Great Circle Associates Firewalls
(October 1996)

Subject: RE: IP addresses
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Date: Tue, 22 Oct 1996 08:11:07 -0400
To: Peter da Silva <peter @ baileynm . com>, "'Rabid Wombat'" <wombat @ mcfeely . bsfs . org>
Cc: admin @ everett . pitt . cc . nc . us, firewalls @ GreatCircle . COM

>What it comes down to is making a choice in a time where choices are
>becoming increasingly limited. Adopting NAT w/ proxies may be preferable
>to re-numbering later.  Many organizations, especially those that are
>only now deciding to connect to the Internet, need to make the choice.
>Most organizations cannot go out and get a /19, and need to get their
>addresses from their upstream. Getting a "divorce" later could turn into
>an expensive proposition, one that the upstream is likely to be well
>aware of.

I just read an RFC on that subject: RFC 2008
(ftp://ds.internic.net/rfc/rfc2008.txt) was released as BCP 7 on Oct.
16th, and covers this in depth. It's well worth the read if you're
interested in this subject.

What I took out of RFC2008 was that renumbering is inevitable,
regardless of what you do today. Whether it be renumbering IPv4 to
IPv6, renumbering due to CIDR, renumbering due to merger, or
renumbering because you changed your ISP, it will take place in the
vast majority of sites that are on today or that come on in the
foreseeable future. Bottom line is that you should put some method of
renumbering into your network design as soon as possible. Maybe a NAT
eliminates that need (future technological uses of IP addresses are
impossible to qualify), or maybe it just defers the renumbering process
until a device is available that handles your future requirements. They
certainly have value in IPv4 environments assuming you've already input
their specific functionality into your threat/risk model and accepted
their limitations (i.e. maybe your authentication scheme is IP based
and cannot work when a NAT is in place, or maybe you need to know
actual source IP address for your logging to provide you with the
information you want, etc.).

I think they need to get smarter, like be able to talk to each other so
logging doesn't get blurred because you passed through two of them on
your way to the Internet, for example. Maybe that's a management
function that they're not intended to serve? And as Peter pointed out, we
need proxies for things that don't like NATs (or that NATs don't like).
Personally, I don't think that NATs add security to your Firewall, but
instead some obscurity. That said, their value for other purposes, like
being able to have as many IP addresses as you need, or performing a
corporate merger, can't be overlooked.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ . Cooper @ RC . Toronto . on . ca
