I always find it amusing when a network administrator effectively says "I want to be able to use NAT to cripple my network so that valuable applications cannot run on it". The fact is that NAT is not a useful discriminator between valuable and harmful applications. Whether NAT breaks an application has nothing to do with the legitimacy or utility of that application.
In my experience, NAT is detrimental to security because it makes it much more difficult to trace security breaches. In the example you cite where the NAT provides an "insurance policy" backup to a misconfigured firewall, another way to look at what's happening is that the NAT is masking the fact that the firewall is misconfigured -- and perhaps, permitting breaches that would not be permitted were the firewall properly configured.

I agree that NAT can be useful to an ASP in managing the mapping between external address and internal hardware. I see this as a corner case rather than an argument for the general utility of NAT. And in general, if you are running a special-purpose network whose only purpose is to provide a very small and well-identified, specific set of services, NAT might work just fine for you. But most networks aren't like that. The whole idea of IP is to allow a network to support a broad range of services, and NATs are detrimental to that in almost every way.

Keith

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
