
List:       ipfilter
Subject:    Re: Bridging and NAT - philosophical question
From:       "Crist J. Clark" <crist.clark () attbi ! com>
Date:       2002-04-30 7:50:11

On Mon, Apr 29, 2002 at 06:11:48PM -0400, Carson Gaspar wrote:
> 
> 
> --On Monday, April 29, 2002 11:05 AM -0700 "Crist J. Clark" 
> <crist.clark@attbi.com> wrote:
> 
> > I knew this (and didn't care since a NAT'ing bridge is such a heinous
> > concept (oh, and it would be a lot more work to do it right)) back
> > when I was adding the code, but then I forgot it in the meantime.
> 
> OK, I understand all the reasons why NAT is an abomination, in general. 
> What I _don't_ understand is why NAT is more evil on a bridge than on a 
> router. Can someone who espouses that religion enlighten me? My initial 
> analysis yields:
> 
> - NAT frequently occurs between a real network and a virtual network (one 
> which exists nowhere, except in a routing table). The firewall having or 
                                    ^^^^^^^
> not having IP addresses seems to be irrelevant to the discussion.

Routing. Network layer. Router. Not bridge.

> - NAT on a bridge makes 2 (or more) parts of a network segment have a 
> different view of the routing universe. I can see this being bizarre if 
                        ^^^^^^^
> there are hosts on the local nets, but if the bridge has no local hosts, 
> this should not be an issue.

Routing. Network layer. Router. Not bridge.

Routing is done between different logical networks, that is networks
with different network numbers. Pretty much by definition, when a
machine is doing NAT, it is the gateway between two logical
networks. And another thing is that one of the uses of NAT is to make
a router look kinda like a bridge (when you want machines on a local
physical network to think a machine on a different physical network is
local, a NAT box can do the trick). If you actually _have_ a bridge in
that case, why do NAT?

That's not to say that I absolutely believe there is no situation
where a NATing bridge might be the best kludg^W solution. But I can't
fathom one. Anyone can feel free to enlighten me. And if they are
compelling, I can make ipnat(8) work with FreeBSD bridging (and an
offer of $$$ for my time would compel me whether or not I find their
arguments aesthetically pleasing ;).
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org