Home / Blogs

Why NAT Isn't As Bad As You Thought

Martin Geddes

Please do sit down. Should the shock cause you to suddenly lose consciousness, I hereby disclaim all responsibility for any subsequent loss or injury. I'm about to defend the anthrax of the Internet: NAT.

Network Address Translation is a hack to enable private IP addresses on one side of a router (inside your network) to talk to public IP addresses on the other side (on the Internet, outside your network). It really doesn't matter how it works. The consequence is that unless the router is specifically configured, outsiders can't get in uninvited. So those on the inside can't, by default, act as servers of any service to the outside world. Even worse, even if your administrator sets things up for you, you're still limited. Without some amazing additional magic, only one computer can be a server for any particular type of service (such as delivering web pages, or answering phone calls). Ouch.

Now, this would leave you wondering, why on earth does anyone use this restrictive technology? The usual, superficial — and incorrect — answer is that it alleviates a shortage of public IP addresses caused by the original 32-bit address space conceived in an era before the Internet exploded in popularity. This has been repeatedly shown as bunkum. Even allowing for the inefficiencies of the original class A/B/C etc. address structure (and subsequent refinements), there are plenty of addresses for every PC and terminal ever manufactured to date. We could construct governance mechanisms to dole them out if the political desire existed. An easy way would be to simply burn a static IP address into each device at birth, and then spend a pile of cash on improved routing directories and protocols.

No, the real reason is a familiar one to programmers, particularly of object-oriented paradigms: encapsulation. It hides the inner implementation of a network from what's outside. No contract exists between us that guarantees every PC will keep hold of some sort of unique identifier. It's a means of reducing complexity among humans. The encapsulation complements the abstraction that DNS provides, each suitable for different circumstances.

But that isn't the real reason I would defend NAT. It is much more subtle than that. Even based on the above, you could reasonably argue that the loss of functionality and damage to the end-to-end nature of the Internet outweighs any administrative gains. Indeed, this is exactly what an article at CircleID last autumn just did (NAT: Just Say No).

Corporate use of NAT is really just a short-cut to preventing lowly subordinates from taking control of the ship's wheelhouse. Complete routability between all endpoints is simply not going to happen this side of a martian invasion and complete revision of the human genome to eliminate the hereditary insecurity of senior management over employee insurrection. So there isn't a discussion to be had. If it wasn't NATted, it would be firewalled off anyway.

Now, in the consumer space things are different. IP addresses are kept artificially scarce. If you're a really good girl, you might be given a static one you can keep and treasure. But if you're not the teacher's pet, you'll get a few dynamic IP addresses that change at the whim of your provider. And if you're a bad girl, you'll get a meagre single IP address. (Those condemned to a special education regime might even get a pre-NATted private IP address, but that's considered extreme punishment.)

This is a simple means of price discrimination. And, as Andrew Odlyzko eloquently points out two recent [PDF] papers [PDF], in moderate doses, that is a good thing. The $300 economy ticket from New York to London can't exist without the $3000 business class lumpy bed in the front. But without a rabble of cheapskate plebs, the businessman would be shelling out $30,000 for fractional ownership of a corporate jet, in which he could pretend that the inability to stand up tall and stretch is the height of luxury. Everyone wins.

The reason consumers like to use NAT is that it just works: even if I have a generous connectivity provider that gives out IP addresses like candy at Halloween, I still use NAT because I just don't care to investigate. And the vendors don't care to educate the public, because remedial Internet literacy isn't a profit centre.

So we sift out those happy with just web and email, or passive consumers of megamedia visual candycrap. This leaves the refined tastes of the homebrew server crowd. They'll have to pay extra. This is a good thing overall, even if us techno-elitists don't like the end of the free ride.

Moaning that NAT is the devil's technology doesn't help you. Skype made the technology easy to use through an overlay network. Speak Freely didn't, because that was seen as an impure thought. The real world clearly values usability over ideological correctness. The day may come when the NATted user of Skype can determine that they receive worse service (e.g. worse voice quality, or a slower frame rate on a video version of Skype.) They will then upgrade to a more expensive Internet connection with more IP addresses for all their proliferating gizmos.

IPv6 doesn't solve this. The existence of a gazillion unused addresses doesn't force your limited choice of suppliers to hand any of them over to you. They can simply refuse the route ones they didn't allocate. Tough luck.

NAT is economically efficient because it is part of a scheme of price discrimination through control of the supply of IP addresses. The market has spoken. Get used to it. Move on.

By Martin Geddes, Founder, Martin Geddes Consulting Ltd. He provides consulting, training and innovation services to telcos, equipment vendors, cloud services providers and industry bodies. For the latest fresh thinking on telecommunications, sign up for the free Geddes newsletter.

Related topics: Cybersecurity, DNS, Internet Governance, IP Addressing, IPv6, P2P, Privacy, Telecom


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper


Sponsored by Verisign

IP Addressing

Sponsored by Avenue4 LLC

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Join Neustar's Town Hall Meeting and Help Shape the Future Of .US

Avenue4 Helps IPv4 Sellers and Buyers Gain Market Access, Overcome Complexities

Introduction to ACCELR/8 - Fast Lane to the IPv4 Market

Avenue4 Launches ACCELR/8, Transforming the IPv4 Market with Automated Order-Driven Trading

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure