On Mon, 2011-02-14 at 11:17 -0600, Florin Iucha wrote:
> On Mon, Feb 14, 2011 at 10:45:39AM -0600, Justin Krejci wrote:
> > Explain how NAT does this? NAT simply mangles the IP headers.
> > A stateful firewall can protect you from port scans and other baddies
> > without NAT.
> 
> If an attacker can't know your IP address, they can't connect to it.

If an attacker knows your IP address and you block access, they can't
connect to it.

> 
> > It is bad because it has broken protocols, applications, and end-to-end
> > communications and caused much grief and likely loss of functionality in
> > various applications because of it, unseen loss of functionality.
> 
> Facebook?  Google?  Flickr?  Netflix?

Websites only? How much cruft has been added to web browsers and webapps
to help identify individual users? How many extra software bugs? End
users are paying the price by having increased complexity all over the
place that affects businesses (particularly network operators like ISPs)
as NAT adds overhead to network devices and humans to maintain. The
venerable FTP and SIP don't like NAT. NAT is such a fundamental part of
so many things these days but has about zero benefit. What about the
requirement of having some third party broker connections between NAT'ed
hosts for the average lay person?

> 
> It is bad for *you* and *me*, but not for average Joe.  Average Joes
> vastly outnumber us.  Unless we come up with a killer app that AJ
> cares about and is broken by IPv4 NAT, then the ISPs will march
> forward.  Eventually they will run out of money to buy routers
> (because of the 64K ports per IPs) but that's next year, not this.

My point is not that nothing works with NAT, it is that it has added
unnecessary complexity and overhead for about zero gain. Developer code
overhead, administrative overhead/complexity, more QA requirements, etc.
Just because something can be "worked around" doesn't mean we should
have no concern that it is there at all. Should we not bother with the
fundamental flaws and just carry on because we have a workaround in
place?

> 
> > I maintain NAT is evil. And even "extending the life of IPv4" is
> > debatable as a plus for the overall picture.
> 
> I do not maintain that NAT is beautiful for everybody all the time.
> But 'evil' is a loaded term that should be reserved for special occasions.

How is NAT ever beautiful for anyone? I don't claim there is no place
for NAT but it is not beautiful and let's not confuse NAT with security.
Turn off NAT and your stateful deny-default policy firewall still blocks
all the same packets just as well.
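As an added illustration of that last point (this is not part of the thread, and no one in it posted it): an nftables ruleset for a router that keeps its deny-default stateful policy without any NAT. It relies only on connection tracking, so unsolicited inbound packets are dropped while replies to connections opened from inside are allowed back. The interface names `wan0` and `lan0` are assumed; there is deliberately no `nat` table or `masquerade` rule anywhere, and the hosts behind it keep their own routable addresses.

```nft
#!/usr/sbin/nft -f
# Stateful, deny-by-default filtering with no address translation.
# Load with: nft -f firewall.nft   Inspect with: nft list ruleset

flush ruleset

table inet filter {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to flows the router (or its admin) started.
        ct state established,related accept
        # Packets that match no known flow and are not valid openers.
        ct state invalid drop

        iif "lo" accept

        # IPv4 ping; omit this rule if you prefer not to answer pings.
        ip protocol icmp icmp type echo-request accept

        # IPv6 cannot function without neighbor discovery; keep these
        # even on a strict border, otherwise the link itself breaks.
        ip6 nexthdr icmpv6 icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-advert, echo-request
        } accept

        # Management only from the inside interface (port is assumed).
        iifname "lan0" tcp dport 22 accept
    }

    # Traffic routed through the router between lan0 and wan0.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # The stateful core: inbound from wan0 is accepted only when
        # conntrack already knows the flow, i.e. it was opened from lan0.
        ct state established,related accept
        ct state invalid drop

        # Hosts on lan0 may open any outbound connection.
        iifname "lan0" oifname "wan0" accept

        # Nothing else matches, so a fresh SYN or probe arriving on wan0
        # falls through to the chain's drop policy. No rule here
        # rewrites addresses; the policy, not NAT, does the blocking.
    }

    # Packets the router itself generates are allowed out.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Adding a `masquerade` rule in a separate `nat` table would change nothing about which packets the `forward` chain drops: the `ct state` tests are evaluated on the same conntrack entries either way, which is the point being made above. Conversely, removing translation from a NAT router that has no such stateful policy is what actually exposes hosts, so the check worth running when turning NAT off is simply `nft list ruleset` to confirm `policy drop` and the `ct state` rules are in place on the forward hook.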