[e2e] Re: NAT usage at large companies

RJ Atkinson rja at extremenetworks.com
Thu Oct 17 23:23:03 PDT 2002


On Wednesday, Oct 16, 2002, at 14:12 America/Montreal, John Heidemann wrote:
> On Mon, 14 Oct 2002 22:42:33 PDT, Vadim Antonov wrote:
>> On Mon, 14 Oct 2002, Joe Touch wrote:
>>> Since the NAT likely shares the majority of the path that determines RTT
>>> and bandwidth, it won't hurt sharing.
>>
>> Very often, this is not the case.  What you have in a typical organization
>> is single NAT/firewall, and a VPN behind it.  Quite often parts of that
>> VPN are on different continents :)
>
> Can folks offer some more details about how prevalent this kind of
> NAT deployment is?

	I'm not sure precisely what Joe means here.

	In my own experience, it is very very common for a geographically
distributed organisation (of any size) to buy commodity IP bandwidth
separately for each location, and put a NAT+Firewall+VPN box (typically
IPsec ESP tunnel-mode with manual keying for the VPN) at the edge of each
site.  This edge box performs NAT(+PAT) from interior addresses
(e.g. 10.x.y.z) to a global IP address of the edge box for non-VPN traffic
exiting that edge box.  The edge box uses the IPsec VPN tunnel for traffic
between that site and any other site of the same organisation.  Non-VPN
traffic is typically also subject to firewall rules performed by the same
box that performs the NAT(+PAT).  Several firms (names omitted here) make
boxes with these capabilities.

> My assumption was that NAT is primarily used by homes/small
> organizations that are geographically co-located.
>
> I would have assumed that organizations large enough to have large
> multiple, geographically distributed locations (i.e., more than just a
> few people dialing in) would use application-level gateways for most
> of their traffic (especially for web traffic).

	That is not a typical configuration in my experience.
In particular, application-level gateways seem generally uncommon
as an alternative to (NAT+Firewall+IPsec VPN) to connect multiple sites
at different locations.

> Can you suggest (or imply :-) what large organizations would deploy
> NATs as their primary means of gatewaying traffic to the Internet?

	NDAs preclude me naming particular customers who do this, but as
near as I can tell, the practice I outline above is VERY common.

Ran
rja at extremenetworks.com