[GTALUG] NAT [was Re: Linux hardening question]

D. Hugh Redelmeier hugh at mimosa.com
Sun Jul 2 10:29:00 EDT 2017


| From: James Knott via talk <talk at gtalug.org>

| On 07/01/2017 05:38 PM, D. Hugh Redelmeier via talk wrote:

| > For example, Rogers at home (the first broadband service for consumers in my 
| > area)

I'm wrong.  Rogers Wave was the first in my area (1997 or 1998, I
think).  It was rebranded in 2000 to Rogers @ Home.

| These days, I get a /56 prefix from Rogers.

I'm not sure why I don't get IPv6 from Rogers.  I intend to look into
that -- probably I've misconfigured something on my gateway (a PC
running CentOS 7; the cable modem is running in bridge mode).

My IPv4 /24 is globally assigned.  That's not going to happen with
IPv6.

| > Pretty soon people wanted to run LANs at home BUT they were Microsoft LANs 
| > -- not safe in public.  So naturally a broadband router-with-NAT made a 
| > lot of sense.
| 
| Back in those days, Microsoft networks did not use IP.  I recall
| reading, while at IBM, what went into making it IP compatible. (I had
| access to a lot of technical info, when I worked at IBM.)

Was that still true in 1997?  I thought Windows for Workgroups 3.11
had a TCP/IP stack and Windows 95 must have (but I didn't use
Windows).

| > NAT actually damages the internet's original design.  Nodes are peers, not 
| > clients or servers.  But only initiators (clients, roughly speaking) can 
| > be behind NAT.  So many protocols have had to be butchered to survive NAT.
| >
| Yep, you may recall the days when FTP wouldn't work through NAT. 

Right.  But part of that is that FTP was a very early protocol and was
not designed that well.  Even an FTP client can't survive NAT without
the NATting box having special-purpose code to rewrite things inside
the FTP packets.

| However, the address limitation of IPv4 was recognized well over 20
| years ago and led to the development of IPv6.  As I mentioned, I first
| heard of it in 1995.  You may want to see what Vint Cerf has to say
| about it.  He's been regretting 32 bit addresses for many years.

Of course IPv6 is a Good Thing.  But change is hard, especially if one
sees no immediate personal benefit.

I think that it is even worse that we don't use DNSSec.  The security
implications of not securing DNS seem enormous.

And while listing currently lost causes, I really wish we'd gotten to
Opportunistic Encryption.

| Incidentally, I first heard about NAT when I saw a dial up NAT router,
| at Computer Fest in 1996.

I miss Computer Fests.

| Also, at IBM, I had 5 static IPv4 addresses, 1 for my computer and 4 for
| testing in my work.  I similarly had 5 SNA addresses.  Back then, my
| computer's address was 9.29.146.147.

I got my /24 before I had a broadband connection.  I think that it was
in the late 1980s when I was pondering what IP addresses to stick on
my 2-node LAN.  I didn't want to use an RFC 1918 address (this was
before RFC 1918 or even 1597).  So I naively asked for some IPs and got
them.  It was many years before they were actually routed from the
internet to my LAN.
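The FTP point above (that a NAT box needs special-purpose code to rewrite addresses inside FTP traffic) is easy to see in the PORT command of active-mode FTP, which carries the client's own IP address and listening port as six decimal octets. The following Python is an added illustration, not code from this thread or from any NAT product: a toy FTP "application-layer gateway" that parses PORT, detects an RFC 1918 address, substitutes the gateway's public address and a freshly allocated port, and records the mapping so the server's inbound data connection can be forwarded back. The public address 203.0.113.5, the private address 192.168.1.10, the port range starting at 40000 and the session lines are all constructed for the example.

```python
import ipaddress
import re

# RFC 1918 private ranges; an FTP server on the public internet cannot
# connect back to any of these, which is exactly why NAT breaks active FTP.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def parse_port(line: str):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, port).

    Returns None for any other command line; raises on out-of-range octets.
    """
    m = PORT_RE.match(line)
    if m is None:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("PORT octet out of range: %s" % line.strip())
    h1, h2, h3, h4, p1, p2 = octets
    return ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2


def format_port(ip: ipaddress.IPv4Address, port: int) -> str:
    """Inverse of parse_port: encode address and port as a PORT command."""
    return "PORT " + ",".join(str(b) for b in ip.packed) + ",%d,%d\r\n" % (port // 256, port % 256)


class FtpAlg:
    """Toy NAT helper for active FTP (hypothetical class, constructed for this example).

    A real NAT must do the same two things: rewrite the PORT payload on the
    control connection, and open a temporary inbound mapping for the data
    connection the server will initiate.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = ipaddress.IPv4Address(public_ip)
        self.next_port = first_port
        self.mappings = {}  # public port -> (private ip, private port)

    def rewrite(self, line: str):
        """Return (outgoing line, allocated public port or None, byte-length delta).

        The delta matters in practice: the rewritten command is usually a
        different length, so the NAT has to fix up TCP sequence and ack
        numbers on the control connection for the rest of the session.
        """
        parsed = parse_port(line)
        if parsed is None:
            return line, None, 0
        priv_ip, priv_port = parsed
        if not is_rfc1918(priv_ip):
            return line, None, 0  # already globally routable; nothing to do
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[pub_port] = (priv_ip, priv_port)
        new_line = format_port(self.public_ip, pub_port)
        return new_line, pub_port, len(new_line) - len(line)

    def inbound(self, dst_port: int):
        """Where should a server-initiated connection to public:dst_port be forwarded?"""
        return self.mappings.get(dst_port)


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.5")
    # Constructed client-to-server control lines from a host behind the NAT.
    session = ["USER anonymous\r\n", "PORT 192,168,1,10,4,1\r\n", "RETR file.txt\r\n"]
    for line in session:
        out, pub_port, delta = alg.rewrite(line)
        print(repr(line), "->", repr(out), "public port:", pub_port, "delta:", delta)
    print("inbound on 40000 forwards to", alg.inbound(40000))
```

Without the rewrite, the server would see `192.168.1.10` and try to open its data connection to an address that is not routable from the internet; with it, the server connects to `203.0.113.5:40000` and the NAT forwards that to `192.168.1.10:1025`. Passive mode (PASV) sidesteps this on the client side, which is one of the protocol "butcherings" the thread alludes to.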
