RFC 2993 Architectural Implications of NAT

Slides: 6
Provided by: tony116
Learn more at: https://www.ietf.org

1
RFC 2993 Architectural Implications of NAT
  • Tony Hain
  • Microsoft

2
Issues
  • Impacts the End-to-End principle
  • Enforces a Client / Server model
  • NAT is NOT a simple router replacement

3
Advantages of NATs
  • Simplifies provider switching by masking the
    address changes
  • Breaks the Internet into a collection of address
    authorities
  • Port variants block inbound connections like
    packet filtering firewalls
  • Enables hiding a collection of hosts which
    provide a combined service

4
Problems with NATs
  • Breaks the basic tenet that the endpoints are in
    control of the communication
  • Creates a single point of fate sharing
  • May allow TCP state violations
  • Complicates multi-homing due to state
  • Inhibits implementation of current IP layer
    security
  • Casual use of private addresses invites
    collisions
  • Introduces complexity when publicly published
    services reside on the private side
  • Products may embed a NAT function without
    identifying it as such

5
Deployment Guidelines
  • Examine the applications that will need to
    traverse the NAT and verify their immunity to
    address changes.
  • Determine need for public toward private
    connections and configure accordingly
  • Determine if the applications traversing the NAPT
    or RSIP expect all ports from the public IP
    address to be the same endpoint
  • Identify cases where NAT is acting as a gateway
    between security realms
  • Assure applications used both internally and
    externally avoid embedding names