NATs are Evil But Inevitable
RIPE/NCC 2017.07.04 NAT
Network Address Translator
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 1 What is a NAT? • A way to hide a city behind a mouse hole • Lets you have a very large IP Address space ‘behind’ a very small allocation from your upstream • Translates ‘inside’ to ‘outside’
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 2 What does a NAT Do? • Translates source and/or destination addresses in every IP packet • Translates in one or multiple directions • May connect private IP network to public Internet, or between private IP networks • Domain and range of translation function may intersect
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 3 Example of a NAT
Inside Outside
S: 10.0.0.1 S: 64.23.14.19 D: 128.169.92.4 D: 128.169.92.4 ======XXXXXXXXX N XXXXXXXXX A
S: 128.169.92.4 S: 128.169.92.4 D: 10.0.0.1 T D: 64.23.14.19 ======XXXXXXXXX XXXXXXXXX
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 4 Dynamic State
• Each NAT maintains a table which maps addresses/ports from one address ‘realm’ to another • Mappings are created when the NAT guesses they are needed • Mappings are freed when the NAT guesses they are no longer needed • Hosts behind a dynamic NAT usually get their addresses via DHCP
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 5 But Some Packets Have IP Addresses in their Payload (think DNS)
So We Get
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 6 Application Layer Gateways
• Application-specific code embedded in a NAT • May translate addresses within payload (not just header) • May create/delete/reference translation entries • Separate code required for each application • NATs often provide ALGs for: FTP, DNS, SIP, RealAudio, H.323, SNMP • New ALGs are continually needed
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 7 NAT64 / DNS64
NAT with an IPv6 world on the ‘inside’ and the IPv4 (and IPv6) world on the ‘outside’
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 8 NAT64 / DNS64
Allows an Enterprise to be IPv6-only In an IPv4-World
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 9 But What About the End to End Principle?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 10 Smart Edge & Stupid Core
• Traditional Voice has stupid edge devices, phone instruments, and a very smart expensive core • The Internet has a smart edge, computers with operating systems, applications, …, and a simple stupid core, which just does packet forwarding • Adding an entirely new Internet service is just a matter of distributing an application to a few consenting desktops (until NATs) • Compare that to adding a service to Voice
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 11 NAT vs Innovation • How long did it take telcos to deploy rotary dialing? Two decades at massive expense!
• How long did it take the telcos to convert to TouchTone dialing? They’re still doing it!
• E-mail was a service added to the ARPANET
• HTTP/HTTPS, i.e., “the web” would have taken a decade to deploy
• With NATs, tomorrow’s killer application will be difficult to deploy
• Today’s new applications are hard to deploy because they require ALGs 2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 12 Think About a World Where You Can Not Deploy New Protocols (e.g. SkypeNG) Without AT&T’s Lawyers’ Approval
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 13 Problems Caused by NATs
• Break global addressability • Break IP fragmentation/reassembly • Host-to-address bindings are not stable • Increasing difficulty in deploying new applications • Degrade network reliability and scalability • Make network management, fault detection and diagnosis more difficult
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 14 Security? • There is a belief that NATs provide security • Does changing my name badge stop a mugger? • Do NATs slow email viruses and worms? • Do NATs slow DDoS attacks? The opposite, DDoS crashes NATs • They just happen to be associated with Firewalls
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 15 Firewall?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 16 The Long-Term Problem As your network grows over time, the costs of maintaining a complex NATted infrastructure grows super-linearly!
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 17 Do We Really Need NATs? • We are out of IPv4 Address Space! • Yes, we all need more, but there is none. Get Over It! • If I want to run an IPv6 internal network, I need NAT64/DNS64 so I can reach the Dual-Stack, 6&4, Internet • You need to run IPv4 and IPv6 • So NAT is here for a very long time
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 18 Can’t We Just Dump IPv4 And Let Everyone Use IPv6
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 19 Our Job is Internet Stewardship Not Religious War
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 20 Why Has the Transition to IPv6 Been Soooo Slow?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 21 Is it the Vendors?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 22 Is it Lazy Operators, as the IPv6 Idealists Complain?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 23 Is it Lack of IPv6 Content?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 24 Is it That Applications Do Not Support IPv6?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 25 Is it CPE?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 26 Is it the End User Host Stack?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 27 Is it Because There Are Only 430 Transition Mechanisms?
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 28 Transition Depended on All of Those at the Same Time! a Recipe for Failure
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 29 But There is One Much Larger Problem
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 30 2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 31 IPv6 is On the Wire INCOMPATIBLE with IPv4
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 32 And it had a New Business Model and No Feature Parity with IPv4
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 33 It Was Not Transition, It Was a Leap!
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 34 We Are Trapped!
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 35 How Did This Happen?
Arrogance & Operational Cluelessness in the IETF
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 36 IPv6 is Incompatible With IPv4 and There Was No Realistic Transition Plan!
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 37 The Transition Was Supposed to be Dual Stack IPv6 Parallel to IPv4
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 38 But Dual Stack Requires As Many IPv4 Addresses as IPv6 Addresses
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 39 So That Just Ain’t Gonna Happen
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 40 But it is Too Late We Have No Alternative
We are Out of IPv4 Space
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 41 We have to be able to reach IPv6 and IPv4 Sites/Email/Cats/… for a Very Long Time
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 42 So On-the-Wire Incompatibility of IPv4 and IPv6, Transition Leaves No Choice but Translation and/or Encapsulation
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 43 IPv4 over IPv6
DS-Lite with A+P MAP (A+P) Configured Tunnels 4rd-E (RFC2473) DS-Lite Stateless 4over6 GRE SA46T-AS 4rd-T IPv4 over DS-Lite IPsec dIVI dIVI-pd L2TP LISP 4rd-U
Stateful Stateless
L2TP Automatic Tunnels GRE LISP (RFC1933) 6to4 6PE/6VPE Tunnel Broker (TSP) 6over4 BGP Tunneling 6rd IPSec ISATAP Teredo Configured Tunnels 6a44 (RFC1933)
IPv6 over IPv4
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 44 Work on Mechanisms Which are Actual Progress Toward IPv6
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 45 Prefer Mechanisms Which are Simple, Stateless, Use IPv6 not IPv4, …
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 46 Keep State at the Edge Not the Core
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 47 Use Mechanisms Which Preserve e2e and the Other Basic Principles as Much as Possible
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 48 Well-Known IPv6 Hater
• I am a well-known IPv6 Hater • This is why I work for IIJ, an international backbone ISP which deployed IPv6 in 1997, 20 years ago • This is why I raised a hissy fit when the IETF deprecated NAT/PT and got them to resurrect as NAT64/DNS/64 • This is why I want IPv6 to be Classless
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 49 We Made Some Bad Choices in the Design of IPv6
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 50 We have to Remove the Bad Choices We Can Remove
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 51 We Have to Live With and Work-Around Those We Can Not Fix
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 52 And NATs are One With Which We Have to Live
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 53 Probably for on the Order of Two More Decades
2017.07.05 RIPE NATs Creative Commons: Attribution & Share Alike 54