[GTALUG] NAT [was Re: Linux hardening question]

D. Hugh Redelmeier hugh at mimosa.com
Sat Jul 1 17:38:14 EDT 2017


| From: James Knott via talk <talk at gtalug.org>

| I have no use for those who insist IPv4 is good enough, when it
| hasn't been since the day it became necessary to use NAT.

Actually NAT was not introduced to deal with a global shortage of IP 
addresses.  It was introduced to get rid of a local shortage.

For example, Rogers at home (the first broadband service for consumers in my 
area) was marketed as meant for hooking one device (not a server!) to the 
internet.  The theory was that you'd pay extra for each other device and 
they would get their own IP.  This wasn't 100% crazy since most homes that 
had a computer that could connect to the internet had only one.

I ran NAT (and servers) at home with a Linux gateway because I did already 
have a LAN.  (Unlike most folks, I had globally routable addresses in my 
LAN but of course Rogers could not route that traffic to me.)

Pretty soon people wanted to run LANs at home BUT they were Microsoft LANs 
-- not safe in public.  So naturally a broadband router-with-NAT made a 
lot of sense.

Now many folks think NATing is the normal and most reasonable form of 
firewall!

NAT actually damages the internet's original design.  Nodes are peers, not 
clients or servers.  But only initiators (clients, roughly speaking) can 
be behind NAT.  So many protocols have had to be butchered to survive NAT.
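As an added illustration of the two points above (that a NAT box behaves like a firewall by accident, and that only initiators can sit behind one), here is a small port-translating NAT simulation. It is example code written for this archive page, not anything from the thread or from any router; the addresses, port numbers and the simple port-only mapping table are all assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Just enough of an IP/transport header to show address translation."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """A minimal port-translating NAT (NAPT), the kind a home router does.

    Assumption for this example: a mapping is keyed only by the inside
    endpoint and ignores the remote peer (a 'full cone' style). Real routers
    vary, which is exactly what makes NAT traversal messy in practice.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._out: Dict[Tuple[str, int], int] = {}   # (priv_ip, priv_port) -> pub_port
        self._in: Dict[int, Tuple[str, int]] = {}    # pub_port -> (priv_ip, priv_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN-originated packet, creating the mapping on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an internet-originated packet; drop it if no inside host asked for it.

        This drop is the accidental 'firewall': there is simply nowhere to send it.
        """
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self._in:
            return None
        priv_ip, priv_port = self._in[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


# Constructed sample addresses (documentation ranges, not real hosts).
PUBLIC_A, PUBLIC_B, SERVER = "203.0.113.5", "203.0.113.9", "198.51.100.7"


def client_server_exchange() -> bool:
    """Client behind NAT initiates; the server's reply finds its way back."""
    nat = Nat(PUBLIC_A)
    out = nat.outbound(Packet("192.168.1.10", 51000, SERVER, 80))
    reply = Packet(SERVER, 80, out.src_ip, out.src_port)
    back = nat.inbound(reply)
    return back is not None and (back.dst_ip, back.dst_port) == ("192.168.1.10", 51000)


def unsolicited_inbound_dropped() -> bool:
    """A packet nobody inside asked for has no mapping and is discarded."""
    nat = Nat(PUBLIC_A)
    return nat.inbound(Packet(SERVER, 4000, PUBLIC_A, 22)) is None


def peers_behind_two_nats() -> Tuple[bool, bool]:
    """Two would-be peers, each behind its own NAT: neither first packet arrives.

    Returns (a_reached_b, b_reached_a). Each side only knows the other's
    public address, and the other NAT has no mapping for the port used.
    """
    nat_a, nat_b = Nat(PUBLIC_A), Nat(PUBLIC_B)
    a_out = nat_a.outbound(Packet("192.168.1.10", 6881, PUBLIC_B, 6881))
    a_reached_b = nat_b.inbound(a_out) is not None
    b_out = nat_b.outbound(Packet("10.0.0.20", 6881, PUBLIC_A, 6881))
    b_reached_a = nat_a.inbound(b_out) is not None
    return a_reached_b, b_reached_a


if __name__ == "__main__":
    print("client -> server reply delivered:", client_server_exchange())
    print("unsolicited inbound dropped:     ", unsolicited_inbound_dropped())
    print("peer-to-peer across two NATs:    ", peers_behind_two_nats())
```

The third scenario is the one the post is complaining about: a protocol in which either node may open the conversation cannot work when both ends are behind a NAT, because each NAT only forwards packets that match a mapping created from the inside. Protocols end up adding rendezvous servers or relay steps purely to get around that, which is the "butchering" the post refers to.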
