please read the documentation for more details.
|>
|> IMPORTANT: Try the VRVS software several days before the meeting to
|> make sure that everything works properly. For this purpose, Vany
|> Martinez will be in a test virtual room named CAFE, accessible from
|> World Wide virtual rooms on September 6 from 10:00 a.m. to
|> 12:00 p.m. local time (UTC -3).
|>
|> For any further inquiry, please address it directly to Vany
|> Martinez at ceo@vany.org
|>
|> --
|> Nilda Vany Martinez Grajales
|> Information Technology Specialist
|> Sustainable Development Networking Programme/Panama
|> e-mail: vany@sdnp.org.pa
|> http://www.sdnp.org.pa
|> Tel: (507) 230-4011 ext 213
|> Tel: (507) 230-3455
|> Fax: (507) 230-3646
|> __________________________________________
|> Get your free domain name and domain-based
|> e-mail from Namezero.com
|> New! Namezero Plus domains now available.
|> Find out more at: http://www.namezero.com
|>
|> --
|> This message was passed to you via the ga@dnso.org list.
|> Send mail to majordomo@dnso.org to unsubscribe
|> ("unsubscribe ga" in the body of the message).
|> Archives at http://www.dnso.org/archives.html
on 9/6/01 10:13 AM, Roeland Meyer at rmeyer@mhsc.com wrote:
> To be honest, even though I've used NAT myself and have implemented NAT for friends and clients, I would NEVER represent that a NAT'd address has the full connectivity to the Internet that a static address does. I've had many people ask me why. I've even gotten some hate-mail from members of this forum over this. The attached message is one instance-proof of where NAT is deficient.
You are correct in that one:many NAT isn't a "full" internet connection, and I agree that it shouldn't be represented as such.
> A business that requires direct Internet access can't use NAT at the border.
Not true. While I expect you will take this as nitpicking, one:one NAT is very conveniently used for servers while one:many NAT can be used for generic workstation access while preserving a consistent LAN numbering scheme. Anything that a "full" internet connection gets you will also work with one:one NAT.
> A business that delivers services to the internet can't use NAT, for their application servers, at all.
This is laughable. You're telling me that we can't use our Alteons or Arrowpoints that use NAT to provide (redundant and load balanced!) internet services? I guess we should just go back to the One Big Web Server days, and put all our MS SQL database servers out in "full" view of the internet. Now there's an idea.

--Doug
On Thu, 6 Sep 2001, Doug Clements wrote:
> A business that requires direct Internet access can't use NAT at the border.

> Not true. While I expect you will take this as nitpicking, one:one NAT is very conveniently used for servers while one:many NAT can be used for generic workstation access while preserving a consistent LAN numbering scheme. Anything that a "full" internet connection gets you will also work with one:one NAT.
...except current implementations of IPSEC: http://www.isp-planet.com/technology/2001/ipsec_nat.html

Luckily, the above article also mentions the fixes that are in the works...

--
Bob <melange@yip.org> | Yes. I know. That is, indeed, *not* mayonnaise.
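As an added illustration of the incompatibility Bob's link is about (this is not code from the thread or from the linked article): a small Python model of the two reasons later written up in RFC 3715 for why AH and transport-mode ESP fail across a one:many NAT. AH's integrity check covers the source address, which the NAT rewrites; and the TCP checksum inside ESP covers a pseudo-header built from the outer addresses, which the NAT can no longer patch because it is encrypted. All addresses, the key and the toy cipher are constructed for the demonstration.

```python
"""Constructed model of why IPsec AH and transport-mode ESP fail behind NAT.
All addresses, keys and the toy cipher are invented for the illustration."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

SA_KEY = b"constructed-demo-key"   # shared key of the (constructed) security association


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    payload: bytes
    icv: bytes = b""               # AH integrity check value


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ah_icv(pkt: Packet) -> bytes:
    # AH authenticates the immutable IP header fields (source and destination
    # addresses) plus the payload; mutable fields such as TTL are zeroed.
    covered = ip_bytes(pkt.src) + ip_bytes(pkt.dst) + b"\x00" + pkt.payload
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()[:12]


def ah_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, ah_icv(pkt))


def forward(pkt: Packet, nat_public_ip: str = None) -> Packet:
    """A plain router only decrements TTL; a one:many NAT also rewrites the source."""
    src = nat_public_ip if nat_public_ip else pkt.src
    return Packet(src, pkt.dst, pkt.ttl - 1, pkt.payload, pkt.icv)


def demo_ah() -> tuple:
    """(verifies after a plain router, verifies after a NAT)"""
    pkt = Packet("10.0.0.5", "203.0.113.7", 64, b"GET / HTTP/1.0\r\n")
    pkt.icv = ah_icv(pkt)                              # sender computes the ICV
    return ah_verify(forward(pkt)), ah_verify(forward(pkt, "198.51.100.1"))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """RFC 793 checksum: one's-complement sum over pseudo-header + segment."""
    pseudo = ip_bytes(src) + ip_bytes(dst) + b"\x00\x06" + struct.pack("!H", len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def toy_encrypt(data: bytes) -> bytes:
    # Stand-in for ESP's cipher (NOT real encryption, XOR with a fixed stream):
    # enough to show the NAT cannot read or patch the TCP checksum it would
    # normally fix up after rewriting the source address.
    ks = hashlib.sha256(SA_KEY).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))


def demo_esp_transport() -> tuple:
    """(checksum matches with the original source, matches with the NAT'd source)"""
    src, dst, segment = "10.0.0.5", "203.0.113.7", b"hello"
    inner = struct.pack("!H", tcp_checksum(src, dst, segment)) + segment
    esp_payload = toy_encrypt(inner)                   # checksum travels encrypted
    # The NAT rewrites the outer source address; the receiver rebuilds the
    # pseudo-header from whatever outer header it actually sees.
    seen_src_direct, seen_src_natted = src, "198.51.100.1"
    plain = toy_encrypt(esp_payload)                   # XOR stream: decrypt == encrypt
    chk, seg = struct.unpack("!H", plain[:2])[0], plain[2:]
    return (tcp_checksum(seen_src_direct, dst, seg) == chk,
            tcp_checksum(seen_src_natted, dst, seg) == chk)


if __name__ == "__main__":
    print("AH   (router, NAT):", demo_ah())
    print("ESP  (router, NAT):", demo_esp_transport())
```

Both demos return `(True, False)`: the same packet verifies after an ordinary hop and fails after the address rewrite. Tunnel-mode ESP avoids the checksum problem because the inner IP header is carried intact, which is one of the reasons the UDP-encapsulation fixes Bob mentions were needed for transport mode.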
On Thu, 6 Sep 2001 22:29:38 -0400 (EDT) Bob K <melange@yip.org> wrote:
> On Thu, 6 Sep 2001, Doug Clements wrote:
>> Anything that a "full" internet connection gets you will also work with one:one NAT.
> ...except current implementations of IPSEC:
> Luckily, the above article also mentions the fixes that are in the works...
Perhaps better to call them band-aids. (The changes in IPSec are necessary for several reasons, but we don't have to like them.)

richard
--
Richard Welty
Averill Park Networking
rwelty@averillpark.net
518-573-7592
On Thu, 6 Sep 2001, Roeland Meyer wrote:
> Hello all,
> To be honest, even though I've used NAT myself and have implemented NAT for friends and clients, I would NEVER represent that a NAT'd address has the full connectivity to the Internet that a static address does.
True... neither does a well-firewalled LAN. NAT has its place, and we have many happy customers that are quite pleased with their NAT'd connections; some simple, some fancy. What irks me more than NAT are crappy protocols like FTP and H.323 that make too many assumptions about how much of my machine I am willing to expose in order to communicate using these protocols. I particularly detest any software that is not content to let the far end figure out the source address of a packet. NAT and firewalls have a way of showing you how poorly designed these protocols are.

Charles
"Charles Sprickman" <spork@inch.com>
> NAT has its place, and we have many happy customers that are quite pleased with their NAT'd connections; some simple, some fancy.
NATs are a band-aid.
> What irks me more than NAT are crappy protocols like FTP and H.323 that make too many assumptions about how much of my machine I am willing to expose in order to communicate using these protocols.
FTP was designed for ARPANET; H.323 was designed to work over ANY packet network. Neither of them was designed for TCP/IP in particular. They don't break the end-to-end design principles, though. Neither do network games, chat tools, and other peer-to-peer protocols that run in elected-server or server-to-server modes. The fact is that I can write an Internet-compliant application in about two minutes that will break every NAT ever sold, simply because they don't have a proxy for the protocol. NATs violate fundamental Internet principles. They were broken from the start.
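To make the disagreement in this thread concrete (Doug's one:one versus one:many NAT, and Charles's and Eric's point about protocols such as FTP that carry a source address inside the payload), here is an added Python model that is not code from any of the posters. It implements a NAT with a static one:one table and a dynamic one:many table, then runs active-mode FTP's PORT command through it with and without a minimal application-layer gateway (the "proxy for the protocol" Eric refers to). All addresses and ports are constructed.

```python
"""Constructed model of one:many vs one:one NAT and of an FTP PORT command
that embeds the client's private address. Addresses and ports are invented."""
import re
from dataclasses import dataclass, field

PUBLIC_IP = "198.51.100.1"       # constructed public side of the one:many NAT
PRIVATE_PREFIX = "10."           # constructed LAN numbering


@dataclass
class Nat:
    static: dict = field(default_factory=dict)   # one:one: private ip -> public ip
    table: dict = field(default_factory=dict)    # one:many: public port -> (private ip, port)
    next_port: int = 40000

    def outbound(self, src_ip: str, src_port: int) -> tuple:
        """Translate an outgoing (ip, port); one:one hosts keep their port."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        for pub_port, mapped in self.table.items():
            if mapped == (src_ip, src_port):
                return PUBLIC_IP, pub_port
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (src_ip, src_port)
        return PUBLIC_IP, pub_port

    def inbound(self, dst_ip: str, dst_port: int):
        """Where a packet from the Internet lands; None means it is dropped."""
        for priv_ip, pub_ip in self.static.items():
            if pub_ip == dst_ip:
                return priv_ip, dst_port           # one:one: any port reaches the host
        if dst_ip == PUBLIC_IP and dst_port in self.table:
            return self.table[dst_port]            # one:many: only existing mappings
        return None


PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def ftp_port_target(payload: bytes):
    """Decode the address the server is being told to connect back to."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    return ".".join(str(o) for o in h[:4]), h[4] * 256 + h[5]


def ftp_alg(nat: Nat, payload: bytes) -> bytes:
    """Minimal application-layer gateway: rewrite PORT and pre-open the mapping."""
    target = ftp_port_target(payload)
    if target is None:
        return payload
    pub_ip, pub_port = nat.outbound(*target)
    fixed = "PORT %s,%d,%d" % (pub_ip.replace(".", ","), pub_port // 256, pub_port % 256)
    return PORT_RE.sub(fixed.encode(), payload)


def active_ftp(nat: Nat, use_alg: bool) -> str:
    """Client 10.0.0.5 asks the server to connect back to its port 5001."""
    payload = b"PORT 10,0,0,5,19,137\r\n"          # 19*256 + 137 == 5001
    if use_alg:
        payload = ftp_alg(nat, payload)
    ip, port = ftp_port_target(payload)
    if ip.startswith(PRIVATE_PREFIX):
        return "unroutable"                         # server would dial a 10.x address
    return "delivered" if nat.inbound(ip, port) == ("10.0.0.5", 5001) else "dropped"


if __name__ == "__main__":
    print("unsolicited inbound, one:many :", Nat().inbound(PUBLIC_IP, 80))
    print("unsolicited inbound, one:one  :", Nat(static={"10.0.0.8": "203.0.113.8"}).inbound("203.0.113.8", 80))
    print("active FTP, one:many, no ALG  :", active_ftp(Nat(), False))
    print("active FTP, one:one,  no ALG  :", active_ftp(Nat(static={"10.0.0.5": "203.0.113.5"}), False))
    print("active FTP, one:many, with ALG:", active_ftp(Nat(), True))
```

The model shows both halves of the argument. Unsolicited inbound traffic reaches a one:one host and is dropped by a one:many NAT, which is Doug's distinction. But the PORT command still carries `10.0.0.5` in the payload under one:one NAT as well, so without a protocol-aware gateway the far end dials an unroutable address either way; only the ALG, which rewrites the payload and installs the mapping ahead of the server's connection, makes active FTP work. Any protocol the NAT has no such helper for behaves like the no-ALG case, which is Eric's point.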