ietf
[Top] [All Lists]

Re: The gaps that NAT is filling

2004-11-23 05:08:51

Hi All,

It will probably come as no surprise to many of you that I have spent quite a bit of time over the last few years trying to understand why people use NATs and how they could be replaced with more architecturally harmonious mechanisms. I have been completely convinced for several years that IPv6 will not eliminate the (real or perceived) need for NATs, at least not without significant follow-on work from the IETF.

We won't be able to eliminate or substantially reduce the use of NAT in the Internet architecture unless we come up with better ways to address the problems that NAT is being used to solve, where better is defined from the user's perspective not from an architectural perspective.

The average Internet user (home user or enterprise administrator) does not care about the end-to-end principle or the architectural purity of the Internet. These users care about ease of deployment, cost and avoiding unscheduled outages (whether due to security issues or ISP changes). Home users primarily care about client access to the Web, and enterprise administrators primarily care about keeping internal network connectivity as stable as possible.

IMO, Internet users are primarily using NATs to solve four problems that the IETF has not reasonably addressed: (1) free IP address space for use on VPNs or other private networks, (2) stable, provider-independent IP addressing, (3) one-way connectivity to provide protection for "client-only" nodes, and (4) zero-configuration home and small office networking.

Let me consider each of these problems separately:

(1) Current ISP business models are tied to IP address allocation, and that will need to change to remove the economic/business incentives for enterprises to limit their use of IP addresses. There might be similar changes needed to registry policies and business models. Given that there are some rather large political and financial forces involved, I don't have any idea how/if these changes will come about. In the meantime, the only alternative for the IETF is define portions of the address space that can be used for private addressing on VPNs and other private networks.

(2) One-way connectivity could be provided via stateful firewalls instead of via NAT. Since these firewalls wouldn't involve translation, they would avoid some (but not all) of the problems with NAT. However, they would still involve storing per-connection state in the middle of the network, so they will have some of the brittleness and reachability problems associated with NATs. AFAIK, the IETF doesn't need to do anything to make these stateful firewalls possible, and they may replace this aspect of NAT in home/small office gateways if ISPs actually do offer /48 prefixes to subscribers. Is there a better way to replace the security properties of NAT? Is there work that the IETF should be doing in this area?

There does seem to be some fundamental disconnect between the idea of a selectively reachable Internet and the DNS system. In an enterprise situation, this is typically resolved using split DNS or an independent enterprise-level naming system, and in home networks this is typically avoided by not assigning DNS names to home nodes. Is there a better way for an Internet with multiple levels of reachability to be reflected in the DNS?

(3) There is work ongoing in the multi6 and hip WGs to address one of the reasons why enterprises want provider-independent address space -- enterprise-level multihoming. However, the solutions being considered there will not eliminate the other primary reason why enterprises want provider-independence -- avoiding dependence on a particular ISP, which can lead to lock-in, higher prices and/or unplanned renumbering events due to provider network changes, failures, mergers, etc.

To offer true provider-independence, we would need to offer long-term, renewable assignments of IP address prefixes directly to enterprises, similar to the "swamp space" in IPv4, but perhaps with an annual fee required to allow recapturing unused prefixes. Although this appears ont he surface to be a policy issue, the reason that we don't do this today is that it would cause unchecked growth of the global routing tables and the eventual collapse of the Internet. To avoid this technical problem, we would need to find a way to individually route a very large number of prefixes. At the moment, though, we don't have a generally accepted solution to this problem. So, enterprises are forced to use NAT to gain provider independence -- a trait that they obviously (based on the wide-spread deployment of NAT for this purpose) value above end-to-end connectivity for their internal nodes.

(4) NATs are also currently used as an element of zero-configuration home networking solutions. While it is probably possible to build a low-cost, zero configuration home gateway without using NATs or scoped addressing (which I consider to be almost as bad as NAT), we don't seem to be working on this problem in the IETF. Should we be?

Without solutions to these four problems on the horizon, I can't voice any enthusiasm that the larger address space in IPv6 will eliminate NAT in home or enterprise networks.

Margaret



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf


<Prev in Thread] Current Thread [Next in Thread>