NAT (network address translation) allows administrators to set up a gateway between a local area network and the Internet. As packets pass in and out through the gateway, the NAT box keeps track of which internal computer requested which packets from the outside, so that replies can be forwarded back to the right machine.
NAT's critics call it a kludge, a work-around. They say it is something that has never worked well, causes security problems, and breaks or complicates Internet applications. It grew in popularity only because of the growing scarcity of Internet addresses: a commodity which, at least back in 1995, when the Net appeared to be doubling in size every 12 months, seemed to be in short supply.
The shortage of new Internet numbers was the original driving need for IPv6, which the IETF is developing. The version of IP now widely in use across the Internet, version 4, uses 32-bit addresses, which provide a total of about four billion. IPv6 uses 128-bit addresses, roughly 3.4 x 10^38 of them (340 undecillion), enough to hand every person, place and thing in the world its own IP number.
In development since the mid-90s, IPv6 is almost ready for mass deployment. The U.S. Defense Department, for instance, indicated last June that it wishes to move to IPv6 for some of its networks by 2008.
But part of the problem the keepers of the Internet standards are now experiencing is getting software and hardware makers and Internet service providers, DoD aside, to adopt IPv6. Kludges though they may be, NATs may also be sapping the very need for these parties to use IPv6. "I'm a bit confused as to why enterprises would be interested in v6," wrote Soliman Hesham.
And NAT may also be providing an additional useful function to the Internet at large beyond just saving IP addresses. It also keeps security-oblivious users, those served by broadband providers and ISPs, tucked behind a gateway. Widespread NAT use by Internet service providers raises the question: does everybody actually need their own Internet address? Will Internet service providers even let Joe Sixpack have his own IP address?
Recently, IETF discussions over NAT have been so fierce that they have forced a debate over the very necessity of IPv6. The debates have also called into question the mission of the group itself: Should the IETF be "architecturally fundamentalist," as one member put it, and stick to its vision of one IP numbering system everywhere? Or is its mission only to provide standards for Internet users for whatever applications they may use, no matter how inelegant?
NATs represent "one particular area where there's a clear and growing divide between this community and the network administrator community (particularly enterprise and residential)," wrote Melinda Shore on the list in December. She added, "We've known about these problems for a very long time and the argument that these problems are a serious impediment to network -- have not been accepted by the people who deploy real networks."
She concluded, "In that context our arguments are sometimes perceived as condescending and out-of-touch."
On a topic as controversial as NAT, one can plunge the pitchfork down pretty much anywhere in the past few years of the IETF mailing list and pull up some well-argued contention. Last month, for instance, an engineer posed a question about NAT to the list that set off a firestorm. He was upgrading his organization's network and wanted to make an argument to his management against the use of NATs. He knew NATs were problematic. But were there any white papers or studies that documented the flaws? There were none anyone could immediately name, though much grumbling about NATs commenced nonetheless.
Last June, the Defense Department announcement of its move to IPv6 set off a similar debate, with many of the same participants taking the same sides.
Why the fuss? As Bob Braden wrote, "I think it would be more accurate to say that a NAT contravenes the basic Internet principle of universal connectivity."
The Internet, as envisioned by its founders, was one in which every node on the network could reach every other node directly.
NAT, on the other hand, hides end-users behind a gateway. And more than a few participants on the list could see where that leads.
Trying to make NATs work is "the modern task of Sisyphus," Keith Moore remarked. Applications such as Internet telephony or the IPsec security protocol were difficult to set up to work with NAT.
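Why IPsec in particular fights with NAT is worth seeing in code. The following is an added example, not code from the article or from any IETF participant: it models the two IPsec integrity mechanisms in miniature. AH's integrity check value covers the immutable fields of the outer IP header, including the source address, so a source-NAT rewrite invalidates it; ESP's check covers only the ESP header and payload, so it survives the same rewrite. The key, addresses and payload are constructed for the demo, and the ICV is a truncated HMAC rather than a full AH or ESP header.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key: a real security association would derive it via IKE.
DEMO_KEY = b"constructed-demo-key"


def _icv(covered: bytes) -> bytes:
    """HMAC-SHA-256-96 style integrity check value (truncated to 96 bits)."""
    return hmac.new(DEMO_KEY, covered, hashlib.sha256).digest()[:12]


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """Model of AH: the ICV covers the immutable outer IP header fields
    (source and destination address) together with the payload. Mutable
    fields such as TTL and header checksum are zeroed by AH and omitted here."""
    covered = (ipaddress.ip_address(src).packed
               + ipaddress.ip_address(dst).packed
               + payload)
    return _icv(covered)


def esp_icv(payload: bytes) -> bytes:
    """Model of ESP: the ICV covers the ESP header and (encrypted) payload only;
    the outer IP header is deliberately outside its scope."""
    return _icv(payload)


def nat_rewrite_source(src: str, dst: str, payload: bytes, new_src: str):
    """What a source NAT does on the way out: swap the source address and
    leave everything else untouched."""
    return new_src, dst, payload


def ah_survives_nat(inside="192.168.1.10", outside="198.51.100.1",
                    peer="203.0.113.5", payload=b"constructed payload") -> bool:
    """Sender computes the AH ICV from the inside address; the NAT rewrites
    it; the peer re-computes over what it actually received."""
    icv = ah_icv(inside, peer, payload)
    src, dst, data = nat_rewrite_source(inside, peer, payload, outside)
    return hmac.compare_digest(ah_icv(src, dst, data), icv)


def esp_survives_nat(inside="192.168.1.10", outside="198.51.100.1",
                     peer="203.0.113.5", payload=b"constructed payload") -> bool:
    """Same rewrite, but ESP never covered the outer header in the first place."""
    icv = esp_icv(payload)
    _, _, data = nat_rewrite_source(inside, peer, payload, outside)
    return hmac.compare_digest(esp_icv(data), icv)


if __name__ == "__main__":
    print("AH verifies after NAT:", ah_survives_nat())    # False
    print("ESP verifies after NAT:", esp_survives_nat())  # True
```

ESP surviving the address rewrite is only half the story: ESP carries no transport-layer ports, so a port-translating NAT has nothing to multiplex on, which is why NAT traversal for IPsec ended up wrapping ESP in UDP (NAT-T) rather than fixing AH.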
"Not only are we [losing] existing applications, there are untold new things that are not making it to market. These new applications are unable to generate the critical mass they need to make any marketing noise because the NAT rich environment is too difficult for Joe Sixpack to deal with," Tony Hain wrote earlier this month.
Melinda Shore pointed out that FTP clients, as originally written, would not work with NAT. Neither would video conference applications. "NAT has a surprisingly wide ripple effect that's almost completely negative," she wrote.
"If these applications work 'out of the box' it means effort has been put into developing NAT traversal solutions. While this effort is necessary, it is sad that effort had to be expended. The developers could have been adding extra features, rather than working around a common network infrastructure limitation," Mark Smith wrote earlier this month.
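The FTP case is the classic one, and it shows what "working around" a NAT actually costs. This is an added example, not the article's own material: in active-mode FTP the client sends its own address and a listening port inside the command channel as `PORT h1,h2,h3,h4,p1,p2`, and the server connects back to that address. A NAT rewrites the IP header but not the payload, so the server is handed a private address it cannot reach. The minimal application-level gateway below, with constructed command lines and a constructed external mapping, shows the rewrite a NAT must perform and the side effect it creates: the command changes length, so the NAT must also fix up TCP sequence numbers for the rest of the connection.

```python
import ipaddress
import re

# Active-mode FTP: the client tells the server, on the command channel, which
# address and port to connect back to for the data transfer.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (address, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(addr: str, port: int) -> bytes:
    """Encode (address, port) back into the PORT wire format."""
    octets = addr.split(".")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}\r\n".encode()


def reachable_from_internet(addr: str) -> bool:
    """A PORT command carrying an RFC 1918 (or other non-routable) address is
    useless to a server on the outside: it will try to connect back and fail."""
    return not ipaddress.ip_address(addr).is_private


def alg_rewrite(line: bytes, external_ip: str, external_port: int):
    """Minimal FTP ALG as a NAT would have to implement it: replace the private
    address and port in the payload with the mapping the NAT created for it.
    Returns the new command and the byte-length delta. Because the rewrite
    changes the TCP segment length, the NAT must then adjust sequence and
    acknowledgement numbers on every later segment of the control connection."""
    parse_port(line)  # validate before touching it
    new_line = format_port(external_ip, external_port)
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    original = b"PORT 192,168,1,10,4,1\r\n"  # constructed client command
    addr, port = parse_port(original)
    print(addr, port, "reachable from outside:", reachable_from_internet(addr))
    print(alg_rewrite(original, "198.51.100.1", 40000))
```

Every protocol that carries addresses in its payload needs its own ALG of this kind, and the ALG only works for the protocol dialects the vendor anticipated, which is the "Great List of Applications They Have Broken" complaint quoted later in the article.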
That NATs themselves are used as security devices -- in place of firewalls -- led to more problems. It was not a role they were designed to perform.
"I can tell a firewall to get out of the way ... and the application protocols will function as designed and expected. I cannot tell a NAT to do that, but instead must first educate the vendor about the protocol that's being blocked, wait for them to do their market research and/or prioritize the application among their Great List of Applications They Have Broken, and then maybe one day get a patch that actually spoofs the protocol well enough for it to work with a middlebox in the way," Eric Hall wrote.
NATs also have security issues. Since NAT boxes must forward packets from outside IP addresses to internal ones, they must rewrite the addressing information in each packet. "Basically, once you've committed to rewriting the forwarding information in an IP datagram, then it's open season on all manner of horrible opportunities for intermediaries to engage in Internet abuse," wrote James Woodyatt.
Distributed Denial of Service attacks are one such form of abuse. That the IP addresses of the machines inside a NAT network are not identifiable from outside the network has led to DDoS attacks in which the end points cannot be determined, Moore said.
All of these shortcomings have generated little sympathy amongst certain IETF members, Moore being the most vocal critic.
"The NAT vendors are the irresponsible ones. They create a mess out of the network and then expect IETF to clean it up, then claim that IETF is in denial for not doing so. [A]nd of course IETF has tried to do so, more than once, and failed. Not for lack of effort, but because it's simply not possible to fix NAT," Moore wrote.
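Both the opening description of NAT (the box "keeps track of which internal computer ordered which packets") and Moore's attribution complaint come down to one data structure: the translation table. The following is an added example, not code from the article or from any vendor, simulating a port-translating NAT (NAPT) with constructed addresses. It shows the outbound rewrite, the reverse lookup that routes a reply to the right inside host, the drop of an inbound packet that nothing inside asked for (the accidental "firewall" behaviour discussed further on), and the attribution problem: however many inside hosts send traffic, the server on the far end sees a single source address.

```python
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Just the fields a NAT cares about (constructed model, no real headers)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Napt:
    """Port-translating NAT with a per-flow mapping table. Mappings are keyed on
    the full 5-tuple (a 'symmetric' NAT); cone NATs key on (src, sport) only."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        self.outbound_map = {}  # (proto, src, sport, dst, dport) -> external port
        self.inbound_map = {}   # (proto, external port, dst, dport) -> (src, sport)

    def translate_outbound(self, p: Packet) -> Packet:
        """Rewrite source address and port; create a mapping on first sight of a flow."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.outbound_map:
            ext_port = next(self._ports)
            self.outbound_map[key] = ext_port
            self.inbound_map[(p.proto, ext_port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.external_ip, sport=self.outbound_map[key])

    def translate_inbound(self, p: Packet):
        """Reverse-map a reply to the inside host that opened the flow.
        Returns None when no inside host asked for this packet: with no mapping
        the NAT has nowhere to send it, so it is dropped."""
        inner = self.inbound_map.get((p.proto, p.dport, p.src, p.sport))
        if inner is None:
            return None
        src, sport = inner
        return replace(p, dst=src, dport=sport)


def what_the_server_sees(nat: Napt, packets):
    """Set of source addresses a remote server observes for a batch of outbound
    packets: one address, however many inside hosts actually sent them."""
    return {nat.translate_outbound(p).src for p in packets}


if __name__ == "__main__":
    nat = Napt("198.51.100.1")  # constructed external address
    inside = [Packet("192.168.1.10", 51000, "203.0.113.5", 80),
              Packet("192.168.1.11", 51000, "203.0.113.5", 80)]
    print("server sees:", what_the_server_sees(nat, inside))
    out = nat.translate_outbound(inside[1])
    print("reply routed to:", nat.translate_inbound(
        Packet("203.0.113.5", 80, "198.51.100.1", out.sport)))
    print("unsolicited SYN:", nat.translate_inbound(
        Packet("203.0.113.9", 12345, "198.51.100.1", 22)))
```

Note that the two inside hosts chose the same source port; the NAT disambiguates them only by the external port it allocated, and that allocation lives solely in the box's memory. Once the mapping expires or the box reboots, nothing on the outside can tie a flow back to a particular inside machine, which is the forensic gap Moore describes.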
So if NAT sucks so badly, then why is it so widely used? This is the question that haunts IETF.
"The market has clearly decided that IPv4+NAT is the most cost-effective solution to providing them. The IETF really needs to sit and ponder the implications of that," J. Noel Chiappa wrote.
Ronald van der Pol suggested that NATs should be "seen for what they really are, an essential and important part of the Internet infrastructure," adding that "NAT boxes and firewalls play an important and necessary security role."
Perhaps the existence of NATs points to a larger architectural flaw -- maybe the limits of the idea of universal connectivity itself. In the Internet's younger days, all the parties were more or less responsible and so could share resources. Is that the same today?
Other mailing list members pointed out potential problems with the kind of end-to-end connectivity that IPv6 promises. Telemarketing, for instance. Moore asked: if the telemarketers of tomorrow had the same tools spammers work with today, how often would we receive calls on our Internet telephones for product pitches?
Security would be another issue.
"The end machines are simply too vulnerable. Without firewall and service restriction, you'll have your entire network compromised very quickly," wrote Eric Rescorla.
Others suggested continuing to use NATs along with IPv6; certainly it can be done easily enough. But then this raises the question of why IPv6 should be deployed in the first place. If NATs will continue to be used, why should large enterprises bother with the upgrade at all?
That is the chicken-and-egg problem IETF faces, thanks to NAT. NAT may be causing untold problems on the Net, problems IPv6 could go a long way toward solving. But NAT also reduces the drive to implement IPv6 in the first place.
"If the Internet architecture provided i) plenty of addresses, ii) locally allocatable addresses, and iii) the ability change providers easily, there would be *no* NAT boxes," Chiappa wrote.