[e2e] Re: NAT usage at large companies
RJ Atkinson
rja at extremenetworks.com
Thu Oct 17 23:23:03 PDT 2002
On Wednesday, Oct 16, 2002, at 14:12 America/Montreal, John Heidemann wrote:
> On Mon, 14 Oct 2002 22:42:33 PDT, Vadim Antonov wrote:
>> On Mon, 14 Oct 2002, Joe Touch wrote:
>>> Since the NAT likely shares the majority of the path that determines
>>> RTT and bandwidth, it won't hurt sharing.
>>
>> Very often, this is not the case. What you have in a typical
>> organization is a single NAT/firewall, and a VPN behind it. Quite often
>> parts of that VPN are on different continents :)
>
> Can folks offer some more details about how prevalent this kind of
> NAT deployment is?
I'm not sure precisely what Joe means here.

In my own experience, it is very, very common for a geographically
distributed organisation (of any size) to buy commodity IP bandwidth
separately for each location, and put a NAT+Firewall+VPN box (typically
IPsec ESP tunnel-mode with manual keying for the VPN) at the edge of each
site. This edge box performs NAT(+PAT) from interior addresses
(e.g. 10.x.y.z) to a global IP address of the edge box for non-VPN traffic
exiting that edge box. The edge box uses the IPsec VPN tunnel for traffic
between that site and any other site of the same organisation. Non-VPN
traffic is typically also subject to firewall rules performed by the same
box that performs the NAT(+PAT).

Several firms (names omitted here) make boxes with these capabilities.
> My assumption was that NAT is primarily used by homes/small
> organizations that are geographically co-located.
>
> I would have assumed that organizations large enough to have large
> multiple, geographically distributed locations (i.e., more than just a
> few people dialing in) would use application-level gateways for most
> of their traffic (especially for web traffic).
That is not a typical configuration in my experience.
In particular, application-level gateways seem generally uncommon
as an alternative to (NAT+Firewall+IPsec VPN) to connect multiple sites
at different locations.
> Can you suggest (or imply :-) what large organizations would deploy
> NATs as their primary means of gatewaying traffic to the Internet?
NDAs preclude me naming particular customers who do this, but as
near as I can tell, the practice I outline above is VERY common.
Ran
rja at extremenetworks.com
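A sketch of the edge-box egress decision Ran describes (match the VPN selectors first, then NAT(+PAT) everything else leaving the site), written as an added example in Python; it is not from the post or from any vendor's product, and the site prefixes, the public address and the port pool are constructed for illustration.

```python
import ipaddress
from itertools import count

# Constructed topology (not from the post): one organisation, two sites,
# each behind an edge box that does NAT(+PAT) plus an IPsec ESP tunnel.
LOCAL_SITE = ipaddress.ip_network("10.1.0.0/16")
REMOTE_SITES = [ipaddress.ip_network("10.2.0.0/16")]   # reached via the VPN
EDGE_PUBLIC_IP = "192.0.2.1"                            # documentation range
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class EdgeBox:
    """Models the egress path of the NAT+Firewall+VPN box for one site."""

    def __init__(self):
        self.pat_table = {}          # (interior ip, port) -> public port
        self._ports = count(20000)   # constructed ephemeral port pool

    def egress(self, src_ip, src_port, dst_ip, dst_port):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src not in LOCAL_SITE:
            # Anti-spoofing: only interior addresses may originate here.
            return ("drop", None, None)
        # Order matters: inter-site traffic must match the tunnel policy
        # BEFORE PAT rewrites the source, otherwise it would no longer match
        # the IPsec selectors and would leave via NAT in the clear.
        if any(dst in net for net in REMOTE_SITES):
            return ("ipsec-esp-tunnel", src_ip, src_port)   # inner addrs kept
        # Firewall rule: private destinations that are not a known site are
        # not routable on the Internet; drop rather than leak them.
        if any(dst in net for net in RFC1918):
            return ("drop", None, None)
        # Everything else is non-VPN traffic: NAT(+PAT) to the public address,
        # reusing an existing mapping for the same interior (ip, port).
        key = (src_ip, src_port)
        if key not in self.pat_table:
            self.pat_table[key] = next(self._ports)
        return ("nat-pat", EDGE_PUBLIC_IP, self.pat_table[key])
```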