NAT won't save you from the need to switch to IPv6

NAT won't save you from the need to switch to IPv6

Summary: Naïve network users still think that NAT can save them from the need to switch to IPv6. Sorry, NAT is a band-aid on a spurting artery.

TOPICS: Networking

Once upon a time, anyone could get a static Internet Protocol (IP) Class C /24 address. That meant you got 256 addresses, well actually since .0 and .255 are set aside, and one address was assigned to your gateway you actually had 253 addresses. But that was more than enough for most small businesses. That was then. This is now.

Today, ISPs don't hand out Class C /24 addresses to just anyone. Instead, you'll need to ask for one, and you'll probably pay extra for it. Today's SOHO default seems to be a Class C /30. That will give you four hosts addresses, with only one of those IP address actually being assignable to a device. Yes, all your PCs and what-not on that network can get to the Internet via NAT (Network Address Translation), but NAT is no more a permanent fix than using duct tape to seal a gas tank leak.

Sure, it will work fine for you for today, but what about tomorrow when you need more addresses? In the long run, as John Curran, president and CEO of ARIN (American Registry for Internet Numbers) explained, "Although NAT works fine for a single enterprise, ISPs know that NAT can't be scaled indefinitely on the scale that they would require to continue to connect customers just via IPv4. This is why they're looking to IPv6 to connect new customers. And while some carrier-scale NAT (between IPv6 and IPv4) will be used during transition to IPv6, we need to focus on making public web sites IPv6 reachable in order to keep the Internet running over the long-term."

There are other reasons as well why NAT won't be enough in the future. Hurricane Electric's IPv6 Evangelist, Owen DeLong told me, "NAT was great as a stop-gap for a limited set of use-cases while we developed a protocol with a larger address space. Indeed, it has bought us a nice 10-12 year cushion on address exhaustion. However, unfortunately, a great deal of mythology has grown up around this 'savior of the day' technology. I think it is best to start by spelling out some of the myths and facts surrounding NAT."

"First," DeLong continued, "NAT introduces a number of problems. Many of these problems have been made invisible to the end user and even to the network administrator deploying NAT, but, if you ask any software vendor that has had to develop software that works in spite of NAT, you'll rapidly find out that it's making software much more expensive, complex, and even larger than it needs to be."

In addition, "NAT makes it hard for users stuck behind NAT to offer any form of service(s) from their machines. While I realize there are those that argue this is a good thing, I will maintain the position that the choice to offer a service to the Internet or not should rest with the owner of the machine in question in most cases. In the cases where it should not, well, a good firewall can still solve the problem without the need for NAT."

Even some of what people see as NAT's advantages don't hold up on closer examination. "NAT does nothing for security," said DeLong. "The entire security benefit most people attribute to NAT actually comes from the stateful inspection of packets that is required in order to maintain state tables for NAT to be able to reverse translations on reply traffic. There are those that argue NAT fails 'closed' and is therefore more secure. A properly designed stateful firewall fails equally 'closed.'"

"So, he continued, "at its core, NAT offers one and only one truly useful feature to the Internet. It allows lots of end-users to hide behind a small number of often one, address(es). However, this only helps end users. It doesn't help for servers, routers, or other infrastructure that must be globally identifiable on the network."

And, that's there the real trouble is coming. "Trying to scale NAT beyond its current state would involve running NAT at the carrier level. This introduces several new problems. One problem: Communications Assistance to Law Enforcement Act (CALEA) compliance with a carrier-level NAT gateway would require vast amounts of disk storage. (More than a petabyte per day for 7 years in some large providers according to some estimates)."

Why so much data? DeLong explained, "In order to identify a subscriber today, you can simply use the one public IP address that corresponds to that end-site's gateway. (Household/business granularity is usually considered sufficient). However, with carrier NAT, you now need the complete state table log and time details. You'll also need more information about the session being investigated, since you'll need the timestamps in order to identify the subscriber in question."

