I try to avoid the Obfuscation argument when I can. I've seen people try to be smart by telling Law Enforcement that they don't keep logs and can't point to which host was a problem behind a NAT box, only to see Law Enforcement take all the PCs instead of the one in question. So it's always made me nervous. As for the security value; I think it's more a privacy value than anything. But you can accomplish almost the same thing by having those hosts use a web proxy; which you likely want to be doing anyway so you can scan content for threats.
I personally have no desire for it; but if someone wants to implement it I won't stop them.

On Tue, Jun 14, 2011 at 1:28 PM, William Herrin <b...@herrin.us> wrote:
> On Tue, Jun 14, 2011 at 1:04 PM, Ray Soucy <r...@maine.edu> wrote:
>> I think in the long term telling everyone to jump into the BGP table
>> is not sustainable; and not operationally consistent with the majority
>> of SMB networks.
>>
>> A better solution; and the one I think that will be adopted in the
>> long term as soon as vendors come into the fold, is to swap out
>> RFC1918 with ULA addressing, and swap out PAT with NPT; then use
>> policy routing to handle load balancing and failover the way most
>> "dual WAN" multifunction firewalls do today.
>>
>> Example:
>>
>> Each provider provides a 48-bit prefix;
>>
>> Internally you use a ULA prefix; and setup prefix translation so that
>> the prefix gets swapped appropriately for each uplink interface. This
>> provides the benefits of "NAT" used today; without the drawback of
>> having to do funky port rewriting and restricting incoming traffic to
>> mapped assignments or UPnP.
>
> Hi Ray,
>
> There's a nuance here you've missed.
>
> There are two main reasons for ULA inside the network:
>
> 1. Address stability (simplifies network management)
> 2. Source obfuscation (improves the depth of the security plan)
>
> Option 1: Obfuscation desired.
>
> ULA inside. NAT/PAT at both borders. You don't use prefix translation
> here because prefix translation does little obfuscation: it has a 1:1
> relationship with each individual host and still reveals the internal
> routing structure.
>
> Option 2: Stability, no obfuscation desired.
>
> ULA inside, prefix translation at both borders.
>
> Option 3: Neither stability nor obfuscation required.
>
> GUA from one of the providers inside. Prefix translation to the other
> provider for the connections desired out that border. Giving the hosts
> real GUA addresses maximizes application compatibility.
>
> Regards,
> Bill Herrin
>
>
> --
> William D. Herrin ................ her...@dirtside.com b...@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
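The exchange above turns on what NPT (prefix translation, RFC 6296) actually does to an address compared with NAT/PAT. The following is an added worked example, not code from either poster: it applies the RFC 6296 checksum-neutral mapping for the "/48 or shorter" case to a ULA-inside, two-provider site like the one Ray describes, and shows the property Bill points out, that the mapping is 1:1 per host (the interface ID survives untouched and each internal subnet lands on one fixed external subnet), so nothing about the internal layout is hidden. The ULA prefix, the two 2001:db8::/32 documentation prefixes and the host addresses are constructed sample values; refusing a translated subnet word of 0xFFFF (negative zero in one's complement arithmetic) is this example's own choice for the ambiguous case, and both prefixes are assumed to be equal-length /48s.

```python
"""NPTv6 (RFC 6296) prefix translation, worked through for a ULA-inside,
two-provider site.  Added example; assumes equal-length /48 prefixes (or
shorter, on a 16-bit boundary) so the checksum adjustment lands in the
subnet word (bits 48-63)."""
import ipaddress

# Constructed sample values: a made-up ULA and two documentation prefixes.
INSIDE = ipaddress.IPv6Network("fd12:3456:789a::/48")
PROVIDER_A = ipaddress.IPv6Network("2001:db8:1::/48")
PROVIDER_B = ipaddress.IPv6Network("2001:db8:2::/48")


def _ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _ones_sum(words) -> int:
    total = 0
    for w in words:
        total = _ones_add(total, w)
    return total


def _words(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of an IPv6 address."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _normalize(x: int) -> int:
    """0xFFFF and 0x0000 are both zero in one's complement arithmetic."""
    return 0 if x == 0xFFFF else x


def checksum_adjustment(src: ipaddress.IPv6Network, dst: ipaddress.IPv6Network) -> int:
    """Value added to the subnet word so the one's complement sum of the
    address, and hence every TCP/UDP/ICMPv6 checksum covering it, is unchanged."""
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48 or src.prefixlen % 16:
        raise ValueError("example only handles equal /16, /32 or /48 prefixes")
    n = src.prefixlen // 16
    s_src = _ones_sum(_words(src.network_address)[:n])
    s_dst = _ones_sum(_words(dst.network_address)[:n])
    # one's complement subtraction: s_src - s_dst == s_src + ~s_dst
    return _ones_add(s_src, (~s_dst) & 0xFFFF)


def translate(addr, src: ipaddress.IPv6Network, dst: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Rewrite addr from prefix src to prefix dst, RFC 6296 style."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    w = _words(addr)
    n = src.prefixlen // 16
    w[:n] = _words(dst.network_address)[:n]          # swap the prefix words
    w[3] = _ones_add(w[3], checksum_adjustment(src, dst))  # fix up the subnet word
    if w[3] == 0xFFFF:
        # negative zero in the subnet word; this example refuses it rather
        # than picking a convention for the ambiguous case
        raise ValueError("subnet word would be 0xFFFF; choose another subnet")
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))


def is_checksum_neutral(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> bool:
    return _normalize(_ones_sum(_words(a))) == _normalize(_ones_sum(_words(b)))


def outside_view(inside_host: str) -> dict:
    """What each provider sees for one internal host.  The interface ID and a
    fixed, per-subnet external subnet survive: a 1:1 mapping, which is the
    point made in the thread about NPT versus NAT/PAT.  Also verifies the
    mapping is reversible and checksum neutral."""
    host = ipaddress.IPv6Address(inside_host)
    out = {}
    for name, net in (("A", PROVIDER_A), ("B", PROVIDER_B)):
        ext = translate(host, INSIDE, net)
        back = translate(ext, net, INSIDE)
        assert back == host and is_checksum_neutral(host, ext)
        out[name] = str(ext)
    return out


if __name__ == "__main__":
    for h in ("fd12:3456:789a:1::10", "fd12:3456:789a:1::11", "fd12:3456:789a:2::10"):
        print(h, "->", outside_view(h))
```

Run it and the two hosts in internal subnet 1 come out in the same external subnet of each provider with their interface IDs intact, while the host in subnet 2 lands in the neighbouring external subnet: an observer outside can read the internal subnet plan straight off the external addresses, which is the reason the thread gives for using NAT/PAT rather than NPT where obfuscation is the goal.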