
NAT: Just Say No

The enormous success of the Internet came as a surprise to almost all of its early developers, and that certainly holds true for the developers of IPv4. No one expected that the 32-bit IPv4 address space would be insufficient to accommodate the future needs of what was then a small research network. But by the mid-1990s the steadily increasing demand for IP addresses threatened the remaining supply. Many predicted that the available IPv4 addresses would last for only a few more years.

The long-term solution to the IP address depletion problem was to create a new version of IP with an expanded address space. Originally called IPng for IP next generation, this proposed version eventually became IPv6. However, short-term workarounds were required to slow the rate of IPv4 address depletion until the work on IPv6 could be completed. One short-term solution was Network Address Translation (NAT). Also known as IP masquerading or Port Address Translation (PAT), NAT resides between the Internet and a group of hosts on a server, firewall, or router. Through a clever manipulation of port numbers, NAT allows a large number of hosts to share a single unique IPv4 address.

Driven by the shortage of public IP addresses, 70% of Fortune 1000 companies have been forced to deploy NATs (Source: Center for Next Generation Internet). NATs are also found in hundreds of thousands of small business and home networks where several hosts must share a single IP address. NAT has been so successful in slowing the depletion of IPv4 addresses that many have questioned the need for IPv6 in the near future. Such conclusions, however, ignore the fact that a strategy based on avoiding a crisis can never provide the long-term benefits that come from solving the underlying problems that precipitated it.

However, NAT was never intended as a long-term solution, and it presents a number of problems in modern networks. Most significantly, NAT destroys a key benefit of the Internet as a network of 'always-on, equally-connected, easily-reachable' peers. Peer-to-peer capability is a powerful tool, empowering users to become active contributors to the Internet rather than just consumers. Peer-to-peer systems assume that a user can find and connect to another user, but if a user is hidden behind a NAT device this assumption no longer holds. As a result, present peer-to-peer systems carry an extra layer of complexity whose only purpose is to work around NAT.
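As an added illustration of the port manipulation described above and of the peer-reachability problem (example code written for this page, not from the IPv6 Forum article), a toy Port Address Translation table in Python. The addresses are constructed from the RFC 5737 documentation ranges and the `PortNat` class is hypothetical.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"  # constructed public address from a documentation range

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PortNat:
    """Port Address Translation: many private hosts share one public IPv4 address."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port  # next free public port to hand out
        self.outbound = {}   # (private_ip, private_port) -> public port
        self.inbound = {}    # public port -> (private_ip, private_port)

    def translate_outbound(self, pkt):
        """Rewrite a packet leaving the LAN; allocate a public port on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Rewrite a packet arriving from the Internet, or return None (drop)
        when no inside host ever opened a mapping for that public port."""
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])

def demo():
    """Two LAN hosts using the same private source port, one reply, one unsolicited peer."""
    nat = PortNat(PUBLIC_IP)
    a = nat.translate_outbound(Packet("192.168.1.10", 5000, "198.51.100.7", 80))
    b = nat.translate_outbound(Packet("192.168.1.11", 5000, "198.51.100.7", 80))
    reply_a = nat.translate_inbound(Packet("198.51.100.7", 80, PUBLIC_IP, a.src_port))
    # A peer on the Internet tries to reach 192.168.1.10 directly: no mapping
    # exists for that port, so the NAT has nowhere to deliver the packet.
    peer = nat.translate_inbound(Packet("198.51.100.9", 6881, PUBLIC_IP, 6881))
    return a, b, reply_a, peer
```

Both inside hosts leave with the same public address but different public ports, the server's reply is routed back to the right host, and the unsolicited peer connection is dropped, which is exactly the obstacle peer-to-peer systems must work around.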

NAT also presents challenges for many applications that embed the host's IP address in application-layer data. This is particularly problematic for security protocols such as IPsec. If the Internet is to become a community of peers, strong security is essential. Additionally, NAT is a roadblock for applications requiring Quality of Service (QoS), such as Voice over IP (VoIP) and real-time video. NAT is recognized as one of the largest single roadblocks to the wide-scale adoption of VoIP, with its promised cost savings and enhanced communication services. NAT was helpful in delaying a global IP address crisis, but in return it has extracted a proportional 'pound of flesh' by delaying uncounted peer-to-peer network innovations and their associated cost savings.

The adoption of IPv6, with its abundance of addresses, eliminates any need for NAT and, by extension, eliminates the roadblocks to Internet progress that NAT represents.

By IPv6 Forum


Comments

Re: NAT: Just Say No George Kirikos  –  Oct 26, 2003 11:01 AM PST

NAT is useful for security, and need not be a bad thing, even if IPv6 is widely deployed. I'd rather have my company's PCs behind a firewall/router that exposes only 1 IP address, instead of having a situation where the internal network architecture is exposed by making each PC visible to the entire world.

Hackers can attempt to hit the single IP address all day, but won't be able to see what's behind it as they are all machines in the 192.168.xxx.yyy or 10.aaa.bbb.ccc address spaces, which are private and unreachable.

Re: NAT: Just Say No Mike O'Donnell  –  Oct 31, 2003 8:23 PM PST

NAT has nothing essential to do with security. Packet filtering is useful for security. Packet filtering is often bundled with NAT, but is completely independent. Packet filtering can be installed on any bottleneck with or without NAT.

Mike O'Donnell

Re: NAT: Just Say No James Seng  –  Nov 04, 2003 10:32 PM PST

NAT != Security.

It gives you certain invisibility, which is like a false sense of security. But it does not mean you are secure.

Re: NAT: Just Say No George Kirikos  –  Nov 05, 2003 6:51 AM PST

Right, I didn't mean to imply it was the ultimate in security — "security through obscurity" never is the best choice. But, if all IP addresses were "public", would that be better, rather than having the option to obscure things a little? Presumably IPv6 would have something comparable, though, to allow obscurity of devices that don't need to be seen by the outside world? (e.g. you don't need to see the IP address of my printer)

Re: NAT: Just Say No Candace  –  Nov 06, 2003 3:42 PM PST

NAT is not really recognized as the biggest roadblock to VoIP when you have companies like Jasomi implementing NAT traversal engines.

NAT is the biggest roadblock to the newer emerging technologies, involved with pervasive and location-aware computing.  We can have "smart buildings" with NAT but we cannot have smart communities of smart buildings.

Re: NAT: Just Say No Phil Howard  –  Nov 09, 2003 9:45 AM PST

Having all IP addresses public is not any less secure or vulnerable, given a correct firewall configuration.  If you deny by default, and open exactly what should be allowed (address and port tuple), you are as secure as the firewall can do, short of advance features like protocol specific inspection, etc.

What does it matter if I see the IP address of your printer or not?  If I see your IPv6 subnet assignment, I can speculate every address you might have (billions and billions and ...) but cannot reach.  So what if I happen to just guess what your actual printer IP address is?  Since the firewall won't let me reach it, I won't know if it is really there or not.  All that I will be able to reach is what your firewall allows me to reach.  Surely you are not going to expose your internet printer names on your external authoritative DNS server.

By not having NAT, what I can learn about you that NAT would obscure, is whether or not different services are running on different addresses.  If you expose FTP and HTTP, I can see if they are the same IP address.  Even then, I won't know that they are, or are not, IP aliases, or a multihomed machine.  I even recommend that, given enough IP addresses (which IPv6 will do for everyone), every service should be on a different IP address just so it can be "vectored" wherever you might choose to do so.

It sounds like perhaps you (like so many others) have become so dependent on NAT as a form of security, that your firewall is in fact wide open (e.g. does not deny by default).  It may be effectively secure that way, but the danger is that it taught an incorrect approach to security that does not work universally.

Even denying by default shouldn't be necessary to be secure if all servers correctly understand who they are communicating with.  With IPsec or TLS layered connections, along with strong authentication, all a firewall does is keep unwanted traffic from eating up internal LAN bandwidth (which is generally going to be higher than the outside pipe).
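An added example (written for this page, not by any commenter) of the point made in the two posts above: a deny-by-default inbound filter beside a permit-by-default one, with the same public IPv6 addresses and the same allow list of (address, protocol, port) tuples, and no NAT anywhere. The addresses are constructed from the 2001:db8::/32 documentation prefix and the `Firewall` class is hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    new: bool = True  # True: new inbound connection attempt; False: reply traffic

# Constructed addresses from the IPv6 documentation prefix 2001:db8::/32.
OUTSIDE, WEB_SERVER, PRINTER = "2001:db8:ffff::1", "2001:db8:1::80", "2001:db8:1::9100"

class Firewall:
    """Minimal stateful inbound filter with no address translation.
    default_allow=True is the 'everything permitted by default' box; False is
    deny-by-default: only listed (address, proto, port) tuples and replies to
    connections opened from inside get through."""
    def __init__(self, default_allow, allow=()):
        self.default_allow = default_allow
        self.allow = set(allow)
        self.established = set()  # (inside, outside) pairs opened from inside

    def note_outbound(self, inside, outside):
        self.established.add((inside, outside))

    def permits(self, pkt):
        if not pkt.new and (pkt.dst, pkt.src) in self.established:
            return True  # reply to a connection an inside host started
        if pkt.new and (pkt.dst, pkt.proto, pkt.dport) in self.allow:
            return True  # a service the operator chose to publish
        return self.default_allow

ALLOWED = {(WEB_SERVER, "tcp", 80), (WEB_SERVER, "tcp", 443)}

# Constructed outside traffic: the published web server, a lucky guess at the
# printer's address, and a reply to a connection the printer opened itself.
PROBES = [Packet(OUTSIDE, WEB_SERVER, "tcp", 443),
          Packet(OUTSIDE, PRINTER, "tcp", 9100),
          Packet(OUTSIDE, PRINTER, "tcp", 51000, new=False)]

def reachable(fw, probes):
    # The (address, port) pairs an outside probe can reach through fw.
    return [(p.dst, p.dport) for p in probes if fw.permits(p)]

def demo():
    """Same public addressing, same allow list; only the default policy differs."""
    open_fw = Firewall(default_allow=True, allow=ALLOWED)
    deny_fw = Firewall(default_allow=False, allow=ALLOWED)
    deny_fw.note_outbound(PRINTER, OUTSIDE)  # the printer fetched something earlier
    return reachable(open_fw, PROBES), reachable(deny_fw, PROBES)
```

With deny-by-default the guessed printer address is unreachable even though it is public, while the printer's own outbound connection still gets its reply; the permit-by-default box exposes the printer regardless of addressing.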

Re: NAT: Just Say No George Kirikos  –  Nov 09, 2003 10:08 AM PST

I agree with you, Phil. The key is, as you said, "given a correct firewall configuration". When IPv6 rolls out here, I'd likely take advantage of it properly, as I can be pretty confident about having a correct firewall configuration, having used and programmed computers for a while.

An average Joe User might not have that confidence, though, and might only be using the web and email. They can't be counted on to keep everything updated and properly configured. The "KISS" principle, "Keep It Simple Stupid", would apply. Although, hopefully firewalls become even easier to use, so that EVERYONE has one (one can see Microsoft is now making a big push for folks to get them, to reduce the impact of their operating system exploits).

There's a discussion on IPv6 NAT on the NANOG mailing list too, by the way. See:

http://www.merit.edu/mail.archives/nanog/2003-10/msg01484.html

and related posts.

Re: NAT: Just Say No Phil Howard  –  Nov 09, 2003 11:27 AM PST

A "correct firewall" will also deny by default, and provide the owner/operator/administrator with a simple tool to designate what services are to be open.  A user not smart enough to know he needs to turn services on to make the firewall "work" would most likely be using Windows.  The (optional) software would immediately come up stating that the firewall is "blocking everything ... what would you like to unblock?".  Joe user won't need to know port numbers because the DUI (dumb user interface ... but they won't know it means that) will just say things like "Your web server?  To allow access to it, enter the IP address of it" in a basic control panel.  Smarter firewalls might include buttons like "Autoconfigure" which finds services and asks if they should be open or not (for most services).

NAT's "security" is a side-effect, all of which can be gotten by other means, whether IPv4 or IPv6.  NAT could still have some occasional justified uses even in the IPv6 realm.  A "correct firewall" starts with the firewall makers.  The problem has been that too many non-NAT firewalls were "everything permitted by default", and that's not correct.

Will we be able to get rid of NAT as IPv6 goes into wide deployment?  No.  Will firewall makers all do "the right thing"?  No.  But at least we can say "You no longer need NAT" and be correct in that statement.  Joe User might still have it for his home LAN because he knows no better (and his firewall maker doesn't, either).  But those who use correct firewalls, or have the smarts to know how to change those we have to become correct, can successfully deploy NAT-less IPv6 connectivity and be as secure as the current state of the art allows.

Re: NAT: Just Say No George Kirikos  –  Nov 09, 2003 11:43 AM PST

I agree with you 100%. What really, really bothers me is that in the past 25 years of the PC revolution, computers are still so hard to use. Was it the same 25 years after the telephone was invented, or TV, or the automobile? I doubt it. Just like most folks don't want to tinker with the engine of their car, most folks don't want to be wasting so much time on their PCs getting it to 'work' — they'd want to just turn it on, and have it work.

When most grandmothers are online, I think then we'll know that the PC revolution has succeeded.

Re: NAT: Just Say No Paul Wilson  –  Nov 13, 2003 6:40 AM PST

It should be noted that NAT is not required or recommended by the policies of any Regional Internet Registry.  On the contrary, the assignment of public address space by ISPs to their customer networks is fully supported by well-defined policies and procedures, and additional addresses are readily available to ISPs which consume their address space in this manner. 

It does appear that many ISPs choose not to make public addresses available to customers, for a variety of reasons of technical or business policy.  However such policies are adopted at the choice of the ISP concerned, and are not encouraged in any way by RIRs.

Paul Wilson
Director General, APNIC
www.apnic.net