Of course, NAT at that level is also very expensive to deploy and it doesn't scale worth a damn. Worse still, "NAT at the carrier level will also break many of the now common NAT traversal solutions (programs that let you use software that doesn't work well with NAT such as Voice-over-Internet Protocol), resulting in applications that work in the current environment failing in this proposed future environment."

In short, as DeLong concluded, "Yes, there are some unknowns and some other challenges with the migration towards dual stack and eventually the replacement of IPv4. However, there are many more unknowns and a much larger set of challenges contained in doing NAT at the provider level."

And, I might add, with fewer IP address ranges to go around, end-users will soon feel the pain as well in the form of higher ISP fees both for simple connections and for Web hosting. You can use NAT all you want, but in the end you'll be paying more. The days of IPv4 and NAT are numbered.

Topic: Networking

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: NAT won't save you from the need to switch to IPv6

    Bring on the IPv6! I'm ready for it.
    Loverock Davidson
    • RE: NAT won't save you from the need to switch to IPv6

      @Loverock Davidson,

      I hope I'm not going to be expected to remember IPv6 addresses


      is ugly.
  • RE: NAT won't save you from the need to switch to IPv6

    I have read story after story about the need to migrate to IPv6 - but I have yet to hear a compelling business case. The amount of time, money, and effort required to transition to IPv6 behind the firewall just doesn't add up. How big does your company have to be to get funding and project approval to invest in such an effort, and how do you justify the ROI?
    • Why IPv6

      @jdbarney@... It's more a matter of people 'having' to switch from trains to cars. Trains still, for a while, went everywhere, but the infrastructure dollars went to building roads instead of railroads. That's not a great analogy--part of our problem now is we can't build any more Internet railroads even if we wanted to--but I hope it gets the idea across. We don't have any choice. We never did really. We've just managed to delay the change-over.
      • RE: NAT won't save you from the need to switch to IPv6

        @sjvn@... That's a funny analogy, seeing the "Progressives" are pushing for more and more light rail, vilifying the car drivers, and sinking funds into projects that will actually increase road congestion. Maybe you could help them realize the error of their ways... :o)
    • If we blind ourselves to money, then the myopia will consume us

      @jdbarney@... Only doing something because it is "profitable" will ultimately backfire. Humans are the ones deciding what is "valuable" and "profitable". And what's profitable isn't always the right or good thing to do, and then when the brick wall is hit, it often costs far more money to change things around. "Compelling business cases" only see short-term balance sheet modifications. Not long-term stability, or long-term anything. That is not logical for a stable paradigm, economical, ecological, or otherwise with an "-al" suffix at the end.
      • History proves you wrong

        humans acting out of obtaining profit are the ones who have provided pretty much everything you enjoy today. The disasters have always come when central planners, who think they know more than the common man decide what should and should not be done.
    • Really. No Business case?


      You had one in this article (cheaper, smaller, simpler software). here are a few more.

      No more DHCP, the methode used the IPv6 has limitless scaling and redundancy.

      Connectivity redundancy, baked right in.
      IPSec baked right in
      NAT IS expensive, IPv6 doesn't require NAT and in fact IPv6 doesn't even really support it (because whats the point?)

      I frankly cannot wait for IPv6, it would lower my customers support fee's substantially.

      IPv6 IS worth the money, any (knowledgeable) networking guy will tell you. Too bad we just aren't ready yet.
      • If it was worth the money, people would be implementing

        it like crazy right now. The fact that they aren't means it is currently not worth the money. Welcome to the real world.
      • DHCP has other advantages...

        like management, hence DHCPv6.<br><br>Dual IPv4/IPv6 stacks for internet facing devices will be required.<br><br>Many of your customers will take a long time to transition from IPv4 to IPv6 for their LAN. For this reason IPv4 IP will continue to be very valuable (IPv4-mapped IPv6 address).<br><br>Advice from a knowledgeable networking guy!<br><br>Which of your customer support fees will be lowered by operating a dual stack?
        Richard Flude
    • RE: NAT won't save you from the need to switch to IPv6

