A Life Without NAT

Network Address Translation – A Black Mark on IPv4’s Name

Why do people use Network Address Translation?
Because they always have, that’s why. “That’s the way we’ve always done it” is one of the dumbest reasons we do things. It precludes continued thought and absolves us of the responsibility to think about why we are doing something. Network Address Translation (NAT) has been a bellwether of the Internet world for so long that many of us can’t remember a time without it. Many in the business rally around its role as a mechanism of security in our networks, “hiding the internal network” from the outside world. When presented in such a light it certainly sounds compelling. Being hidden from the evil, nasty outside world? Yeah! I-want-to-go-to-there.

Alas, it’s a crock. A fib. And in the words of Don King, a falsitude. NAT exists for one single reason: to help alleviate the pressure on the IPv4 address space. Forced to conserve IP addresses, we long ago began using “private” IP addresses on our internal networks. Private IP addresses, by design, are not routed by Internet routers. It’s not that there is anything inherently wrong with the addresses. They’re just designated by RFC 1918 as being “private”, and any packet on the Internet coming from or going to one of the addresses should be dropped by Internet routers (via ACL or via the lack of a route in the default-free routers). As a result, any node configured to use an RFC 1918 private IP address is doomed to a life without Internet connectivity. Now, enter your nemesis doing business as a friend: NAT. With a NAT device configured with a private IP address on the internal (private) interface and a public, Internet-routable IP address on the external (Internet) interface, we can translate the IP address of packets leaving the private network on their way to the public network. At this very moment there are billions of computers accessing the Internet via this exact mechanism (including the one I am using to write this). NAT and private IP addressing are like peas and carrots, Bonnie and Clyde, chips and salsa, Lois and Clark, and Colin and awesomeness. They just go together.
NAT got lumped into the security mechanism category when it became normal to include NAT and firewalling capabilities in the same device. But hear me on this one very important point. THE FIREWALLING FUNCTION OF A DEVICE AND THE NAT FUNCTION OF A DEVICE HAVE NOTHING TO DO WITH ONE ANOTHER. They just happen to be taking place on the same device. The firewalling function controls what is allowed in and what is allowed out. In some cases it can also be used to control whether or not a packet will be NAT-ed. The NAT function occurs after the firewalling function has made an ALLOW decision. To summarize, the firewalling function protects the inside from the outside and the NAT function translates the addresses to allow the un-routable to become routable.

NAT-free Network – Global Unicast Addresses for Everybody!!! Bye-Bye NAT!

What happens when there is no longer any pressure on the IP address space? Imagine there are more addresses available than we can conceive uses for (famous last words, I know). If there is no pressure on the IP address space, why do you need a device to translate the private to the public (and back again)? Uh, you don’t. So, no pressure on address space means no NAT necessary. We still need the firewall function, of course. The need to protect the inside from the outside will remain forever. And there it is, the future: IP version 6. IPv6 eliminates the pressure on the IP address space. Everybody on this planet will have enough IP addresses available to them that they will never again have to worry about whether or not there are enough IP addresses. Well good. That’s one less thing to worry about, right? All that remains is the need to firewall. And that is all that needs to stand between your so-called private network and the Internet. And that’s the way it should be. For some of us that will be a new paradigm. Without that false sense of security we get from NAT there are many who will feel exposed with their internal nodes having public IP addresses and only a firewall (or two or three or four) to protect them from the nasties. Trust me, it’s going to be OK.
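The separation argued above can be seen in a single edge-router ruleset. This is an added example, not part of the original post: an nftables configuration in which the firewalling function lives in one table and covers IPv4 and IPv6 alike, while the NAT function lives in a second, IPv4-only table. The interface names wan0 and lan0 and the 192.168.0.0/16 inside prefix are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. "wan0", "lan0" and 192.168.0.0/16 are assumed names/values.
flush ruleset

# Firewalling function: decides what is allowed in and out.
# The inet family applies the same rules to IPv4 and IPv6 traffic.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that inside hosts opened.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open new connections toward the Internet.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error messages that IPv6 relies on (path MTU discovery etc.).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Anything else arriving from outside falls through to "policy drop",
        # whether the inside host has a private or a global unicast address.
    }
}

# NAT function: IPv4 only. The postrouting hook runs after the forward hook,
# so a packet is translated only once the filter above has accepted it.
# This table rewrites source addresses and blocks nothing.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" ip saddr 192.168.0.0/16 masquerade
    }
}

# There is deliberately no "table ip6 nat": IPv6 hosts keep their global
# unicast addresses, and the forward chain alone protects them.
```

Deleting the `table ip nat` block changes nothing about which inbound connections are refused; the `policy drop` in the forward chain is what stands between the inside hosts and the Internet.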



Colin Weaver

About the Author


Colin Weaver is co-owner and lead instructor at ITdojo, Inc., a network security and information assurance training center and consulting firm located in Virginia Beach, VA. His passion for technology, networks, and security has led him to become enthralled with the idea of IPv6 and its implementation. In this blog he will share with you glimpses of what he has learned and a hint at what you’ll learn in his classes.