Home / Blogs

NAT: Just Say No

The enormous success of the Internet came as a surprise to most all of its early developers, and that certainly holds true for the developers of IPv4. No one expected that the 32-bit IPv4 address space would be insufficient to accommodate the future needs of what was then a small research network. But by the mid-1990s the steadily increasing demand for IP addresses threatened the remaining supply. Many predicted that the available IPv4 addresses would last for only a few years more.

The long-term solution to the IP address depletion problem was to create a new version of IP with an expanded address space. Originally called IPng for IP next generation, this proposed version eventually became IPv6. However, short-term workarounds were required to slow the rate of IPv4 address depletion until the work on IPv6 could be completed. One short-term solution was Network Address Translation (NAT). Also known as IP masquerading or Port Address Translation (PAT), NAT resides between the Internet and a group of hosts on a server, firewall, or router. Through a clever manipulation of port numbers, NAT allows a large number of hosts to share a single unique IPv4 address.

Fueled by the lack of public IP addresses, 70% of Fortune 1000 companies have been forced to deploy NATs (Source: Center for Next Generation Internet). NATs are also found in hundreds of thousands of small business and home networks where several hosts must share a single IP address. It has been so successful in slowing the depletion of IPv4 addresses that many have questioned the need for IPv6 in the near future. However, such conclusions ignore the fact that a strategy based on avoiding a crisis can never provide the long-term benefits that solving the underlying problems that precipitated the crisis offers.

However, NAT was never intended as a long-term solution, and it presents a number of problems in modern networks. Most significantly, NAT destroys a key benefit of the Internet as a network of ‘always-on, equally-connected, easily-reachable’ peers. Peer-to-peer capability provides a powerful tool, empowering users to become active contributors to the Internet, rather than just consumers. Peer-to-peer systems assume that a user can find and connect to another user, but if a user is hidden behind a NAT device this assumption is not valid. As a result, present peer-to-peer systems utilize an extra level of complexity made necessary only to circumvent NAT obstacles.

NAT also presents challenges for many applications that incorporate the host’s IP address in the application-layer data. This issue is particularly problematic for security protocols such as IPSec. If the Internet is to become a community of peers, strong security is essential. Additionally, NAT is a roadblock for applications requiring Quality of Service (QoS) such as Voice over IP (VoIP) and real-time video. NAT is recognized as one of the single largest roadblocks to the widescale adoption of VoIP with its promised cost savings and enhanced communication services. However, NAT was helpful in delaying a global IP address crisis, but in return has extracted a proportional ‘pound of flesh’ by delaying uncounted peer-to-peer network innovations and their associated cost savings.

The adoption of IPv6, with its abundance of addresses, eliminates any need for NAT and, by extension, eliminates the roadblocks to Internet progress that NAT represents.

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]

Filed Under

Comments

George Kirikos  –  Oct 26, 2003 7:01 PM

NAT is useful for security, and need not be a bad thing, even if IPv6 is widely deployed. I’d rather have my company’s PCs behind a firewall/router that exposes only 1 IP address, instead of having a situation where the internal network architecture is exposed by making each PC visible to the entire world.

Hackers can attempt to hit the single IP address all day, but won’t be able to see what’s behind it as they are all machines in the 192.168.xxx.yyy or 10.aaa.bbb.ccc address spaces, which are private and unreachable.

Mike O'Donnell  –  Nov 1, 2003 4:23 AM

NAT has nothing essential to do with security. Packet filtering is useful for security. Packet filtering is often bundled with NAT, but is completely independent. Packet filtering can be installed on any bottleneck with or without NAT.

Mike O’Donnell

James Seng  –  Nov 5, 2003 6:32 AM

NAT != Security.

It gives you certain invisibility, which is like a false sense of security. But it does not mean you are secure.

George Kirikos  –  Nov 5, 2003 2:51 PM

Right, I didn’t mean to imply it was the ultimate in security—“security through obscurity” never is the best choice. But, if all IP addresses were “public”, would that be better, rather than having the option to obscure things a little? Presumably IPv6 would have something comparable, though, to allow obscurity of devices that don’t need to be seen by the outside world? (e.g. you don’t need to see the IP address of my printer)

Candace  –  Nov 6, 2003 11:42 PM

NAT is not really recognized as the biggest roadblock to VoIP when you have companies like Jasomi implementing NAT traversal engines.

NAT is the biggest roadblock to the newer emerging technologies, involved with pervasive and location-aware computing.  We can have “smart buildings” with NAT but we cannot have smart communities of smart buildings.

Phil Howard  –  Nov 9, 2003 5:45 PM

Having all IP addresses public is not any less secure or vulnerable, given a correct firewall configuration.  If you deny by default, and open exactly what should be allowed (address and port tuple), you are as secure as the firewall can do, short of advance features like protocol specific inspection, etc.

