[e2e] Re: NAT usage at large companies
Joe Touch
touch at ISI.EDU
Fri Oct 18 12:56:29 PDT 2002
RJ Atkinson wrote:
>
> On Wednesday, Oct 16, 2002, at 14:12 America/Montreal, John Heidemann
> wrote:
>
>> On Mon, 14 Oct 2002 22:42:33 PDT, Vadim Antonov wrote:
>>
>>> On Mon, 14 Oct 2002, Joe Touch wrote:
>>>
>>>> Since the NAT likely shares the majority of the path that determines
>>>> RTT and bandwidth, it won't hurt sharing.
>>>
>>> Very often, this is not the case. What you have in a typical
>>> organization is single NAT/firewall, and a VPN behind it. Quite often
>>> parts of that VPN are on different continents :)
>>
>> Can folks offer some more details about how prevalent this kind of
>> NAT deployment is?
>
> I'm not sure precisely what Joe means here.
I was talking about a case where the NAT provided access to a set of
nearby resources. NATs alias connections to those resources, presenting
them as if all at the NAT.
In such a case, TCB sharing works fine; the dominant part of the path
(BW, latency, loss, etc.) is shared, so the aliasing doesn't hurt.
Vadim presented a counterexample in which a single NAT hid
geographically distributed resources, which indeed could defeat TCB sharing.
> In my own experience, it is very very common for a geographically
> distributed organisation (of any size) to buy commodity IP bandwidth
> separately for each location, and put a NAT+Firewall+VPN box (typically
> IPsec ESP tunnel-mode with manual keying for the VPN) at the edge of each
> site.
Vadim was referring to a single NAT. Cases with multiple NATs, each for
a separate local region, are equivalent to the case I was discussing.
Joe
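The distinction Joe draws above (sharing a TCB across connections to a NAT address is harmless when the aliased hosts share the dominant path, and can misfire when one NAT fronts hosts on different continents) as an added toy model. This is not code from the thread or from any participant; it assumes an RFC 2140-style sender that caches SRTT/RTTVAR per destination address and seeds new connections from that cache, RFC 6298 RTO arithmetic with a 200 ms floor (the Linux default), and constructed addresses and RTTs. It also models the "one NAT per site" layout from RJ's message, which gives each region its own cache key.

```python
"""Toy model (added here, not part of the thread) of what RFC 2140-style
TCB sharing does when a NAT aliases several hosts behind one address.

Assumptions of mine: the sender caches SRTT/RTTVAR per destination address
it sees and seeds new connections from that cache; RTO follows RFC 6298 with
a 200 ms floor, as Linux uses.  Addresses and RTTs are constructed values.
"""
from typing import Dict, List, Optional, Tuple

ALPHA, BETA, K = 1.0 / 8, 1.0 / 4, 4   # RFC 6298 smoothing constants
MIN_RTO = 0.2                          # seconds; assumed floor, Linux-like
INITIAL_RTO = 1.0                      # RFC 6298 RTO before any RTT sample


class PathEstimate:
    """SRTT/RTTVAR for one destination address, per RFC 6298 section 2."""

    def __init__(self) -> None:
        self.srtt: Optional[float] = None
        self.rttvar: Optional[float] = None

    def sample(self, r: float) -> None:
        if self.srtt is None:                 # first measurement
            self.srtt, self.rttvar = r, r / 2
        else:                                 # RTTVAR is updated before SRTT
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - r)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * r

    def rto(self) -> float:
        if self.srtt is None:
            return INITIAL_RTO
        return max(MIN_RTO, self.srtt + K * self.rttvar)


class SharedTCBCache:
    """Cross-connection cache keyed by the address the sender sees.

    Behind a NAT that address is the NAT's public side, so every host the
    NAT hides shares one entry: this is the aliasing the thread discusses."""

    def __init__(self) -> None:
        self._paths: Dict[str, PathEstimate] = {}

    def learn(self, seen_addr: str, rtt_samples: List[float]) -> None:
        est = self._paths.setdefault(seen_addr, PathEstimate())
        for r in rtt_samples:
            est.sample(r)

    def seed_rto(self, seen_addr: str) -> float:
        """RTO a brand-new connection to seen_addr starts with."""
        return self._paths.get(seen_addr, PathEstimate()).rto()


def assess_sharing(
    hosts: Dict[str, Tuple[str, float]],
    warmed: str,
    n_samples: int = 20,
) -> Dict[str, Dict[str, object]]:
    """hosts maps name -> (address the sender sees, true RTT in seconds).

    The sender first completes n_samples exchanges with `warmed`, then opens
    a fresh connection to every host.  A seeded RTO below the true RTT means
    the first segment's timer fires before its ACK can possibly arrive: a
    spurious retransmission and a collapsed window on a path that lost
    nothing."""
    cache = SharedTCBCache()
    warm_addr, warm_rtt = hosts[warmed]
    cache.learn(warm_addr, [warm_rtt] * n_samples)
    report: Dict[str, Dict[str, object]] = {}
    for name, (addr, true_rtt) in hosts.items():
        rto = cache.seed_rto(addr)
        report[name] = {"seed_rto": rto, "true_rtt": true_rtt,
                        "spurious_rto": rto < true_rtt}
    return report


# Vadim's case: one NAT in front of a VPN that spans continents (constructed).
ONE_NAT = {
    "web-local":  ("198.51.100.1", 0.05),
    "db-local":   ("198.51.100.1", 0.06),
    "mirror-far": ("198.51.100.1", 0.30),  # other continent, same public address
}

# RJ's / Joe's case: a NAT per site, so each region has its own address.
NAT_PER_SITE = {
    "web-local":  ("198.51.100.1", 0.05),
    "db-local":   ("198.51.100.1", 0.06),
    "mirror-far": ("203.0.113.7", 0.30),
}

if __name__ == "__main__":
    for label, hosts in (("single NAT", ONE_NAT), ("NAT per site", NAT_PER_SITE)):
        print(label)
        for name, row in assess_sharing(hosts, warmed="web-local").items():
            print(f"  {name:11s} seed RTO {row['seed_rto']:.2f}s "
                  f"true RTT {row['true_rtt']:.2f}s "
                  f"{'SPURIOUS RTO' if row['spurious_rto'] else 'ok'}")
```

With the single NAT, twenty exchanges with the nearby web host drive the cached RTO down to the 200 ms floor, which still covers the 60 ms database host but not the 300 ms mirror behind the same public address. With a NAT per site the mirror's address has no cache entry, so its connection starts from the conservative 1 s initial RTO and the sharing does no harm.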