Internet: Love it or hate it, Network Address Translation will not be going away soon.
It is a common belief that IP addresses are running out. Every device on a network needs to be uniquely identified by its IP address, and the problem is that there are simply not enough IPv4 addresses.
The key advantage of IPv6 is that its addresses are 128 bits in length, as opposed to the 32-bit length of IPv4 addresses. This results in a huge number of IP addresses.
The big question is: are we really running out of IPv4 addresses? If so, IPv6 is certainly a reasonable solution. But thanks to Network Address Translation (Nat), IPv4 addresses are, in fact, far from depleted.
Nat offers the ability to share a single public, globally routable IP address among many internet hosts. This is valuable in the IPv4 world, where public IP addresses are, by necessity, conserved.
Address conservation would not be as necessary if IPv6 were deployed, and this has prompted Nat opponents to champion the adoption of the new protocol. They argue that adopting IPv6 (and eliminating Nat) will make the internet a better and safer place for all of us and enable exciting new technologies. They believe it will usher in the age of the "end-to-end" internet.
But is Nat really such a bad thing? And if it is, why are we so attached to it?
Nat is a technology that some people love to hate. Some dislike it because, early on, it tended to break some applications: in particular, certain gaming, client-server and virtual private network technologies embedded their host's private IP address inside data packets, where Nat translators couldn't find it.
The result was that data from Nat hosts could reach servers, but the applications on those servers could not form a connection with the requestor because they tried to use the host's private address instead of their Nat gateway's public IP address.
But the days of Nat breaking applications have long since gone. Today, applications are written with the assumption that Nat will be used. This means that embedding IP addresses inside data packets - always a violation of networking standards - is now considered a poor coding practice.
Peer-to-peer applications that would have trouble establishing communications if both hosts lay behind Nat use a variety of mechanisms (usually rendezvous servers on the internet) to relay information.
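The three Nat behaviours discussed above (one public address shared by many private hosts, header-only rewriting that leaves an address embedded in the payload stale, and two Nat-ed peers being unable to reach each other without help) can be seen in a toy port-address translator. The following is an added example, not code from the article or from any product it names; the gateway, subnet and server addresses are constructed values from the documentation ranges, and the payload format "CALL-ME-BACK ip:port" is an invented stand-in for the kind of application protocol the article describes.

```python
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "198.51.100.1"   # constructed: the gateway's single public address
SERVER_IP = "203.0.113.9"    # constructed: a server somewhere on the internet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatGateway:
    """Toy port-address translator: one public address shared by a private subnet."""

    def __init__(self, public_ip, private_net, first_port=40000):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.next_port = first_port
        self.out_map = {}   # (private ip, private port) -> public port
        self.in_map = {}    # public port -> (private ip, private port)

    def send_out(self, pkt):
        """Rewrite the source of a packet leaving the private side, creating a mapping if needed."""
        if ipaddress.ip_address(pkt.src_ip) not in self.private_net:
            raise ValueError("packet did not come from the private side")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        # Only the header changes; the payload bytes pass through untouched.
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def receive_in(self, pkt):
        """Rewrite the destination of a packet arriving from the internet; None means dropped."""
        key = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None   # nothing inside asked for this, so there is nowhere to deliver it
        priv_ip, priv_port = key
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def shared_address_demo():
    """Two private hosts reach the same server via one public address and both get their replies."""
    gw = NatGateway(PUBLIC_IP, "10.0.0.0/24")
    out_a = gw.send_out(Packet("10.0.0.5", 5000, SERVER_IP, 80))
    out_b = gw.send_out(Packet("10.0.0.6", 5000, SERVER_IP, 80))
    # The server sees the same source address for both; only the port differs.
    reply_a = gw.receive_in(Packet(SERVER_IP, 80, out_a.src_ip, out_a.src_port))
    reply_b = gw.receive_in(Packet(SERVER_IP, 80, out_b.src_ip, out_b.src_port))
    return (out_a.src_ip, out_b.src_ip, reply_a.dst_ip, reply_b.dst_ip)


def embedded_address_demo():
    """An application that writes its own address into the payload hands the server a private one."""
    gw = NatGateway(PUBLIC_IP, "10.0.0.0/24")
    pkt = Packet("10.0.0.5", 6000, SERVER_IP, 21, payload=b"CALL-ME-BACK 10.0.0.5:6001")
    out = gw.send_out(pkt)
    addr_in_payload = out.payload.split()[1].decode().split(":")[0]
    # The header now says PUBLIC_IP, but the payload still says 10.0.0.5, which is not
    # globally routable, so the server's call-back can never reach the client.
    return out.src_ip, addr_in_payload, ipaddress.ip_address(addr_in_payload).is_global


def unsolicited_inbound_demo():
    """A packet that no inside host asked for matches no mapping and is dropped at the gateway."""
    gw = NatGateway(PUBLIC_IP, "10.0.0.0/24")
    return gw.receive_in(Packet("192.0.2.77", 4444, PUBLIC_IP, 22))


def peer_to_peer_demo():
    """Hosts behind two different gateways cannot open a connection to each other directly."""
    gw_a = NatGateway("198.51.100.1", "10.0.0.0/24")
    gw_b = NatGateway("198.51.100.2", "192.168.1.0/24")
    a_out = gw_a.send_out(Packet("10.0.0.5", 7000, "198.51.100.2", 7000))
    b_out = gw_b.send_out(Packet("192.168.1.9", 7000, "198.51.100.1", 7000))
    # Each packet reaches the far gateway addressed to a port that has no mapping yet.
    return gw_b.receive_in(a_out), gw_a.receive_in(b_out)
```

The last function is the situation a rendezvous server exists to solve: neither peer can learn the other's mapped public port on its own. The `unsolicited_inbound_demo` result is the same mechanism the article later leans on when it calls Nat a poor man's firewall; a real translator also ages mappings out, which this toy omits.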
So why is Nat vilified by some? The answer is that application developers do not enjoy implementing these sometimes complex Nat workarounds. Their employers would prefer that they didn't have to deploy rendezvous servers or spend time on coding Nat traversal routines.
Microsoft, in particular, is a vocal critic of Nat, largely because of its Xbox gaming platform. Most Xbox consoles are network-connected to enable users to take part in multiplayer games. Because most home users employ Nat to allow the connection of multiple hosts while using a single public IP address, most Xbox units are behind Nat.
This makes coding multiplayer games for the Xbox more difficult and costs Microsoft money. For one thing, developer time is not free. For another, game developers such as Microsoft typically need to deploy rendezvous servers to allow Nat gamers to "meet" and establish games rather than simply proceeding in a fully peer-to-peer manner.
Microsoft is not the only developer with this view. Many peer-to-peer applications are emerging, and their development and implementation are invariably complicated by the prevalence of Nat. These applications include instant messaging, file sharing and collaboration applications. Their developers speak wistfully of an end-to-end internet, a network without Nat. To them, it would be a better internet.
If Nat is an evil for some, it is an absolute necessity for others. Leaving aside the issue of helping to conserve address space, one must examine the other primary driver for Nat deployment - security.
Nat helps to obscure the interior of a private network, making network scanning difficult, and it functions as a poor man's firewall. Nat opponents claim that a properly designed and implemented stateful firewall will serve the same purpose.
This may be true, but Nat has significant advantages over firewalls, including ease of implementation, low cost, and essentially foolproof operation.
Most consumers with home routers have deployed Nat without even needing to be aware of its existence. Such things cannot be said for any high-quality firewall.
Ironically, Microsoft, one of Nat's greatest opponents (and therefore an IPv6 proponent), is the primary reason Nat is necessary. The Windows operating system is fertile soil for hackers.
Numerous experiments have shown that an internet-connected but unprotected Windows workstation will not last long against regular port scans and penetration attempts. The simple expedient of placing a Windows PC behind a Nat router changes the equation considerably, giving even unsecured Windows PCs an environment in which they can operate safely.
As long as Windows is the primary operating system for internet-connected hosts (a condition that is unlikely to change any time soon), Nat will be an important part of most users' security perimeters.
Peer-to-peer application developers will continue to write Nat traversal code, and their companies will deploy rendezvous servers, just as they have been doing.
If this is an evil, then it is a small one compared to the idea of an internet without Nat. Bowing to this reality, the Internet Engineering Task Force (IETF) has set aside a series of private IPv6 addresses, known as Unique Local IPv6 Unicast Addresses, whose intended application is obviously Nat (IETF RFC 4193).
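RFC 4193 does more than set the fc00::/7 range aside: it specifies how a site derives its own /48 prefix, by hashing a 64-bit NTP timestamp concatenated with an EUI-64 identifier and keeping the low 40 bits of the SHA-1 digest as the Global ID, with the L bit set so that prefixes fall under fd00::/8. The added example below (not code from the article or the IETF) implements that derivation and a classifier that distinguishes unique local, RFC 1918 private and other addresses; the MAC address and timestamp it is fed are constructed sample values.

```python
import hashlib
import ipaddress
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds between 1900-01-01 and 1970-01-01
ULA_RANGE = ipaddress.ip_network("fc00::/7")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction of a second."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * (1 << 32))
    return struct.pack(">II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def eui64_from_mac(mac):
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit and insert ff:fe in the middle."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def ula_prefix(mac, unix_seconds):
    """Derive a unique local /48 following RFC 4193 section 3.2.2."""
    key = ntp_timestamp(unix_seconds) + eui64_from_mac(mac)
    global_id = hashlib.sha1(key).digest()[-5:]        # least significant 40 bits
    packed = b"\xfd" + global_id + bytes(10)           # fc00::/7 with L=1, then Global ID
    return ipaddress.IPv6Network((packed, 48))


def classify(addr):
    """Label an address as unique local, RFC 1918 private, or something else."""
    a = ipaddress.ip_address(addr)
    if a.version == 6 and a in ULA_RANGE:
        return "unique local (RFC 4193)"
    if a.version == 4 and any(a in net for net in RFC1918):
        return "private (RFC 1918)"
    return "other"


if __name__ == "__main__":
    # Constructed inputs; a real generator uses the host's own MAC and the current time.
    prefix = ula_prefix("00:11:22:33:44:55", 1_700_000_000.25)
    print(prefix, classify(prefix.network_address))
```

The point of hashing a timestamp and a hardware identifier rather than picking a memorable prefix by hand is that two sites chosen this way are very unlikely to collide when their networks are later joined or tunnelled together; hand-picked prefixes such as fd00::/48 tend to collide exactly when a merger or VPN makes the collision painful.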
It was clear to the IETF that Nat is not going away soon, and that the lack of Nat was a disincentive to IPv6 deployment, rather than a benefit.
The application developers who complained the loudest about Nat are a small proportion of internet users, and their voices are clearly drowned out by those with valid concerns about internet security.
The elimination of Nat is not a reason to move to IPv6 - that elimination is neither desirable nor mandated in IPv6 as currently specified.
Nat is far from an unmitigated evil, even though some like to portray it that way. In fact, it is a significant contributor to many network security solutions.
Daniel Golding is a senior analyst at Burton Group