NAT PROs

  • Use of a single registered IP address for an entire network
  • Independence from ISP-assigned IP addresses (changing providers does not force renumbering of the internal network)
  • Transparent to end systems in some cases (commonly cited as a security benefit, but see the firewall discussion below)
  • Delays the need to replace IPv4 by slowing the consumption of registered address space
  • Masks the true internal IP addresses of the internal network

NAT CONs

  • Breaks the end-to-end model: hosts no longer communicate using their real addresses, so protocols that carry or authenticate addresses end to end can fail
  • Enables address conflicts: the private IP space chosen might already be in use elsewhere (for example when two networks are merged or linked by VPN), and free use of private space encourages poor address management
  • Increases local support burden and complexity
  • Certain applications do not work properly in conjunction with NAT
    • Certain NAT boxes don’t allow member NT servers to talk to a PDC
    • Applications needing encryption and key exchange might be problematic (for example IPsec AH, whose integrity check covers the IP header fields that NAT rewrites)
  • Increases the probability of mis-addressing
  • Static one-to-one mapping of registered IPs to private IPs requires additional configuration work
  • Possible performance degradation as the translation table nears its limit (about 25,000 concurrent connections on some NAT boxes)
  • Prevents management of internal hosts from the public side of the NAT box unless explicit inbound mappings are configured

Based on the above information and on past experience, DoIT Network Services recommends NOT using NAT if other solutions are available. The UW has plenty of IP space for departments if IP space is the concern.

If security is the concern and you have purchased a firewall to protect yourself, then NAT isn’t really buying you any extra value. A host behind a NAT box that is initiating a DoS attack would be very difficult to track down. Since the host is being NATted to one or many registered IP addresses, the outside world sees only the registered address, and it is hard to determine which machine on the private network is the source unless the NAT box logs each translation it creates. You might ask how a machine on the private network could become compromised in the first place. In most cases, it is due to laptops or to unsecured wireless access points attached to the network.
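The attribution problem above, worked through as an added example (this is not part of the DoIT memo). It assumes the NAT box writes one log line per translation it creates or removes; the log format, the registered address 192.0.2.10, the private network 10.0.5.0/24 and every log line are constructed for illustration and do not correspond to any particular vendor. A complaint that names only the registered address yields every host that ever used it; a complaint with the public port and a timestamp, matched against the translation log, narrows it to one.

```python
"""Attributing traffic seen on the public side of a NAT box to the inside host
that originated it. Added example, not from the DoIT memo. The translation log
format, the addresses (192.0.2.10 as the registered address, 10.0.5.0/24 as
the private network) and the log lines are all constructed for illustration."""
import re
from datetime import datetime

# Constructed translation log: one line per mapping the NAT box created or
# removed. Several inside hosts share the single registered address (many-to-one).
NAT_LOG = """\
2003-07-29 10:14:02 CREATED tcp inside=10.0.5.17:49201 outside=192.0.2.10:3001 dst=203.0.113.8:80
2003-07-29 10:14:05 CREATED tcp inside=10.0.5.23:1033 outside=192.0.2.10:3002 dst=203.0.113.8:80
2003-07-29 10:14:09 CREATED udp inside=10.0.5.41:1024 outside=192.0.2.10:3003 dst=198.51.100.20:53
2003-07-29 10:15:30 DELETED tcp inside=10.0.5.17:49201 outside=192.0.2.10:3001 dst=203.0.113.8:80
some other message from the NAT box that is not a translation record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>CREATED|DELETED) (?P<proto>tcp|udp) "
    r"inside=(?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"outside=(?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_nat_log(text):
    """Parse translation records; lines that do not match the format are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        for key in ("in_port", "out_port", "dst_port"):
            rec[key] = int(rec[key])
        entries.append(rec)
    return entries


def mapping_lifetimes(entries):
    """Pair each CREATED record with its DELETED record, giving (start, end, record).
    end is None for mappings still active at the end of the log."""
    open_maps, lifetimes = {}, []
    for rec in entries:
        key = (rec["proto"], rec["in_ip"], rec["in_port"], rec["out_ip"], rec["out_port"],
               rec["dst_ip"], rec["dst_port"])
        if rec["event"] == "CREATED":
            open_maps[key] = rec
        elif key in open_maps:
            created = open_maps.pop(key)
            lifetimes.append((created["ts"], rec["ts"], created))
    lifetimes.extend((rec["ts"], None, rec) for rec in open_maps.values())
    return lifetimes


def attribute(entries, public_ip, public_port, when):
    """Inside hosts whose mapping matched public_ip:public_port at time `when`
    (a string in TS_FORMAT). With port-level logging this is normally one host."""
    at = datetime.strptime(when, TS_FORMAT)
    hits = set()
    for start, end, rec in mapping_lifetimes(entries):
        if (rec["out_ip"] == public_ip and rec["out_port"] == public_port
                and start <= at and (end is None or at <= end)):
            hits.add(rec["in_ip"])
    return sorted(hits)


def suspects_by_address_only(entries, public_ip):
    """What you are left with when the complaint names only the registered
    address: every inside host that was ever translated to it."""
    return sorted({rec["in_ip"] for rec in entries if rec["out_ip"] == public_ip})


if __name__ == "__main__":
    log = parse_nat_log(NAT_LOG)
    print("complaint with only the address:", suspects_by_address_only(log, "192.0.2.10"))
    print("complaint with address, port and time:",
          attribute(log, "192.0.2.10", 3001, "2003-07-29 10:15:00"))
```

The practical point is that the translation log, not the firewall log, is the record that ties a registered address and port back to a private host, and it is only useful if the NAT box is configured to keep it and the clocks of the NAT box and the complainant agree closely enough to place the event inside a mapping's lifetime.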

We’ve seen cases where some firewalls running NAT do not translate the source IP address in the NetBIOS header, causing domain trust relationships to break and clients attempting to log on to the domain to fail.
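One concrete form of the untranslated-address problem, as an added example that is not part of the DoIT memo: the NetBIOS Datagram Service header (RFC 1002, section 4.4.1) carries the sender's IP address and port inside the UDP payload, so a NAT box that rewrites only the IP header leaves a private address that the receiver cannot reply to. The code below parses that header, flags a datagram whose embedded source disagrees with the outer IP source, and shows the in-place rewrite an application-layer gateway has to perform. The datagrams and addresses (10.0.5.17 inside, 192.0.2.10 registered) are constructed.

```python
"""Checking for the NetBIOS translation gap described above: the NAT box rewrote
the IP header's source address but left the source address embedded in the
NetBIOS Datagram Service header (RFC 1002, section 4.4.1) untouched, so the
receiver sees a private address it cannot reach. Added example, not from the
DoIT memo; the datagrams and addresses below are constructed."""
import socket
import struct

# RFC 1002 4.4.1 datagram header, network byte order:
# MSG_TYPE(1) FLAGS(1) DGM_ID(2) SOURCE_IP(4) SOURCE_PORT(2) DGM_LENGTH(2) PACKET_OFFSET(2)
NBDGM_HEADER = struct.Struct("!BBH4sHHH")
NBDGM_MSG_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST"}
NBDGM_UDP_PORT = 138


def build_netbios_datagram(source_ip, source_port, user_data, dgm_id=0x1234, msg_type=0x10):
    """Construct a minimal NetBIOS datagram (header + opaque USER_DATA) for testing.
    FLAGS 0x02 = FIRST fragment, B-node (RFC 1002 4.4.1)."""
    header = NBDGM_HEADER.pack(msg_type, 0x02, dgm_id, socket.inet_aton(source_ip),
                               source_port, len(user_data), 0)
    return header + user_data


def parse_netbios_datagram(payload):
    """Decode the datagram header; raises ValueError on anything that is not one."""
    if len(payload) < NBDGM_HEADER.size:
        raise ValueError("short NetBIOS datagram header")
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, offset = NBDGM_HEADER.unpack_from(payload)
    if msg_type not in NBDGM_MSG_TYPES:
        raise ValueError("not a NetBIOS datagram message type: 0x%02x" % msg_type)
    return {"msg_type": NBDGM_MSG_TYPES[msg_type], "flags": flags, "dgm_id": dgm_id,
            "source_ip": socket.inet_ntoa(src_ip), "source_port": src_port,
            "length": dgm_len, "offset": offset}


def nat_left_embedded_address(outer_src_ip, payload):
    """True when the IP header source (what the NAT box rewrote) disagrees with the
    source address still carried inside the NetBIOS header. Run this on UDP/138
    traffic captured on the public side of the NAT box."""
    return parse_netbios_datagram(payload)["source_ip"] != outer_src_ip


def translate_embedded_address(payload, new_ip, new_port=None):
    """What a NAT application-layer gateway has to do in addition to rewriting the
    IP header: patch SOURCE_IP (and SOURCE_PORT, if ports are translated) in place."""
    fields = list(NBDGM_HEADER.unpack_from(payload))
    fields[3] = socket.inet_aton(new_ip)
    if new_port is not None:
        fields[4] = new_port
    return NBDGM_HEADER.pack(*fields) + payload[NBDGM_HEADER.size:]


if __name__ == "__main__":
    # Constructed: private host 10.0.5.17 sends a datagram; the NAT box maps it to 192.0.2.10.
    dgm = build_netbios_datagram("10.0.5.17", NBDGM_UDP_PORT, b"\x00" * 8)
    print("mismatch after header-only NAT:", nat_left_embedded_address("192.0.2.10", dgm))
    fixed = translate_embedded_address(dgm, "192.0.2.10")
    print("mismatch after ALG rewrite:", nat_left_embedded_address("192.0.2.10", fixed))
```

Applying the mismatch check to a capture taken on the public side of the NAT box is a quick way to confirm whether a given firewall is rewriting the embedded address or only the IP header.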

7/29/2003