What does it matter if I see the IP address of your printer or not?  If I see your IPv6 subnet assignment, I can speculate every address you might have (billions and billions and ...) but cannot reach.  So what if I happen to just guess what your actual printer IP address is?  Since the firewall won’t let me reach it, I won’t know if it is really there or not.  All that I will be able to reach is what your firewall allows me to reach.  Surely you are not going to expose your internet printer names on your external authoritative DNS server.

By not having NAT, what I can learn about you that NAT would obscure, is whether or not different services are running on different addresses.  If you expose FTP and HTTP, I can see if they are the same IP address.  Even then, I won’t know that they are, or are not, IP aliases, or a multihomed machine.  I even recommend that, given enough IP addresses (which IPv6 will do for everyone), every service should be on a different IP address just so it can be “vectored” wherever you might choose to do so.

It sounds like perhaps you (like so many others) have become so dependent on NAT as a form of security, that your firewall is in fact wide open (e.g. does not deny by default).  It may be effectively secure that way, but the danger is that it taught an incorrect approach to security that does not work universally.

Even denying by default shouldn’t be necessary to be secure if all servers correctly understand who they are communicating with.  With IPsec or TLS layered connections, along with strong authentication, all a firewall does is keep unwanted traffic from eating up internal LAN bandwidth (which is generally going to be higher than the outside pipe).

George Kirikos  –  Nov 9, 2003 6:08 PM

I agree with you, Phil. The key is, as you said, “given a correct firewall configuration”. When IPv6 rolls out here, I’d likely take advantage of it properly, as I can be pretty confident about having a correct firewall configuration, having used and programmed computers for a while.

An average Joe User might not have that confidence, though, and might only be using the web and email, though. They can’t be counted on to keep everything updated and properly configured. The “KISS” principle, “Keep It Simple Stupid”, would apply. Although, hopefully firewalls become even easier to use, so that EVERYONE has one (one can see Microsoft is now making a big push for folks to get them, to reduce the impact of their operating system exploits).

There’s a discussion on IPv6 NAT on the NANOG mailing list too, by the way. See:

http://www.merit.edu/mail.archives/nanog/2003-10/msg01484.html

and related posts.

Phil Howard  –  Nov 9, 2003 7:27 PM

A “correct firewall” will also deny by default, and provide the owner/operator/administrator with a simple tool to designate what services are to be open.  A user not smart enough to know he needs to turn services on to make the firewall “work” would most likely be using Windows.  The (optional) software would immediately come up stating that the firewall is “blocking everything ... what would you like to unblock?”.  Joe user won’t need to know port numbers because the DUI (dumb user interface ... but they won’t know it means that) will just say things like “Your web server?  To allow access to it, enter the IP address of it” in a basic control panel.  Smarter firewalls might include buttons like “Autoconfigure” which finds services and asks if they should be open or not (for most services).

NAT’s “security” is a side-effect, none of which cannot be gotten by other means, whether IPv4 or IPv6.  NAT could still have some occaisional justified uses even in the IPv6 realm.  A “correct firewall” starts with the firewall makers.  The problem has been that too many non-NAT firewalls were “everything permitted by default”, and that’s not correct.

Will we be able to get rid of NAT as IPv6 goes into wide deployment?  No.  Will firewall makers all do “the right thing”?  No.  But at least we can say “You no longer need NAT” and be correct in that statement.  Joe User might still have it for his home LAN because he knows no better (and his firewall maker doesn’t, either).  But those who use correct firewalls, or have the smarts to know how to change those we have to become correct, can successfully deploy NAT-less IPv6 connectivity and be as secure as the current state of the art allows.

George Kirikos  –  Nov 9, 2003 7:43 PM

I agree with you 100%. What really, really bothers me is that in the past 25 years of the PC revolution, computers are still so hard to use. Was it the same 25 years after the telephone was invented, or TV, or the automobile? I doubt it. Just like most folks don’t want to tinker with the engine of their car, most folks don’t want to be wasting so much time on their PCs getting it to ‘work’—they’d want to just turn it on, and have it work.

When most grandmothers are online, I think then we’ll know that the PC revolution has succeeded.

Paul Wilson  –  Nov 13, 2003 2:40 PM

It should be noted that NAT is not required or recommended by the policies of any Regional Internet Registry.  On the contrary, the assignment of public address space by ISPs to their customer networks is fully supported by well-defined policies and procedures, and additional addresses are readily available to ISPs which consume their address space in this manner. 

It does appear that many ISPs choose not to make public addresses available to customers, for a variety of reasons of technical or business policy.  However such policies are adopted at the choice of the ISP concerned, and are not encouraged in any way by RIRs.

Paul Wilson
Director General, APNIC
www.apnic.net

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global