January 26, 2004

IETF roiled over NAT

Author: Joab Jackson

If there is one topic that can get the members of the Internet
Engineering Task Force worked up, as they were once again last week, it
is network address translation, or NAT. Here is a snapshot of the debate
over NAT as a hindrance to the implementation of IPv6, as seen in posts
to the IETF discussion list.

David Putzolu asked, "I wonder if NAT is to [IETF] discussions as Nazis was to Usenet discussions. That is, will every heated IETF debate eventually lead to invoking the NAT bogyman?"

NAT lets administrators set up a gateway between a local area network
and the Internet. As packets pass in and out through the gateway, the
NAT box keeps track of which internal computer requested which packets
from the outside.

NAT critics dismiss NAT as a kludge, a work-around. They say it has
never worked well, causes security problems, and breaks or complicates
Internet applications. It grew in popularity only because of the growing
scarcity of Internet addresses, a commodity which, at least back in
1995, when the Net appeared to be doubling in size every 12 months,
seemed to be in short supply.

The shortage of new Internet numbers was the original driving need for
IPv6, which the IETF is developing. The version of IP now in wide use
across the Internet, version 4, uses a 32-bit addressing scheme, which
can provide a total of about four billion addresses. In contrast, IPv6
has 128-bit addresses, which should provide about 35 trillion
addresses, enough to hand every person, place and thing in the world its
own IP number.

In development since the mid-90s, IPv6 is almost ready for mass
deployment. The U.S. Defense Department, for instance, indicated last
June that it wishes to move to IPv6 for some of its networks by 2008.

But part of the problem the keepers of the Internet standards are now
experiencing is getting software and hardware makers and Internet
service providers, DoD aside, to adopt IPv6. Kludges though they may be,
NATs may also be sapping the very need for these parties to use IPv6.
"I'm a bit confused as to why enterprises would be interested in v6,"
wrote Soliman Hesham.

And NAT may also be providing a useful function to the Internet at large
beyond saving IP addresses: it keeps security-oblivious users, those
served by broadband providers and ISPs, tucked behind a gateway.
Widespread NAT use by Internet service providers raises the question:
does everybody actually need their own Internet address? Will Internet
service providers even let Joe Sixpack have his own IP address?

Recently, IETF discussions over NAT have been so fierce that they have
forced debates over the very necessity of IPv6. The debates have also
called into question the mission of the group itself: should the IETF be
"architecturally fundamentalist," as one member put it, and stick to its
vision of one IP numbering system everywhere? Or is its mission only to
provide standards for Internet users for whatever applications they may
use, no matter how inelegant?

NATs represent "one particular area where there's a clear and growing
divide between this community and the network administrator community
(particularly enterprise and residential)," wrote Melinda Shore on the
list in December. She added, "We've known about these problems for a very long time
and the argument that these problems are a serious impediment to network
-- have not been accepted by the people who deploy real networks."

She concluded, "In that context our arguments are sometimes perceived as condescending
and out-of-touch".


On a topic as controversial as NAT, one can plunge a pitchfork down
pretty much anywhere in the past few years of the IETF mailing list and
pull up some well-argued contention. Last month, for instance, an
engineer's query to the list about NAT set off a firestorm. He was
upgrading his organization's network and wanted to make an argument to
his management against the use of NATs. He knew NATs were problematic.
But were there any white papers or studies that documented the flaws?
There were none anyone could immediately name, though much grumbling
about NATs commenced nonetheless.

Last June, the Defense Department announcement of its move to IPv6 set
off a similar debate, with many of the same participants taking the
same sides.

Why the fuss? As Bob Braden wrote, "I think it would be more accurate to
say that a NAT contravenes the basic Internet principle of universal

The Internet, as envisioned by its founders, was one in which every node
on the network had direct availability to every other node.

NAT, on the other hand, hides end-users behind a gateway. And more than a
few participants on the list could see what that leads to.

Trying to make NATs work is "the modern task of Sisyphus," Keith Moore
remarked. Applications such as Internet telephony or the IPsec security
protocol are difficult to set up to work with NAT.

"Not only are we [losing] existing applications, there are untold new
things that are not making it to market. These new applications are
unable to generate the critical mass they need to make any marketing
noise because the NAT rich environment is too difficult for Joe Sixpack
to deal with," Tony Hain wrote earlier this month.

Melinda Shore pointed out that FTP clients, as originally written, would
not work with NAT. Neither would video conferencing applications. "NAT has a
surprisingly wide ripple effect that's almost completely negative," she

"If these applications work 'out of the box' it means effort has been put
into developing NAT traversal solutions. While this effort is necessary,
it is sad that effort had to be expended. The developers could have been
adding extra features, rather than working around a common network
infrastructure limitation," Mark Smith wrote earlier this month.

That NATs themselves are used as security devices -- in place of
firewalls -- led to more problems. It was not a role they were designed to

"I can tell a firewall to get out of the way ... and the application
protocols will function as designed and expected. I cannot tell a NAT to
do that, but instead must first educate the vendor about the protocol
that's being blocked, wait for them to do their market research and/or
prioritize the application among their Great List of Applications They
Have Broken, and then maybe one day get a patch that actually spoofs the
protocol well enough for it to work with a middlebox in the way," Eric
Hall wrote.

NATs also have security issues. Since NAT boxes must forward packets
from outside IP addresses to internal ones, they must rewrite
forwarding information. "Basically, once you've committed to rewriting
the forwarding information in an IP datagram, then it's open season on
all manner of horrible opportunities for intermediaries to engage in
Internet abuse," wrote James Woodyatt.

Distributed denial of service attacks are one such form of abuse. Because
the IP addresses of machines inside a NAT network are not identifiable
from outside the network, there have been DDoS attacks in which the end
points could not be determined, Moore said.
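To make the mechanism behind these two points concrete, here is a toy port-translating NAT gateway written as an added example for this piece; it is not code from the article, from the IETF, or from any vendor. Addresses and ports are constructed (RFC 1918 space inside, documentation ranges outside). It shows what the article describes: the gateway keeps a table of which inside computer started which flow, an outside server sees only the gateway's public address, unsolicited inbound packets find no table entry and are dropped, and the only record that ties a public port back to an inside host is the gateway's own translation log, which is exactly what is missing when an operator tries to attribute traffic that came from behind someone else's NAT. Timeouts, NAT traversal and fragment handling are deliberately left out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatGateway:
    """Toy port-translating NAT: many inside hosts share one public address."""
    public_ip: str
    next_port: int = 40000
    # (inside endpoint, remote endpoint, proto) -> public port chosen for that flow
    outbound: Dict[Tuple[Endpoint, Endpoint, str], int] = field(default_factory=dict)
    # (public port, remote endpoint, proto) -> inside endpoint that owns the flow
    inbound: Dict[Tuple[int, Endpoint, str], Endpoint] = field(default_factory=dict)
    # translation log: (proto, inside endpoint, public port, remote endpoint)
    log: List[Tuple[str, Endpoint, int, Endpoint]] = field(default_factory=list)

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet so it appears to come from the gateway."""
        inside = (pkt.src_ip, pkt.src_port)
        remote = (pkt.dst_ip, pkt.dst_port)
        key = (inside, remote, pkt.proto)
        port = self.outbound.get(key)
        if port is None:
            # first packet of a new flow: allocate a fresh public port and record it
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, remote, pkt.proto)] = inside
            self.log.append((pkt.proto, inside, port, remote))
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside packet, or return None (drop) if no flow matches."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((pkt.dst_port, (pkt.src_ip, pkt.src_port), pkt.proto))
        if inside is None:
            return None  # unsolicited or mismatched remote endpoint: no state, dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)

    def attribute(self, public_port: int) -> List[Tuple[str, Endpoint, int, Endpoint]]:
        """Map a public port seen by an outside observer back to the inside host(s)."""
        return [entry for entry in self.log if entry[2] == public_port]


def run_demo() -> dict:
    """Two inside hosts, same source port, same web server; results returned for checking."""
    gw = NatGateway(public_ip="203.0.113.5")  # constructed public address
    a_out = gw.translate_out(Packet("10.0.0.11", 51000, "198.51.100.7", 80))
    b_out = gw.translate_out(Packet("10.0.0.12", 51000, "198.51.100.7", 80))
    # the server replies to the gateway; each reply is routed to the right inside host
    reply_a = gw.translate_in(Packet("198.51.100.7", 80, gw.public_ip, a_out.src_port))
    reply_b = gw.translate_in(Packet("198.51.100.7", 80, gw.public_ip, b_out.src_port))
    # an unsolicited inbound connection attempt finds no table entry
    stray = gw.translate_in(Packet("192.0.2.99", 4444, gw.public_ip, 22))
    # a different outside host aiming at a live public port is also dropped
    other = gw.translate_in(Packet("192.0.2.99", 80, gw.public_ip, a_out.src_port))
    return {
        "outside_sees": {a_out.src_ip, b_out.src_ip},  # one address for both flows
        "a_public_port": a_out.src_port,
        "b_public_port": b_out.src_port,
        "reply_a_dst": (reply_a.dst_ip, reply_a.dst_port),
        "reply_b_dst": (reply_b.dst_ip, reply_b.dst_port),
        "stray_delivered": stray is not None,
        "other_delivered": other is not None,
        "attribution_a": gw.attribute(a_out.src_port),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The `attribute` method is the defender's side of Moore's point: an outside victim's logs show only `203.0.113.5:40000`, and without the gateway operator's translation log there is no way to tell which of the inside hosts was responsible.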

All of these shortcomings have generated little sympathy for NAT among
certain IETF members, Moore being the most vocal critic.

"The NAT vendors are the irresponsible ones. They create a mess out of
the network and then expect IETF to clean it up, then claim that IETF is
in denial for not doing so. [A]nd of course IETF has tried to do so,
more than once, and failed. Not for lack of effort, but because it's
simply not possible to fix NAT," Moore wrote.


So if NAT sucks so badly, then why is it so widely used? This is the
question that haunts IETF.

"The market has clearly decided that IPv4+NAT is the most cost-effective
solution to providing them. The IETF really needs to sit and ponder the
implications of that," J. Noel Chiappa wrote.

Ronald van der Pol suggested that NATs should be "seen for what they
really are, an essential and important part of the Internet
infrastructure," adding that "NAT boxes and firewalls play an important
and necessary security role."

Perhaps the existence of NATs points to a larger architectural
flaw -- maybe the limits of the idea of universal connectivity itself. In
the Internet's younger days, all the parties were more or less
responsible and so could share resources. Is that the same today?

Other mailing list members pointed out potential problems with the kind
of end-to-end connectivity that IPv6 promises. Telemarketing, for
instance: Moore asked, if the telemarketers of tomorrow had the same
tools spammers work with today, how often would we receive product
pitches on our Internet telephones?

Security would be another issue.

"The end machines are simply too vulnerable. Without firewall and
service restriction, you'll have your entire network compromised very
quickly," wrote Eric Rescorla.

Others suggested continuing to use NATs along with IPv6; it can
certainly be done easily enough. But that raises the question of why
deploy IPv6 in the first place. If NATs will continue to be used, why
should large enterprises bother with the upgrade at all?

That is the chicken-and-egg problem the IETF faces, thanks to NAT. NAT
may be causing untold problems on the Net, problems IPv6 could go a long
way toward solving. But NAT also reduces the drive to implement IPv6 in
the first place.

"If the Internet architecture provided i) plenty of addresses,
ii) locally allocatable addresses, and iii) the ability to change providers
easily, there would be *no* NAT boxes," Chiappa wrote.
