Derived From: GAO, Internet Protocol version 6, Federal Agencies Need to Plan for Transition and Manage Security Risks, p. 7 (May 2005)
Limited IPv4 address space prompted organizations that need large amounts of IP addresses to implement technical solutions to compensate. For example, network administrators began to use one unique IP address to represent a large number of users. By employing network address translation, an enterprise such as a federal agency or a company could have large numbers of internal IP addresses, but still use a single unique address that can be reached from the Internet. In other words, all computers behind the network address translation router appear to have the same address to the outside world. Figure 3 depicts this type of network configuration.
While network address translation has enabled organizations to compensate for the limited number of globally unique IP addresses available with IPv4, the resulting network structure has eliminated the original end-to-end communications model of the Internet. Network address translation complicates the delivery of real-time communications over the Internet.
Derived From: NTIA Report: Technical and Economic Assessment of IPv6, p. 14 July 2004
Finally, the massive increase in IP addresses made available by IPv6 deployment could reduce the need for NATs. A NAT is a hardware device often placed between a private network and the Internet to allow a large number of hosts on the private network to share a smaller number of globally routable, “public” IP addresses for communications over the Internet. For internal communication, each host is assigned a locally unique private IP address (see Figure 2-1). As the term implies, a NAT converts the private source address in outgoing communications to a globally routable IP address. In many implementations, an external address is assigned only for the duration of a communications session originated by an internal host, and the internal host cannot receive communications originated from the outside. Because NATs are an effective way for many hosts to share a single or a small group of public IPv4 addresses, they have proven to be a popular way to slow the consumption of IPv4 addresses. Because adoption of IPv6 would eliminate concerns about address conservation, NATs would not be needed for that purpose in an IPv6 environment.
Although NATs provide benefits for end users, as discussed below, they also complicate the use and development of new E2E networking applications. Without NATs, applications such as Voice-over IP (VoIP) and real-time videoconferencing could be implemented much more simply, because a direct connection (i.e., IP address to IP address) could be initiated to any host, without the need to establish additional protocols and procedures to traverse one or more NAT devices. Some commenters assert that without NATs, various features of IPv6 (such as connectivity via a wider range of media and delivery mechanisms, the ability to maintain several simultaneous access paths for multiple parties without manual intervention, improved speed, and quality of connections) could spur the deployment of new E2E applications.
Indeed, advocates contend that widespread deployment of IPv6 (and removal of NATs) would permit a return to the original “open scheme” of the Internet, based on E2E connectivity.
. . . . .
Although NATs may frustrate application designers and service providers, users and network administrators often realize economic and security-related benefits from using NATs in their networks. By reducing the number of “public” Internet addresses that an organization may need, use of NATs can reduce that organization’s payments to Internet service providers (ISPs) for address space. Moreover, although it was not their original purpose, NATs are often used to provide anonymity for a network and its hosts. In effect, NATs provide a form of “security through obscurity,” thereby enabling network operators to block externally initiated contacts and to hide internal hosts. Networks that adopt IPv6 may therefore be reluctant to dispose of their NATs, even if address conservation is no longer a concern.
Derived From: NIST, Security Considerations for VoIP Systems, 800-58 p. 47 (April 2004)
Network Address Translation (NAT) is a powerful tool that can be used to provide security and enable several endpoints within a LAN to share the same IP address. For the purposes of this document, NAT actually refers to Network Address and Port Translation (NAPT). In NAT as it is literally defined, outgoing IP headers are changed from private LAN addresses to the router’s global IP. In NAPT, the TCP/UDP headers themselves are converted. This allows several computers to simultaneously share the router’s global IP address. Also, machines that do not need to access the Internet can still be assigned local addresses on the intranet without producing conflicts or needlessly taking up an IP address. With the shortages of IP addresses in many regions, this is an extremely useful functionality.
NATs also indirectly provide an added layer of security for a LAN, making internal IP addresses inaccessible on the public Internet. Thus, all attacks against the network must be focused at the NAT router itself. Like firewalls, this provides security because only one point of access must be protected, and the router will generally be far more secure than a PC directly connected to the Internet (less likelihood of open ports, malicious programs, etc.). The abstraction of the LAN from the Internet through a NAT also simplifies network management. For instance, if one decided to change their ISP, only the external router configuration would need to be changed. The internal network and addressing scheme could be left untouched.
. . . . .
All of these benefits of NATs come at a price. NATs “violate the fundamental semantic of the IP address, that it is a globally reachable point for communications.” This design has significant implications for VOIP. For one thing, an attempt to make a call into the network becomes very complex when a NAT is introduced. The situation is analogous to a phone network where several phones have the same phone number, such as in a house with multiple phones on one line (see Figure 9). There are also several issues associated with the transmission of the media itself across the NAT, including an incompatibility with IPsec detailed in section 8.4.
Conceptually, the easiest solution to these incompatibilities is to do away with NATs entirely, but NATs have benefits and even if IPv6 and its expanded address space were implemented today and enough IP addresses were available for everyone to have their own unique IP’s, there would still be a need for NATs. Some ISPs use a scheme where users are assigned static IP addresses, one per user. It is unlikely that an ISP would completely overhaul its system and move to a dynamic IP assignment (i.e. DHCP) just because a wealth of new addresses is available to IPv6. This would undermine their whole network and lead to vulnerabilities and opportunities for malicious users to steal Internet access. But many users will still want to connect multiple machines to the Internet using a single IP address, and so the use of NATs will continue. There are many scenarios analogous to this one where NATs are both the cheapest, easiest, and most efficient solution, so NATs are not likely to be abandoned.
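The port-translation behaviour the NTIA and NIST excerpts above describe (one public address shared by many inside hosts, a mapping that exists only for a session the inside host originated, and externally initiated packets that have no mapping to follow and are therefore dropped), as an added Python illustration that is not code from any of the cited reports; the `Napt` and `Packet` names, the addresses and the port numbers are constructed for the example.

```python
from dataclasses import dataclass
PUBLIC_IP = "203.0.113.10"  # the router's single public address (constructed, documentation range)

@dataclass(frozen=True)
class Packet:  # the 4-tuple of one UDP/TCP datagram; payload omitted
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Napt:
    """Port-translating NAT: many inside hosts share one public IP, one translated port per flow."""
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (inside ip, inside port) -> translated public port
        self.inbound = {}   # translated public port -> (inside ip, inside port)

    def translate_outbound(self, pkt):
        """Rewrite the IP source and the transport source port; bind a mapping on a flow's first packet."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:  # session originated from inside: allocate a public port for it
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Map a reply back to the inside host; return None (drop) when no live session matches."""
        inside = self.inbound.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or inside is None:
            return None  # externally initiated contact: no mapping, so inside hosts stay unreachable
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])

    def close_session(self, inside_ip, inside_port):
        """Release the mapping when the session ends; the public port stops forwarding inward."""
        port = self.outbound.pop((inside_ip, inside_port), None)
        self.inbound.pop(port, None)

def demo():
    """Two inside hosts contact the same outside server; only replies to live sessions get through."""
    nat = Napt()
    a = nat.translate_outbound(Packet("10.0.0.5", 5060, "198.51.100.7", 5060))
    b = nat.translate_outbound(Packet("10.0.0.6", 5060, "198.51.100.7", 5060))
    reply_a = nat.translate_inbound(Packet("198.51.100.7", 5060, PUBLIC_IP, a.src_port))
    unsolicited = nat.translate_inbound(Packet("198.51.100.7", 5060, PUBLIC_IP, 5060))
    nat.close_session("10.0.0.5", 5060)
    late = nat.translate_inbound(Packet("198.51.100.7", 5060, PUBLIC_IP, a.src_port))
    return a, b, reply_a, unsolicited, late
```

Both inside hosts use source port 5060, which is why the translation must rewrite the transport port and not only the IP header, as the NIST excerpt distinguishes NAPT from NAT as literally defined.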
- Large Scale Network Address Translation, A Broadband Internet Technical Advisory Group Technical Working Group Report
- IETF roiled over NAT NewsForge 2004
- Informational RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations (August 1999)
- Analysis: AT&T Broadband says no to NAT, NWFusion 1/30/02
- Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. De Groot, E. Lear, Address Allocation for Private Internets, IETF RFC 1918 (Feb. 1996)
- Iljitsch van Beijnum, NAT - in Depth, Ipv6.com (2008)