      @jdbarney@... The business case is simple, as IPv4 addresses run out, the price will go up. If you want to sell services on the internet eventually it will become too costly to provide them over IPv4. Moving forward, IP address use will skyrocket, next generation phones are looking at assigning an IP to every device, this is going to happen fast and the less prepared you are the more costly it will be to handle the transition.
  • RE: NAT won't save you from the need to switch to IPv6

    Hmmm, I don't get it. You say that NAT has to be moved to the carrier. But for enterprises that manage their own firewalls, it only requires an IPv6 to IPv4 NAT translation in the edge device. This is more than sufficient for small businesses that really can get by with the /30 address space. Consumers may have to switch but that only requires Win Vista/7 or other OS that supports IPv6 as almost all consumers have no clue what an IP Address is and they rely on DHCP from the DSL/Cable router....
    Freddy McGriff
    • 6to4 isn't NAT

      @Freddy McGriff

      XP/2003 Supports IPv6 as well
    • RE: NAT won't save you from the need to switch to IPv6

      @Freddy McGriff What happens when you can't get a /30 for your IPv4 external? The point here is that in less than a year, there won't be any more IPv4 addresses to give to new organizations for their firewalls.

      By moving NAT to the carrier, the theory (practice is much messier, but, I'll talk about theory) is that you can use RFC-1918 /30s outside the enterprise firewall and a second layer of ANT at the carrier to map those RFC-1918 addresses from several enterprises into a single IPv4 address.

      In reality, the cost effective alternative is to deploy IPv6. Yes, you'll need to run dual stack for some time and the longer you do, the longer it takes to realize the cost savings from IPv6.

      Any transition has costs associated with the transition.

      I would argue that the business case here is more along the lines of a parallel to the business case for any of the following:

      Y2K Compliance
      Disaster Recovery planning/DR sites

      It's not a question of making more money by going to IPv6, it's a question of being able to sustain your current business. In less than a year, if you don't have IPv6 capabilities on at least the public internet facing parts of your business, you're going to be at an increasing disadvantage compared to your competitors that do.

      If you're an ISP or your business is otherwise internet-centric, the costs of not going to IPv6 could include such effects as complete stagnation of your business (no new addresses = no new customers), increasing proportions of your customers getting a bad user experience reaching your site (up to and including utter inability to get to your services), etc.

      I hope that clarifies.

      Owen DeLong
      IPv6 Evangelist
      Hurricane Electric
  • Obligatory car analogies

    @sjvn, I think an apt analogy is that with IPv4, we can only build so many train stations, whereas with (IPv6) cars, they can drive wherever we need them to go.

    Minor slip-ip (originally a typo, but feels right), ITYM /29 rather than /30; a /30 would only allow for 4 IPs, -3 = 1. Painful, but useful in some odd scenarios.

    As an aside, CGN is a huge pain in the rear when the customers hope to run Internet-facing services on their connection. No such luck, you'll only be able to do that with IPv6, and then only to other IPv6 users. Sticky.
  • Keep beating the IPv6 Drum

    The sooner we move the better.

    I don't think many people factor in the cost of NAT, just because it's so ubiquitous in the IT field. But removing NAT makes EVERYTHING simpler; routing to application availability, the version of IP doesn't really matter (although there are numerous advantages to v6.

    Anyway, like you blog keep up the good work.
    - Sam
  • RE: NAT won't save you from the need to switch to IPv6

    A big problem, and ARIN doesn't seem to address it is, we pay so much each year for a block of IPv4 static addresses and it appears on ARIN's web site we'd need to pay the same amount for a block of IPv6 addresses. According to at least one RFC, IPv4 should be mapped into a specific range of IPv6. This would mean that if you bought an IPv4 block, it would also be an IPv6 block. but from I can see on the ARIN web site, this does not appear to be the case. Therefore, you need to buy 2 blocks instead of 1, double the price. For most businesses, that's a non-starter. They will hold onto IPv4 until the bitter end, when they will then do a massive switch-over to IPv6.

