[unisog] Anyone doing large scale NAT for their campus?

Tom Perrine tep at SDSC.EDU
Fri Sep 20 22:17:55 GMT 2002


NAT was designed as a way to avoid the exhaustion of IPv4 addresses.

The fact that it "can" (for some values of "can") be used for
"security" (for some small values of "security") is, well, not always
a good idea.

NAT breaks the fundamental end-to-end design of the Internet.  There
are others who take a more religious stance than I do in this area,
but there are things that Just Don't Work with NAT.

NAT breaks some things that you might want, and makes other things
harder.  Kerberos pretty much doesn't like NAT, and that likely
includes the M$ version of K5 which is part of Active Directory, IIRC.

It means that you have to keep lots of logs, forever, just to be able
to figure out which machine was acting as which address/port at which
time.  Even if you don't expect law enforcement to show up, how about
when *you* try to track down the student host that is serving
streaming video (eating all your bandwidth), or mounting that denial
of service attack?

Also, aren't there some real nasties with IPsec and NAT?  Last I heard
(a year or more ago?) IPsec and NAT just really didn't like each
other.

I don't know anyone who has tried to NAT an entire 35K host site.  It
does sound like quite the challenge.  I'm glad CISCO is willing to try
it out at *your* site :-) If this is such a good idea, why doesn't
CISCO already do it for all *their* users on their corporate networks?

Personally, and it is just a personal preference, I'd try to do some
"real" security instead of relying solely on NAT.  NAT in combination
with some other stuff, like good configuration management on operating
systems, and a firewall (or 5), and *good* logging is more
complicated, but I suspect more effective and much more featureful for
the users.

I guess this is just my knee-jerk reaction to anyone who says they
have (will sell me!) a silver bullet that will solve all my problems
in any area.  A.I.?  Yup, did that.  "OO-design?", yup.  "One big
firewall?", uh-huh.

Hmm, must be Friday, my soapbox is showing.

-- 
Tom E. Perrine <tep at SDSC.EDU> | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | 
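The post above makes the operational point that a NAT box turns every incident
lookup into "which inside host held this outside address/port at this time",
which you can only answer from retained translation logs. The script below is
an added example, not part of the original post and not Tom Perrine's code. It
reads a constructed NAT session log (the line format and the addresses, drawn
from the RFC 5737 documentation ranges, are invented for this example and do not
match any particular vendor), pairs the create/delete events into sessions, and
answers that question. The sample deliberately reuses one outside port for two
different inside hosts a few seconds apart, which is the case that makes the
timestamp, not just the address, essential.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set

# Constructed sample of NAT session log lines (invented format, not any real
# vendor's syntax).  A port-overloading NAT records the creation and teardown
# of each translation: inside host:port, the outside (public) host:port it was
# mapped to, and the remote peer.  Note that outside port 40001 is handed to a
# second inside host twenty seconds after the first session is torn down.
SAMPLE_LOG = """\
2002-09-20T14:01:05Z NAT-CREATE proto=tcp in=10.3.17.42:33412 out=198.51.100.7:40001 dst=203.0.113.9:80
2002-09-20T14:01:09Z NAT-CREATE proto=udp in=10.3.22.8:1434 out=198.51.100.7:40002 dst=203.0.113.50:1434
2002-09-20T14:03:10Z NAT-DELETE proto=tcp in=10.3.17.42:33412 out=198.51.100.7:40001 dst=203.0.113.9:80
2002-09-20T14:03:30Z NAT-CREATE proto=tcp in=10.3.18.200:51000 out=198.51.100.7:40001 dst=203.0.113.9:80
2002-09-20T15:10:00Z NAT-DELETE proto=udp in=10.3.22.8:1434 out=198.51.100.7:40002 dst=203.0.113.50:1434
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT-(?P<event>CREATE|DELETE) proto=(?P<proto>\w+) "
    r"in=(?P<inside>[\d.]+:\d+) out=(?P<outside>[\d.]+:\d+) dst=(?P<dst>[\d.]+:\d+)$"
)


@dataclass
class Session:
    proto: str
    inside: str
    outside: str
    peer: str
    start: datetime
    end: Optional[datetime] = None  # None: still open when the log ends


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_sessions(text: str) -> List[Session]:
    """Pair CREATE/DELETE events into sessions keyed by (proto, outside, peer)."""
    open_sessions = {}
    sessions: List[Session] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a translation event
        key = (m["proto"], m["outside"], m["dst"])
        ts = parse_ts(m["ts"])
        if m["event"] == "CREATE":
            open_sessions[key] = Session(m["proto"], m["inside"], m["outside"], m["dst"], ts)
        else:
            s = open_sessions.pop(key, None)
            if s is not None:  # a DELETE with no matching CREATE is dropped
                s.end = ts
                sessions.append(s)
    sessions.extend(open_sessions.values())  # translations still open at end of log
    return sessions


def who_was(sessions: List[Session], proto: str, outside: str, when: str) -> List[str]:
    """Inside host:port(s) that owned `outside` (for `proto`) at instant `when`.

    The interval is half-open, [start, end): a translation torn down at T no
    longer answers for T itself.
    """
    t = parse_ts(when)
    hits = [
        s.inside
        for s in sessions
        if s.proto == proto
        and s.outside == outside
        and s.start <= t
        and (s.end is None or t < s.end)
    ]
    return sorted(hits)


def ever_used(sessions: List[Session], proto: str, outside: str) -> Set[str]:
    """Every inside host:port that ever held `outside`: what you are left with
    when the complainant gives you an address but no time."""
    return {s.inside for s in sessions if s.proto == proto and s.outside == outside}


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_LOG)
    # The same outside port points at two different students depending on the minute.
    print(who_was(sessions, "tcp", "198.51.100.7:40001", "2002-09-20T14:02:00Z"))
    print(who_was(sessions, "tcp", "198.51.100.7:40001", "2002-09-20T14:04:00Z"))
    # With no timestamp you have two suspects instead of one.
    print(ever_used(sessions, "tcp", "198.51.100.7:40001"))
```

Two things the sample is meant to make concrete: an abuse report that names only the
outside address and port is ambiguous as soon as the NAT has recycled that port, and
the lookup only works for as long as the create/delete records are retained, which is
the "keep lots of logs, forever" cost the post describes. A real deployment would also
have to reconcile the NAT box's clock with the complainant's, which the example does
not attempt.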
