
An Opinion in Defence of NATs - fanf2
http://www.potaroo.net/ispcol/2017-09/natdefence.html
======
silotis
> the applications that they value, appear to operate perfectly well in a
> NATed environment

The key word here is "appear". There are two main factors which maintain this
appearance:

1. Any technology which does not play well with NAT is guaranteed to be DOA
with respect to the consumer market, so few resources get spent on them. This
is a classic chicken and egg problem.

2. A tremendous ongoing effort by network device and application developers
to implement whatever kludges are necessary to keep their products working
with NAT.

Both of these costs are largely hidden from consumers, so of course there is
little outcry about them. That doesn't mean the world wouldn't be much better
off if NAT went away.

~~~
drzaiusapelord
Or worse, NAT unfriendly technologies end up adopted but bring in technical
issues constantly. Look at how many SIP or VOIP forum questions end up with
hard to diagnose issues eventually being found out to be NAT issues. Or the
firewall rules to get 'simple' FTP to work in a NAT environment, even with
passive mode. Or just how much time is wasted in general wrestling NAT.

~~~
gerdesj
Welcome to my world mate. However, I happily have recipes that will make all
of those things work - IPv4 and IPv6.

However, as you say - a lot of time was lost making things work that should
not be too tricky.

------
yorwba
I guess what I don't like about NATs is the mandatory enforcement in consumer
networks because ISPs still only hand out one IP.

There's something wrong with the internet when two devices that want to talk
to each other need to trick the NAT with a hole-punching server before they
can communicate.

~~~
SadWebDeveloper
> There's something wrong with the internet...

When you need a 3rd-party provider to "get in" the internet. FTFY.

~~~
alethiophile
How would it ever work any other way?

Someone needs to run the trunk lines, and you will always need to talk to
these people to get yourself connected.

------
pc2g4d
So NAT is virtuous because it (in effect) expands the address space and makes
address assignment (partly) dynamic (because the above-32-bit address
components are assigned at connection time).

But I think the article is ignorant of the real problems that NAT traversal
cause in many situations. Yes, we have a system that largely works. But that
in itself doesn't prove the current system is equivalent to the IPv6
alternative. In fact, there are good reasons to believe an IPv6 world will
make the Internet significantly more dynamic and peer-to-peer friendly.

~~~
gerdesj
Try putting in multiple internet connections each with its own IPv6 space! I
have five at work but cannot really afford PI addressing (say £3000 per year)
and certainly would not be able to get the four FTTC (VDSL) ISPs to route it.
I also have a 100Mb leased line with yet another /56 prefix. That's five of
the bloody things. Each PC/server/printer/whatever now has at least five
globally unique IPv6 addresses. Now most of those devices also want to do
various versions of each prefix - an algorithmically derived one based on MAC
address, a randomish one (for privacy), etc. Add in link local and perhaps a
few DHCPv6 addresses for good measure and it rapidly gets quite complicated.

Now how does that lot get to and from the internet? For a PC to get to a web
server it has to use the correct "local" address to get to the other end via
the relevant ISP connection. However the PC can't know which internet
connections are working without some form of routing protocol telling it what
is going on upstream. So all my PCs, servers, printers and even IP cameras
need to be routers rather than simply having a default gateway!

As you can probably guess, that is not what I will actually do when I flick
the IPv6 switch for real at work (home has been dual stack with one link for
several years now).

My current plan is ULA (a bit like IPv4 RFC 1918 - 192.168., 172.16. 10.) with
Network Prefix Translation. That way my DNS servers, AD DCs (I think of those
merely as KDCs but apparently they do other jobs) and other handy things won't
renumber themselves every time a link goes down. The real joy of all this is
I'll also get to manage _two_ lots of firewall rules per VLAN. Can you imagine
how busy a DNS server would get in the event of a flapping internet connection
if it had to do dynamic DNS updates?

Don't get hung up over NAT, the world of fully tooled up IPv6 is going to be
far more "interesting", especially when you are not a big institution with a
huge budget but want a bit more connectivity than one ISP connection provides.

~~~
magila
With five upstream providers you're at the point where you _really_ should
have a proper router with its own address block in front of your network.

To put it bluntly, people like you are the reason why the IETF resisted
standardizing any form of NAT for IPv6. They know that if there's a half-assed
solution to a problem which makes the immediate pain go away but imposes
negative externalities on the network as a whole, lots of people are going to
take it.

~~~
gerdesj
I actually have two routers with CARP (Dell R320s with 10 NICs) but I don't
have an unlimited budget. That is where the real problem lies: the cost of PI.

However PI implies an additional internet routing entry (BGP) and of course
that implies routing fragmentation. One of the goals of IPv6 was routing
simplicity.

To reply, rather bluntly, to _people like you_, I am a sysadmin and a business
owner who does not have an unlimited budget. I almost certainly have more
experience with IPv6 than you, judging by your remarks. I am not combative by
nature but please tell me what is the most effective way in your opinion of
making best use of IPv6 with multiple links to the internet.

~~~
magila
If you think PI is too expensive, that is an issue between you and your
service providers. As a developer of network applications, I have no interest
in subsidizing your network management by going through the trouble of
supporting NAT or NPTv6.

Yes, if everyone used PI it would bloat the routing table, but the vast
majority of businesses have no good reason to use PI. Having five providers
makes you a special case, one where PI is clearly justified.

~~~
yardstick
What about a small business with Fibre, and a cellular backup? Both IPv6. How
do I ensure my PCs only use the Fibre link until it's not working, and only
then use Cellular? Right now that just works out of the box with IPv4 and NAT.

IPv6 also makes it difficult to plug and play new devices and install new
networks. Example: The business needs to separate their Office PCs and their
payment terminals (PCI DSS). Easiest way is to plug a firewall behind the
existing LAN, and hang the terminals off the new firewall. You can't do that
with IPv6 without the original router supporting DHCP6-PD, which it likely
won't; or the ISP hasn't routed a large enough subnet to it to delegate
smaller chunks. This is a mom and pop business that knows next to nothing
about IT and shouldn't be penalised for that.

In an ideal world where everyone has full knowledge of their systems and
networks and can work with their providers to precisely accommodate their
networking needs, IPv6 would work. I don't believe with the limited time,
resources, and money we have that it is possible.

Ultimately it's down to who caves in first. If the ideal solution requires
£$€3000/yr more than another solution, and the other solution solves all the
issues the business cares about, why would they spend the money to remove NAT?

------
djrogers
FTA: "More address bits? Well perhaps not all that much. The space created by
NATs operates from within a 96-bit vector of address and port components, and
the usable space may well approach the equivalent of a 50-bit conventional
address architecture. On the other hand, the IPv6 address architecture has
stripped off some 64 bits for an interface identifier and conventionally uses
a further 16 bits as a site identifier. The resulting space is of the order of
52 bits. It’s not clear that the two pools of address tokens are all that much
different in size."

Well, if you want to ignore the fact that IPv6 can utilize the same port
combinations as IPv4, then your math works. If you actually compare apples to
apples though, it's fundamentally flawed.

That said, I happen to be a fan of NAT - just not for the reasons outlined
here.

~~~
sp332
IPv6 doesn't officially support NAT, so it's a stretch to include the port
numbers as host identifiers the way IPv4 NAT can.

~~~
gerdesj
Not sure what you are on about. IPv6 has Unique Local Addressing (RFC 4193)
and Network Prefix Translation (RFC 6296). Care to guess what those do when
combined?

Now given that the smallest subnet in IPv6 is /64 then you are unlikely to
need to bother with port mapping as well. I will grant you that putting 65000
odd IPs on a system may not be the most efficient way of doing things. Anyway
at least you get a choice in the matter. Many problems with, for example, VoIP
are fixed with symmetric NAT which falls out of this scheme right away.

My problem with IPv6 is how you get "tied" to your initial ISP in an intimate
way due to getting all your IP addressing from them. SLAAC does go a long way
to fix this but it is a little like ISP assigned email addresses stopping
people from moving away.

Also, consider what happens when you have multiple internet connections
perhaps for redundancy/backup. You actually need NPT to get that to work in
any meaningful way unless you pay for private address space and take a deep
dive into BGP etc.

~~~
sp332
With IPv4 you can have a load-balancing NAT where requests are routed
round-robin to different servers, and all the servers respond directly to the client
using the same source IP without going through the router. I don't really see
how those RFCs make that possible.

~~~
gerdesj
No, that is a proxy of some sort. HA Proxy, Squid, nginx, Apache et al. for the
application layer. IPv6 can do exactly the same - it's actually nothing to do
with the IP stack (or even IP - you could use IPX/SPX or whatever).

At a lower layer, you can get a similar effect with VRRP/CARP. For example I
have two pfSense (FreeBSD) routers at work that present an additional set of
"virtual" IPs in a master/slave HA setup. I can reboot or power off either of
them and the virtual addresses will move to the other if needed, along with
all state entries - handy for system updates without loss of service.

I also have a couple of HA Proxy systems that are NATed through those virtual
addresses. Those proxies have multiple backends that actually serve content.

So: 1 IP -> two firewall/routers -> two HA proxies -> many app servers.

I can take out any one bit of each stage and still maintain service. Actually
it's a bit more complex than that due to virtualisation.

If I only had one internet connection then that would be fine but I have five.

I think I've given a flavour here and in other comments I've left around here
that IPv6 isn't too hard and doing away with NAT is actually a good thing but
IPv6 is seriously rubbish when it comes to multi-link (ISP) and rapidly
becomes seriously hard and that actually a form of NAT in the form of ULA and
NPT is the "fix". ULA is analogous to say 192.168.0 and NPT makes one IPv6
prefix map to another one (which could include ULA) - that's NAT by another
name. You also have port mapping as well - just like IPv4 NAT.

I could buy what's known as PI address space at something like £3000 per year
and get that routed instead - I would then have multiple links for redundancy
but not for bandwidth utilisation and besides I would not get my four FTTC
(VDSL) providers to do it anyway.

IPv6 does not address the whole internet connectivity thing across the whole
stack - it is only concerned with logical addressing at one point and fixes
only a few problems. It does fix address exhaustion very nicely despite what
armchair commentators state. It will fix the rapid proliferation of routing
table entries on the global internet, except that PI addresses will screw that
up royally. It does do away with NAT, which really is a good thing. Except
multi link screws that up. SLAAC makes setting up a network really easy.
Except multi link screws that up. DHCPv6 - the darling of "enterprise" anally
retentives that don't get it will probably screw something else up.

Recently I decided to put a Lets Encrypt cert on my laptop. Now I do have a
block of eight IPv4 addresses at home but all of them (the six usable) were
already mapped on port 80 and 443/tcp to various things. I put in a AAAA
record on my DNS server (and an inbound firewall rule) and got a cert. Most
people have a single static IPv4 if they are lucky or a dynamic one which will
change (OK - dynamic DNS). However, if you have IPv6 at the ISP, you will
normally get the same prefix. At worst you get a /64, better a /56, and the
intended allowance of all was /48. At worst you have billions of globally
routable addresses.

Security risk being globally routable? Meh! Every single home router I know of
(IPv4 and/or 6) defaults to deny inbound. They all have a firewall that
applies that policy. NAT is not a firewall and it does not give you any real,
tangible, additional security. Actually, many consumer router/firewalls try to
be helpful by providing UPnP support enabled out of the box - to make your
gaming/music streaming/whatever experience easy.

Hmmm, I'm really starting to waffle here - sorry - but I think if you have got
this far, you might have an idea that NAT is the least of your worries.
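
The ULA plus Network Prefix Translation scheme mentioned in this comment and earlier in the thread (RFC 4193 addresses inside, RFC 6296 NPTv6 at the edge) is easy to misread as "ordinary NAT on IPv6". The defining property of NPTv6 is that the mapping is checksum-neutral: the prefix is swapped and one 16-bit word is adjusted so that the one's-complement sum of the address does not change, which is why TCP/UDP checksums survive without the translator rewriting them. The following Python is an added example, not code from the thread or from any router; it implements that mapping for prefixes of /48 or shorter, uses constructed prefixes (fd00:1234:abcd::/48 as the ULA, 2001:db8:1::/48 standing in for an ISP-delegated /48), and folds an adjusted word of 0xFFFF to 0x0000, which is my understanding of how the Linux netfilter NPT code treats that corner case.

```python
import ipaddress


def _fold16(x: int) -> int:
    """Fold an integer to 16 bits with end-around carry (one's-complement sum)."""
    while x >> 16:
        x = (x & 0xFFFF) + (x >> 16)
    return x


def _words(addr: str) -> list:
    """The eight 16-bit words of an IPv6 address, as integers."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words) -> str:
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words)))


def address_checksum(addr: str) -> int:
    """One's-complement sum of the address words. 0xFFFF and 0x0000 are both
    'zero' in this arithmetic, so normalise with % 0xFFFF to compare them equal."""
    return _fold16(sum(_words(addr))) % 0xFFFF


def npt_translate(addr: str, from_net: str, to_net: str) -> str:
    """Map addr from from_net into to_net, RFC 6296 style (equal prefix lengths,
    /48 or shorter). The prefix bits are replaced and the subnet word (bits
    48-63) is adjusted so the one's-complement sum of the address is unchanged."""
    src = ipaddress.IPv6Network(from_net)
    dst = ipaddress.IPv6Network(to_net)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("this example handles equal prefix lengths of /48 or shorter")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    rewritten = (int(dst.network_address) & ~host_mask) | (int(ip) & host_mask)
    old = _words(addr)
    new = _words(str(ipaddress.IPv6Address(rewritten)))
    # adjustment = sum(old words 0..2) - sum(new words 0..2) in one's complement;
    # subtracting new_sum is the same as adding (0xFFFF - new_sum).
    old_sum = _fold16(sum(old[:3]))
    new_sum = _fold16(sum(new[:3]))
    adjusted = _fold16(old[3] + old_sum + (0xFFFF - new_sum))
    # 0xFFFF is the alternative encoding of zero; store it as 0x0000
    # (assumption: same convention as the Linux netfilter NPT implementation).
    new[3] = 0 if adjusted == 0xFFFF else adjusted
    return _from_words(new)


INSIDE_PREFIX = "fd00:1234:abcd::/48"   # constructed ULA prefix for the LAN
OUTSIDE_PREFIX = "2001:db8:1::/48"      # constructed stand-in for an ISP-delegated /48


def demo():
    """Translate a LAN host outwards and back again; returns (inside, outside, back)."""
    inside = "fd00:1234:abcd:1::10"
    outside = npt_translate(inside, INSIDE_PREFIX, OUTSIDE_PREFIX)
    back = npt_translate(outside, OUTSIDE_PREFIX, INSIDE_PREFIX)
    return inside, outside, back


if __name__ == "__main__":
    i, o, b = demo()
    print(f"{i} -> {o} -> {b}")
    print("checksum neutral:", address_checksum(i) == address_checksum(o))
```

Note what the subnet word does: the inside host sits in subnet 1, but on the outside it appears in subnet 0x8d49, because that word absorbs the difference between the two prefix sums. With several upstream prefixes you run one such mapping per link, each of which is stateless and reversible, which is exactly why it does not need the per-flow table that IPv4 NAT keeps.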

------
jschwartzi
Well, this starts to break down when you consider that NAT means that an
individual subscriber may only be able to open one connection at any one time.

~~~
shimon
How does NAT create this limitation? Maybe I'm confused by your use of
"connection" here but a device behind NAT can handle multiple connections just
fine, and the common techniques for poking through NAT are not limited to a
single connection either.

~~~
gerdesj
Try running two web servers behind a single IP address.

For example you want to run your own email system with webmail and Nextcloud
for file synchronisation. You want to secure them both with TLS. You have a
single static IPv4 address (if you are lucky, otherwise you have to use a
dynamic DNS service).

So you have two things that both want to use 443/tcp on the same "external" IP
address.

Options:

* Put one of them on a non-standard port, e.g. 8443 - rubbish but works (unless the app assumes and enforces 443 - some do)

* Put in a proxy, e.g. HA Proxy - cool! It can be used to fix up TLS crapness and get you that A+ score on the SSL labs test but it can be tricky to set up

* Get more IPv4 address space - RLY (for most of the world)?

* IPv6 - generally statically assigned and you have billions of globally routable addresses to play with

NAT creates a limitation inbound - in general outbound is fine unless you want
to use SIP n RTP or FTP, in which case you may have to become a network
engineer unless your router's ALGs work out of the box, if it has them, if
they work correctly, if they don't actually break things. NAT adds a lot of
complexity but it has become the norm.
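
The proxy option above works because the client names the site it wants in the TLS Server Name Indication extension of its ClientHello, which is sent in the clear before any key exchange, so a proxy on the single public address can pick the inside host per connection without terminating TLS itself (HAProxy's tcp-mode `req.ssl_sni` does this). The parser below is an added example, not code from the thread or from HAProxy: it builds a minimal ClientHello as constructed sample input, extracts the SNI name defensively (truncated or non-TLS data yields None rather than a guess), and maps the name to a constructed backend table of hypothetical inside addresses.

```python
import struct

# Constructed routing table: hypothetical names and inside addresses.
BACKENDS = {
    "mail.example.net":  ("192.168.1.10", 443),   # webmail
    "cloud.example.net": ("192.168.1.11", 443),   # Nextcloud
}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension
    (sample input for the parser below, not a real client's output)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32        # client_version, random
            + b"\x00"                          # empty session_id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # null compression
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None when the bytes are
    not a complete, well-formed ClientHello that carries an SNI extension."""
    if len(record) < 5 or record[0] != 0x16:                 # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                         # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                                   # truncated: refuse to guess
        return None
    pos = 2 + 32                                             # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                     # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                     # compression_methods
    if pos + 2 > len(body):
        return None                                          # no extensions block
    ext_end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000 or len(data) < 5:              # 0x0000 = server_name
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        names, i = data[2:2 + list_len], 0
        while i + 3 <= len(names):
            name_type = names[i]
            name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
            name = names[i + 3:i + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
            i += 3 + name_len
    return None


def choose_backend(first_bytes: bytes):
    """Pick the inside (address, port) for a new connection from its first bytes;
    None means close it (unknown name, no SNI, or not TLS at all)."""
    name = extract_sni(first_bytes)
    return BACKENDS.get(name.lower()) if name else None


if __name__ == "__main__":
    for host in ("mail.example.net", "cloud.example.net", "other.example.net"):
        print(host, "->", choose_backend(build_client_hello(host)))
```

The defensive parsing matters on a box that sits on the one public address: everything from internet scanners to plain-HTTP clients will hit port 443, and a proxy that guesses a backend for malformed input turns a routing decision into an exposure of whichever inside host it picks.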

------
SadWebDeveloper
Imagine the day everyone has an IPv6 and NAT has disappeared from the map...
that day will be like hacking in the 90's, like MS03-026 days or even worse,
it will definitely be a disaster waiting to happen for the network engineers
and CISOs worldwide.

~~~
solotronics
Not sure if that's true, it's hard to find things on IPv6 currently. Is there
any practical way to scan IPv6 ranges? It's so large you can't really nmap scan
around.

~~~
SadWebDeveloper
[https://news.ycombinator.com/item?id=8804629](https://news.ycombinator.com/item?id=8804629)

There is no tool yet available but with IPv6 numbers going up it's just a
matter of time before it becomes a necessity.

~~~
gerdesj
IPv6 is not IPv4 (FFS.) Read up on multicast.

Do you actually have any experience of IPv6?

~~~
SadWebDeveloper
Do you actually have any experience scanning for devices on the internet? Or
have a proper argument rather than "learn multicast"?... So many salty
net-engies on the internet. IPv6 will bring an era of chaos with every "IoT
device" not being well configured and allowing external access or not having a
firewall built-in.

------
nikanj
More than once, I've fixed connectivity problems by disabling IPv6. Never have
I ever fixed connectivity problems by enabling IPv6. I wonder if this will
ever change.

~~~
solotronics
Routinely, as a network engineer, if a network device is offline on IPv4 we can
access it via IPv6 before trying out of band.

~~~
gerdesj
I'm with you mate.

However, disabling something that you don't understand and is enabled by
default on a system for which it probably won't work fully anyway isn't too bad
an approach.

That said, I will be using IPv6 to route around the sheer naffness of
192.168.0|1 at customer sites. Quite a few businesses have a networking
legacy, shall we say. I currently use OpenVPN and a 1:1 NAT (see
[https://doc.pfsense.org/index.php/OpenVPN_NAT_subnets_with_s...](https://doc.pfsense.org/index.php/OpenVPN_NAT_subnets_with_same_IP_range))
With IPv6 and a little DNS work I can make routing work again - smashing!

------
squozzer
I think what makes NATs a bit heterodox to internet ethos is that they insert
an element of hierarchy to a concept that was originally preached as
egalitarian.

So do routers, but the extent of their manipulation is merely to ensure a
packet reaches its desired destination. NATs act more aggressively.

~~~
rconti
But isn't a centrally-dictated RFC on IPv6 returning us to the
dare-I-say-hierarchical days of IP address allocation also a problem? As TFA
points out, CIDR+NAT has decoupled true endpoints from hierarchy, and its
adoption was ad-hoc and cooperative ('egalitarian') rather than dictated.

~~~
wmf
Wait, so having fewer IPs than devices is freedom and having more IPs than
devices is a form of oppression? I'm so confused.

~~~
topspin
freedom vs oppression.......

That is the sort of mentality that has always toxified this whole matter. This
is an engineering issue. NAT wasn't created to enslave anyone.

The author isn't arguing in favor of NAT. Only that NAT is much more than an
address scarcity kludge and is actually an expression of real requirements
that neither IPv4 nor IPv6 can address well sans NAT. The concept of a fixed,
routable, global address number is possibly naive considering mobile hosts,
privacy, multi-homing, security and other issues. Maximum liberty may be to
decouple routing from any particular routing number scheme.

It's impossible to discuss any of this rationally; the anti-NAT camp has its
dogma and can't be engaged. Two decades of this myopia headed into three...

------
lend000
Imagine our current issues with poorly secured devices connected to the
internet (with default creds, for example), and then compare that with all of
the embedded devices secured behind a NAT. It's an important security layer.

~~~
yorwba
You don't need a NAT for that, it's a job for a firewall. You could have each
poorly secured device with its own IP, but still not reachable from the
outside.

~~~
kikoreis
Except NAT is dead simple, and requires basically zero configuration of the
CPE from the end-user perspective. Yeah, it complicates (though seldom
completely breaks) a host of important applications, but it's hard to think
you could replace it with a firewall with an off the shelf configuration and
have it work any better.

~~~
ktRolster
It's not dead simple, it just seems that way because the router already comes
configured for it. If you had a router already configured with a default
firewall, that would seem dead simple, too.

~~~
hueving
If it comes pre-configured with the same behavior as NAT (no unsolicited
ingress), what does that really solve over using NAT?

~~~
Avernar
When you get multiple devices that require the same inbound ports (game
consoles are a good example) you can open the same port for each device.
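
An added illustration of the two points made in this sub-thread and in gerdesj's "NAT is not a firewall" comment above (not part of any comment here): a default-deny stateful filter on a routed network gives the same protection NAT is credited with, and because every device keeps its own address, two hosts can each accept inbound traffic on the same port, whereas a port-overloading NAT can forward a given external port to only one inside host. The Python below is a toy model written for this thread, not any router's implementation; the addresses, hosts and traffic are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" (arriving from the internet) or "out" (leaving the LAN)


class StatefulFirewall:
    """Default-deny inbound filter for a routed (no-NAT) network: replies to
    flows the LAN opened are accepted, plus explicit (address, port) allows."""

    def __init__(self, allow_inbound=()):
        self.allow = set(allow_inbound)
        self.flows = set()                      # (local, lport, remote, rport)

    def handle(self, p: Packet) -> str:
        if p.direction == "out":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:   # reply to a LAN-initiated flow
            return "ACCEPT"
        if (p.dst, p.dport) in self.allow:                    # explicit inbound allow
            return "ACCEPT"
        return "DROP"


class Nat44:
    """Port-overloading IPv4 NAT with one public address. Inbound packets reach
    an inside host only through a translation entry or a static port forward;
    anything else simply has no inside destination, which is all the 'security'
    NAT provides."""

    def __init__(self, public: str):
        self.public = public
        self.forwards = {}      # ext_port -> (inside, port); one host per port
        self.out_map = {}       # (inside, iport, remote, rport) -> ext_port
        self.table = {}         # (ext_port, remote, rport) -> (inside, iport)
        self.next_port = 40000

    def add_forward(self, ext_port: int, inside: str, port: int):
        if ext_port in self.forwards:
            raise ValueError(f"port {ext_port} already forwarded to {self.forwards[ext_port][0]}")
        self.forwards[ext_port] = (inside, port)

    def handle(self, p: Packet):
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            ext = self.out_map.get(key)
            if ext is None:                                  # new flow: allocate a port
                ext = self.next_port
                self.next_port += 1
                self.out_map[key] = ext
                self.table[(ext, p.dst, p.dport)] = (p.src, p.sport)
            return "ACCEPT", Packet(self.public, ext, p.dst, p.dport, "out")
        inside = self.table.get((p.dport, p.src, p.sport)) or self.forwards.get(p.dport)
        if inside is None:
            return "DROP", None
        return "ACCEPT", Packet(p.src, p.sport, inside[0], inside[1], "in")


def demo() -> dict:
    """Two consoles that both need inbound port 3074, plus a printer (constructed)."""
    v6 = StatefulFirewall(allow_inbound=[("2001:db8::a", 3074), ("2001:db8::b", 3074)])
    remote = "2001:db8:ffff::1"
    r = {
        "v6 unsolicited to console A": v6.handle(Packet(remote, 50000, "2001:db8::a", 3074, "in")),
        "v6 unsolicited to console B": v6.handle(Packet(remote, 50000, "2001:db8::b", 3074, "in")),
        "v6 unsolicited to printer": v6.handle(Packet(remote, 50000, "2001:db8::c", 9100, "in")),
    }
    v6.handle(Packet("2001:db8::c", 51234, "2001:db8:ffff::53", 443, "out"))
    r["v6 reply to printer's own flow"] = v6.handle(
        Packet("2001:db8:ffff::53", 443, "2001:db8::c", 51234, "in"))

    nat = Nat44("203.0.113.5")
    nat.add_forward(3074, "192.168.1.10", 3074)
    try:
        nat.add_forward(3074, "192.168.1.11", 3074)
        r["nat second console on 3074"] = "ACCEPT"
    except ValueError:
        r["nat second console on 3074"] = "CONFLICT"
    r["nat unsolicited to printer"] = nat.handle(
        Packet("198.51.100.7", 50000, "203.0.113.5", 9100, "in"))[0]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes the equivalence visible: the firewall's `flows` set is the same conntrack state the NAT keeps in `table`, and the one difference in behaviour is the per-host allow rule, which the NAT cannot express once two hosts want the same external port.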

