*BSD News Article 76454



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!paladin.american.edu!zombie.ncsc.mil!news.mathworks.com!uunet!in3.uu.net!van-bc!ddsw1!news.mcs.net!not-for-mail
From: les@MCS.COM (Leslie Mikesell)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: IP Masquerading?
Date: 19 Aug 1996 21:44:56 -0500
Organization: /usr/lib/news/organi[sz]ation
Lines: 39
Message-ID: <4vb8r8$lc1@Mercury.mcs.com>
References: <jfortes-1307951117380001@10.0.2.15> <32151AD0.699795F7@lambert.org> <4v8tcr$8ei@Mercury.mcs.com> <3218B774.3D2754EF@lambert.org>
NNTP-Posting-Host: mercury.mcs.com

In article <3218B774.3D2754EF@lambert.org>,
>
>] How many places using NAT would be comfortable with a non-firewalled
>] internet connection if they understood the implications.
>
>How many ISPs who charge for multiple addresses would allow
>inbound connections from NAT hosts?
>
>It's a silly question to ask.  We both know that the market
>niche for NAT exists because of an arbitrary economic distinction
>by ISP's in the first place, and making other arbitrary
>distinctions does not somehow ennoble the niche.

But the economics aren't arbitrary - it takes considerably more
effort to obtain/assign/delegate networks of addresses than
single addresses.  Suppose you were doing the work at both
ends to connect a bunch of remote offices to a hub site and
you know that (a) all they need at the remotes is email and
web browsing and (b) you are fairly likely to change ISPs at
the hub site and have to renumber everything soon.  Would
you waste the effort to put in full routing?  These days it
is fairly hard to get enough addresses to connect everything,
let alone put in the subnetting you want for security/traffic
management.  It seems rather wasteful not to NAT things that
are behind firewalls and generally unreachable anyway.

>] If TCP were elegant, NAT would be too - or there would be no
>] need for it.
>
>Well, that goes without saying, doesn't it?

Actually I think 'slirp' is pretty elegant, but it only works
where you control the inbound side of a dial-up link.  What
we need is your 'router-tunnel' connected to the equivalent of
a slirp NAT/proxy, possibly over an encrypted channel like the
one ssh uses.

Les Mikesell
  les@mcs.com
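The thread turns on one property of masquerading: hosts behind a NAT box are reachable only through mappings that their own outbound traffic created, which is why inbound connections to them fail and why the poster calls them "generally unreachable anyway". The following is an added illustration of that mechanism, not code from the post or from FreeBSD's natd or slirp: a toy port-address-translation table in Python. The addresses (10.0.0.5 inside, 192.0.2.1 as the public side, 198.51.100.7 and 203.0.113.9 as remote peers) are constructed for the example, and the model omits timeouts, ICMP and fragment handling.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses for the example (RFC 1918 inside, documentation
# ranges outside); none of these come from the original post.
PUBLIC_IP = "192.0.2.1"

# Five-tuple-ish key: (private_ip, private_port, remote_ip, remote_port)
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Masquerader:
    """Minimal port-address-translation (PAT) table, i.e. the mechanism
    behind IP masquerading / NAT. Mappings exist only for flows that a
    private host opened; nothing else gets through."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[FlowKey, int] = {}   # flow -> public port
        self.inbound: Dict[int, FlowKey] = {}    # public port -> flow

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private side: source becomes the
        public address plus an allocated port, and the mapping is recorded
        so the reply can be routed back."""
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving on the public side. Returns None (drop)
        unless it matches a mapping created by earlier outbound traffic
        and comes from the peer that mapping was created for."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited inbound: no mapping, nowhere to deliver
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: still not a reply to our flow
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def demo():
    """Outbound web request, its reply, an unsolicited inbound SMTP attempt,
    and a packet from a third party aimed at the mapped port."""
    nat = Masquerader(PUBLIC_IP)
    out = nat.translate_out(Packet("10.0.0.5", 1025, "198.51.100.7", 80, "GET /"))
    reply = nat.translate_in(Packet("198.51.100.7", 80, PUBLIC_IP, out.src_port, "200 OK"))
    unsolicited = nat.translate_in(Packet("203.0.113.9", 4444, PUBLIC_IP, 25, "HELO"))
    hijack = nat.translate_in(Packet("203.0.113.9", 4444, PUBLIC_IP, out.src_port, "x"))
    return out, reply, unsolicited, hijack


if __name__ == "__main__":
    for name, pkt in zip(("out", "reply", "unsolicited", "hijack"), demo()):
        print(name, pkt)
```

The check that a returning packet comes from the same remote address and port the mapping was opened to is a design choice; real implementations differ, and ones that key only on the public port will deliver anything sent to a mapped port to the private host. That is the sense in which NAT hosts are "generally" rather than absolutely unreachable, and why the first quoted line in the post pairs NAT with a firewall instead of treating it as one.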