NATs are Evil But Inevitable

BhutanNOG / Thimphu 2017.06.05 NAT

Network Address Translator

2017.06.05 bhutan nats Creative Commons: Attribution & Share Alike

What is a NAT?

• A way to hide a city behind a mouse hole
• Lets you have a very large IP address space ‘behind’ a very small allocation from your upstream
• Translates ‘inside’ to ‘outside’

What does a NAT Do?

• Translates source and/or destination addresses in every IP packet
• Translates in one or multiple directions
• May connect a private IP network to the public Internet, or private IP networks to each other
• Domain and range of the translation function may intersect

Example of a NAT

  Inside                          Outside
  S: 10.0.0.1       ----> N ----> S: 64.23.14.19
  D: 128.169.92.4         A       D: 128.169.92.4
                          T
  S: 128.169.92.4   <---- | <---- S: 128.169.92.4
  D: 10.0.0.1                     D: 64.23.14.19

(The NAT rewrites the source address of outbound packets from 10.0.0.1 to its outside address 64.23.14.19, and the destination address of the matching inbound packets from 64.23.14.19 back to 10.0.0.1.)

Dynamic Assignment

• Each NAT maintains a table which maps addresses/ports from one address ‘realm’ to another
• Mappings are created when the NAT guesses they are needed (typically on the first outbound packet of a flow)
• Mappings are freed when the NAT guesses they are no longer needed (typically an idle timeout, or a TCP FIN/RST)
• Hosts behind a dynamic NAT usually get their addresses via DHCP

But Some Packets Have IP Addresses in their Payload (think DNS)

Application Layer Gateways

• Application-specific code embedded in a NAT
• May translate addresses within the payload (not just the header)
• May create/delete/reference translation entries
• Separate code required for each application
• NATs often provide ALGs for: FTP, DNS, SIP, RealAudio, H.323, SNMP
• New ALGs are continually needed
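Added example, not from the slides: a toy port-translating NAT in Python that shows the mapping table of the Dynamic Assignment slide (creation on first outbound packet, lookup on inbound, idle expiry, port-pool exhaustion) together with the FTP PORT-command ALG of this slide, which rewrites an address inside the payload and pre-creates the entry for the server's data connection. The class and function names (Napt, Packet, ftp_port_alg, run_demo), the inside hosts, the outside address 64.23.14.19 and the servers 128.169.92.4 and 198.51.100.7 are constructed for the example.

```python
"""Toy stateful NAPT (port-translating NAT) with an FTP PORT-command ALG.
Added example, not from the slides; every address, port and host is constructed."""
from collections import deque
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" carries the client's own address and
# port inside the payload, which a header-only NAT never touches.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

def ftp_port_alg(nat: "Napt", pkt: Packet, now: float) -> bytes:
    """Rewrite the inside address/port in a PORT command to the NAT's outside address
    and a freshly bound port, so the server's data connection can be translated back."""
    m = PORT_RE.search(pkt.payload)
    if m is None:
        return pkt.payload
    h = [int(x) for x in m.groups()]
    inside_ip, inside_port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
    oport = nat.bind("tcp", inside_ip, inside_port, now)    # the ALG creates the entry
    outside = ",".join(nat.outside_ip.split("."))
    fixed = f"PORT {outside},{oport // 256},{oport % 256}\r\n".encode()
    # A real ALG must also fix TCP sequence/ack numbers when the length changes,
    # and can do nothing at all if the control channel is encrypted (FTPS).
    return pkt.payload[:m.start()] + fixed + pkt.payload[m.end():]

class Napt:
    def __init__(self, outside_ip: str, idle_timeout: float = 300.0,
                 port_range: tuple = (1024, 65536)) -> None:
        self.outside_ip = outside_ip
        self.idle_timeout = idle_timeout
        self.free_ports = deque(range(*port_range))
        self.fwd = {}        # (proto, inside_ip, inside_port) -> outside_port
        self.rev = {}        # (proto, outside_port) -> (inside_ip, inside_port)
        self.last_seen = {}  # (proto, outside_port) -> time of last packet
        self.algs = {("tcp", 21): ftp_port_alg}   # keyed by (proto, destination port)

    def bind(self, proto: str, inside_ip: str, inside_port: int, now: float) -> int:
        """Outside port for an inside (ip, port); allocated on first use."""
        key = (proto, inside_ip, inside_port)
        oport = self.fwd.get(key)
        if oport is None:
            if not self.free_ports:
                raise RuntimeError("NAT state table full: outside port pool exhausted")
            oport = self.free_ports.popleft()
            self.fwd[key] = oport
            self.rev[(proto, oport)] = (inside_ip, inside_port)
        self.last_seen[(proto, oport)] = now
        return oport

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Inside -> outside: rewrite the source; run an ALG if the destination port has one."""
        oport = self.bind(pkt.proto, pkt.src, pkt.sport, now)
        alg = self.algs.get((pkt.proto, pkt.dport))
        payload = alg(self, pkt, now) if alg else pkt.payload
        return Packet(pkt.proto, self.outside_ip, oport, pkt.dst, pkt.dport, payload)

    def inbound(self, pkt: Packet, now: float) -> "Packet | None":
        """Outside -> inside: only packets that match an existing mapping get through."""
        entry = self.rev.get((pkt.proto, pkt.dport))
        if pkt.dst != self.outside_ip or entry is None:
            return None                                     # unsolicited: dropped
        inside_ip, inside_port = entry
        self.last_seen[(pkt.proto, pkt.dport)] = now
        return Packet(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port, pkt.payload)

    def expire(self, now: float) -> int:
        """Free mappings idle past the timeout: the NAT guessing they are dead."""
        stale = [k for k, t in self.last_seen.items() if now - t > self.idle_timeout]
        for proto, oport in stale:
            inside_ip, inside_port = self.rev.pop((proto, oport))
            del self.fwd[(proto, inside_ip, inside_port)]
            del self.last_seen[(proto, oport)]
            self.free_ports.append(oport)
        return len(stale)

def run_demo() -> dict:
    nat = Napt("64.23.14.19", idle_timeout=60)
    # The slide's web flow: 10.0.0.1 -> 128.169.92.4:80, reply, and an unsolicited probe.
    out = nat.outbound(Packet("tcp", "10.0.0.1", 40000, "128.169.92.4", 80), now=0)
    back = nat.inbound(Packet("tcp", "128.169.92.4", 80, out.src, out.sport), now=1)
    unsolicited = nat.inbound(Packet("tcp", "203.0.113.9", 4444, "64.23.14.19", 5000), now=1)
    # Active FTP: the client announces 10.0.0.1:50001 (195*256+81) for the data connection.
    ctrl = nat.outbound(Packet("tcp", "10.0.0.1", 50000, "198.51.100.7", 21,
                               b"PORT 10,0,0,1,195,81\r\n"), now=2)
    m = PORT_RE.search(ctrl.payload)
    data = nat.inbound(Packet("tcp", "198.51.100.7", 20, "64.23.14.19",
                              int(m.group(5)) * 256 + int(m.group(6))), now=3)
    expired = nat.expire(now=100)
    gone = nat.inbound(Packet("tcp", "128.169.92.4", 80, out.src, out.sport), now=101)
    return {"out": out, "back": back, "unsolicited": unsolicited, "ctrl": ctrl,
            "data": data, "expired": expired, "after_expiry": gone}
```

Running run_demo() shows the web flow leaving as 64.23.14.19:1024, the reply mapped back to 10.0.0.1:40000, the probe to an unmapped port dropped, the PORT command rewritten to "PORT 64,23,14,19,4,2" with port 1026 pre-bound for the server's connection from port 20, and all three entries freed once idle past the timeout. Every per-flow entry is state the NAT has to hold and guess the lifetime of, which is why a flood of new flows exhausts the pool (bind raises once free_ports is empty) and why each new protocol that carries addresses in its payload needs its own ALG.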

Smart Edge & Stupid Core

• Traditional Voice has stupid edge devices, phone instruments, and a very smart, expensive core
• The Internet has a smart edge, computers with operating systems, applications, …, and a simple, stupid core which just does packet forwarding
• Adding an entirely new Internet service is just a matter of distributing an application to a few consenting desktops (until NATs)
• Compare that to adding a service to Voice

NAT vs Innovation

• How long did it take telcos to deploy rotary dialing? Two decades, at massive expense!
• How long did it take the telcos to convert to TouchTone dialing? They’re still doing it!
• E-mail was a service added to the ARPANET
• HTTP/HTTPS, i.e., “the web”, would have taken a decade to deploy on the telco model
• With NATs, tomorrow’s killer application will be difficult to deploy
• Today’s new applications are hard to deploy because they require ALGs

Think About a World Where You Can Not Deploy New Protocols (e.g. Skype) Without AT&T’s Lawyers’ Approval

Problems Caused by NATs

• Break global addressability
• Break IP fragmentation/reassembly (non-initial fragments carry no transport header, so a port-translating NAT cannot map them without reassembling or tracking the first fragment)
• Host-to-address bindings are not stable
• Increase the difficulty of deploying new applications
• Degrade network reliability and scalability
• Make network management, fault detection and diagnosis more difficult

Security?

• There is a belief that NATs provide security
• Does changing my name badge stop a mugger?
• Do NATs slow email viruses and worms?
• Do NATs slow DDoS attacks? The opposite: DDoS crashes NATs, because every new flow costs an entry in the NAT’s state table
• They just happen to be associated with firewalls: it is the stateful firewall’s filtering of unsolicited inbound traffic, not the address rewriting, that does the protecting

The Long-Term Problem

As your network grows over time, the cost of maintaining a complex NATted infrastructure grows super-linearly!

So, Why so Many NATs?

• We are out of IPv4 address space!
• Yes, we all need more, but there is none. Get over it!
• If I want to run an IPv6-only internal network, I need NAT64/DNS64 so I can reach the dual-stack (6 & 4) Internet
• You need to run IPv4 and IPv6
• So NAT is here for a very long time
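Added example, not from the slides: what NAT64/DNS64 actually does for an IPv6-only network, in Python. embed_ipv4/extract_ipv4 implement the IPv4-embedded IPv6 address format of RFC 6052 for every allowed Pref64 length (/32 to /96), which is the translation a NAT64 applies to the destination of each IPv6 packet; dns64_answer implements the DNS64 decision of RFC 6147 (return native AAAA records if any exist, otherwise synthesize them from the A records). The function names, the zone data and the names under example.net are constructed for this example.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses (NAT64) and DNS64 AAAA synthesis (RFC 6147).
Added example, not from the slides; zone data and prefixes other than the well-known one are constructed."""
import ipaddress
from typing import Dict, List

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address
IPv6Net = ipaddress.IPv6Network
WELL_KNOWN_PREFIX = IPv6Net("64:ff9b::/96")   # RFC 6052 well-known Pref64::/96
V4_MASK = (1 << 32) - 1

def embed_ipv4(prefix: IPv6Net, v4: IPv4) -> IPv6:
    """Place the 32 IPv4 bits after a /32../96 Pref64, skipping the zero
    'u' octet at bits 64..71 (RFC 6052 section 2.2)."""
    pl = prefix.prefixlen
    if pl not in (32, 40, 48, 56, 64, 96):
        raise ValueError(f"unsupported Pref64 length /{pl}")
    base, v = int(prefix.network_address), int(v4)
    if pl == 96:
        return IPv6(base | v)                       # IPv4 in the last 32 bits
    if pl == 64:
        return IPv6(base | (v << 24))               # IPv4 at bits 72..103
    before_u = 64 - pl                              # IPv4 bits that fit before octet 8
    after_u = 32 - before_u                         # remainder goes after the u octet
    high, low = v >> after_u, v & ((1 << after_u) - 1)
    return IPv6(base | (high << 64) | (low << (24 + before_u)))

def extract_ipv4(prefix: IPv6Net, v6: IPv6) -> IPv4:
    """Inverse of embed_ipv4: what a NAT64 does to each IPv6 packet's destination."""
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside {prefix}")
    pl, a = prefix.prefixlen, int(v6)
    if pl == 96:
        return IPv4(a & V4_MASK)
    if (a >> 56) & 0xFF:
        raise ValueError("u octet (bits 64..71) must be zero")
    if pl == 64:
        return IPv4((a >> 24) & V4_MASK)
    before_u = 64 - pl
    after_u = 32 - before_u
    high = (a >> 64) & ((1 << before_u) - 1)
    low = (a >> (24 + before_u)) & ((1 << after_u) - 1)
    return IPv4((high << after_u) | low)

def dns64_answer(name: str, zone: Dict[str, Dict[str, List[str]]],
                 prefix: IPv6Net = WELL_KNOWN_PREFIX) -> List[IPv6]:
    """DNS64: native AAAA records win; otherwise synthesize AAAA from the A records."""
    rrsets = zone.get(name, {})
    if rrsets.get("AAAA"):
        return [IPv6(x) for x in rrsets["AAAA"]]
    return [embed_ipv4(prefix, IPv4(x)) for x in rrsets.get("A", [])]

# Constructed zone data: one IPv4-only host, one dual-stack host.
ZONE = {
    "v4only.example.net.": {"A": ["192.0.2.1"]},
    "dual.example.net.":   {"A": ["192.0.2.2"], "AAAA": ["2001:db8::2"]},
}

if __name__ == "__main__":
    for name in ZONE:
        answers = dns64_answer(name, ZONE)
        print(name, [str(a) for a in answers])
        for a in answers:
            if a in WELL_KNOWN_PREFIX:
                print("  NAT64 forwards to", extract_ipv4(WELL_KNOWN_PREFIX, a))
```

An IPv6-only host asking for v4only.example.net gets the synthesized 64:ff9b::c000:201; its packets are routed to the NAT64, which recovers 192.0.2.1 with extract_ipv4 and then keeps a stateful port mapping for the IPv6 source, exactly like a NAT44. The dual-stack host keeps its real AAAA record. DNS64 is itself an ALG of the kind the earlier slides warn about: it rewrites DNS payloads, and a validating stub resolver will reject the synthesized AAAA records because nobody signed them.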

Why Has the Transition to IPv6 Been Soooo Slow?

Is it the Vendors?

Is it Lazy Operators, as the IPv6 Idealists Complain?

Is it Lack of Content?

Is it That Applications do not Support IPv6?

Is it CPE?

Is it the End User Host Stack?

Is it Because There Are Only 430 Transition Mechanisms?

Transition Depended on All of Those at the Same Time! A Recipe for Failure

But There is One Much Larger Problem

IPv6 is On the Wire INCOMPATIBLE with IPv4

And it had a New Business Model and No Feature Parity with IPv4

It Was Not Transition, It Was a Leap!

How Did This Happen?

Arrogance & Operational Cluelessness in the IETF

IPv6 is Incompatible With IPv4 and There Was No Realistic Transition Plan!

But it is Too Late. We Have No Alternative

We are Out of IPv4 Space

We have to be able to reach IPv6 and IPv4 sites/email/… for a very long time

But Given the On-the-Wire Incompatibility of IPv4 and IPv6, Transition Leaves No Choice but Translation and/or Encapsulation

Transition mechanisms (figure; the original arranges them in Stateful and Stateless columns, a grouping the extracted text does not preserve)

IPv4 over IPv6:
  DS-Lite, DS-Lite with A+P, MAP (A+P), Stateless DS-Lite, 4rd-E, 4rd-T, 4rd-U,
  dIVI, dIVI-pd, SA46T-AS, Configured Tunnels (RFC2473), GRE, IPsec, L2TP, LISP,
  IPv4 over DS-Lite

IPv6 over IPv4:
  Automatic Tunnels (RFC1933), Configured Tunnels (RFC1933), Tunnel Broker (TSP),
  6PE/6VPE, BGP Tunneling, 6rd, 6a44, ISATAP, Teredo, GRE, IPsec, L2TP, LISP

Work on Mechanisms Which are Actual Progress Toward IPv6

Prefer Mechanisms Which are Simple, Stateless, Use IPv6 not IPv4, …

Keep State at the Edge, Not the Core
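Added example, not from the slides: 6rd (RFC 5969), one of the IPv6-over-IPv4 mechanisms in the figure above, as a concrete instance of the two preceding slides. The CE's IPv4 address is embedded in the IPv6 prefix it is delegated, so both the CE and the border relay (BR) compute the IPv4 tunnel endpoint from the destination IPv6 address alone and neither keeps a per-customer table. The domain parameters (2001:db8::/32 as 6rdPrefix, 198.51.100.1 as the BR, 10.0.0.0/8 for the second domain) and the class and method names are constructed for this example.

```python
"""6rd (RFC 5969): stateless IPv6 over IPv4. Added example, not from the slides;
the 6rd domain parameters below are constructed."""
from dataclasses import dataclass
import ipaddress

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address
IPv4Net = ipaddress.IPv4Network
IPv6Net = ipaddress.IPv6Network

@dataclass(frozen=True)
class SixRdDomain:
    prefix: IPv6Net        # 6rdPrefix, shared by every CE in the domain
    ipv4_domain: IPv4Net   # the IPv4MaskLen high bits common to all CE addresses
    br_ipv4: IPv4          # 6rdBRIPv4Address: relay toward the native IPv6 Internet

    @property
    def _n(self) -> int:
        return 32 - self.ipv4_domain.prefixlen    # IPv4 bits carried in the IPv6 prefix

    def delegated_prefix(self, ce_ipv4: IPv4) -> IPv6Net:
        """6rdPrefix || (CE IPv4 address minus its common high bits)."""
        if ce_ipv4 not in self.ipv4_domain:
            raise ValueError(f"{ce_ipv4} is outside {self.ipv4_domain}")
        p, n = self.prefix.prefixlen, self._n
        low = int(ce_ipv4) & ((1 << n) - 1)
        addr = int(self.prefix.network_address) | (low << (128 - p - n))
        return IPv6Net((addr, p + n))

    def tunnel_endpoint(self, dst: IPv6) -> IPv4:
        """IPv4 address to encapsulate toward for dst: the other CE directly if dst
        is inside the 6rd domain, otherwise the BR. No lookup table is consulted."""
        if dst not in self.prefix:
            return self.br_ipv4
        p, n = self.prefix.prefixlen, self._n
        low = (int(dst) >> (128 - p - n)) & ((1 << n) - 1)
        return IPv4(int(self.ipv4_domain.network_address) | low)

# Constructed domains: public CE addresses (no common bits), and CEs inside 10.0.0.0/8.
DOMAIN = SixRdDomain(IPv6Net("2001:db8::/32"), IPv4Net("0.0.0.0/0"), IPv4("198.51.100.1"))
PRIVATE_DOMAIN = SixRdDomain(IPv6Net("2001:db8::/32"), IPv4Net("10.0.0.0/8"), IPv4("10.255.255.1"))

if __name__ == "__main__":
    ce = IPv4("192.0.2.1")
    print("CE", ce, "is delegated", DOMAIN.delegated_prefix(ce))
    print("packet to 2001:db8:c000:201::1 tunnels to", DOMAIN.tunnel_endpoint(IPv6("2001:db8:c000:201::1")))
    print("packet to 2001:db9::1 tunnels to BR", DOMAIN.tunnel_endpoint(IPv6("2001:db9::1")))
    print("private CE 10.1.2.3 is delegated", PRIVATE_DOMAIN.delegated_prefix(IPv4("10.1.2.3")))
```

A CE at 192.0.2.1 is delegated 2001:db8:c000:201::/64; any CE or the BR can tunnel a packet for 2001:db8:c000:201::1 straight to 192.0.2.1 by reading the address. Because the BR holds no per-customer state it can be anycasted or replaced freely, and the only state in the system (the CE's own IPv4 address and prefix) sits at the edge. Compare a stateful IPv4-over-IPv6 mechanism such as DS-Lite, where the AFTR in the core carries every customer's NAT bindings and fails, or must be synchronized, accordingly.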

Use Mechanisms Which Preserve e2e and the Other Basic Principles as Much as Possible