Sydney Staff SRE or something.

IPv4 and NAT, the future

· by Robert Mibus · Read in about 3 min · (438 Words)

A discussion came up during lunch at the IPv6 Roadshow… is NAT robust and well understood?

Since this is kind-of an opinion piece, I’m not going to cite evidence; it’s just random experience and anecdote that (to me) makes a lot of sense.

NAT is robust: NAT, for the sake of NAT - sure, maybe it’s robust (or “robust enough”). But even if you argue that NAT itself is robust, it in turn breaks a host of other things. Off the top of my head, some examples are:

IP Reputation: Any sizable NAT endpoint (like 3G carriers) has a rubbish IP Reputation. Want to send mail directly to the internet, instead your 3G provider’s server? Simply not going to work reliably.

Rate limiting: Any thing that rate-limits by IP (say, to block obvious DoS attacks) is going to get triggered by heavy use from a NAT. Similar for things that limit the number of simultaneous connections by IP.

ALGs: ALGs in CPE are a crufty workaround that just as often as not, break the protocol they’re trying to fix. (Like rewriting SIP packets and messing things up). Likewise

Any P2P technology (Torrent, Skype, etc): If you don’t have a public IP just for yourself, these are either going to not work, or they’re going to increase in latency compared to the ideal. The common ways of making this stuff work (port forwarding, UPnP IGD) just isn’t likely to be supported at the carrier level (IMHO). More dependencies of routing through third-party servers, and more off-net traffic for carriers. There is a thing called PCP that may allow port forwarding in a CGNAT world, but I’m not holding my breath.

Timeouts: If your carrier going forwards needs to maintain a NAT entry for every connection, they’re going to have to time it out at some point. You’re going to be absolutely forced to use keepalives in every protocol that you don’t want summarily disconnected. And I hope those NAT tables are replicated to other gateways for if they fail…

Summary: There are challenges with this stuff in IPv6 - eg. you don’t want each /128 to have its own reputation - but the sort of wide-scale NAT that the future may hold is going to really mess up a lot of things and make them worse… but only over IPv4.

But it’s well understood - Actually, I’d also disagree that NAT is all that “well understood” - amongst sysadmins, do we all understand the different types of NAT (symmetric, full-cone; 1:1/1:N, NAT+PAT vs just NAT, etc) and the implications of each of those on every end-user applications we support?