[GTALUG] NAT [was Re: Linux hardening question]

James Knott james.knott at rogers.com
Sat Jul 1 18:17:04 EDT 2017


On 07/01/2017 05:38 PM, D. Hugh Redelmeier via talk wrote:
> | From: James Knott via talk <talk at gtalug.org>
>
> | I have no use for those who insist IPv4 is good enough, when it
> | hasn't been since the day it became necessary to use NAT.
>
> Actually NAT was not introduced to deal with a global shortage of IP 
> addresses.  It was introduced to get rid of a local shortage.
>
> For example, Rogers at home (the first broadband service for consumers in my 
> area) was marketed as meant for hooking one device (not a server!) to the 
> internet.  The theory was that you'd pay extra for each other device and 
> they would get their own IP.  This wasn't 100% crazy since most homes that 
> had a computer that could connect to the internet had only one.
>
> I ran NAT (and servers) at home with a Linux gateway because I did already 
> have a LAN.  (Unlike most folks, I had globally routable addresses in my 
> LAN but of course Rogers could not route that traffic to me.)

These days, I get a /56 prefix from Rogers.  That's 2^72 addresses,
which get split into 256 /64s.  Rogers can route the entire /56 prefix
to me.  My first Internet connection was with io.org, using SLIP, not
PPP, over dial up.  I had a static address then.  I also had Rogers at home.

>
> Pretty soon people wanted to run LANs at home BUT they were Microsoft LANs 
> -- not safe in public.  So naturally a broadband router-with-NAT made a 
> lot of sense.

Back in those days, Microsoft networks did not use IP.  I recall
reading, while at IBM, what went into making it IP compatible. (I had
access to a lot of technical info, when I worked at IBM.)

> Now many folks think NATing is the normal and most reasonable form of 
> firewall!
>
> NAT actually damages the internet's original design.  Nodes are peers, not 
> clients or servers.  But only initiators (clients, roughly speaking) can 
> be behind NAT.  So many protocols have had to be butchered to survive NAT.
>
Yep, you may recall the days when FTP wouldn't work through NAT. 
However, the address limitation of IPv4 was recognized well over 20
years ago and led to the development of IPv6.  As I mentioned, I first
heard of it in 1995.  You may want to see what Vint Cerf has to say
about it.  He's been regretting 32 bit addresses for many years.

Incidentally, I first heard about NAT when I saw a dial up NAT router,
at Computer Fest in 1996.

Also, at IBM, I had 5 static IPv4 addresses, 1 for my computer and 4 for
testing in my work.  I similarly had 5 SNA addresses.  Back then, my
computer's address was 9.29.146.147.
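As an added illustration of the FTP-through-NAT problem mentioned in the reply above (this is example code, not anything posted by either participant): in active-mode FTP the client tells the server where to connect back by sending its own IP address and port inside the PORT command text (RFC 959). A NAT gateway rewrites the IP header but not the payload, so the server receives an unroutable RFC 1918 address unless the gateway also inspects and rewrites the command, which is what the FTP application-level gateways of the era did. The addresses below are constructed (RFC 1918 client, RFC 5737 documentation range for the NAT's public side) and `allocate_port` stands in for whatever port-mapping logic a real NAT would use; RFC 1918 is checked explicitly because Python's `ipaddress.is_private` also treats the documentation ranges as private.

```python
import ipaddress
import re

# Constructed sample topology: a client on an RFC 1918 address behind a NAT
# whose public address is in the RFC 5737 documentation range (TEST-NET-3).
CLIENT_PRIVATE = "192.168.1.20"
NAT_PUBLIC = "203.0.113.5"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def is_rfc1918(ip):
    """True if ip falls in one of the three RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_port(cmd):
    """Parse an active-mode FTP PORT command into (ip, port).

    The client's own address and listening port travel as six decimal octets
    inside the command text (h1,h2,h3,h4,p1,p2), invisible to a NAT that only
    rewrites IP/TCP headers."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    fields = [int(x) for x in m.groups()]
    if any(b > 255 for b in fields):
        raise ValueError("octet out of range")
    ip = ".".join(str(b) for b in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def format_port(ip, port):
    """Inverse of parse_port: build the PORT command line with CRLF terminator."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d\r\n" % (",".join(ip.split(".")), port // 256, port % 256)


def rewrite_port_for_nat(cmd, public_ip, allocate_port):
    """Minimal FTP ALG step performed by a NAT gateway.

    If the PORT command advertises an RFC 1918 address, replace it with the
    gateway's public address and a freshly allocated public port, and return
    the mapping (public_port -> (private_ip, private_port)) the NAT must install
    so the server's inbound data connection can be forwarded. Returns the
    command unchanged and mapping None when no rewrite is needed."""
    ip, port = parse_port(cmd)
    if not is_rfc1918(ip):
        return cmd, None
    public_port = allocate_port()  # hypothetical allocator supplied by the caller
    return format_port(public_ip, public_port), (public_port, (ip, port))


def demo():
    """Run the rewrite on the constructed client; returns (original, rewritten, mapping)."""
    cmd = format_port(CLIENT_PRIVATE, 50000)          # "PORT 192,168,1,20,195,80\r\n"
    new_cmd, mapping = rewrite_port_for_nat(cmd, NAT_PUBLIC, lambda: 40001)
    return cmd, new_cmd, mapping


if __name__ == "__main__":
    original, rewritten, mapping = demo()
    print("client sent:    ", original.strip())
    print("server receives:", rewritten.strip())
    print("NAT mapping:    ", mapping)
```

Without the rewrite step the server would try to open its data connection to 192.168.1.20:50000, an address that is not routable across the Internet, and the transfer would hang; this is the class of in-band address carriage that forced the protocol changes (passive mode, ALGs) Hugh refers to.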