What NAT is useful for

November 14, 2007

I can think of at least three things that NAT is good for:

  • it compacts address space; many machines can sit behind a single public IP address.
  • it makes a decent outgoing-traffic-only firewall, which provides a significant amount of protection to the machines behind it: inbound packets are only forwarded when they match a translation entry that outbound traffic created, so an unsolicited inbound connection has no inside machine to be delivered to.
  • to some degree it denies outsiders what I'll call 'traffic intelligence': how many machines you have, how they're grouped, and which machine or group is responsible for what traffic, since everything leaves with the gateway's address as its source.

(Sometimes the lack of traffic intelligence can be a problem, such as when the campus network people report that our primary NAT gateway machine is doing an awful lot of suspicious traffic.)

The second thing is certainly important to us, and I suspect that the third thing is important to many companies. There are ways of working around both of these additional benefits if an attacker is determined and skilled, and of course NAT is not the only way of providing either. But it's certainly useful that both benefits come along for free when you're already using NAT for the first reason, and especially that they happen automatically, without the need for any special configuration.
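To make the mechanism behind the first two benefits (and the third) concrete, here is a small model of a port-translating NAT gateway. This is an added example and not code from the original post; the gateway, the 10.0.0.0/24 inside network, the 203.0.113.5 external address and the remote hosts are all constructed for the illustration. It shows why the "outgoing-traffic-only firewall" comes for free: inbound packets are delivered only if a translation entry exists, and the only entries are the ones outbound traffic created (or, going slightly beyond the text, a static port forward the administrator added by hand). It also shows that every outbound flow leaves with the same source address, which is what denies outsiders traffic intelligence.

```python
"""Toy model of a port-translating (NAPT) gateway with a connection table.

Added example with constructed addresses; real NAT implementations differ
in details (timeouts, how strictly replies are matched to the remote
endpoint), but the forwarding logic below is the core of all of them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, external_ip: str, internal_prefix: str, port_base: int = 40000):
        self.external_ip = external_ip
        self.internal_prefix = internal_prefix      # hypothetical: "10.0.0."
        self.next_port = port_base                  # next free external port
        # outbound: (proto, in_ip, in_port, dst_ip, dst_port) -> external port
        self.out_table: Dict[Tuple, int] = {}
        # inbound: (proto, external port, remote_ip, remote_port) -> (in_ip, in_port)
        self.in_table: Dict[Tuple, Tuple[str, int]] = {}
        # static port forwards added by an administrator: (proto, ext_port) -> inside
        self.static: Dict[Tuple, Tuple[str, int]] = {}
        self.dropped: List[Packet] = []

    def is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet; create the translation if new."""
        assert self.is_internal(pkt.src_ip)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            # The reply path is created here and nowhere else: this is the
            # "firewall for free" property of NAT.
            self.in_table[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # Every inside host appears to the outside as external_ip.
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def forward_port(self, proto: str, ext_port: int, in_ip: str, in_port: int) -> None:
        """Explicit configuration needed to let unsolicited traffic in."""
        self.static[(proto, ext_port)] = (in_ip, in_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an outside->inside packet only if a translation matches."""
        if pkt.dst_ip != self.external_ip:
            self.dropped.append(pkt)
            return None
        inner = self.in_table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inner is None:
            inner = self.static.get((pkt.proto, pkt.dst_port))
        if inner is None:
            self.dropped.append(pkt)          # unsolicited: nowhere to send it
            return None
        return Packet(pkt.src_ip, pkt.src_port, inner[0], inner[1], pkt.proto)


def run_demo() -> dict:
    """Drive the gateway with constructed traffic and summarise what happened."""
    gw = NatGateway("203.0.113.5", "10.0.0.")
    # Two inside hosts talk to one web server: address compaction.
    out1 = gw.outbound(Packet("10.0.0.2", 51000, "198.51.100.10", 80))
    out2 = gw.outbound(Packet("10.0.0.3", 51000, "198.51.100.10", 80))
    # The server answers what it saw; each reply reaches the right inside host.
    r1 = gw.inbound(Packet("198.51.100.10", 80, out1.src_ip, out1.src_port))
    r2 = gw.inbound(Packet("198.51.100.10", 80, out2.src_ip, out2.src_port))
    # An unsolicited SYN to port 22 on the gateway address matches nothing.
    r3 = gw.inbound(Packet("192.0.2.9", 40404, "203.0.113.5", 22))
    # Only an explicit (hypothetical) port forward lets outsiders in.
    gw.forward_port("tcp", 2222, "10.0.0.4", 22)
    r4 = gw.inbound(Packet("192.0.2.9", 40405, "203.0.113.5", 2222))
    return {
        "external_sources": {out1.src_ip, out2.src_ip},   # what the outside sees
        "delivered": [p for p in (r1, r2, r3, r4) if p is not None],
        "dropped": len(gw.dropped),
    }


if __name__ == "__main__":
    summary = run_demo()
    print("sources seen outside:", summary["external_sources"])
    print("delivered:", summary["delivered"])
    print("dropped:", summary["dropped"])
```

Running it shows one external source address for both inside hosts, two replies delivered, the unsolicited SSH attempt dropped, and the port-forwarded packet reaching 10.0.0.4. The same model makes the IPv6 point clear: with globally routable addresses there is no translation table, so "no entry, no delivery" has to be re-created as an explicit stateful filter rule rather than falling out of the addressing.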

IPv6 eliminates the need for address space compaction but does nothing in particular to deal with the other two things NAT is good for (and if IPsec really does become pervasive, IPv6 may complicate the second significantly, since a gateway cannot see the ports inside encrypted ESP traffic to filter on them). This can make sysadmins unhappy, especially when well-intentioned people tell them that IPv6 has made NAT unnecessary.

(Note that denying traffic intelligence is very important in some consumer environments, where your ISP is attempting a revenue grab by charging extra for the privilege of letting you connect multiple machines.)

Last modified: Wed Nov 14 23:17:05 2007