May 11, 2005

Dispute with Dave over merits of NAT

Hey Dave,

---- Way back on 28 Apr 2005, David Farmer declared:
NAT is EVIL! There I have balanced the universe again. :)

Well, actually NAT is a tool and like most tools it is morally neutral.
Also like most tools in the hands of a professional or someone else
who knows what they are doing, it can be useful and even a good
thing. However, in the hands of someone who doesn't know what
they are doing, most any tool can be bad and even dangerous.

---- Brad's response ----
Yup.

Thanks for the detailed response. I obviously don't
share your concern over NAT drawbacks, particularly
in the cases of firewall, VPC, or home configs, but
you do make an interesting case with good details.

Generally speaking, you raised valid criticisms,
but based on extensive experience I'll explain in
more detail (for the last time, I promise) why I
still think NAT is actually good for some things.

The main drawback is NAT breaks an external admin's
ability to ID (e.g. traceroute) which node behind
NAT is causing or experiencing net problems, and to
directly reach the IP address from outside the NAT.
A few apps will also misbehave, but most users don't
do videoconferencing and such. Surfing, email, ssh,
some VPN clients, most other client apps work fine.

There are benefits. NAT also frustrates hackers and
prevents users from running world-reachable servers.
I'm not saying NAT is a firewall, but it does help
and can be used in conjunction with a real firewall.

Breaking central control of course matters when you
manage ten thousand nodes (as you do). More nodes,
more of a problem, but not every department needs to
be seen that way. Some small shops could easily and
safely operate as locally-managed abstractions. If
you find major network probs coming from IP address
X, kill X - temporarily. Then it's that admin's prob.
If you don't see any probs on a given IP, why worry?

A local NAT would not scale well beyond a couple of
hundred nodes (including printers, etc.) but in one
smaller org I ran NAT for 200+ PCs over four years.

Success depends on a halfway-competent admin, a few
compromises, and intelligence when troubleshooting.
Where I worked we paid just a few hundred bucks per
month for shared Internet over most years, saving
taxpayers over the period maybe ten thousand bucks
vs. allocating around 200 real IPs. Many use this
logic at home: Cable modem plus router is usually
much cheaper than getting several real IPs in DSL.

Responses to Kruckenberg's claims about limitations:

1. Global addressability - so what? My home
boxes (OS X, Windows, and Linux) all work
fine behind a cable/DSL router. See above.

2. Global uniqueness - again, so? As long as
the provider (at home, Comcast) is able to
associate a problem with a particular IP,
they can blame or restrict the main node.

3. Persistence of host-to-address binding -
Breaks a few apps, kills remote control
from outside NAT, but otherwise no big.

4. Address structure - I don't buy this.
From outside, one whole NAT world can
be seen as one IP address (as VPC can).
The local admin can map what's inside.

5. Deployability of applications - Partly
true. Apps are usually not deployed from
way up top but from departmental servers.
In NAT I could deploy apps from server(s)
in my LAN, and NAT can span buildings if
the respective network is so configured
(not here; it was where I last worked).

6. Reliability - Why would NAT be any less
reliable than "proper" routing? I've seen
over a million emails route fine via NAT.
Reliability depends on hardware and a good
provider, not on how the IPs get assigned.

7. Scalability - yes, limited, but I see no
inherent issues up to around 200+ nodes.

8. Private address spaces and VPNs - a
concern if remote access into the boxes
matters, less so if key servers get real
IP addresses using secondary NICs - as I
set it up to reach GroupWise from home.

---- the next is from Dave ----
Most people don't know what NAT really is, how it works, what its
limits are, what it breaks....

---- Brad's response ----
Most folks won't care. See above about the
apps I can use at home without caring it's
NAT. I set up the same for several relatives,
including one who does all her work for IBM
over a VPN connection via NAT + cable modem.
Comcast has never had a reason to complain.

---- the next is from Dave ----
Let's look at another tool, a handgun. This is a very useful tool in
some situations. But I don't think anyone would argue that it is not
dangerous in the wrong hands. I'll also note that the University has
rules about having handguns on campus, counter to the way the
state legislature thinks things should be, I'll add.

---- Brad's response ----
That is not a good analogy. The default behavior
of a handgun is to destroy things. It takes skill
and thought to avoid nasty results. This is not
the case with NAT, which in typical uses - VPC
or cable/DSL routers, requires almost no skill
to configure and use safely and effectively.

---- also from Dave ----
I know, you have a weak argument when you have to bring
handguns into the argument. Here are some much better arguments!

http://pete.kruckenberg.com/blog/archives/000207.html
http://pete.kruckenberg.com/blog/archives/000211.html
[the discussion goes on in this vein, but this is enough]

Posted by tapli005 at May 11, 2005 9:31 AM
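The two behaviours the exchange keeps circling back to, an outsider seeing only the gateway's one address (so the local admin must map a complaint back to a host) and unsolicited inbound traffic being dropped for lack of a table entry, can be made concrete with a small model of a port-translating NAT. This is an added example, not code from the original post or from either correspondent; the class name `Napt`, the public address, ports and timestamps are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal model of a NAPT
gateway with the two behaviours the exchange argues about:
  * outsiders see one public address, so the gateway's own translation
    log is the only way to map a provider complaint back to a host;
  * unsolicited inbound packets with no table entry are dropped, the
    'frustrates hackers' side effect, which is not a firewall policy.
All addresses, ports and timestamps are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed; RFC 5737 documentation range
FLOW_TIMEOUT = 300           # idle seconds before a mapping expires

@dataclass
class Entry:
    inside: Tuple[str, int]  # (private IP, private port)
    last_seen: int           # timestamp of the last packet on this flow

class Napt:
    def __init__(self) -> None:
        self.table: Dict[int, Entry] = {}   # public port -> inside mapping
        self.log: List[Tuple[int, int, Tuple[str, int]]] = []  # audit trail
        self._next_port = 40000

    def outbound(self, src: Tuple[str, int], now: int) -> Tuple[str, int]:
        """Rewrite an outbound packet's source; reuse a live mapping if any."""
        for port, e in self.table.items():
            if e.inside == src:
                e.last_seen = now
                return PUBLIC_IP, port
        port, self._next_port = self._next_port, self._next_port + 1
        self.table[port] = Entry(src, now)
        self.log.append((now, port, src))   # what an admin needs later
        return PUBLIC_IP, port

    def inbound(self, dst_port: int, now: int) -> Optional[Tuple[str, int]]:
        """Deliver inbound traffic only to a live mapping; else drop it."""
        e = self.table.get(dst_port)
        if e is None or now - e.last_seen > FLOW_TIMEOUT:
            self.table.pop(dst_port, None)   # expired or never existed
            return None
        e.last_seen = now
        return e.inside

    def attribute(self, pub_port: int, when: int) -> Optional[Tuple[str, int]]:
        """Resolve an upstream complaint ('your IP, port P, at time T')."""
        hits = [ins for ts, p, ins in self.log if p == pub_port and ts <= when]
        return hits[-1] if hits else None
```

Without the `log` kept by the gateway, a complaint naming the public address and port after the mapping has expired cannot be tied to any inside host, which is the attribution cost the exchange describes.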