Home / Blogs

Why NAT Isn't As Bad As You Thought

Martin Geddes

Please do sit down. Should the shock cause you to suddenly lose consciousness, I hereby disclaim all responsibility for any subsequent loss or injury. I'm about to defend the anthrax of the Internet: NAT.

Network Address Translation is a hack to enable private IP addresses on one side of a router (inside your network) to talk to public IP addresses on the other side (on the Internet, outside your network). It really doesn't matter how it works. The consequence is that unless the router is specifically configured, outsiders can't get in uninvited. So those on the inside can't, by default, act as servers of any service to the outside world. Even worse, even if your administrator sets things up for you, you're still limited. Without some amazing additional magic, only one computer can be a server for any particular type of service (such as delivering web pages, or answering phone calls). Ouch.

Now, this would leave you wondering, why on earth does anyone use this restrictive technology? The usual, superficial — and incorrect — answer is that it alleviates a shortage of public IP addresses caused by the original 32-bit address space conceived in an era before the Internet exploded in popularity. This has been repeatedly shown as bunkum. Even allowing for the inefficiencies of the original class A/B/C etc. address structure (and subsequent refinements), there are plenty of addresses for every PC and terminal ever manufactured to date. We could construct governance mechanisms to dole them out if the political desire existed. An easy way would be to simply burn a static IP address into each device at birth, and then spend a pile of cash on improved routing directories and protocols.

No, the real reason is a familiar one to programmers, particularly of object-oriented paradigms: encapsulation. It hides the inner implementation of a network from what's outside. No contract exists between us that guarantees every PC will keep hold of some sort of unique identifier. It's a means of reducing complexity among humans. The encapsulation complements the abstraction that DNS provides, each suitable for different circumstances.

But that isn't the real reason I would defend NAT. It is much more subtle than that. Even based on the above, you could reasonably argue that the loss of functionality and damage to the end-to-end nature of the Internet outweighs any administrative gains. Indeed, this is exactly what an article at CircleID last autumn just did (NAT: Just Say No).

Corporate use of NAT is really just a short-cut to preventing lowly subordinates from taking control of the ship's wheelhouse. Complete routability between all endpoints is simply not going to happen this side of a martian invasion and complete revision of the human genome to eliminate the hereditary insecurity of senior management over employee insurrection. So there isn't a discussion to be had. If it wasn't NATted, it would be firewalled off anyway.

Now, in the consumer space things are different. IP addresses are kept artificially scarce. If you're a really good girl, you might be given a static one you can keep and treasure. But if you're not the teacher's pet, you'll get a few dynamic IP addresses that change at the whim of your provider. And if you're a bad girl, you'll get a meagre single IP address. (Those condemned to a special education regime might even get a pre-NATted private IP address, but that's considered extreme punishment.)

This is a simple means of price discrimination. And, as Andrew Odlyzko eloquently points out two recent [PDF] papers [PDF], in moderate doses, that is a good thing. The $300 economy ticket from New York to London can't exist without the $3000 business class lumpy bed in the front. But without a rabble of cheapskate plebs, the businessman would be shelling out $30,000 for fractional ownership of a corporate jet, in which he could pretend that the inability to stand up tall and stretch is the height of luxury. Everyone wins.

The reason consumers like to use NAT is that it just works: even if I have a generous connectivity provider that gives out IP addresses like candy at Halloween, I still use NAT because I just don't care to investigate. And the vendors don't care to educate the public, because remedial Internet literacy isn't a profit centre.

So we sift out those happy with just web and email, or passive consumers of megamedia visual candycrap. This leaves the refined tastes of the homebrew server crowd. They'll have to pay extra. This is a good thing overall, even if us techno-elitists don't like the end of the free ride.

Moaning that NAT is the devil's technology doesn't help you. Skype made the technology easy to use through an overlay network. Speak Freely didn't, because that was seen as an impure thought. The real world clearly values usability over ideological correctness. The day may come when the NATted user of Skype can determine that they receive worse service (e.g. worse voice quality, or a slower frame rate on a video version of Skype.) They will then upgrade to a more expensive Internet connection with more IP addresses for all their proliferating gizmos.

IPv6 doesn't solve this. The existence of a gazillion unused addresses doesn't force your limited choice of suppliers to hand any of them over to you. They can simply refuse the route ones they didn't allocate. Tough luck.

NAT is economically efficient because it is part of a scheme of price discrimination through control of the supply of IP addresses. The market has spoken. Get used to it. Move on.

By Martin Geddes, Founder, Martin Geddes Consulting Ltd. He provides consulting, training and innovation services to telcos, equipment vendors, cloud services providers and industry bodies. Prior to establishing his own consulting business, he was Strategy Director for the network and IT division of BT.

Related topics: DNS, Internet Governance, IP Addressing, IPv6, P2P, Privacy, Security, Telecom

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Protect Your Privacy - Opt Out of Public DNS Data Collection

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Measuring DNS Performance for the User Experience

"The Market Has No Morality" Sophia Bekele Speaks on Business Ethics and Accountability

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Internet Grows to 296 Million Domain Names in Q2 2015

Dyn Comments on ICG Proposal for IANA Transition

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

Introducing the Verisign DNS Firewall

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Key Considerations for Selecting a Managed DNS Provider

Verisign Mitigates More DDoS Attacks in Q1 2015 than Any Quarter in 2014

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

Sponsored Topics