http://www.circleid.com/posts/ip_or_nat_ip_mostly_ip/

IP or NAT IP: Mostly IP

Feb 16, 2004 | Inside: IP Addressing | By Pierre Beyssac

There seems to be a heated debate on this site about NAT (network-address translation). What came as a surprise to me is that a lot of the arguments seem to reside in ideological points of view which obscure the real issues at hand—IP addressing, IP security—and have little to do with NAT’s actual merits or drawbacks.

NAT is not all good

NAT breaks some protocols, those that have not been designed with NAT in mind. This can require tweaks in NAT implementations to support specific protocols. This is bad because it doesn’t scale well (there are too many protocols in the world to cope with) and obviously you can’t cope with protocols that haven’t been invented yet.

Security-wise, NAT security is not much better than good IP filtering, and it’s much more limited in its versatility. If you want to be a server to the outside world, you need some sort of explicit configuration allowing inbound connections. It’s not always easy, and it can’t even always be done, depending on the protocol you want to serve and your equipment.

Finally, NAT breaks end-to-end connectivity. This is just a fancier and shorter way of saying some of the above. Breaking end-to-end connectivity is not pure evil, but it should always be done with great care about the implications.

NAT is not all bad

NAT is easy to implement: most entry-level NAT routers are just plug-and-play. It’s much easier than configuring equivalent security with IP filtering.

In case of a network problem, NAT is easy to diagnose in most cases: if your computer has an address in 192.168.x.x or equivalent and you can still access the Internet, you know you are NATed somewhere. It’s much easier than diagnosing broken IP filtering.

NAT saves addresses. Why require 4 or more globally-routable IP addresses from your provider if you only need one of these to be visible from the outside world and you will filter out the others anyway? It’s not only a problem of global address pool exhaustion: it also simplifies address handling both on the provider’s side and the user’s side, thus saving costs. In general this shows up on the monthly bill. For example, subnet routing on ADSL connections is at a premium.

NAT is not the only culprit in preventing servers run by end users. This responsibility is shared with dynamic IP addressing.

What we should really care about

NAT is really just a tool. It’s not a plot by conglomerates to kill peer-to-peer networking, but it’s not the panacea either. The important thing is that users should have a choice, and not only regarding whether or not to use NAT. So the things we really should insist on are:

Encourage connectivity providers to not force NAT on their users. Most of them don’t, anyway. Let’s hope it stays that way: the choice should be the user’s, not the provider’s.

Encourage connectivity providers to provide static IP addresses to users who require these, as an option. There’s a small market for that and we shouldn’t let it shrink, or providers might drop this option from their connectivity packages. This means educating users on the real advantages of static IP addresses—for example, it’s almost required if you want to run your own DNS server.

Encourage connectivity providers to provide IP subnet routing to users, as an option. Same argument as above.

Encourage connectivity providers to not force IP security on their users, again leaving the final choice to the user: you can filter out something you don’t want, but you can’t unfilter something your provider filtered out without your consent. This means encouraging users to handle their security themselves. This in turn means using NAT where it’s easier, and using IP filtering where it applies—perhaps by designing network gear that makes IP filtering as easy to configure as NAT currently is.

Most of these points are not new and existed from day one of dialup connectivity, well before NAT was even an idea. I think that’s a better way of stating the real problems masked behind (pun not intended) NAT, and a clearer way of expressing what objectives really matter for the future: preserving users’ choice of a real (open, end-to-end) Internet connectivity where they want it, and allowing them to serve content as they see fit.
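The "NAT breaks some protocols" point above is easiest to see with active-mode FTP, whose PORT command embeds the client's own address inside the application payload, where a plain NAT never rewrites it. The following is an added illustration, not code from the original post; the addresses are constructed (a host on 192.168.1.20 behind a NAT whose outside address is 203.0.113.7) and the helper names are mine.

```python
import re

# Active-mode FTP carries the client's address and port inside the command
# stream: "PORT h1,h2,h3,h4,p1,p2"  ->  address h1.h2.h3.h4, port p1*256+p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port_command(line):
    """Return (address, port) from an FTP PORT command, or None if it is not one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    address = ".".join(str(o) for o in fields[:4])
    return (address, fields[4] * 256 + fields[5])

def nat_breaks_payload(payload_line, packet_src):
    """True when a NAT without a protocol-specific helper would break this
    exchange: the address the client advertises in the payload differs from
    the source address the server actually sees on the packet, so the server's
    data connection back to the advertised address cannot reach the client."""
    parsed = parse_port_command(payload_line)
    if parsed is None:
        return False          # not a PORT command; nothing address-bearing here
    advertised, _ = parsed
    return advertised != packet_src

# Constructed sample: without a helper the server sees the packet arrive from
# 203.0.113.7 but is told to connect back to 192.168.1.20:5001.
if __name__ == "__main__":
    cmd = "PORT 192,168,1,20,19,137"
    print(parse_port_command(cmd))                   # ('192.168.1.20', 5001)
    print(nat_breaks_payload(cmd, "203.0.113.7"))    # True  (NAT in the path)
    print(nat_breaks_payload(cmd, "192.168.1.20"))   # False (no NAT in the path)
```

The same mismatch check is what a NAT's FTP helper has to perform and then patch, which is the per-protocol tweak the article says does not scale.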