[unisog] Anyone doing large scale NAT for their campus?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Sep 23 15:40:23 GMT 2002

On Mon, 23 Sep 2002 09:45:38 CDT, Scott Genung <sagenung at ilstu.edu>  said:

> It can be argued that NAT undermines the end-to-end model of the Internet. 
> However (my opinion), that is only a religious argument. NAT does not 
> really (appear) to impact file sharing applications because translations 
> already exist by the time a user is seeking content from a host on your 
> network because this host already registered itself with an external 
> directory (thereby creating the translation). 

File Sharing is not the only peer-to-peer application.

NAT breaks *EVERY* protocol that expects you to be able to issue a listen()
on the "inside" of the NAT without having to invent some sort of directory
service to work around the fact that NAT screws up the concept of a "well
known port" if there's two machines that want to listen to the port behind
the NAT. (Notice this is why IPSec doesn't get along with NAT - it assumes
that it's able to reach port 500 on the destination without the data getting
molested along the way - and the NAT box can't rewrite the IP addresses without
breaking the signatures on them).

The only reason that this doesn't affect "file sharing" is because those
already use a central directory.  The *REAL* problem is all the things that
*aren't* being deployed because it's too much of a pain to do a directory.
For instance, what implication does NAT have for VoIP or streaming multicast
of media?  Does your answer change if both people who want to use VoIP are
behind a NAT, and neither one particularly wants to publish themselves in
a phone number directory (which shouldn't be needed, if you're able to use
hostnames or IP addresses because the end-to-end model works).

Ever tried to do FTP through a NAT that wasn't FTP aware?  Remember how painful
that was in the days when NATs weren't FTP-aware?  Now consider that you get
to go through that pain *EVERY SINGLE TIME* some new protocol comes out.  And
there's a good chance that unlike FTP, a lot of protocols will be marginal
enough that you're NOT going to get a firmware update for your NAT box to
support it.  Sorry - there's a new better-than-Kazaa system? You can't use it
because your vendor hasn't supported it yet.

If that's "only a religious argument", so be it.
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
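Added example (editor's illustration, not part of Valdis's post or the unisog thread): a toy model of a port-translating NAT in Python that acts out the argument above. All addresses and ports are constructed (10/8 inside; 192.0.2.1 as the NAT's one outside address; 198.51.100.20 as an outside FTP server; 40000 as the first dynamically allocated outside port), and the "NAT" is a translation table, not real forwarding code. It shows the two points the post makes: an unsolicited packet to a "well known port" has no translation to follow, a static forward can hand that port to only one inside host, and an FTP PORT command carries the client's inside address through an FTP-unaware NAT verbatim, so the server is left trying to connect to 10.0.0.5; an FTP-aware NAT rewrites the command and pre-creates the translation for the data connection.

```python
# Toy port-translating NAT (NAPT), constructed for this illustration; not real NAT code.
# Constructed addresses: 10/8 inside, 192.0.2.0/24 and 198.51.100.0/24 outside.
import re
from dataclasses import dataclass, field

PUBLIC_IP = "192.0.2.1"       # the NAT's one outside address (assumed)
FTP_SERVER = "198.51.100.20"  # an outside FTP server (assumed)

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def is_public(ip):
    """Toy routability check: only 10/8 counts as private here."""
    return not ip.startswith("10.")

def parse_port_cmd(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if it is not a PORT line."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if not m:
        return None
    a, b, c, d, hi, lo = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo

@dataclass
class Napt:
    ftp_alg: bool = False     # does this box understand FTP's PORT command?
    next_port: int = 40000    # next free outside port (assumed starting value)
    outbound: dict = field(default_factory=dict)  # (in_ip, in_port, dst_ip, dst_port) -> outside port
    inbound: dict = field(default_factory=dict)   # outside port -> (in_ip, in_port), dynamic
    forwards: dict = field(default_factory=dict)  # outside port -> (in_ip, in_port), static

    def _alloc(self, in_ip, in_port):
        pub, self.next_port = self.next_port, self.next_port + 1
        self.inbound[pub] = (in_ip, in_port)
        return pub

    def translate_out(self, f):
        """Inside -> outside: create (or reuse) a translation for this flow."""
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self.outbound:
            self.outbound[key] = self._alloc(f.src_ip, f.src_port)
        return Flow(PUBLIC_IP, self.outbound[key], f.dst_ip, f.dst_port)

    def translate_in(self, f):
        """Outside -> inside: deliver only if a translation or a static forward exists."""
        target = self.inbound.get(f.dst_port) or self.forwards.get(f.dst_port)
        if target is None:
            return None                  # dropped: nobody to hand it to
        return Flow(f.src_ip, f.src_port, target[0], target[1])

    def forward_port(self, public_port, in_ip, in_port):
        """Static forward: one outside port can point at only ONE inside host."""
        if public_port in self.forwards:
            raise ValueError(f"outside port {public_port} already taken")
        self.forwards[public_port] = (in_ip, in_port)

    def relay_ftp_command(self, line):
        """Pass a control-channel line outbound; rewrite PORT only if FTP-aware."""
        parsed = parse_port_cmd(line)
        if parsed is None or not self.ftp_alg:
            return line                  # unaware NAT: forwarded verbatim, inside address and all
        pub = self._alloc(*parsed)       # expect the server's data connection on this outside port
        return "PORT %s,%d,%d" % (PUBLIC_IP.replace(".", ","), pub // 256, pub % 256)

def well_known_port_collision():
    """Two inside hosts both want to listen() on port 22; only one can be reached."""
    nat = Napt()
    probe = Flow("198.51.100.7", 12345, PUBLIC_IP, 22)
    unsolicited = nat.translate_in(probe)          # None: no translation exists yet
    nat.forward_port(22, "10.0.0.5", 22)
    reaches = nat.translate_in(probe).dst_ip       # now delivered to 10.0.0.5
    try:
        nat.forward_port(22, "10.0.0.6", 22)       # second host wants the same port
        second_host_ok = True
    except ValueError:
        second_host_ok = False
    return unsolicited, reaches, second_host_ok

def ftp_active_data_reaches_client(ftp_alg):
    """Active-mode FTP: does the server's data connection get back to the client?"""
    nat = Napt(ftp_alg=ftp_alg)
    nat.translate_out(Flow("10.0.0.5", 50000, FTP_SERVER, 21))  # control channel works either way
    # client listens on 10.0.0.5:50001 and announces it (50001 = 195*256 + 81)
    ip, port = parse_port_cmd(nat.relay_ftp_command("PORT 10,0,0,5,195,81"))
    if not is_public(ip):
        return False                     # server cannot route to 10.0.0.5
    data = nat.translate_in(Flow(FTP_SERVER, 20, ip, port))
    return data is not None and (data.dst_ip, data.dst_port) == ("10.0.0.5", 50001)
```

Running `well_known_port_collision()` gives `(None, "10.0.0.5", False)`: the probe is dropped until someone configures a forward, and the second host can never get port 22. `ftp_active_data_reaches_client(False)` is `False` and `ftp_active_data_reaches_client(True)` is `True`, which is the "FTP-aware NAT" difference the post refers to; any other protocol that puts an address or port in its payload needs the same per-protocol rewrite in the box.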
