On 02/14/2011 11:17 AM, Florin Iucha wrote:
> On Mon, Feb 14, 2011 at 10:45:39AM -0600, Justin Krejci wrote:
>> Explain how NAT does this? NAT simply mangles the IP headers.
>> A stateful firewall can protect you from port scans and other baddies
>> without NAT.
>
> If an attacker can't know your IP address, they can't connect to it.

Is that a motive to postpone IPv6 deployment? If so, see RFC 3041
(Privacy Extensions). However, using security-by-obscurity as an
argument on this list is almost as pointless as Godwinning the thread... ;-)

>> It is bad because it has broken protocols, applications, and end-to-end
>> communications and caused much grief and likely loss of functionality in
>> various applications because of it, unseen loss of functionality.
>
> Facebook? Google? Flickr? Netflix?

Actually, yes, possibly. LSN/CGN (large-scale/carrier-grade NAT) has
the potential to wreak havoc on AJAX-happy implementations, simply due
to port exhaustion (as you later mentioned). IIRC Google (particularly
Maps) and Facebook are pretty AJAX-heavy; I imagine the others might be.

>> I maintain NAT is evil. And even "extending the life of IPv4" is
>> debatable as a plus for the overall picture.
>
> I do not maintain that NAT is beautiful for everybody all the time.
> But 'evil' is a loaded term that should be reserved for special occasions.

I can agree with your position on the word "evil." The word is tossed
around far too casually -- I'm guilty of that, too.

The pro/anti NAT discussion has been played out many times before,
probably most frequently on the NANOG list.

Jima
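The port-exhaustion point Jima raises about LSN/CGN is easy to see with a small model. The following is an added example written for this thread, not code from the list or from any NAT product: it treats a CGN as a set of public IPv4 addresses whose ports (assumed here to be 1024-65535 per address) are handed out one per outbound flow, with an assumed per-subscriber cap, and then lets many subscribers fire AJAX-style bursts of concurrent connections at once. The addresses, port range, subscriber counts and cap are all constructed values chosen to keep the arithmetic visible.

```python
"""Toy model of carrier-grade NAT (CGN) port exhaustion.

Added example for this thread, not code from the list or any product.
Pool sizes, port ranges and the per-subscriber port limit are assumptions
picked to make the arithmetic easy to follow.
"""

# Assumption: each public IPv4 address offers ports 1024-65535 for translation.
FIRST_PORT = 1024
LAST_PORT = 65535


class CarrierGradeNAT:
    """One CGN device sharing a few public IPv4 addresses among many subscribers."""

    def __init__(self, public_ips, ports_per_subscriber):
        # Free-port pool per public address; one public port is consumed per flow.
        self.pools = {ip: list(range(FIRST_PORT, LAST_PORT + 1)) for ip in public_ips}
        self.limit = ports_per_subscriber  # cap on concurrent flows per subscriber
        self.bindings = {}                 # (subscriber, src_port, dst) -> (public_ip, public_port)
        self.active = {}                   # subscriber -> number of live bindings
        self.dropped_by_limit = 0          # flows refused by the per-subscriber cap
        self.dropped_by_pool = 0           # flows refused because every public port was in use

    def open_flow(self, subscriber, src_port, dst):
        """Create (or reuse) a translation for one outbound flow; None if refused."""
        key = (subscriber, src_port, dst)
        if key in self.bindings:
            return self.bindings[key]
        if self.active.get(subscriber, 0) >= self.limit:
            self.dropped_by_limit += 1
            return None
        for ip, pool in self.pools.items():
            if pool:
                binding = (ip, pool.pop())
                self.bindings[key] = binding
                self.active[subscriber] = self.active.get(subscriber, 0) + 1
                return binding
        self.dropped_by_pool += 1
        return None

    def close_flow(self, subscriber, src_port, dst):
        """Tear down a translation and return its public port to the pool."""
        binding = self.bindings.pop((subscriber, src_port, dst), None)
        if binding is None:
            return False
        ip, port = binding
        self.pools[ip].append(port)
        self.active[subscriber] -= 1
        return True


def ajax_burst(nat, subscriber, flows, site=("203.0.113.10", 443)):
    """Model a page that fires many concurrent XHRs; returns (accepted, refused)."""
    accepted = 0
    for i in range(flows):
        # Constructed client source ports: each XHR opens a fresh socket.
        if nat.open_flow(subscriber, 10000 + i, site) is not None:
            accepted += 1
    return accepted, flows - accepted


def simulate(subscribers, flows_each, public_ips, limit):
    """Every subscriber opens flows_each connections at once; returns the totals."""
    nat = CarrierGradeNAT(public_ips, limit)
    accepted = refused = 0
    for n in range(subscribers):
        a, r = ajax_burst(nat, f"sub-{n}", flows_each)
        accepted += a
        refused += r
    return {"accepted": accepted, "refused": refused,
            "by_limit": nat.dropped_by_limit, "by_pool": nat.dropped_by_pool}


if __name__ == "__main__":
    # One AJAX-heavy subscriber runs into the per-subscriber cap.
    nat = CarrierGradeNAT(["198.51.100.1"], ports_per_subscriber=200)
    print("single subscriber, 300 XHRs:", ajax_burst(nat, "heavy-user", 300))
    # Two public addresses (2 x 64512 ports) shared by 1000 subscribers at 150 flows each.
    print("1000 subscribers:", simulate(1000, 150, ["198.51.100.1", "198.51.100.2"], 200))
```

The two failure modes are deliberately separated: a single heavy page can exhaust its own per-subscriber allocation even when the device has ports to spare, while a modest per-subscriber load across enough subscribers exhausts the shared pool outright. In either case the browser sees connection failures it cannot distinguish from a dead server, which is why application developers tend to get the blame.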