
Why NAT Isn't As Bad As You Thought

Martin Geddes

Please do sit down. Should the shock cause you to suddenly lose consciousness, I hereby disclaim all responsibility for any subsequent loss or injury. I'm about to defend the anthrax of the Internet: NAT.

Network Address Translation is a hack that lets hosts with private IP addresses on one side of a router (inside your network) talk to public IP addresses on the other side (on the Internet, outside your network). How it does this matters less than the consequence, but in one sentence: the router rewrites the source address and port of each outgoing packet to its own public address, remembers the mapping, and uses that memory to send replies back to the right inside host. The consequence is that unless the router is specifically configured, outsiders can't get in uninvited: an inbound packet that matches no remembered mapping has nowhere to go and is dropped. So those on the inside can't, by default, act as servers of any service to the outside world. Even worse, even if your administrator sets things up for you, you're still limited. Without some amazing additional magic, only one computer behind a single public address can be the server for any particular type of service (such as delivering web pages on port 80, or answering phone calls), because a given public port can be forwarded to only one inside host. Ouch. (One caveat before anyone mistakes this for a security feature: the blocking is a side effect of the translation state, how strict it is varies between NAT implementations, and it is no substitute for a firewall that has actually been told what to filter.)
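To make the mechanics concrete, here is a toy port-overloading NAT (NAPT) in Python. It is an added example for this article, not the author's code or any router vendor's implementation; the `Packet`, `Nat` and `demo` names are my own, and the addresses are constructed from the RFC 5737 documentation ranges. It walks through the four cases above: an outbound flow creates a mapping and its reply is let back in, an unsolicited packet is dropped, an explicit port forward lets exactly one inside host serve a public port, and a second forward on the same public port is refused. It models the strict, address-and-port-dependent kind of filtering; real NATs vary, which is part of why the "outsiders can't get in" property should be treated as incidental rather than as a firewall.

```python
"""Toy NAPT (port-overloading NAT) simulator.

Added example, not from the original article.  Addresses are constructed
from the RFC 5737 documentation ranges.  Filtering is the strict
address-and-port-dependent kind; real NAT boxes vary.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Single public address; inside hosts share it by port overloading."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.inbound = {}
        # public_port -> (inside_ip, inside_port): an explicit "port forward"
        self.forwards = {}

    def add_forward(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """What 'your administrator sets things up' means: one public port,
        one inside host.  A second host on the same public port is rejected."""
        if public_port in self.forwards:
            raise ValueError(
                f"public port {public_port} already forwarded to {self.forwards[public_port]}"
            )
        self.forwards[public_port] = (inside_ip, inside_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: deliver only if invited (a reply to a remembered
        flow) or explicitly forwarded.  Returns None for a dropped packet."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            target = self.forwards.get(pkt.dst_port)
        if target is None:
            return None  # uninvited: no state, no forward, dropped
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo() -> dict:
    """Walk through the cases the article describes; returns them for checking."""
    nat = Nat("203.0.113.1")
    laptop, web_a, web_b = "192.168.1.10", "192.168.1.20", "192.168.1.21"
    site, prober = "198.51.100.7", "198.51.100.9"

    # 1. The laptop browses a web site; the reply is mapped back to it.
    out = nat.translate_outbound(Packet(laptop, 51000, site, 80))
    reply = nat.translate_inbound(Packet(site, 80, nat.public_ip, out.src_port))

    # 2. A third party guessing the allocated port is not the peer: dropped.
    guessed = nat.translate_inbound(Packet(prober, 12345, nat.public_ip, out.src_port))

    # 3. An unsolicited connection to port 80: nobody inside is reachable.
    uninvited = nat.translate_inbound(Packet(prober, 12345, nat.public_ip, 80))

    # 4. The administrator forwards public :80 to one inside web server.
    nat.add_forward(80, web_a, 80)
    served = nat.translate_inbound(Packet(prober, 12345, nat.public_ip, 80))

    # 5. A second inside web server cannot also own public :80.
    try:
        nat.add_forward(80, web_b, 80)
        collision = False
    except ValueError:
        collision = True

    return {"out": out, "reply": reply, "guessed": guessed,
            "uninvited": uninvited, "served": served, "collision": collision}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:9} {value}")
```

Case 2 is the one worth dwelling on: whether a stranger who guesses the allocated public port gets through depends on the NAT's filtering behaviour, and a more permissive ("full cone") box would deliver that packet to the laptop. Case 5 is the whole of the "only one server per service" complaint: with one public address there is only one port 80 to hand out.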

Now, this would leave you wondering, why on earth does anyone use this restrictive technology? The usual, superficial — and incorrect — answer is that it alleviates a shortage of public IP addresses caused by the original 32-bit address space conceived in an era before the Internet exploded in popularity. This has been repeatedly shown as bunkum. Even allowing for the inefficiencies of the original class A/B/C etc. address structure (and subsequent refinements), there are plenty of addresses for every PC and terminal ever manufactured to date. We could construct governance mechanisms to dole them out if the political desire existed. An easy way would be to simply burn a static IP address into each device at birth, and then spend a pile of cash on improved routing directories and protocols.

No, the real reason is a familiar one to programmers, particularly of object-oriented paradigms: encapsulation. It hides the inner implementation of a network from what's outside. No contract exists between us that guarantees every PC will keep hold of some sort of unique identifier. It's a means of reducing complexity among humans. The encapsulation complements the abstraction that DNS provides, each suitable for different circumstances.

But that isn't the real reason I would defend NAT. It is much more subtle than that. Even based on the above, you could reasonably argue that the loss of functionality and damage to the end-to-end nature of the Internet outweighs any administrative gains. Indeed, this is exactly what an article at CircleID last autumn did (NAT: Just Say No).

Corporate use of NAT is really just a short-cut to preventing lowly subordinates from taking control of the ship's wheelhouse. Complete routability between all endpoints is simply not going to happen this side of a Martian invasion and a complete revision of the human genome to eliminate the hereditary insecurity of senior management over employee insurrection. So there isn't a discussion to be had. If it wasn't NATted, it would be firewalled off anyway.

Now, in the consumer space things are different. IP addresses are kept artificially scarce. If you're a really good girl, you might be given a static one you can keep and treasure. But if you're not the teacher's pet, you'll get a few dynamic IP addresses that change at the whim of your provider. And if you're a bad girl, you'll get a meagre single IP address. (Those condemned to a special education regime might even get a pre-NATted private IP address, but that's considered extreme punishment.)

This is a simple means of price discrimination. And, as Andrew Odlyzko eloquently points out in two recent papers, in moderate doses, that is a good thing. The $300 economy ticket from New York to London can't exist without the $3000 business class lumpy bed in the front. But without a rabble of cheapskate plebs, the businessman would be shelling out $30,000 for fractional ownership of a corporate jet, in which he could pretend that the inability to stand up tall and stretch is the height of luxury. Everyone wins.

The reason consumers like to use NAT is that it just works: even if I have a generous connectivity provider that gives out IP addresses like candy at Halloween, I still use NAT because I just don't care to investigate. And the vendors don't care to educate the public, because remedial Internet literacy isn't a profit centre.

So we sift out those happy with just web and email, or passive consumers of megamedia visual candycrap. This leaves the refined tastes of the homebrew server crowd. They'll have to pay extra. This is a good thing overall, even if we techno-elitists don't like the end of the free ride.

Moaning that NAT is the devil's technology doesn't help you. Skype made the technology easy to use through an overlay network. Speak Freely didn't, because that was seen as an impure thought. The real world clearly values usability over ideological correctness. The day may come when the NATted user of Skype can determine that they receive worse service (e.g. worse voice quality, or a slower frame rate on a video version of Skype). They will then upgrade to a more expensive Internet connection with more IP addresses for all their proliferating gizmos.

IPv6 doesn't solve this. The existence of a gazillion unused addresses doesn't force your limited choice of suppliers to hand any of them over to you. They can simply refuse to route the ones they didn't allocate. Tough luck.

NAT is economically efficient because it is part of a scheme of price discrimination through control of the supply of IP addresses. The market has spoken. Get used to it. Move on.

By Martin Geddes, Founder, Martin Geddes Consulting Ltd. He provides consulting, training and innovation services to telcos, equipment vendors, cloud services providers and industry bodies. For the latest fresh thinking on telecommunications, sign up for the free Geddes newsletter.

Related topics: DNS, Internet Governance, IP Addressing, IPv6, P2P, Privacy, Security, Telecom


