[GTALUG] NAT [was Re: Linux hardening question]
D. Hugh Redelmeier
hugh at mimosa.com
Sat Jul 1 17:38:14 EDT 2017
| From: James Knott via talk <talk at gtalug.org>
| I have no use for those who insist IPv4 is good enough, when it
| hasn't been since the day it became necessary to use NAT.

Actually NAT was not introduced to deal with a global shortage of IP
addresses. It was introduced to get rid of a local shortage.

For example, Rogers@Home (the first broadband service for consumers in my
area) was marketed as meant for hooking one device (not a server!) to the
internet. The theory was that you'd pay extra for each other device and
they would get their own IP. This wasn't 100% crazy since most homes that
had a computer that could connect to the internet had only one.

I ran NAT (and servers) at home with a Linux gateway because I did already
have a LAN. (Unlike most folks, I had globally routable addresses in my
LAN but of course Rogers could not route that traffic to me.)

Pretty soon people wanted to run LANs at home BUT they were Microsoft LANs
-- not safe in public. So naturally a broadband router-with-NAT made a
lot of sense.

Now many folks think NATing is the normal and most reasonable form of
firewall!

NAT actually damages the internet's original design. Nodes are peers, not
clients or servers. But only initiators (clients, roughly speaking) can
be behind NAT. So many protocols have had to be butchered to survive NAT.
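The asymmetry described in the last paragraph (only the initiator can sit behind NAT) follows directly from how a port-translating gateway keeps state. The following toy gateway is an added illustration and not code from this thread or from any real NAT implementation; all addresses and ports are constructed. An outbound packet creates a translation entry, the reply to it is matched against that entry and delivered, and a packet from an outside peer that tries to open a connection to a host inside finds no entry and is dropped.

```python
"""Toy port-address-translating (NAT/PAT) gateway.

Added illustration for the GTALUG NAT discussion; not code from the
thread.  Addresses and ports below are constructed sample values
(RFC 5737 documentation ranges and RFC 1918 private space).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatGateway:
    public_ip: str
    next_port: int = 40000  # next free public port to hand out
    # (private_ip, private_port) -> public_port
    outbound: dict = field(default_factory=dict)
    # public_port -> (private_ip, private_port)
    inbound: dict = field(default_factory=dict)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the LAN; create a mapping if none exists."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving from the internet, or drop it (None)
        when no inside host has previously initiated through that port."""
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None
        priv_ip, priv_port = key
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> dict:
    """Run the two cases the post contrasts: initiator inside vs. peer outside."""
    gw = NatGateway(public_ip="198.51.100.1")

    # Case 1: a LAN host initiates to a web server outside; the reply gets in.
    request = Packet("192.168.1.10", 51000, "203.0.113.5", 80)
    on_the_wire = gw.translate_outbound(request)
    reply = Packet("203.0.113.5", 80, on_the_wire.src_ip, on_the_wire.src_port)
    delivered_reply = gw.translate_inbound(reply)

    # Case 2: an outside peer tries to initiate to a service on the same LAN
    # host (say SSH on port 22).  Nothing inside asked for it: no mapping.
    unsolicited = Packet("203.0.113.7", 4444, "198.51.100.1", 22)
    delivered_unsolicited = gw.translate_inbound(unsolicited)

    return {
        "public_source": (on_the_wire.src_ip, on_the_wire.src_port),
        "reply_delivered": delivered_reply is not None,
        "reply_destination": None if delivered_reply is None
        else (delivered_reply.dst_ip, delivered_reply.dst_port),
        "unsolicited_delivered": delivered_unsolicited is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model keys replies on the public port alone, which is the most permissive of the common NAT behaviours; real gateways often also require the reply to come from the same remote address and port, which makes hole-punching harder still. Either way the second case shows the point of the post: the inside host can act as a client, but a peer on the internet has no way to open a connection to it without the gateway being told about it in advance (a port forward) or the protocol being reworked to have the inside end initiate.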