North American Network Operators Group
Re: BGP announcements and small providers
- From: Lyndon Levesley
- Date: Wed Feb 26 15:18:03 1997
Stephen Sprunk wrote:
|-> What about application protocols like ftp that specify network addresses in
|-> the protocol session? Do you propose the NAT gateway alter FTP packets in
Yes, that is exactly what NAT does - it has a pool (or a static
list, or both) of "Externally facing" IP addresses, and it alters the
IP packets in realtime (in both directions, obviously) between
"Externally facing" IP and "Internally facing" IP address, on a
per-conversation basis. It then keeps a "cache" of what addresses
have been dynamically mapped to what.
The aggro used to be that for things like DNS/Mail/News etc. (almost
any service machine) you have to keep the IP address the same and not
dynamically change it. However, NAT boxes allow you to use dynamic
mapping for your users and static for your other services. They also
provide extremely good security - check out Cisco's PIX at :
which is basically a low spec PC in a rack-mountable box, that can
happily perform NAT at 100Mb/sec. CPU-wise, NAT is not a hard thing
to do, although you might end up needing a fair whack of memory on a
box with *lots* of flows per second.
The security features of the PIX are not a feature of NAT - they are
a feature of the PIX, so you don't (I presume ;) get them on standard
|-> Also, I don't believe it will be possible to use host or user-based AH/ESP
|-> with NAT, since they protect the source address.
Good point - TBH, I don't know how NATs deal/don't deal with ESP.
Although the last time I looked, ESP had only been implemented with
DES, and was therefore fatally flawed (there was a draft by Bellovin
about this somewhere...)
This is not an insurmountable problem - it can be solved either at
the initial key exchange, or by the NAT in realtime, and will
hopefully be / have been solved by one of the ipsec groups - I'll go
and check out ESP again and see if NAT breaks it or not - I don't
know much about it at the mo'
|-> Stephen Sprunk
|-> At 17:34 26 02 97 +0000, Lyndon Levesley wrote:
|-> > There's always the nice 'n' easy system of using 10/8 and NAT as a
|-> >provider, making renumbering about 5 minutes work.
|-> > Even taken to the extreme, it wouldn't take long to change your BGP
|-> >announcements / have your provider change their BGP announcements /
|-> > Nameservers are a bit harder to renumber, but that's not too bad.
|-> > Wonder how long it'll be before ISPs rather than corporates start to
|-> >use NAT for most of their network.
I've had a wonderful time...
...but this wasn't it.
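The NAT mechanics described in the reply above (a pool of externally facing addresses handed out dynamically to users, static entries for service hosts, a cache of which inside address maps to which outside address, and the need to rewrite addresses carried inside the FTP control session), as an added example that is not code from the original post. The `Nat` class, `rewrite_port_command` helper and the 10.0.0.0/8, 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed for illustration.

```python
# Constructed example: a toy basic NAT (one external address per internal address,
# no port translation) with a dynamic pool, static mappings, and the FTP PORT-command
# rewrite that a NAT must perform for active-mode FTP.
import re

class Nat:
    def __init__(self, pool, static):
        self.pool = list(pool)                       # free externally facing addresses
        self.out_map = dict(static)                  # internal -> external, statics pre-loaded
        self.in_map = {e: i for i, e in static.items()}  # external -> internal

    def _external_for(self, internal):
        """Dynamic mapping: allocate from the pool on first use, then cache it."""
        if internal not in self.out_map:
            if not self.pool:
                raise RuntimeError("address pool exhausted")
            ext = self.pool.pop(0)
            self.out_map[internal] = ext
            self.in_map[ext] = internal
        return self.out_map[internal]

    def outbound(self, pkt):
        """Translate an inside->outside packet: source address, plus FTP PORT payload."""
        pkt = dict(pkt)
        ext = self._external_for(pkt["src"])
        pkt["src"] = ext
        if pkt.get("dport") == 21:
            pkt["payload"] = rewrite_port_command(pkt.get("payload", ""), ext)
        return pkt

    def inbound(self, pkt):
        """Translate an outside->inside packet; an unmapped external address is dropped."""
        internal = self.in_map.get(pkt["dst"])
        if internal is None:
            return None
        pkt = dict(pkt)
        pkt["dst"] = internal
        return pkt

# Active-mode FTP client: "PORT h1,h2,h3,h4,p1,p2" carries the client's own address.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def rewrite_port_command(payload, external_addr):
    """Replace the 10/8 address in a PORT command with the NAT's external address;
    otherwise the server would try to open the data connection to an unroutable host."""
    m = PORT_RE.match(payload)
    if not m:
        return payload
    p1, p2 = m.group(5), m.group(6)
    return "PORT %s,%s,%s\r\n" % (external_addr.replace(".", ","), p1, p2)
```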