Carrier Grade NATs - Labs

Carrier Grade NATs
Geoff Huston
APNIC
What’s the Problem
• While hard numbers are hard to come by, it's likely that
more than 90% of the Internet clients using the IPv4
Internet do so from behind a NAT.
• 5% sit behind CGNs that morph the end user IP address
within 10 seconds
• NATs have been prevalent for the past decade, so it's a
little late to try and say "stop!" at this point in time
• So in some sense criticizing NATs and saying that
they’re bad is like criticizing reality, and the pragmatic
approach is to get over it and move on
• But…
Why NATs are a problem
• There is a mindset and a regulatory approach
to communications that does not mesh with
this form of NAT use on the Internet
• Let's look at the phone network:
– Every handset has a phone number
– This association is stable and long lived
– Telephone numbers identify endpoints to
conversations that occur on the network
Why are NATs a Problem
• We used to run the Internet this way
• But we started running out of addresses, so we started
sharing them
• So we divided the Internet into clients and servers
– Servers have stable IP addresses
– Clients do not
• Clients borrow an address for a conversation
• Different conversations use different addresses
• The same IP address can be used by many clients at the same time
• Clients are not identifiable by the network
• And we said it's just TCP and UDP and no more
The NATted Internet
• Addresses are not end point identification
tokens
• They are ephemeral conversation tokens that
have no lasting significance
• So what?
Implications
• Network level Data Retention is an exercise in futility when NATs are present
– Implications for LEAs, security agencies and similar
– There are opaque communications environments, and environments that use
header address transforms certainly add to this opacity
• Viewed from the perspective of the application designer, the Network is
increasingly untrustable
– Applications are forced to use different approaches for persistent end point
identity
• And hide them from the network
– Applications hide their true behaviour and masquerade into NAT-friendly
behaviours
– TCP muxing, payload encryption
• Application behaviour is moderated by gateways, helpers and middleware
– Fragility
– Barriers to entry
– No longer an open and accessible marketplace for new approaches and
technologies
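To make the data-retention point concrete (and the earlier point that the same IP address is used by many clients at once), here is an added example, not from the slides, that models a CGN translation log in Python: a constructed log in which one public address is shared, and an attribution query that returns several subscribers when only (address, time) is known but a single one when the source port and a precise timestamp are also available. The addresses, subscriber names and timestamps are all constructed.

```python
from collections import namedtuple

# Added example, not from the slides. All addresses, names and times are
# constructed: four subscribers share one public address behind a CGN.
Flow = namedtuple("Flow", "subscriber private_ip public_ip public_port start end")


class Cgn:
    """Minimal CGN: each conversation borrows a (public_ip, port) pair from a pool."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.free = list(range(first_port, last_port + 1))
        self.log = []  # the translation log is the carrier's only record

    def open_flow(self, subscriber, private_ip, start, end):
        port = self.free.pop(0)  # take the first free port
        flow = Flow(subscriber, private_ip, self.public_ip, port, start, end)
        self.log.append(flow)
        return flow

    def close_flow(self, flow):
        self.free.insert(0, flow.public_port)  # hand the port straight back for reuse


def candidates(log, public_ip, at, port=None):
    """Subscribers holding public_ip (and port, if known) at time `at`."""
    return sorted({f.subscriber for f in log
                   if f.public_ip == public_ip and f.start <= at < f.end
                   and (port is None or f.public_port == port)})


def build_log():
    cgn = Cgn("203.0.113.7")
    cgn.open_flow("alice", "10.0.0.11", start=100, end=130)      # port 1024
    bob = cgn.open_flow("bob", "10.0.0.12", start=105, end=125)  # port 1025
    cgn.open_flow("carol", "10.0.0.13", start=110, end=140)      # port 1026
    cgn.close_flow(bob)                                          # 1025 freed at t=125
    cgn.open_flow("dave", "10.0.0.14", start=126, end=150)       # reuses port 1025
    return cgn.log


if __name__ == "__main__":
    log = build_log()
    # Address and time only: three people were "203.0.113.7" at once.
    print(candidates(log, "203.0.113.7", at=115))
    # Add the source port and a precise timestamp: one subscriber.
    print(candidates(log, "203.0.113.7", at=115, port=1025))
    # The same port one second later belongs to someone else entirely.
    print(candidates(log, "203.0.113.7", at=130, port=1025))
```

A server-side record that keeps only the source address, or a timestamp off by a second or two, therefore cannot be mapped back to one subscriber; this is why RFC 6302 recommends that Internet-facing servers log the source port as well as the address and an accurate time.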
Where and How does this stop
• In theory the universal adoption of IPv6
would allow NATs to be dismantled
• But we have no idea when or how we get to
that point
• And each day the network grows, and that
growth can only be absorbed by even further
deployment of NATs