Home / Blogs

Why NAT Isn't As Bad As You Thought

Martin Geddes

Please do sit down. Should the shock cause you to suddenly lose consciousness, I hereby disclaim all responsibility for any subsequent loss or injury. I'm about to defend the anthrax of the Internet: NAT.

Network Address Translation is a hack to enable private IP addresses on one side of a router (inside your network) to talk to public IP addresses on the other side (on the Internet, outside your network). It really doesn't matter how it works. The consequence is that unless the router is specifically configured, outsiders can't get in uninvited. So those on the inside can't, by default, act as servers of any service to the outside world. Even worse, even if your administrator sets things up for you, you're still limited. Without some amazing additional magic, only one computer can be a server for any particular type of service (such as delivering web pages, or answering phone calls). Ouch.

Now, this would leave you wondering, why on earth does anyone use this restrictive technology? The usual, superficial — and incorrect — answer is that it alleviates a shortage of public IP addresses caused by the original 32-bit address space conceived in an era before the Internet exploded in popularity. This has been repeatedly shown as bunkum. Even allowing for the inefficiencies of the original class A/B/C etc. address structure (and subsequent refinements), there are plenty of addresses for every PC and terminal ever manufactured to date. We could construct governance mechanisms to dole them out if the political desire existed. An easy way would be to simply burn a static IP address into each device at birth, and then spend a pile of cash on improved routing directories and protocols.

No, the real reason is a familiar one to programmers, particularly of object-oriented paradigms: encapsulation. It hides the inner implementation of a network from what's outside. No contract exists between us that guarantees every PC will keep hold of some sort of unique identifier. It's a means of reducing complexity among humans. The encapsulation complements the abstraction that DNS provides, each suitable for different circumstances.

But that isn't the real reason I would defend NAT. It is much more subtle than that. Even based on the above, you could reasonably argue that the loss of functionality and damage to the end-to-end nature of the Internet outweighs any administrative gains. Indeed, this is exactly what an article at CircleID last autumn just did (NAT: Just Say No).

Corporate use of NAT is really just a short-cut to preventing lowly subordinates from taking control of the ship's wheelhouse. Complete routability between all endpoints is simply not going to happen this side of a martian invasion and complete revision of the human genome to eliminate the hereditary insecurity of senior management over employee insurrection. So there isn't a discussion to be had. If it wasn't NATted, it would be firewalled off anyway.

Now, in the consumer space things are different. IP addresses are kept artificially scarce. If you're a really good girl, you might be given a static one you can keep and treasure. But if you're not the teacher's pet, you'll get a few dynamic IP addresses that change at the whim of your provider. And if you're a bad girl, you'll get a meagre single IP address. (Those condemned to a special education regime might even get a pre-NATted private IP address, but that's considered extreme punishment.)

This is a simple means of price discrimination. And, as Andrew Odlyzko eloquently points out two recent [PDF] papers [PDF], in moderate doses, that is a good thing. The $300 economy ticket from New York to London can't exist without the $3000 business class lumpy bed in the front. But without a rabble of cheapskate plebs, the businessman would be shelling out $30,000 for fractional ownership of a corporate jet, in which he could pretend that the inability to stand up tall and stretch is the height of luxury. Everyone wins.

The reason consumers like to use NAT is that it just works: even if I have a generous connectivity provider that gives out IP addresses like candy at Halloween, I still use NAT because I just don't care to investigate. And the vendors don't care to educate the public, because remedial Internet literacy isn't a profit centre.

So we sift out those happy with just web and email, or passive consumers of megamedia visual candycrap. This leaves the refined tastes of the homebrew server crowd. They'll have to pay extra. This is a good thing overall, even if us techno-elitists don't like the end of the free ride.

Moaning that NAT is the devil's technology doesn't help you. Skype made the technology easy to use through an overlay network. Speak Freely didn't, because that was seen as an impure thought. The real world clearly values usability over ideological correctness. The day may come when the NATted user of Skype can determine that they receive worse service (e.g. worse voice quality, or a slower frame rate on a video version of Skype.) They will then upgrade to a more expensive Internet connection with more IP addresses for all their proliferating gizmos.

IPv6 doesn't solve this. The existence of a gazillion unused addresses doesn't force your limited choice of suppliers to hand any of them over to you. They can simply refuse the route ones they didn't allocate. Tough luck.

NAT is economically efficient because it is part of a scheme of price discrimination through control of the supply of IP addresses. The market has spoken. Get used to it. Move on.

By Martin Geddes, Founder, Martin Geddes Consulting Ltd. He provides consulting, training and innovation services to telcos, equipment vendors, cloud services providers and industry bodies. Prior to establishing his own consulting business, he was Strategy Director for the network and IT division of BT.

Related topics: DNS, Internet Governance, IP Addressing, IPv6, P2P, Privacy, Security, Telecom

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Sophia Bekele Weighs in on Obama's August US-Africa Leader Summit at the NYF Africa

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

DotConnectAfrica's Expert Selected to Attend the Hague Institute of Global Justice

DotConnectAfrica Delegates Attend the KHRC Internet & Human Rights Breakfast Roundtable in Nairobi

Smokescreening: Data Theft Makes DDoS More Dangerous

Introducing getdns: a Modern, Extensible, Open Source API for the DNS

Why We Decided to Stop Offering Free Accounts

Internet Business Council for Africa Participates at the EU-Africa 2014 Business Forum, Brussels

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Sponsored Topics