Re: The gaps that NAT is filling
2004-11-23 05:08:51
Hi All,
It will probably come as no surprise to many of you that I have spent
quite a bit of time over the last few years trying to understand why
people use NATs and how they could be replaced with more
architecturally harmonious mechanisms. I have been completely
convinced for several years that IPv6 will not eliminate the (real or
perceived) need for NATs, at least not without significant follow-on
work from the IETF.
We won't be able to eliminate or substantially reduce the use of NAT
in the Internet architecture unless we come up with better ways to
address the problems that NAT is being used to solve, where better is
defined from the user's perspective not from an architectural
perspective.
The average Internet user (home user or enterprise administrator)
does not care about the end-to-end principle or the architectural
purity of the Internet. These users care about ease of deployment,
cost and avoiding unscheduled outages (whether due to security issues
or ISP changes). Home users primarily care about client access to
the Web, and enterprise administrators primarily care about keeping
internal network connectivity as stable as possible.
IMO, Internet users are primarily using NATs to solve four problems
that the IETF has not reasonably addressed: (1) free IP address
space for use on VPNs or other private networks, (2) stable,
provider-independent IP addressing, (3) one-way connectivity to
provide protection for "client-only" nodes, and (4)
zero-configuration home and small office networking.
Let me consider each of these problems separately:
(1) Current ISP business models are tied to IP address allocation,
and that will need to change to remove the economic/business
incentives for enterprises to limit their use of IP addresses. There
might be similar changes needed to registry policies and business
models. Given that there are some rather large political and
financial forces involved, I don't have any idea how/if these changes
will come about. In the meantime, the only alternative for the IETF
is to define portions of the address space that can be used for private
addressing on VPNs and other private networks.
(2) One-way connectivity could be provided via stateful firewalls
instead of via NAT. Since these firewalls wouldn't involve
translation, they would avoid some (but not all) of the problems with
NAT. However, they would still involve storing per-connection state
in the middle of the network, so they will have some of the
brittleness and reachability problems associated with NATs. AFAIK,
the IETF doesn't need to do anything to make these stateful firewalls
possible, and they may replace this aspect of NAT in home/small
office gateways if ISPs actually do offer /48 prefixes to
subscribers. Is there a better way to replace the security
properties of NAT? Is there work that the IETF should be doing in
this area?
There does seem to be some fundamental disconnect between the idea of
a selectively reachable Internet and the DNS system. In an
enterprise situation, this is typically resolved using split DNS or
an independent enterprise-level naming system, and in home networks
this is typically avoided by not assigning DNS names to home nodes.
Is there a better way for an Internet with multiple levels of
reachability to be reflected in the DNS?
(3) There is work ongoing in the multi6 and hip WGs to address one of
the reasons why enterprises want provider-independent address space
-- enterprise-level multihoming. However, the solutions being
considered there will not eliminate the other primary reason why
enterprises want provider-independence -- avoiding dependence on a
particular ISP, which can lead to lock-in, higher prices and/or
unplanned renumbering events due to provider network changes,
failures, mergers, etc.
To offer true provider-independence, we would need to offer
long-term, renewable assignments of IP address prefixes directly to
enterprises, similar to the "swamp space" in IPv4, but perhaps with
an annual fee required to allow recapturing unused prefixes.
Although this appears on the surface to be a policy issue, the reason
that we don't do this today is that it would cause unchecked growth
of the global routing tables and the eventual collapse of the
Internet. To avoid this technical problem, we would need to find a
way to individually route a very large number of prefixes. At the
moment, though, we don't have a generally accepted solution to this
problem. So, enterprises are forced to use NAT to gain provider
independence -- a trait that they obviously (based on the widespread
deployment of NAT for this purpose) value above end-to-end
connectivity for their internal nodes.
(4) NATs are also currently used as an element of zero-configuration
home networking solutions. While it is probably possible to build a
low-cost, zero-configuration home gateway without using NATs or
scoped addressing (which I consider to be almost as bad as NAT), we
don't seem to be working on this problem in the IETF. Should we be?
Without solutions to these four problems on the horizon, I can't
voice any enthusiasm that the larger address space in IPv6 will
eliminate NAT in home or enterprise networks.
Margaret
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
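Added illustration of the stateful-firewall alternative raised in point (2), not code from the post or from any IETF work: a constructed model of a gateway that admits inbound packets only as replies to inside-initiated flows, never rewrites addresses, and loses its flow table on restart. The prefix and addresses are documentation-range placeholders; INSIDE_PREFIX stands in for a subscriber /48.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "2001:db8:1::"   # constructed stand-in for the subscriber /48

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulFirewall:
    """Gateway that tracks flows but never rewrites addresses (no NAT)."""

    def __init__(self):
        self.flows = set()   # per-connection state, keyed by the outbound 5-tuple

    def forward(self, pkt):
        """Return (verdict, pkt); pkt comes back unmodified, no translation."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.src.startswith(INSIDE_PREFIX):
            self.flows.add(key)          # inside -> outside: allowed, creates state
            return "accept", pkt
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:        # outside -> inside: only replies to known flows
            return "accept", pkt
        return "drop", pkt               # unsolicited inbound toward a client-only node

    def reboot(self):
        """Restart or failover: flow state is lost (the brittleness the post notes)."""
        self.flows.clear()

def demo():
    fw = StatefulFirewall()
    client, server = INSIDE_PREFIX + "10", "2001:db8:ffff::80"
    out = Packet(client, 40000, server, 80)
    reply = Packet(server, 80, client, 40000)
    probe = Packet("2001:db8:ffff::81", 12345, client, 22)
    r = {
        "outbound": fw.forward(out)[0],
        "reply": fw.forward(reply)[0],
        "unsolicited": fw.forward(probe)[0],
        "reply_dst_unchanged": fw.forward(reply)[1].dst == client,  # end-to-end address kept
    }
    fw.reboot()
    r["reply_after_state_loss"] = fw.forward(reply)[0]   # established connection breaks
    return r
```

Running demo() shows the two properties the post contrasts: unsolicited inbound traffic is dropped while the inside address is never translated, and the same reply that was accepted before the restart is dropped once the per-connection state is gone.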