Presentation on theme: "Carrier Grade NATs Geoff Huston APNIC. What’s the Problem While hard numbers are hard to come by, its likely that more than 90% of the Internet clients."— Presentation transcript:
What’s the Problem While hard numbers are hard to come by, its likely that more than 90% of the Internet clients using the IPv4 Internet do so from behind a NAT. 5% sit behind CGNs that morph the end user IP address within 10 seconds Nats have been prevalent for the past decade, so it’s a little late to try and say “stop!” at this point in time So in some sense criticizing NATs and saying that they’re bad is like criticizing reality, and the pragmatic approach is to get over it and move on But…
Why NATs are a problem There is a mindset and a regulatory approach to communications that does not mesh with this form of NAT use on the Internet Lets look at the phone network: – Every handset has a phone number – This association is stable and long lived – Telephone numbers identify endpoints to conversations that occur on the network
Why are NATs a Problem We used to run the Internet this way But we started running out of addresses, so we started sharing them So we divided the Internet into clients and servers – Servers have stable IP addresses – Clients do not Clients borrow an address for a conversation Different conversations use different addresses The same IP address can be used by many clients at the same time Clients are not identifiable by the network And we said its just TCP and UDP and no more
The NATted Internet Addresses are not end point identification tokens They are ephemeral conversation tokens that have no lasting significance So what?
Implications Network level Data Retention is an exercise in futility when NATs are present – Implications for LEAs, security agencies and similar – There are opaque communications environments, and certainly environments that use header address transforms aid in this opacity Viewed from the perspective of the application designer, the Network is increasingly untrustable – Applications are forced to use different approaches for persistent end point identity And hide them from the network – Applications hide their true behaviour and masquerade into NAT-friendly behaviours TCP Muxing, payload encryption Application behaviour is moderated by gateways, helpers and middleware fragility barriers to entry no longer an open and accessible marketplace for new approaches and technologies
Where and How does this stop In Theory the universal adoption of IPv6 would allow NATs to be dismantled But we have no idea when or how we get to that point And each day the network grows, and that growth can only be absorbed by even further deployment of NATs