> What applications that people want to run--and the IT managers would
> want to enable--are actually inhibited by NAT? It seems to me that
> most of the applications inconvenienced by NAT are ones that IT
> managers would want to screen off anyway.

Not really.  For example, ftp as originally defined doesn't
work through NATs, and no standard VoIP or multimedia
conferencing protocol works through NAT.  

What I think is a huge problem that people tend to be pretty
hand-wavy about is that many of the mechanisms that are
introduced to help complex applications work through NATs
introduce new security exposures, whether it's the
"pseudo-NAT attack" described by Dupont and that we've run
into with STUN, or external relays allowing internal users
to run unauthorized servers, or stateful inspection/rewrite
forcing application users not to use encryption or integrity
protection, or ...  NAT has a surprisingly wide ripple
effect that's almost completely negative.

Melinda
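To make the FTP point concrete: an added example, not part of the original message, that decodes the RFC 959 PORT command whose embedded IPv4 address is what breaks active-mode FTP through a NAT, and shows the payload rewrite a NAT's FTP application-level gateway has to perform. All addresses are constructed (10.0.0.5 behind the NAT, 203.0.113.7 as the public side); the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: a client behind a NAT sends an active-mode PORT command.
# The address in the payload is the client's private address, while the NAT has
# rewritten only the IP header, so the server sees a different source address.
SAMPLE_PORT_CMD = "PORT 10,0,0,5,195,80\r\n"
OBSERVED_SOURCE = "203.0.113.7"  # constructed public address the server actually sees

_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line):
    """Decode an RFC 959 PORT command (h1,h2,h3,h4,p1,p2) into (ip, port)."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    port = octets[4] * 256 + octets[5]
    return str(ip), port


def nat_mismatch(line, observed_source):
    """Compare the endpoint embedded in the payload with the packet's real source.

    A mismatch is exactly what breaks active FTP through NAT: the server would
    open the data connection to an address it cannot reach from its side.
    """
    ip, port = parse_port_command(line)
    embedded = ipaddress.IPv4Address(ip)
    return {
        "embedded": (ip, port),
        "observed": observed_source,
        "mismatch": embedded != ipaddress.IPv4Address(observed_source),
        "embedded_is_private": embedded.is_private,
    }


def rewrite_port_command(public_ip, public_port):
    """Build the PORT line a NAT's FTP ALG substitutes for the client's original.

    The ALG must read and modify the plaintext control channel; once that channel
    is encrypted or integrity-protected the rewrite is impossible, which is the
    trade-off the message above describes.
    """
    octets = str(ipaddress.IPv4Address(public_ip)).split(".")
    return "PORT %s,%d,%d\r\n" % (",".join(octets), public_port // 256, public_port % 256)
```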