[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT and NAT
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: NAT and NAT
- From: Chuck Yerkes <chuck+obsd_(_at_)_2003_(_dot_)_snew_(_dot_)_com>
- Date: Tue, 17 Dec 2002 11:16:25 -0800
- Mail-followup-to: Chuck Yerkes <chuck+obsd_(_at_)_2003_(_dot_)_snew_(_dot_)_com>, misc_(_at_)_openbsd_(_dot_)_org
- Reply-to: misc_(_at_)_openbsd_(_dot_)_org
Quoting Derick Siddoway (derick_(_at_)_panther_(_dot_)_bitflood_(_dot_)_net):
> Quick question. Let's say I have the following setup:
> Internet <--> RouterA + NAT for 192.168.1.x <--> RouterB + NAT for 10.x.x.x
> Now, I don't think that you can have nat on routers two deep like
> this, but I'm looking for confirmation.
It works fine. Our labs used 10/8 addresses, our regular
network had another NAT address. We regulary used ftp
and http from the lab to the Internet just like this.
There were ugly ways to open a connection back IN
(we needed a vendor to hit RouterA on a certain
port and end up on a 10.x.x.x address on port 443),
but it was a pain in the tushy.
Recall though, that NAT came about as a hack to deal
with two things:
- IPv4 address space exhaustion
- Routing table sizes:
Shown by the refusal of backbones to route 24 bit networks.
In 1993, we had a full feed of something like 24,000 routes. This
stressed routed on our 64MB, 25MHz machine. Currently, there
are, IIRC, something like 45k routes. Without NAT, we expected
45k routes by 1995.
- NAT is now seen as a poor man's firewall. I guess it's like
not putting your address on your house. Maintaining state makes
it less meaningless than it has been, but it also stops
current IPSec and several other things that keep address within
- NAT was also a convenient way to handle corporate mergers.
Two companies happen to use 10/8. You can spend a forever
getting them into unique spaces, or you can do a double
NAT box like this, to mitigate some of the issues, WITHIN
REASONABLE limits (20k concurrent connections is a bitch
for any stack).
And what, you can't move to IPv6 inside and a FAITH gateway? :)