NATs are Evil But Inevitable
BhutanNOG / Thimphu 2017.06.05 NAT
Network Address Translator
2017.06.05 bhutan nats Creative Commons: Attribution & Share Alike

What is a NAT?
• A way to hide a city behind a mouse hole
• Lets you have a very large IP address space ‘behind’ a very small allocation from your upstream
• Translates ‘inside’ to ‘outside’

What does a NAT Do?
• Translates source and/or destination addresses in every IP packet
• Translates in one or multiple directions
• May connect a private IP network to the public Internet, or between private IP networks
• Domain and range of the translation function may intersect

Example of a NAT
Inside (before translation) -> NAT -> Outside (after translation)
Outbound: S: 10.0.0.1 D: 128.169.92.4 becomes S: 64.23.14.19 D: 128.169.92.4
Return: S: 128.169.92.4 D: 64.23.14.19 becomes S: 128.169.92.4 D: 10.0.0.1

Dynamic Assignment
• Each NAT maintains a table which maps addresses/ports from one address ‘realm’ to another
• Mappings are created when the NAT guesses they are needed
• Mappings are freed when the NAT guesses they are no longer needed
• Hosts behind a dynamic NAT usually get their addresses via DHCP

But Some Packets Have IP Addresses in their Payload (think DNS)

Application Layer Gateways
• Application-specific code embedded in a NAT
• May translate addresses within the payload (not just the header)
• May create/delete/reference translation entries
• Separate code required for each application
• NATs often provide ALGs for: FTP, DNS, SIP, RealAudio, H.323, SNMP
• New ALGs are continually needed
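A toy port-translating NAT that walks through the example above, the dynamic mapping table and the payload-address problem, added here as an illustration (Python, not code from the talk). The three addresses are the slide's; the ports, idle timeout and payload are constructed.

```python
from dataclasses import dataclass

# Addresses come from the slide; ports, TTL and payloads below are constructed.
INSIDE_HOST = "10.0.0.1"       # host in the private 'inside' realm
NAT_PUBLIC = "64.23.14.19"     # the NAT's single outside address

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

class Nat:
    """Address/port mapping table: entries are created by the first outbound
    packet and treated as freed once idle for longer than ttl seconds."""

    def __init__(self, ttl: float = 60.0, first_port: int = 40000):
        self.ttl = ttl
        self.next_port = first_port
        self.table = {}    # outside port -> [inside addr, inside port, last_used]
        self.reverse = {}  # (inside addr, inside port) -> outside port

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Inside -> outside: source becomes the NAT's public address/port."""
        key = (pkt.src, pkt.sport)
        port = self.reverse.get(key)
        if port is None:  # the NAT guesses a mapping is needed
            port, self.next_port = self.next_port, self.next_port + 1
            self.reverse[key] = port
        self.table[port] = [pkt.src, pkt.sport, now]
        # Only the header is rewritten: an inside address carried in the payload
        # (FTP PORT, SIP Contact, DNS answers) leaks through unless an ALG fixes it.
        return Packet(NAT_PUBLIC, port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet, now: float):
        """Outside -> inside: only packets matching a live mapping get through."""
        entry = self.table.get(pkt.dport)
        if entry is None or now - entry[2] > self.ttl:
            return None  # no or expired mapping: unsolicited packet is dropped
        entry[2] = now
        return Packet(pkt.src, pkt.sport, entry[0], entry[1], pkt.payload)

def payload_leaks_inside_addr(translated: Packet) -> bool:
    """True when the inside realm address still appears in the translated payload."""
    return INSIDE_HOST.encode() in translated.payload
```

The dropped unsolicited packet is the "breaks global addressability" point; the leaked payload address is why an ALG per application is needed.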
Smart Edge & Stupid Core
• Traditional voice has stupid edge devices, phone instruments, and a very smart, expensive core
• The Internet has a smart edge, computers with operating systems, applications, …, and a simple, stupid core which just does packet forwarding
• Adding an entirely new Internet service is just a matter of distributing an application to a few consenting desktops (until NATs)
• Compare that to adding a service to Voice

NAT vs Innovation
• How long did it take telcos to deploy rotary dialing? Two decades at massive expense!
• How long did it take the telcos to convert to TouchTone dialing? They’re still doing it!
• E-mail was a service added to the ARPANET
• HTTP/HTTPS, i.e., “the web”, would have taken a decade to deploy
• With NATs, tomorrow’s killer application will be difficult to deploy
• Today’s new applications are hard to deploy because they require ALGs

Think About a World Where You Can Not Deploy New Protocols (e.g. Skype) Without AT&T’s Lawyers’ Approval

Problems Caused by NATs
• Break global addressability
• Break IP fragmentation/reassembly
• Host-to-address bindings are not stable
• Increase the difficulty of deploying new applications
• Degrade network reliability and scalability
• Make network management, fault detection and diagnosis more difficult

Security?
• There is a belief that NATs provide security
• Does changing my name badge stop a mugger?
• Do NATs slow email viruses and worms?
• Do NATs slow DDoS attacks? The opposite: DDoS crashes NATs
• They just happen to be associated with firewalls

The Long-Term Problem
As your network grows over time, the cost of maintaining a complex NATted infrastructure grows super-linearly!
So, Why so Many NATs?
• We are out of IPv4 address space!
• Yes, we all need more, but there is none. Get over it!
• If I want to run an IPv6 internal network, I need NAT64/DNS64 so I can reach the dual-stack, 6&4, Internet
• You need to run IPv4 and IPv6
• So NAT is here for a very long time
Why Has the Transition to IPv6 Been Soooo Slow?

Is it the Vendors?

Is it Lazy Operators, as the IPv6 Idealists Complain?

Is it Lack of Content?

Is it That Applications do not Support IPv6?

Is it CPE?

Is it the End User Host Stack?

Is it Because There Are Only 430 Transition Mechanisms?

Transition Depended on All of Those at the Same Time! A Recipe for Failure

But There is One Much Larger Problem

IPv6 is On the Wire INCOMPATIBLE with IPv4

And it had a New Business Model and No Feature Parity with IPv4

It Was Not Transition, It Was a Leap!

How Did This Happen?
Arrogance & Operational Cluelessness in the IETF

IPv6 is Incompatible With IPv4 and There Was No Realistic Transition Plan!

But it is Too Late. We Have No Alternative
We are Out of IPv4 Space

We have to be able to reach IPv6 and IPv4 sites/email/… for a very long time

But Given the On-the-Wire Incompatibility of IPv4 and IPv6, Transition Leaves No Choice but Translation and/or Encapsulation

IPv4 over IPv6 (stateful and stateless mechanisms):
DS-Lite with A+P, MAP (A+P), Configured Tunnels (RFC2473), 4rd-E, DS-Lite, Stateless 4over6, GRE, SA46T-AS, 4rd-T, IPv4 over DS-Lite, IPsec, dIVI, dIVI-pd, L2TP, LISP, 4rd-U

IPv6 over IPv4 (stateful and stateless mechanisms):
L2TP, Automatic Tunnels (RFC1933), GRE, LISP, 6to4, 6PE/6VPE, Tunnel Broker (TSP), 6over4, BGP Tunneling, 6rd, IPSec, ISATAP, Teredo, Configured Tunnels (RFC1933), 6a44

Work on Mechanisms Which are Actual Progress Toward IPv6

Prefer Mechanisms Which are Simple, Stateless, Use IPv6 not IPv4, …

Keep State at the Edge Not the Core

Use Mechanisms Which Preserve e2e and the Other Basic Principles as Much as Possible