It’s interesting that one of the biggest reasons that people seem to have for not wanting to move to IPv6 is the lack of NAT – people just seem flabbergasted when they hear that there is no trace of NAT in IPv6. This is quite interesting to me – I can’t say NAT is something I ever liked in the slightest, having played around with running my own servers over a home internet connection in my youth, and getting frustrated with all the limitations it brought. But it seems that some people really do like it.
The biggest problem though is that the main thing people like about NAT is based on a dangerous misconception. Basically, the idea is that NAT adds some level of security. This is completely false. Let me emphasise this:
NAT does not provide any security
Not any security at all. None. If you think it does, then you probably shouldn’t be involved in running anything bigger than a home network.
What is NAT?
As I said before, the biggest misconception about NAT is that it has something to do with security. This is not at all the case. So what actually is it for?
NAT is simply a hack that was designed to stave off IP address space exhaustion by hiding the computers behind one public IP address, giving them private IPs, and then doing bodgy address translation at the router. The main thing it does is stop the computers behind it from being reachable on any port, except for ports that are explicitly forwarded. This breaks reachability if you want to run, say, two web servers on port 80 (only one can be reached from the outside world). From a security standpoint, it basically gives you a very simple, badly configured firewall. You still need a firewall for proper security with NAT, and almost any firewall gives better security than NAT. I’ve read some people talking about NAT being another ‘layer’ so it’s increasing security, but it’s just not – the firewall does exactly the same thing and more, rendering any security from NAT unnecessary.
All home routers now contain a stateful firewall built in, and all operating systems have their own firewalls as well. There is absolutely no reason why NAT would need to be relied on for security in any modern network.
NAT breaks the Internet
A fundamental part of how the Internet is supposed to work assumes end-to-end routability – that is, that you should be able to route packets from any IP to any other IP. By hiding many networks of computers behind single public addresses, this is broken.
The other part is that a computer should be able to have the option to host services for others to consume – but with NAT, you are severely limited in this. With port forwarding you can only have one machine accessible on a given port, so you have to mess around with proxies and other extra hardware for no good reason. NAT just adds cost, bottlenecks, extra points of failure and unnecessary complexity.
Routability vs. Reachability
Just because an address is routable does not necessarily mean it is always reachable though. People seem to have the idea that as soon as NAT is gone and they have a public IP, they are completely open and at the mercy of the internet. This is what the firewall is for – all ports should be blocked by default, and only opened to an endpoint if that computer is hosting a service on that port. Given that there is a firewall both on the computer and on the router, adding NAT does nothing extra.
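As an added example (not from the original post), here is an nftables ruleset for an IPv6 edge router with no NAT that gives exactly the posture described above: everything blocked by default, replies to outbound connections allowed statefully, and ports opened only for the hosts that actually serve on them. The interface names wan0/lan0 and the 2001:db8::/32 addresses are assumptions for illustration.

```nftables
# Added example: IPv6 router ruleset, no NAT. Default-deny inbound, stateful
# return traffic allowed, services opened per host. Interface names (wan0, lan0)
# and the 2001:db8:1::/64 addresses are assumed for illustration only.
table inet filter {
    chain input {
        # Traffic addressed to the router itself: drop unless explicitly allowed.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is required for IPv6 to work at all (neighbour discovery, PMTU).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept
        # Router management only from the LAN side.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic routed between LAN and Internet: same default-deny posture.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        # LAN hosts may open outbound connections; replies come back via ct state,
        # which is the only "protection" NAT ever gave, minus the translation.
        iifname "lan0" oifname "wan0" accept
        # Two web servers on port 80, each reachable on its own global address:
        # the case a single port forward cannot express.
        iifname "wan0" ip6 daddr 2001:db8:1::80 tcp dport 80 accept
        iifname "wan0" ip6 daddr 2001:db8:1::81 tcp dport 80 accept
    }
}
```

Load it with `nft -f` and the hosts on lan0 remain unreachable from wan0 except on the two listed address/port pairs, which is the same reachability a NAT box offers without breaking end-to-end addressing.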
NAT is a hack that only breaks things, and I can’t wait to get rid of it. The fact that IPv6 totally does away with it is something that I’m very happy about, and one of the reasons why we need to drastically speed up our deployment of the next generation internet protocol.