    But since there is an RFC which maps IPv4 into IPv6, all web-services should have it enabled by default. This would make the web-servers both IPv4 and IPv6 compliant right away. It would then make the adoption of IPv6 from an ISP's point of view easier. Clients would get an IPv6 address and they'd be able to reach everywhere on the web they can now, a requirement for adoption. And for those who want to run servers, they pay extra for an IPv4 address.

    Because right now, the system is a mess. With both IPv4 and IPv6, it looks like this:
    A client has a DSL router/modem. The router/modem provides a 192.168.*.* IPv4 address and DHCP to the client. The client may have IPv6 enabled on their computer but they don't know anything about IP, and so they don't get an IPv6 address assigned to them by DHCP. Therefore, their IPv6 isn't going to work.

    A smart client may be able to set up an Ipv6 tunnel through IPv4 but for the average user, it's not going to happen.

    You might be able to get every computer user hooked to the router/modem to run their own PPPoE session and thus connect using IPv6, but again, this is not intuitive for the client user.

    But lets say each client does run their own PPPoE session over their router/modem. Now, we've overloaded the IPv4 address space just so we can make a proper IPv6 connection. So do we NAT the IPv4 and pass through the IPv6?

    What ICANN has not done is make the migration path easy. There is no clear migration strategy other than a complete mess.

    A simple message to ICANN:

    • RE: NAT won't save you from the need to switch to IPv6

      @mheartwood Let me clarify this a little bit...

      IPv4 Mapped addresses are _NOT_ IPv6 addresses for generic use. They are a way for applications developed for IPv6 to accept IPv4 connections without having to treat them differently from IPv6 connections on hosts which have both address families.

      In order to get IPv6 from ARIN as an end user, you will need to pay an IPv6 initial assignment fee one time. However, the annual maintenance fee you pay will remain at $100 for your combined IPv4 and IPv6 addresses. If you are an ISP, the fee situation is a little more complicated, but, in short your annual fee will be the larger of your IPv6 or IPv4 fees, which, in most cases, means you will not pay more for IPv4+IPv6 than you currently do for IPv4.

      The exception is very small ISPs that currently qualify as X-Small in IPv4 where the current ARIN policies make /32 the minimum ISP allocation which creates an increase in annual fees for those particular ISPs to adopt IPv6.

      THe RFC you are referring to does not work quite the way you are thinking it does. You will need to deploy real IPv6 addresses, not just IPv4 mapped addresses on your web servers to support IPv6 connections to your web servers. The RFC in question is a way to allow your IPv6 capable software to parse IPv4 connections on hosts with both protocol families.

      You are correct in that ISPs deploying IPv6 to the SOHO and residential markets will need to also do some router upgrades at the subscriber side in order to support IPv6. This is well known and is already in progress at a number of ISPs.

      As to tunnels, some (6to4 and Teredo, for example) are created automatically by the host in some circumstances (for better or worse).

      Having every user run PPPoE at the host is messy and I don't think anyone will do that. I think that native IPv6 will be the norm and that CPE routers will get upgraded accordingly.

      ICANN doesn't really have much to do with the migration. All ICANN does is provide a central registry that doles address blocks out to Regional Internet Registries (RIRs). IETF does the protocol engineering and they have provided a clear and simple migration path.

      The path is to add IPv6 to your IPv4 hosts. This probably requires upgrades to your routers and may require upgrades to your software and possibly even some of your other hardware.

      Part of the problem here is that much of the CPE equipment and most of the SOHO and residential ISPs aren't quite there yet.

      I hope that answers your questions.

      Owen DeLong
      IPv6 Evangelist
      Hurricane Electric
      (And a member of the ARIN advisory council)
  • RE: NAT won't save you from the need to switch to IPv6

    <blockquote>Today?s SOHO default seems to be a Class C /30.</blockquote>

    There's no such thing as a Class C /30. Class A, B, and C no longer exist thanks to classless inter-domain routing. By definition, /30 is smaller than the old Class C space.
  • RE: NAT won't save you from the need to switch to IPv6

    Wow this topic got pop quick :). @ Steven nice Job