A good argument about NAT:
Do we really need to have IPv6 when Nat conserves address space and aids security?
Daniel Golding
Tuesday 28 February 2006 09:28
Internet: Love it or hate it, Network Address Translation will not be going away soon.
It is a common belief that IP addresses are running out. Every device on a network needs to be uniquely identified by its IP address, and the problem is that there are simply not enough IPv4 addresses.
The key advantage of IPv6 is that its addresses are 128 bits in length, as opposed to the 32-bit length of IPv4 addresses. This results in a huge number of IP addresses.
The big question is are we really running out of IPv4 addresses? If so, IPv6 is certainly a reasonable solution. But thanks to Network Address Translation (Nat), IPv4 addresses are, in fact, far from depleted.
Nat offers the ability to share a single public, globally routable IP address among many internet hosts. This is valuable in the IPv4 world, where public IP addresses are, by necessity, conserved.
Address conservation would not be as necessary if IPv6 were deployed, and this has prompted Nat opponents to champion the adoption of the new protocol. They argue that adopting IPv6 (and eliminating Nat) will make the internet a better and safer place for all of us and enable exciting new technologies. They believe it will usher in the age of the "end-to-end" internet.
But is Nat really such a bad thing? And if it is, why are we so attached to it?
Nat is a technology that some people love to hate. Some dislike it because, early on, it tended to break some applications: in particular, certain gaming, client-server and virtual private network technologies embedded their host's private IP address inside data packets, where Nat translators couldn't find it.
The result was that data from Nat hosts could reach servers, but the applications on those servers could not form a connection with the requestor because they tried to use the host's private address instead of their Nat gateway's public IP address.
But the days of Nat breaking applications have long since gone. Today, applications are written with the assumption that Nat will be used. This means that embedding IP addresses inside data packets - always a violation of networking standards - is now considered a poor coding practice.
Peer-to-peer applications that would have trouble establishing communications if both hosts lay behind Nat use a variety of mechanisms (usually rendezvous servers on the internet) to relay information.
So why is Nat vilified by some? The answer is that application developers do not enjoy implementing these sometimes complex Nat workarounds. Their employers would prefer that they didn't have to deploy rendezvous servers or spend time on coding Nat traversal routines.
Microsoft, in particular, is a vocal critic of Nat, largely because of its Xbox gaming platform. Most Xbox consoles are network connected to enable users to take part in multiplayer games. Because most home users employ Nat to allow the connection of multiple hosts while using a single public IP address, most Xbox units are behind Nat.
This makes coding multiplayer games for the Xbox more difficult and costs Microsoft money. For one thing, developer time is not free. For another, game developers such as Microsoft typically need to deploy rendezvous servers to allow Nat gamers to "meet" and establish games rather than simply proceeding in a fully peer-to-peer manner.
Microsoft is not the only developer with this view. Many peer-to-peer applications are emerging, and their development and implementation are invariably complicated by the prevalence of Nat. These applications include instant messaging, file sharing and collaboration applications. Their developers speak wistfully of an end-to-end internet, a network without Nat. To them, it would be a better internet.
If Nat is an evil for some, it is an absolute necessity for others. Leaving aside the issue of helping to conserve address space, one must examine the other primary driver for Nat deployment - security.
Nat helps to obscure the interior of a private network, making network scanning difficult, and it functions as a poor man's firewall. Nat opponents claim that a properly designed and implemented stateful firewall will serve the same purpose.
This may be true, but Nat has significant advantages over firewalls, including ease of implementation, low cost, and essentially foolproof operation.
Most consumers with home routers have deployed Nat without even needing to be aware of its existence. Such things cannot be said for any high-quality firewall.
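An added illustration, not part of the article, of the two mechanisms the text relies on: the embedded-address problem from the paragraphs on applications that Nat used to break, and the "poor man's firewall" effect described just above. The port-overloading Nat model, the IP addresses and the port numbers are constructed for this example.

```python
# Constructed model of a NAPT gateway: it rewrites only IP/port header fields
# (never the application payload), and inbound packets that match no existing
# mapping are dropped, which is the "poor man's firewall" effect.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""

class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port) -> public_port
        self.out_map: Dict[Tuple[str, int], int] = {}
        # public_port -> (private_ip, private_port)
        self.in_map: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network, creating a mapping on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        # Only the header is rewritten; a private address embedded in the payload survives.
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the internet; drop it if no mapping exists."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.in_map:
            return None  # no inside host asked for this, so a scanner's probe goes nowhere
        priv_ip, priv_port = self.in_map[pkt.dst_port]
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)

def demo():
    nat = Napt("203.0.113.7")  # constructed public address of the gateway
    host = Packet("10.0.0.5", 5000, "198.51.100.20", 80, payload="my address is 10.0.0.5")
    out = nat.outbound(host)
    reply = nat.inbound(Packet("198.51.100.20", 80, out.src_ip, out.src_port, "ok"))
    probe = nat.inbound(Packet("192.0.2.99", 31337, "203.0.113.7", 3389, "scan"))
    return out, reply, probe
```

Running `demo()` shows the server seeing the private 10.0.0.5 in the payload while the header carries the public address, the reply flowing back through the mapping, and the unsolicited probe being dropped.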
Ironically, Microsoft, one of Nat's greatest opponents (and therefore an IPv6 proponent), is the primary reason Nat is necessary. The Windows operating system is fertile soil for hackers.
Numerous experiments have shown that an internet-connected but unprotected Windows workstation will not last long against regular port scans and penetration attempts. The simple expedient of placing a Windows PC behind a Nat router changes the equation considerably, giving even unsecured Windows PCs an environment in which they can operate safely.
As long as Windows is the primary operating system for internet-connected hosts (a condition that is unlikely to change any time soon), Nat will be an important part of most users' security perimeters.
Peer-to-peer application developers will continue to write Nat traversal code, and their companies will deploy rendezvous servers, just as they have been doing.
If this is an evil, then it is a small one compared to the idea of an internet without Nat. Bowing to this reality, the Internet Engineering Task Force (IETF) has set aside a series of private IPv6 addresses, known as Unique Local IPv6 Unicast Addresses, whose intended application is obviously Nat (IETF RFC 4193).
It was clear to the IETF that Nat is not going away soon, and that the lack of Nat was a disincentive to IPv6 deployment, rather than a benefit.
The application developers who complained the loudest about Nat are a small proportion of internet users, and their voices are clearly drowned out by those with valid concerns about internet security.
The elimination of Nat is not a reason to move to IPv6 - that elimination is neither desirable nor mandated in IPv6 as currently specified.
Nat is far from an unmitigated evil, even though some like to portray it that way. In fact, it is a significant contributor to many network security solutions.