Keith,

The idea that Network Administrators and Corporate IT are somehow less qualified to weigh the costs/benefits of choosing to use NAT vs. specific applications than their end users are is a strange notion to say the least. As is the idea that they don't have to deal with the consequences of those decisions.

Most end users on corporate networks have no grounding, qualification or knowledge to make informed technical decisions about the applications they use, let alone about the costs and benefits of deploying technologies such as NAT. Most end users haven't even HEARD of NAT... if I mentioned the word to them they would assume I was talking about an insect (and misspelling it). By saying this I'm not denigrating those end users either... They shouldn't HAVE to understand the implications of such technologies... they have their own fields and specialties which they are experts in. That's what they get paid for... what WE get paid for is understanding the implications of things like NAT and of the unseen costs associated with certain applications and technologies.

Even if the end users did understand those implications... they would be doing so through the lens of their own narrow self-interest. Jane really isn't going to be too concerned if her choice of technology interferes with what Joe is doing... as long as her needs are met. As Network Admins in Corporate IT it's OUR job to make sure that corporate network is functioning smoothly as a WHOLE for EVERYONE. It's our job to make sure that our company's technology goals as a whole are being met and to balance those goals against the needs and desires and priorities of individual end users... most of whom may not even be fully aware of those technology goals. At the end of the day, if we're not meeting those responsibilities well then WE'RE the ones that are going to be getting pink slips... not the receptionist that wants to run LimeWire because she thinks "it's cool".

Whether or not to run NAT is a choice for individual administrators to decide. In many cases, it DOESN'T harm their organizations' environments at all... because the applications they would be missing are NOT the "best applications to get work done" or meet the organization's technology goals... or because NAT-friendly alternatives exist for the ones that do. Even in cases where there is some application that might prove useful... usually a workaround can be found... and in those cases it's up to the Network Admins to make cost/benefit decisions about whether it makes more sense to find a workaround for that application... or find a workaround for the benefits he perceives NAT provides. Furthermore, even if we choose NAT today... there is nothing to say that if in future priorities change we can't revisit that decision. Ultimately these are the type of choices that Network Admins are paid to make... and trust me, if we end up making poor ones we DO get held accountable for them.

NAT is simply one type of tool which is available in our toolbox. Thanks to the work people are doing with IPv6... there ARE a lot more options available in that toolbox. That's a good thing. However, just because NAT isn't a very good tool for SOME situations doesn't mean we should take it out of the toolbox when it's still a perfectly good tool for MANY situations (which it IS). It's like saying that because we have all these fancy power tools available today... we should all throw out our hammers when the hammer still works perfectly well for many jobs.

Christopher Engel

-----Original Message-----
From: Keith Moore [mailto:[email protected]]
Sent: Monday, November 02, 2009 5:01 PM
To: Chris Engel
Cc: '[email protected]'
Subject: Re: [nat66] Necessity for NAT remains in IPv6

Chris Engel wrote:
> Keith,
>
> Whether NAT is a useful discriminator or NOT is rather irrelevant (though I happen to find it a useful one)... the point is the Network Administrator and company security policy IS a useful security discriminator in determining what applications are valuable or not... and THEY can determine whether the benefits of NAT outweigh the costs.

Actually, I disagree. In my experience (at least for networks that serve a significantly sized population of users) such people are usually quite ignorant of both the diversity of needs of their users, and the true impact of NAT on their networks in terms of the range of the applications that NATs deny to users; and are therefore unable to make a realistic estimate of the costs.

Of course, it's not unusual for a network administrator to view applications as thorns in his side, and to try to reduce the number of applications available to users.

> NO ONE is arguing that NAT is a useful tool for EVERY network. I'm glad that there will be more alternatives available under IPv6 for people to use. However, that does NOT mean that for many of the people who currently use it that NAT is not currently useful and would not be so in future regardless of the other options available. Just because person X in their situation finds a particular tool more harmful than helpful is NOT a good argument for denying the tool's use to EVERYONE.

The same could be said of applications whose functions are impaired by NAT. e.g. Just because a network administrator thinks that such applications are more harmful than helpful is NOT a good reason for denying the use of those applications to EVERYONE on that network.

Perhaps unfortunately, nobody has figured out a way to prevent NATs from being used in IPv6. But the ONLY significant benefit of NAT in the IPv4 world is associated with their use to conserve precious address space, and even that comes with significant pain. The other benefits are corner cases that apply only to very specific situations.

> Let the people who find the tool useful CHOOSE to use it (and live with the consequences of that choice) and those who don't, don't.

The problem is, the people who are choosing to install NATs are not the ones dealing with the consequences of that choice.

> Furthermore, it's definitely NOT special-purpose networks that look to tightly limit the services that traverse the network boundary. That's a pretty significant goal in pretty much all corporate security. My company deals with A LOT of Fortune 1000 clients and almost every one which has had a security review as part of their vendor qualification process MANDATES NAT... not just in the ASP hosting environment... but even in the corporate networks of the vendors they deal with.

Most of those Fortune 1000 companies use Windows too... which doesn't say much for their sense of security.

> On most corporate networks I've seen... the recommended security standard has become not just DENY ALL IN but DENY ALL OUT and then poke open holes AS REQUIRED.

You certainly don't need NAT to do that.

> Your other argument doesn't make much sense to me. Yes, NAT protecting the private network from exposure may indeed "mask" the fact that the FW rules have been misconfigured... in that sense it is doing its job as a compensating control. I'm pretty sure that almost any network admin is going to be happier discovering that flaw in a routine audit of their FW config rather than discovering it because of an ACTUAL breach... I'm almost certain the business owners whose assets are being protected would be. That's the whole point of compensating controls.

If you want a layered defense (which I agree is a good thing), it makes far more sense to have multiple layers of firewall (as well as intrusion detection and active probing) than to trust a NAT to "do the right thing" when you have a configuration error.

> Note, when I'm speaking here... I'm really addressing the utility of NAT from the perspective of employing it at the edge of private networks... particularly corporate enterprise or non-profit organization networks. You might label these as "special-purpose" networks... but I really wouldn't.

Nor I.

> In these instances, the end users do NOT rightfully have the expectation to run any old application they may choose or want and have it work. They are specifically utilizing assets (including the computers they happen to be sitting at) that are NOT owned or controlled by them... and they are doing so in the capacity as paid representatives of the organization whose assets they are utilizing.

I'm not talking about the "rights" of end users in such situations, but rather, their ability to use the best applications available in order to get their work done.

Yes, a company can, if it wishes, dictate precisely which applications a user may or may not use on the company's network or equipment; and yes, the company can attempt to enforce those restrictions by placing impediments in the network. Of course, they do that at the peril of harming their company's ability to compete in the marketplace. But it's their choice.

But given that it chooses to limit the apps that can be used on its network, why in the world should it employ NAT to do that when there are far better tools for the job? Or to put it another way, why should it cripple its networks a priori so that it becomes more difficult to support new applications even when their utility becomes apparent?

Keith

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
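The policy both posters describe, DENY ALL IN and DENY ALL OUT with holes poked only as required, and Keith's point that it needs a firewall rather than a NAT, can be written as a plain stateful IPv6 ruleset with no translation at all. The nftables ruleset below is an added example for this thread, not code from either poster or from the nat66 list; the interface names lan0 and wan0, the 2001:db8:1::/48 documentation prefix, and the single published SMTP host are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nat66 thread): an IPv6 edge policy that is
# default-deny in both directions and contains no NAT rules. Interface
# names and the 2001:db8:1::/48 prefix are assumptions for illustration.

flush ruleset

table inet edge {
    # Traffic addressed to the firewall itself.
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbour/router discovery and ping are needed for IPv6 to work at all.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert, echo-request } accept
        # Manage the firewall only from the inside network.
        iifname "lan0" tcp dport 22 accept
    }

    # Traffic crossing the boundary between lan0 and wan0.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Anti-spoofing: our own prefix never arrives from the outside.
        iifname "wan0" ip6 saddr 2001:db8:1::/48 drop
        # Path MTU discovery and error reporting must pass in both directions.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # DENY ALL OUT, then the holes poked as required: web and DNS only.
        iifname "lan0" oifname "wan0" tcp dport { 80, 443 } accept
        iifname "lan0" oifname "wan0" udp dport 53 accept
        # DENY ALL IN, then the one published service, named by its real
        # global address rather than by a port-forward on a shared address.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::25 tcp dport 25 accept
    }

    # Traffic originated by the firewall itself.
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, echo-request } accept
        # The box itself may resolve names and set its clock, nothing else.
        oifname "wan0" udp dport { 53, 123 } accept
    }
}
```

Load it with `nft -f <file>` and review it with `nft list ruleset`. Because nothing is translated, the listing is the complete statement of what is reachable from the outside: an accidental `policy accept` or an over-broad inbound rule shows up directly in that routine audit instead of being hidden behind address translation, which is the layered-firewall alternative Keith argues for. The `established,related` rules give inside hosts the same "unsolicited inbound is dropped" property that NAT is usually credited with, while every host keeps its global address, so a new inbound application can later be admitted with one explicit rule against the host that serves it.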
