A View From The Ivory Tower: What’s Wrong With NAT?
Categories: Rants, Technology | January 30th, 2010 | by breandan | no commentsI have long espoused a theory about network design that gets me laughed at, especially in smaller organizations. This theory is that Network Address Translation, or NAT, is a fundamentally broken technology and it makes everyone on the Internet suffer. A lot of people think I’m crazy – NAT is the tool that allows a house with cable modem to have more than one computer online at a time. In short, NAT takes the single, public IP address given to you by your ISP, and hides any number of computers behind it. It assigns IP addresses from one of the three ‘private’ address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) to each computer, and everything works as expected.
The problem is that this breaks one of the original visions of the Internet – where everyone is an equal consumer and producer. Wasn’t the Internet supposed to set us free? Decentralize communication, so the flow of information was between peers, and not coming from The One Blessed Source? NAT makes that impossible, as it is a single-direction filter. A computer behind a NAT isn’t accessible from the rest of the Internet at large. It makes huge chunks of computers act only as consumers of media. This, coupled with the fact that most Internet connections are optimized for downloads and severely limited for uploads makes publishing content on the Internet even more costly to the end user. It limits connections, freedoms and slowly moves the whole Internet back into the control of the people at the top. The whole point of the Internet was the lack of “someone” at the top – it was designed for communications after nuclear attacks, after all – but we’re moving steadily in that direction.
To compound matters, many companies use NAT for ‘security’. The idea is that most users aren’t aware of how to safely run servers, so if they are hidden behind a NAT, they simply can’t. (The people who say NAT makes things secure in other ways is selling something – most likely network security equipment.) The job of network security really should be left to things like perimeter firewalls, intrusion detection/prevention devices, and hardened servers and hosts. This includes running anti-virus software on platforms that need it, and possibly on those that don’t, as well as turning off sharing services that aren’t being used, and enabling host-based firewalls. That is a real security policy. NAT isn’t.
The real problem, the one NAT is actually solving these days, is the shortage of IPv4 addresses. When TCP/IP was released on the world in 1980, there were thousands of hosts on the Internet, so the address space of just over 4 billion IP addresses seemed rather large enough. Hundreds of millions of addresses were set aside for private networks and special research projects. The network address that is reserved for each computer to talk to itself, called the loopback, is often referred to by the first address in the network: 127.0.0.1. A lot of system administrators don’t know that the rest of that network – 16 million addresses – are also set aside in this network, never to be used for any kind of real purpose.
Now, 30 years after IPv4 was adopted, the Internet is coming close to running out of addresses. Current estimates suggest the address space will be fully assigned by the middle of 2011. It doesn’t mean the internet is going to stop working, just that it will be harder and harder to get IPv4 addresses that can be seen anywhere else in the world. As more and more houses get always-on internet connections, and more businesses wire themselves to the internet, it will be harder to get access to the public Internet. A lot of people address this shortage with NAT, but the real solution is IPv6 addressing, which has been in the works for over 12 years. It provides 3.4×10^38 addresses – which (at this point) should hold us for quite some time.
