Home / Blogs

Why NAT Isn't As Bad As You Thought

Martin Geddes

Please do sit down. Should the shock cause you to suddenly lose consciousness, I hereby disclaim all responsibility for any subsequent loss or injury. I'm about to defend the anthrax of the Internet: NAT.

Network Address Translation is a hack to enable private IP addresses on one side of a router (inside your network) to talk to public IP addresses on the other side (on the Internet, outside your network). It really doesn't matter how it works. The consequence is that unless the router is specifically configured, outsiders can't get in uninvited. So those on the inside can't, by default, act as servers of any service to the outside world. Even worse, even if your administrator sets things up for you, you're still limited. Without some amazing additional magic, only one computer can be a server for any particular type of service (such as delivering web pages, or answering phone calls). Ouch.

Now, this would leave you wondering, why on earth does anyone use this restrictive technology? The usual, superficial — and incorrect — answer is that it alleviates a shortage of public IP addresses caused by the original 32-bit address space conceived in an era before the Internet exploded in popularity. This has been repeatedly shown as bunkum. Even allowing for the inefficiencies of the original class A/B/C etc. address structure (and subsequent refinements), there are plenty of addresses for every PC and terminal ever manufactured to date. We could construct governance mechanisms to dole them out if the political desire existed. An easy way would be to simply burn a static IP address into each device at birth, and then spend a pile of cash on improved routing directories and protocols.

No, the real reason is a familiar one to programmers, particularly of object-oriented paradigms: encapsulation. It hides the inner implementation of a network from what's outside. No contract exists between us that guarantees every PC will keep hold of some sort of unique identifier. It's a means of reducing complexity among humans. The encapsulation complements the abstraction that DNS provides, each suitable for different circumstances.

But that isn't the real reason I would defend NAT. It is much more subtle than that. Even based on the above, you could reasonably argue that the loss of functionality and damage to the end-to-end nature of the Internet outweighs any administrative gains. Indeed, this is exactly what an article at CircleID last autumn just did (NAT: Just Say No).

Corporate use of NAT is really just a short-cut to preventing lowly subordinates from taking control of the ship's wheelhouse. Complete routability between all endpoints is simply not going to happen this side of a martian invasion and complete revision of the human genome to eliminate the hereditary insecurity of senior management over employee insurrection. So there isn't a discussion to be had. If it wasn't NATted, it would be firewalled off anyway.

Now, in the consumer space things are different. IP addresses are kept artificially scarce. If you're a really good girl, you might be given a static one you can keep and treasure. But if you're not the teacher's pet, you'll get a few dynamic IP addresses that change at the whim of your provider. And if you're a bad girl, you'll get a meagre single IP address. (Those condemned to a special education regime might even get a pre-NATted private IP address, but that's considered extreme punishment.)

This is a simple means of price discrimination. And, as Andrew Odlyzko eloquently points out two recent [PDF] papers [PDF], in moderate doses, that is a good thing. The $300 economy ticket from New York to London can't exist without the $3000 business class lumpy bed in the front. But without a rabble of cheapskate plebs, the businessman would be shelling out $30,000 for fractional ownership of a corporate jet, in which he could pretend that the inability to stand up tall and stretch is the height of luxury. Everyone wins.

The reason consumers like to use NAT is that it just works: even if I have a generous connectivity provider that gives out IP addresses like candy at Halloween, I still use NAT because I just don't care to investigate. And the vendors don't care to educate the public, because remedial Internet literacy isn't a profit centre.

So we sift out those happy with just web and email, or passive consumers of megamedia visual candycrap. This leaves the refined tastes of the homebrew server crowd. They'll have to pay extra. This is a good thing overall, even if us techno-elitists don't like the end of the free ride.

Moaning that NAT is the devil's technology doesn't help you. Skype made the technology easy to use through an overlay network. Speak Freely didn't, because that was seen as an impure thought. The real world clearly values usability over ideological correctness. The day may come when the NATted user of Skype can determine that they receive worse service (e.g. worse voice quality, or a slower frame rate on a video version of Skype.) They will then upgrade to a more expensive Internet connection with more IP addresses for all their proliferating gizmos.

IPv6 doesn't solve this. The existence of a gazillion unused addresses doesn't force your limited choice of suppliers to hand any of them over to you. They can simply refuse the route ones they didn't allocate. Tough luck.

NAT is economically efficient because it is part of a scheme of price discrimination through control of the supply of IP addresses. The market has spoken. Get used to it. Move on.

By Martin Geddes, Founder, Martin Geddes Consulting Ltd. He provides consulting, training and innovation services to telcos, equipment vendors, cloud services providers and industry bodies. Prior to establishing his own consulting business, he was Strategy Director for the network and IT division of BT.

Related topics: DNS, Internet Governance, IP Addressing, IPv6, P2P, Privacy, Security, Telecom

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Director Wins ICANN's 2014 Leadership Award

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Video Interviews from ICANN 50 in London

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Sponsored Topics

Verisign

Security

Sponsored by
Verisign
dotMobi

Mobile

Sponsored by
dotMobi
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
Afilias

DNSSEC

Sponsored by
Afilias