[unisog] Anyone doing large scale NAT for their campus?
Valdis.Kletnieks at vt.edu
Mon Sep 23 15:40:23 GMT 2002
On Mon, 23 Sep 2002 09:45:38 CDT, Scott Genung <sagenung at ilstu.edu> said:
> It can be argued that NAT undermines the end-to-end model of the Internet.
> However (my opinion), that is only a religious argument. NAT does not
> really (appear) to impact file sharing applications because translations
> already exist by the time a user is seeking content from a host on your
> network because this host already registered itself with an external
> directory (thereby creating the translation).
File Sharing is not the only peer-to-peer application.
NAT breaks *EVERY* protocol that expects you to be able to issue a listen()
on the "inside" of the NAT without having to invent some sort of directory
service to work around the fact that NAT screws up the concept of a "well
known port" if there are two machines that want to listen to the port behind
the NAT. (Notice this is why IPSec doesn't get along with NAT - it assumes
that it's able to reach port 500 on the destination without the data getting
molested along the way - and the NAT box can't rewrite the IP addresses without
breaking the signatures on them.)
The only reason that this doesn't affect "file sharing" is because those
already use a central directory. The *REAL* problem is all the things that
*aren't* being deployed because it's too much of a pain to do a directory.
For instance, what implication does NAT have for VoIP or streaming multicast
of media? Does your answer change if both people who want to use VoIP are
behind a NAT, and neither one particularly wants to publish themselves in
a phone number directory (which shouldn't be needed, if you're able to use
hostnames or IP addresses because the end-to-end model works).
Ever tried to do FTP through a NAT that wasn't FTP aware? Remember how painful
that was in the days when NATs weren't FTP-aware? Now consider that you get
to go through that pain *EVERY SINGLE TIME* some new protocol comes out. And
there's a good chance that unlike FTP, a lot of protocols will be marginal
enough that you're NOT going to get a firmware update for your NAT box to
support it. Sorry - there's a new better-than-Kazaa system? You can't use it
because your vendor hasn't supported it yet.
If that's "only a religious argument", so be it.
Computer Systems Senior Engineer
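To make the listen()/well-known-port point above concrete, here is an added toy model of a port-translating NAT (my own illustration, not code from this list or from any vendor; the addresses and ports are constructed sample values). It shows that an outbound packet creates the translation the directory-registration case relies on, that an unsolicited inbound packet to a well-known port has no translation and is dropped, and that a static forward can hand a public port to only one inside host.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    """Minimal model of a NAT with one public address (illustration only)."""
    public_ip: str
    next_port: int = 40000
    dynamic: Dict[int, Endpoint] = field(default_factory=dict)  # created by outbound flows
    static: Dict[int, Endpoint] = field(default_factory=dict)   # admin-configured forwards
    by_inside: Dict[Endpoint, int] = field(default_factory=dict)

    def outbound(self, inside: Endpoint) -> Endpoint:
        """Inside host sends a packet: allocate (or reuse) a public port.
        This is the translation that registering with a directory creates."""
        if inside not in self.by_inside:
            port, self.next_port = self.next_port, self.next_port + 1
            self.dynamic[port] = inside
            self.by_inside[inside] = port
        return (self.public_ip, self.by_inside[inside])

    def forward(self, public_port: int, inside: Endpoint) -> None:
        """Static forward: only ONE inside host can own a given public port."""
        if public_port in self.static:
            raise ValueError(f"port {public_port} already forwarded to {self.static[public_port]}")
        self.static[public_port] = inside

    def inbound(self, public_port: int) -> Optional[Endpoint]:
        """Packet from outside hits the public address; None means dropped
        (the unsolicited listen() case with no translation)."""
        return self.static.get(public_port) or self.dynamic.get(public_port)


def demo():
    nat = Nat("203.0.113.1")                      # constructed public address
    # Host A registers with an external directory: the outbound packet creates a mapping,
    # so peers that learned the public (ip, port) from the directory can reach it.
    pub = nat.outbound(("10.0.0.5", 6346))
    replies = nat.inbound(pub[1])                 # reaches ("10.0.0.5", 6346)
    cold = nat.inbound(6346)                      # unsolicited, no mapping: dropped (None)
    nat.forward(500, ("10.0.0.5", 500))           # one IKE peer can be forwarded...
    try:
        nat.forward(500, ("10.0.0.6", 500))       # ...a second one cannot share the port
        second_ok = True
    except ValueError:
        second_ok = False
    return replies, cold, second_ok
```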