Why Not NAT?

NAT came into existence because of IPv4 address scarcity. With IPv6, that reason disappears. So, if we no longer need to multiplex addresses, should we retain NAT?

NAT does three things. It multiplexes few public addresses into many private addresses. As a side effect of that, NAT hides internal addresses. Also as a side effect, it acts like a packet filter, effectively one that does “allow anything out, allow established and related back in; block all else”.

On the downside, NAT introduces a performance loss, destroys end-to-end transparency, makes many protocols more complicated than they need to be, makes creating new protocols harder than it needs to be, requires the use of external rendezvous servers for peer-to-peer protocols, forces some protocols into tunnels, hampers the use of encryption, and hampers effective troubleshooting of network problems. There are more, but those are the main ones.

So should we retain NAT?

If we say “yes” in spite of all the downsides, then it must be because we regard either the address hiding property or the packet-filtering property as outweighing those downsides.

The packet-filtering property can be had far more simply by using an actual packet filter; using NAT to do it is pointless overhead. So the only remaining rational reason to say “yes”, would be because we see the address-hiding property alone as outweighing those downsides.

NAT’s address-hiding property is flimsy at best. Systems potentially expose their internal addresses with each outbound connection, especially web connections with Java or JavaScript enabled. Internal addresses, in the cast majority of cases, come from a very small set of RFC1918 address ranges, making them easy to predict. These two facts mean that an effective defence against unwanted inbound connections requires proxies for all outbound connections and/or good firewalling on all inbound traffic. NAT’s address-hiding property is irrelevant.

Boiled down to that, it seems clear to me that the benefits do not outweigh the costs. In fact, it seems to me that the disadvantages of NAT massively outweigh the benefits.

If NAT is not needed for address multiplexing, we should not keep it just for its (very weak) address-hiding properties.

[This article was copied from my personal blog, where it was originally posted on July 23, 2012]

Leave a Reply

Your email address will not be published. Required fields are marked *