
NAT: Just Say No

The enormous success of the Internet came as a surprise to almost all of its early developers, and that certainly holds true for the developers of IPv4. No one expected that the 32-bit IPv4 address space would be insufficient for what was then a small research network. But by the mid-1990s the steadily increasing demand for IP addresses threatened the remaining supply, and many predicted that the available IPv4 addresses would last only a few more years.

The long-term solution to the IP address depletion problem was to create a new version of IP with an expanded address space. Originally called IPng, for IP next generation, this proposed version eventually became IPv6. However, short-term workarounds were required to slow the rate of IPv4 address depletion until the work on IPv6 could be completed. One short-term solution was Network Address Translation (NAT). Also known as IP masquerading or Port Address Translation (PAT), NAT runs on a server, firewall, or router that sits between the Internet and a group of hosts. By rewriting source addresses and port numbers, NAT allows a large number of hosts to share a single unique IPv4 address.

Fueled by the lack of public IP addresses, 70% of Fortune 1000 companies have been forced to deploy NATs (Source: Center for Next Generation Internet). NATs are also found in hundreds of thousands of small business and home networks where several hosts must share a single IP address. NAT has been so successful in slowing the depletion of IPv4 addresses that many have questioned the need for IPv6 in the near future. However, such conclusions ignore the fact that a strategy of merely avoiding a crisis can never deliver the long-term benefits of solving the underlying problems that caused it.

NAT was never intended as a long-term solution, and it presents a number of problems in modern networks. Most significantly, NAT destroys a key benefit of the Internet as a network of 'always-on, equally-connected, easily-reachable' peers. Peer-to-peer capability is a powerful tool, empowering users to become active contributors to the Internet rather than just consumers. Peer-to-peer systems assume that a user can find and connect to another user, but if a user is hidden behind a NAT device this assumption no longer holds. As a result, current peer-to-peer systems carry an extra layer of complexity whose only purpose is to work around NAT.
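The two mechanisms described above, port rewriting so that many hosts share one address, and the resulting inability of an outside peer to reach an inside host that has not opened a flow first, can be seen in a few dozen lines. The following is an added example written for this page, not code from the original post or from the IPv6 Forum; the addresses (RFC 5737 TEST-NET ranges and RFC 1918 private space), port numbers and packets are constructed sample data, and the translator is a simplified model with no timeouts or protocol tracking.

```python
"""Toy NAT/PAT translator: many private hosts share one public IPv4 address.

Added example for illustration only (not the original post's code).
All addresses, ports and packets are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"   # constructed: the NAT's single public address
EPHEMERAL_START = 40000     # constructed: first public port the NAT hands out


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortAddressTranslator:
    """Rewrites (private ip, port) <-> (public ip, port) for TCP/UDP flows."""

    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self.next_port = EPHEMERAL_START
        # private (ip, port) -> public port chosen for that inside endpoint
        self.outbound: Dict[Tuple[str, int], int] = {}
        # public port -> private (ip, port), used to de-translate replies
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate (or reuse) a public port and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only ports an inside host already opened map anywhere.

        Returns the de-translated packet, or None when the packet is unsolicited
        (no mapping exists), which is exactly why an outside peer cannot initiate
        a connection to a host behind the NAT.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get(pkt.dst_port)
        if target is None:
            return None  # dropped: nothing inside asked for this
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo() -> Dict[str, object]:
    """Two inside hosts that happen to use the same source port share one public IP."""
    nat = PortAddressTranslator()
    host_a = nat.translate_outbound(Packet("10.0.0.2", 51000, "198.51.100.10", 80))
    host_b = nat.translate_outbound(Packet("10.0.0.3", 51000, "198.51.100.10", 80))
    # The server replies to the public port it saw; the NAT routes it back to host B.
    reply = nat.translate_inbound(Packet("198.51.100.10", 80, PUBLIC_IP, host_b.src_port))
    # An outside peer trying to reach "some host" on port 22 finds no mapping.
    unsolicited = nat.translate_inbound(Packet("198.51.100.20", 4444, PUBLIC_IP, 22))
    return {
        "host_a_public": (host_a.src_ip, host_a.src_port),
        "host_b_public": (host_b.src_ip, host_b.src_port),
        "reply_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "unsolicited_delivered": unsolicited is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both inside hosts chose source port 51000, so the NAT must rewrite the port as well as the address, which is the "clever manipulation of port numbers" the post refers to. The unsolicited packet to port 22 is dropped not because of any policy decision but because no mapping exists, which is the whole reason peer-to-peer systems need rendezvous and traversal machinery when one side sits behind a NAT.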

NAT also presents challenges for many applications that embed the host's IP address in application-layer data. This issue is particularly problematic for security protocols such as IPsec. If the Internet is to become a community of peers, strong security is essential. Additionally, NAT is a roadblock for applications requiring Quality of Service (QoS) such as Voice over IP (VoIP) and real-time video. NAT is recognized as one of the single largest roadblocks to the widescale adoption of VoIP, with its promised cost savings and enhanced communication services. NAT did help delay a global IP address crisis, but in return it has extracted a proportional 'pound of flesh' by delaying uncounted peer-to-peer network innovations and their associated cost savings.

The adoption of IPv6, with its abundance of addresses, eliminates any need for NAT and, by extension, eliminates the roadblocks to Internet progress that NAT represents.

By IPv6 Forum

Related topics: Cybersecurity, IP Addressing, IPv6, Networks, Telecom, VoIP




Re: NAT: Just Say No George Kirikos  –  Oct 26, 2003 12:01 PM PDT

NAT is useful for security, and need not be a bad thing, even if IPv6 is widely deployed. I'd rather have my company's PCs behind a firewall/router that exposes only 1 IP address, instead of having a situation where the internal network architecture is exposed by making each PC visible to the entire world.

Hackers can attempt to hit the single IP address all day, but won't be able to see what's behind it as they are all machines in the 192.168.xxx.yyy or 10.aaa.bbb.ccc address spaces, which are private and unreachable.

Re: NAT: Just Say No Mike O'Donnell  –  Oct 31, 2003 9:23 PM PDT

NAT has nothing essential to do with security. Packet filtering is useful for security. Packet filtering is often bundled with NAT, but is completely independent. Packet filtering can be installed on any bottleneck with or without NAT.

Mike O'Donnell

Re: NAT: Just Say No James Seng  –  Nov 04, 2003 11:32 PM PDT

NAT != Security.

It gives you certain invisibility, which is like a false sense of security. But it does not mean you are secure.

Re: NAT: Just Say No George Kirikos  –  Nov 05, 2003 7:51 AM PDT

Right, I didn't mean to imply it was the ultimate in security — "security through obscurity" never is the best choice. But, if all IP addresses were "public", would that be better, rather than having the option to obscure things a little? Presumably IPv6 would have something comparable, though, to allow obscurity of devices that don't need to be seen by the outside world? (e.g. you don't need to see the IP address of my printer)

Re: NAT: Just Say No Candace  –  Nov 06, 2003 4:42 PM PDT

NAT is not really recognized as the biggest roadblock to VoIP when you have companies like Jasomi implementing NAT traversal engines.

NAT is the biggest roadblock to the newer emerging technologies, involved with pervasive and location-aware computing.  We can have "smart buildings" with NAT but we cannot have smart communities of smart buildings.

Re: NAT: Just Say No Phil Howard  –  Nov 09, 2003 10:45 AM PDT

Having all IP addresses public is not any less secure or vulnerable, given a correct firewall configuration.  If you deny by default, and open exactly what should be allowed (address and port tuple), you are as secure as the firewall can do, short of advanced features like protocol specific inspection, etc.

What does it matter if I see the IP address of your printer or not?  If I see your IPv6 subnet assignment, I can speculate every address you might have (billions and billions and ...) but cannot reach.  So what if I happen to just guess what your actual printer IP address is?  Since the firewall won't let me reach it, I won't know if it is really there or not.  All that I will be able to reach is what your firewall allows me to reach.  Surely you are not going to expose your internet printer names on your external authoritative DNS server.

By not having NAT, what I can learn about you that NAT would obscure, is whether or not different services are running on different addresses.  If you expose FTP and HTTP, I can see if they are the same IP address.  Even then, I won't know that they are, or are not, IP aliases, or a multihomed machine.  I even recommend that, given enough IP addresses (which IPv6 will do for everyone), every service should be on a different IP address just so it can be "vectored" wherever you might choose to do so.

It sounds like perhaps you (like so many others) have become so dependent on NAT as a form of security, that your firewall is in fact wide open (e.g. does not deny by default).  It may be effectively secure that way, but the danger is that it taught an incorrect approach to security that does not work universally.

Even denying by default shouldn't be necessary to be secure if all servers correctly understand who they are communicating with.  With IPsec or TLS layered connections, along with strong authentication, all a firewall does is keep unwanted traffic from eating up internal LAN bandwidth (which is generally going to be higher than the outside pipe).
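The point made in this thread, that filtering is independent of NAT and that a deny-by-default filter on public addresses exposes no more than a NAT does, can be demonstrated with a small policy model. This is an added example, not code from any commenter or from the original post; the IPv6 addresses are from the 2001:db8::/32 documentation prefix, and the rules, hosts and packets are constructed. The model keeps a table of inside-initiated flows so that replies are admitted, which is the stateful behaviour a real firewall provides, and compares a deny-by-default policy against a permit-by-default one.

```python
"""Deny-by-default packet filter on globally addressed hosts, no NAT involved.

Added example for illustration only (not code from the original post or
any commenter). Addresses, rules and packets are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Firewall:
    """Stateful filter: explicit allow tuples plus replies to inside-initiated flows."""

    def __init__(self, default_allow: bool, allowed: Set[Tuple[str, int]]) -> None:
        self.default_allow = default_allow   # True models a "permit unless denied" box
        self.allowed = set(allowed)          # (dst_ip, dst_port) pairs opened on purpose
        self.established: Set[FlowKey] = set()

    def outbound(self, pkt: Packet) -> None:
        """Record an inside-initiated flow so its reply direction is admitted."""
        self.established.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def inbound(self, pkt: Packet) -> bool:
        """Return True if an outside packet is admitted to the inside host."""
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.established:
            return True   # reply to something inside asked for
        if (pkt.dst_ip, pkt.dst_port) in self.allowed:
            return True   # explicitly published service
        return self.default_allow


def exposed_services(fw: Firewall, inside: List[Tuple[str, int]],
                     outside_ip: str = "2001:db8:ffff::1") -> List[Tuple[str, int]]:
    """Audit helper: which inside (ip, port) pairs would a new outside connection reach?"""
    return [(ip, port) for ip, port in inside
            if fw.inbound(Packet(outside_ip, 40000, ip, port))]


def demo() -> dict:
    # Constructed inside network: a web server meant to be public, a printer that is not.
    inside = [("2001:db8::10", 80), ("2001:db8::20", 631)]
    allowed = {("2001:db8::10", 80)}
    strict = Firewall(default_allow=False, allowed=allowed)
    lax = Firewall(default_allow=True, allowed=allowed)

    # The printer fetches something from outside; the reply must still get back.
    strict.outbound(Packet("2001:db8::20", 50000, "2001:db8:ffff::1", 443))
    reply = Packet("2001:db8:ffff::1", 443, "2001:db8::20", 50000)

    return {
        "strict_exposes": exposed_services(strict, inside),
        "lax_exposes": exposed_services(lax, inside),
        "strict_admits_reply": strict.inbound(reply),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With deny-by-default, a guessed printer address is unreachable even though it is globally routable, so guessing it reveals nothing; with permit-by-default, every inside host is exposed, which is the configuration the comment warns has been masked by relying on NAT. The established-flow table is what makes the strict policy usable without NAT: the printer's own outbound connection gets its reply while unsolicited traffic to it does not.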

Re: NAT: Just Say No George Kirikos  –  Nov 09, 2003 11:08 AM PDT

I agree with you, Phil. The key is, as you said, "given a correct firewall configuration". When IPv6 rolls out here, I'd likely take advantage of it properly, as I can be pretty confident about having a correct firewall configuration, having used and programmed computers for a while.

An average Joe User might not have that confidence, though, and might only be using the web and email. They can't be counted on to keep everything updated and properly configured. The "KISS" principle, "Keep It Simple Stupid", would apply. Although, hopefully firewalls become even easier to use, so that EVERYONE has one (one can see Microsoft is now making a big push for folks to get them, to reduce the impact of their operating system exploits).

There's a discussion on IPv6 NAT on the NANOG mailing list too, by the way. See:


and related posts.

Re: NAT: Just Say No Phil Howard  –  Nov 09, 2003 12:27 PM PDT

A "correct firewall" will also deny by default, and provide the owner/operator/administrator with a simple tool to designate what services are to be open.  A user not smart enough to know he needs to turn services on to make the firewall "work" would most likely be using Windows.  The (optional) software would immediately come up stating that the firewall is "blocking everything ... what would you like to unblock?".  Joe user won't need to know port numbers because the DUI (dumb user interface ... but they won't know it means that) will just say things like "Your web server?  To allow access to it, enter the IP address of it" in a basic control panel.  Smarter firewalls might include buttons like "Autoconfigure" which finds services and asks if they should be open or not (for most services).

NAT's "security" is a side-effect, all of which can be gotten by other means, whether IPv4 or IPv6.  NAT could still have some occasional justified uses even in the IPv6 realm.  A "correct firewall" starts with the firewall makers.  The problem has been that too many non-NAT firewalls were "everything permitted by default", and that's not correct.

Will we be able to get rid of NAT as IPv6 goes into wide deployment?  No.  Will firewall makers all do "the right thing"?  No.  But at least we can say "You no longer need NAT" and be correct in that statement.  Joe User might still have it for his home LAN because he knows no better (and his firewall maker doesn't, either).  But those who use correct firewalls, or have the smarts to know how to change those we have to become correct, can successfully deploy NAT-less IPv6 connectivity and be as secure as the current state of the art allows.

Re: NAT: Just Say No George Kirikos  –  Nov 09, 2003 12:43 PM PDT

I agree with you 100%. What really, really bothers me is that in the past 25 years of the PC revolution, computers are still so hard to use. Was it the same 25 years after the telephone was invented, or TV, or the automobile? I doubt it. Just like most folks don't want to tinker with the engine of their car, most folks don't want to be wasting so much time on their PCs getting it to 'work' — they'd want to just turn it on, and have it work.

When most grandmothers are online, I think then we'll know that the PC revolution has succeeded.

Re: NAT: Just Say No Paul Wilson  –  Nov 13, 2003 7:40 AM PDT

It should be noted that NAT is not required or recommended by the policies of any Regional Internet Registry.  On the contrary, the assignment of public address space by ISPs to their customer networks is fully supported by well-defined policies and procedures, and additional addresses are readily available to ISPs which consume their address space in this manner. 

It does appear that many ISPs choose not to make public addresses available to customers, for a variety of reasons of technical or business policy.  However such policies are adopted at the choice of the ISP concerned, and are not encouraged in any way by RIRs.

Paul Wilson
Director General, APNIC
