ietf

Re: NATs *ARE* evil!

2000-12-17 20:40:03

"J. Noel Chiappa" <jnc(_at_)ginger(_dot_)lcs(_dot_)mit(_dot_)edu> writes:
    > From: "Perry E. Metzger" <perry(_at_)piermont(_dot_)com>

    > Several layers of NAT has become common

> This I have a hard time fathoming - not that I'm doubting that people do it,
> mind.

Imagine a large number of companies talking to each other -- the sort of
situation you have when, say, you have a large clearing and settlement
operation on Wall Street that has decided to speak TCP/IP to its
clients. Now, imagine also that the clearing house doesn't have real
IP addresses -- after all, you're always told these days to use net 10
when you go to the registries and aren't going to be globally routing
your nets -- and that the other firms also use unregistered addresses
-- frequently, the same ones.

Well, you have to talk, so you use NAT.

Now, imagine that those clients have to access a service you are
reselling -- say, some sort of market data or specialized clearing
information. That service is also delivered over TCP/IP, and also over
unregistered addresses. Packets start having to traverse several
address zones, just within the network obvious to the clearing
organization.

Now, assume that there are a couple of address zones within the client
site for whatever reason, so they're using NAT internally.

Now, further assume that through various remote access schemes, you
have to provide access to this mess over the "real" internet. Another
layer of NAT gets added.

Are you starting to see the nightmare that has been created here?

None of this is theoretical. This stuff is really happening.

> I mean, I can understand it is a temporary thing, e.g. if one company buys
> another, and in gluing the networks together they temporarily leave the
> bought company behind a NAT, but interface it to the world via the main
> corporation's gateway/NAT.

Unfortunately, multiple organizations like to talk to each other over
their networks. Funny, that.

Now, you'd imagine if a Large Market Data Provider, say, went to ARIN
to ask for addresses, they'd get them, but they in practice don't --
they're told to use net 10 since their stuff isn't globally routed --
and of course all their customers use net 10 too...

> But using a NAT box adds a ration of complexity (which is always bad
> and a source of potential problems), and using layers of them
> increases the complexity, with attendant complexity costs. I have a
> hard time understanding why people would add that much complexity,
> without a darned good reason.

They can't avoid it. They need to get their work done. They have no
way of getting registered addresses. They're told to use NAT by
organizations like ARIN, and so they do the only thing they can. Why
do you think we're seeing huge sales of routers but somehow we haven't
run out of v4 address blocks? It isn't because people are using those
routers as heating equipment. It isn't because those people wouldn't
prefer to get registered addresses, too.

Anyone notice how odd the growth charts look for the v4 allocation
space? It is because we've already run out of addresses, folks -- or
at least we're acting as though we have.

I've seen as many as four layers of NAT. (That was only once, and not
all the layers were within a single organization.) Two layers is
routine, three less so. I'm making assumptions here, of course -- you
don't know what's really going on inside the other organizations. For
all I know, the packets I think are coming in from the other guy's net
10 are originating behind another layer of NAT or two. Hard to tell.

It is impossible for *me* to try to figure out what is going on in
such situations without a diagram. Imagine what it is like for
ordinary NOC staff?

And consider that NAT boxes are stateful. When they go, they take out
long lived connections, unlike dead routers, which you can simply
route around.

And consider what happens when you suddenly discover that you need to
re-jigger your whole nightmarish Rube Goldberg network because
suddenly you have to make that net you never thought would have to
talk to the internet show up on the net and you only have a couple of
/24s you can get your hands on and have to push some of the stuff
that's globally routed back into the private world somehow...

None of this is theoretical. I've seen all of this. It is astonishing
how hard it has all become.

As I've said, millions are being spent a year by large organizations
dealing with failures and complexity attributable to NAT.

To the routing heads out there, v6 is a total failure because it
doesn't solve the routing problem. I hear people like Sean Doran say
"NAT is fine". That's because to the routing people and ISPs, the ugly
stuff that happens at the endpoints of the networks is
immaterial. ISPs get the global address blocks they want -- why do
they care about the rest?

Well, as things stand, we're having serious bad trouble happening at
the edges of the net. NAT being a major source of operational trouble,
failure and cost is not a future problem. It is here now.

You may ask why these end users aren't demanding v6. Well, they can't
go to their provider and buy v6. They don't even know about v6.
So they struggle along in NATworld. After all, everyone else is doing
the same thing.


--
Perry E. Metzger                perry(_at_)wasabisystems(_dot_)com
--
Quality NetBSD CDs, Support & Service. http://www.wasabisystems.com/
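A small model of the layered-NAT situation the mail describes, added here as an illustration (it is not code from the original thread). It assumes a constructed topology of two client sites behind their own NATs, a clearing-house NAT, and an edge NAT, and shows why a packet's origin cannot be recovered from its address alone when net 10 is in use on both sides, and why a rebooted stateful NAT strands the flows that ran through it.

```python
# Added example, not part of the original mail: a toy model of chained, stateful
# source NAT (port overloading), modelling the overlapping-net-10 and NAT-reboot cases.
from dataclasses import dataclass, field

@dataclass
class Nat:
    outside_ip: str                            # address presented on the far side
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> outside_port

    def outbound(self, src):
        """Translate an inside (ip, port) to (outside_ip, port), creating state."""
        if src not in self.table:
            self.table[src] = self.next_port
            self.next_port += 1
        return (self.outside_ip, self.table[src])
    def inbound(self, dst):
        """Map a reply sent to (outside_ip, port) back inside; None if no state."""
        return next((i for i, p in self.table.items() if dst == (self.outside_ip, p)), None)

def traverse(layers, src):
    """Push a packet's source through each NAT layer; return what the far end sees."""
    for nat in layers:
        src = nat.outbound(src)
    return src
def reply(layers, dst):
    """Walk a reply back through the layers; None if any layer has lost its state."""
    for nat in reversed(layers):
        dst = nat.inbound(dst)
        if dst is None:
            return None
    return dst

# Constructed topology: two client sites (internal NATs, both on net 10), then the
# clearing house's NAT, then the edge NAT (192.0.2.1 is a documentation address).
SITE_A, SITE_B = Nat("10.1.1.1"), Nat("10.1.1.2")
CLEARING, EDGE = Nat("10.0.0.1"), Nat("192.0.2.1")

def observed_origins():
    """Same private address at two sites: only the port differs at the far end."""
    a = traverse([SITE_A, CLEARING, EDGE], ("10.0.0.5", 1234))
    b = traverse([SITE_B, CLEARING, EDGE], ("10.0.0.5", 1234))
    return a, b

def reply_after_crash():
    """Reply for an established flow before and after the middle NAT reboots."""
    far = traverse([SITE_A, CLEARING, EDGE], ("10.0.0.7", 5555))
    before = reply([SITE_A, CLEARING, EDGE], far)
    CLEARING.table.clear()  # the box rebooted: every mapping it held is gone
    return before, reply([SITE_A, CLEARING, EDGE], far)
```

Without the tables held inside each box, nothing in the packet seen at the edge says which site's 10.0.0.5 sent it; once the clearing-house NAT loses its table, the reply has nowhere to go, whereas a dead router in the same position would simply have been routed around.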