[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[RRG] NAT capabilities
Earlier Robin Whittle wrote:
% NAT doesn't give portability or multihoming.
This is provably wrong.
My employer's internal IP network has been using NA(P)T
for years, for many reasons -- including the address
portability and multi-homing capabilities that it provides.
As this type of deployment appears not to be obvious
to some, I'll try to sketch the way things work. I doubt
we were the first deployment of this architecture. I
believe this network architecture to be widely deployed
around the globe at present.
Basic Deployment Concept:
- All internal devices are numbered in private address space
- Policy says that only authorised devices should be reachable
from initiating nodes outside the corporate internal network.
There are relatively few of these; some live in a DMZ subnet.
- Policy says that only authorised application protocols are
permitted. Anything not authorised is blocked by the firewall.
- A NAPT+IPsec-VPN+Firewall box is deployed at each point
where a segment of the corporate network touches the
global Internet. Some boundaries might have multiple
such boxes that share session state among themselves.
These boxes have at least one public IP address each,
sometimes a box might have a handful of public IP addresses.
- All external traffic is processed by the firewall function.
Authorised external traffic is then sent through to the
inside via the NAPT function. The inverse is performed
for traffic originating inside and terminating outside.
- IPsec VPNs are used between such boxes to create secure
internal connectivity among corporate sites. These VPNs
take traffic arriving on the red interface of the gateway
box, put it into an IPsec tunnel, and send it out the
black interface of the gateway for delivery to an equivalent
remote gateway system (where the traffic is decrypted,
removed from the tunnel, and forwarded to its destination).
- Remote offices or remote workers typically have one such box
that has 1 public IP address (on its black interface).
- Because only a handful of our devices have any public IP
address(es), renumbering is practical. IT typically brings
up the new uplink first, configures that into the gateway
boxes as appropriate, then deconfigures the defunct public
- Most often, the gateway boxes can learn their public IP
address(es) by acting as a DHCP client on their black
interface(es). This makes things even easier.
- Internal systems never need to be touched when external
- Again, this is handled by the gateway boxes. If there are
multiple upstream providers, then each gateway typically
gets at least one public IP for each upstream provider.
- As the total number of public IP addresses is tiny, IT
says this is practical for them to undertake.
NAT operational problems:
- IT says that they don't have any real operational problems
due to NAT/NAPT. Only explicitly allowed applications are
permitted through the firewall. All of these work fine
with NAT/NAPT (To use ftp, "passive mode" is required,
but that is already widely deployed, so not an issue.)
- Some other organisations, having different policies,
might have different conclusions about whether a NA(P)T
approach is reasonable.
I am not suggesting that this is the only possible approach.
I am also not suggesting that everyone will like this approach.
It clearly does work well for a significant number of current
IPv4 deployments, however.
to unsubscribe send a message to firstname.lastname@example.org with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg