The Failing Crusade Against NAT

After watching the recent epic that was the comment thread on networkingnerd's NAT66 blog post from last year, I was initially persuaded to sit and watch from afar.

I’ve had the opportunity to work with IPv6 quite a bit, and though I’ve done a few IPv6-related posts on the site, I still feel like there’s always something missing. After all, much of IPv6 is still just talk (sadly), without enough widespread adoption to really put it through its paces. The “network engineers” to whom the gods have gifted the great power of omniscience speak against IPv6 IN GENERAL over something as petty as NAT, keeping us as an industry from moving forward.

Here’s what we know. NAT is a band-aid. I don’t care if it’s baked into every Linksys device you buy your grandmother – I don’t care if it’s included in every curriculum and enforced at every internet boundary you’ve ever seen in your life. It started as a band-aid, and has resulted in a big fracking tourniquet.

We’ve known for a while that NAT was merely a stopgap, brought on purely by the explosive growth of the internet. Vint Cerf has said on multiple occasions that he never intended the IPv4 address space to fulfill the requirements of a modern internet. The math (2^32 addresses) proves it, anyway.

Let’s just play devil’s advocate then – what if NAT had not been needed for this purpose? What if the internet hadn’t grown like it has, and we didn’t need NAT to make maximum use of the available address space? Can you imagine what the proposal for NAT would sound like then?

“Hey, what if we hack out the IP address manually out of the IP header and not worry about what it does to the other portions of the datagram? Damn the applications, man, this is war!”


Clearly, this is the inventor of NAT

They would be laughed out of camp.

What does NAT truly accomplish? NAT binds a pool of addresses to a pool of addresses, or in address-starved cases (yes I know they’re common), to a pool of Layer 4 ports. NOWHERE in there am I checking anything in the packets to ensure that the packets flowing through these NAT translations are valid. This is a fundamental misunderstanding of NAT that perhaps is contributing to the confusion.

I don’t know if it’s a plethora of network engineers brain-dumping exams and not grasping the concepts, or maybe the definition of “network engineer” has changed in the short time since I first hit the job market, but of all the things NAT is, it is not a security mechanism. Please, please understand this. You are no more secure with NAT than without it. If you don’t believe me, would you kindly turn off the firewall functions of your internet-edge device, and I will show you.
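To make that distinction concrete, here is an added toy model (my own example, not code from the original post) that separates the two functions a SOHO router bundles: port-overloaded NAT, which only rewrites addresses and ports, and a stateful filter, which is what actually denies unsolicited inbound traffic. It also covers the case where the upstream carries a route for the inside prefix, so a packet can arrive already addressed to an inside host. All addresses are constructed documentation-prefix values; the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed addressing (documentation prefixes, not real hosts):
#   IPv4 inside 192.168.1.0/24 behind public 198.51.100.7
#   IPv6 inside 2001:db8:1::/64, globally routable, no translation


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Flow = Tuple[str, int, str, int]


class Napt:
    """Port-overloaded NAT: binds (inside addr, port) to (public addr, port).
    It rewrites headers and checks nothing else about the packet."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.to_public: Dict[Tuple[str, int], int] = {}
        self.to_inside: Dict[int, Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key not in self.to_public:
            self.to_public[key] = self.next_port
            self.to_inside[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.to_public[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return p  # not addressed to us: passed on exactly as it arrived
        binding = self.to_inside.get(p.dport)
        if binding is None:
            return None  # no binding, so there is nothing to rewrite it to
        ip, port = binding
        return Packet(p.src, p.sport, ip, port)


class StatefulFilter:
    """Default-deny inbound: only the reverse of a flow seen leaving is admitted."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def note_outbound(self, p: Packet) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def allows_inbound(self, p: Packet) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.flows


class Router:
    """SOHO edge: either function may be present independently of the other."""

    def __init__(self, inside_prefix: str, napt: Optional[Napt] = None,
                 fw: Optional[StatefulFilter] = None) -> None:
        self.inside_prefix, self.napt, self.fw = inside_prefix, napt, fw

    def send(self, p: Packet) -> Packet:
        """Inside host -> internet; returns the packet as seen on the wire."""
        if self.fw:
            self.fw.note_outbound(p)  # state is keyed on the pre-NAT tuple
        return self.napt.outbound(p) if self.napt else p

    def receive(self, p: Packet) -> Optional[Packet]:
        """Internet -> inside; returns the delivered packet, or None if dropped."""
        if self.napt:
            p = self.napt.inbound(p)
            if p is None:
                return None
        if self.fw and not self.fw.allows_inbound(p):
            return None
        return p if p.dst.startswith(self.inside_prefix) else None


def probe(router: Router, inside_host: str, server: str, stranger: str) -> Dict[str, bool]:
    """Constructed scenario: the inside host talks to a server, then a stranger
    sends (1) a packet to the router's outside address on an unknown port and
    (2) a packet already addressed to the inside host itself."""
    wire = router.send(Packet(inside_host, 51000, server, 443))
    reply = Packet(server, 443, wire.src, wire.sport)
    to_public = Packet(stranger, 4444, wire.src, 1234)
    to_inside = Packet(stranger, 4444, inside_host, 445)
    return {"reply_delivered": router.receive(reply) is not None,
            "public_unknown_port": router.receive(to_public) is not None,
            "direct_to_inside": router.receive(to_inside) is not None}


def nat44_only() -> Dict[str, bool]:
    return probe(Router("192.168.1.", napt=Napt("198.51.100.7")),
                 "192.168.1.10", "203.0.113.5", "203.0.113.99")


def nat44_with_filter() -> Dict[str, bool]:
    return probe(Router("192.168.1.", napt=Napt("198.51.100.7"), fw=StatefulFilter()),
                 "192.168.1.10", "203.0.113.5", "203.0.113.99")


def ipv6_filter_no_nat() -> Dict[str, bool]:
    return probe(Router("2001:db8:1:", fw=StatefulFilter()),
                 "2001:db8:1::10", "2001:db8:ffff::5", "2001:db8:9::99")
```

With NAT alone, the unknown-port probe fails only because no binding exists, while the packet routed straight to the inside address is delivered; the stateful filter drops both, with or without NAT, and still admits the host's own replies.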

From a compatibility perspective, we’ve known for a long time that NAT is harmful. Most don’t realize this, but for EVERY SINGLE PROTOCOL in existence that uses IP address information in the data portion of a packet, an Application-Layer Gateway must be created so that this information can also be rewritten in the same way. Most common use case: FTP. Nearly every NAT-capable router, SOHO included, has an FTP ALG built in, so you can do FTP from behind NAT. Do you really want application developers in an IPv6-enabled future to continue this madness?

Vint Cerf himself has said:

“Some of us feel NAT boxes are sort of an abomination because they really do mess about with the basic protocol architecture of the Internet.”

Now, about the rogue commenter on Tom’s blog – no, I don’t want to pick on him, but I do want to call out one paragraph:

I also wonder when the first time I will turn on the news and hear about some guy’s life being destroyed because his wifi handed a routed IP to someone who cracked his WEP key and hosted a kiddie porn site off the line. It’ll be inevitable. Well, I guess it’s his fault for not having a properly configured firewall and not being a network engineer, huh?

No, I didn’t make that up, I am incapable of making that up, please read for yourself.

Like I said, it’s not my goal to speak ill of anyone – I merely want to point out that this is an education problem. If we’re at the point where we’re coming up with paragraphs like this, it’s time for change.

Obviously, those of us that generally embrace the idea that NAT is bad are not recommending that it be stricken from history and never thought of again. Clearly there is a use case for it, and that is why I’ve decided to issue a proposal:

I submit to you, the SFW version of Rule 36:

If it exists, there is a use case for it.

Undoubtedly, there is a use case for NAT66, just as there (obviously) has been a use case for NAT44. There are even use cases for NAT64 if you really think about it. My issue with this whole debate is this: are there really that many use cases? I mean, if we provide the tools necessary to do NAT66, does it just go to the one-off crazy guy with that one unique situation that absolutely requires it? I’m not talking about today; we all know that IPv6 still has some wrinkles. I’m talking about the long-term evolution of the networks our children and grandchildren will have to support. The answer is no: if it exists, the general majority will flock to it, because it’s comfortable, it makes sense, and in their mind, it makes them more secure.

My plea to the industry – do your homework. You say you’ve heard NAT keeps you safe. Do you know that? Have you fought off the dragons of the internet with the sword named NAT? Get off your ass and challenge these ideas yourself – don’t just read from a book and take it for granted.

If we’re going to move forward as an industry, we need engineers that are willing to do the research to make the internet better, not just scream and shout when things don’t go our way.

</rant>


Matt Oswalt

Matt Oswalt is an all-around technology nerd, currently focusing on networking, open source, and everything in between. He is at his happiest in front of a keyboard, next to a brewing kettle, or wielding his silo-smashing sledgehammer. He deploys networking technologies around the world, and likes to blog about his experiences when he comes up for air. You can follow him on Twitter, Google Plus, or LinkedIn!


Comments

  1. Seriously? says:

    So you generally believe then that all routers shipped to consumers will be properly configured? How do you think this feat of magic will occur (since ipv6 routers are already shipping with no default firewall)?

    • Where are you getting your information?

      • From your post, as you believe it’s unlike someone’s wifi will be hacked and used for nefarious activities. In order to prevent those incoming connections (to port 80 and such), the firewall would need to be in a default deny configuration. This would mean, either the manufacturer would set that up by default (unlikely), or the consumer would need to do what “networkingnerd” said they’re already incapable of; which is logging into a web interface to change their network settings and understanding what those network settings mean (but he said they were incapable of doing that with NAT, apparently doing the same thing, but for ipv6, will magically make the same thing (same interfaces, same login prompts, same buttons), different…….. some how……).

        • Further, I thought I would add these links. As what i originally described is already happening in IPv4. But with everyone having an inexhaustible allotment of ip addresses for every house with full routing….. It will be even worse as it will be people hosting content, not downloading it.

          http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html

          http://content.usatoday.com/communities/ondeadline/post/2011/04/is-a-neighbor-downloading-porn-on-your-unsecured-wi-fi-signal/1#.ULbml9fFU0E

          http://arstechnica.com/tech-policy/2011/04/fbi-child-porn-raid-a-strong-argument-for-locking-down-wifi-networks/

          I guess it’s all their own fault for not being networking engineers and knowing someone was hacking their wifi, huh? They deserved to have police bust down their doors pointing assault rifles at their families. I mean, what kind of idiot doesn’t secure their network, right?

          People should be able to drive their cars without needing to know how to rebuild an engine. People should be able to use their computers without fear that a cop is going to bust in the front door, throw them to the floor, pointing a gun at their head while simultaneously calling them a pedophile.

          • Considering it a bit more, I think I would be fine with ipv6 without nat, if there was some sort of penalty/liability on the hardware manufacturer for shipping hardware in other than a default deny configuration for any subnet issued to the device by the uplink. It would be at most a single rule, if they can’t apply that correctly, they should not be shipping consumer hardware.


          • What you’re describing in that last comment is exactly what you get in the presence of a stateful firewall – IPv6 or IPv4. No one ever suggested that be removed. The functions of routing and firewall inspection are functions that should always exist in SOHO equipment. The point is that NAT has only commonly been associated with those functions because of the IPv4 address space limitation and in IPv6 IT DOES NOT HAVE TO BE ANYMORE. By removing NAT from a routing device, you’re only removing the function of a router to take a source IP address in a datagram and hack it into something else.

            Without NAT, will you have to stop inspecting traffic as it tries to enter your network? Will you have to “have everything exposed to the web” as many folks have been saying? Absolutely not. The point is exactly that – NAT is not offering you the security you think it is. Those functions are performed elsewhere, and NAT is largely harmful despite it’s overwhelmingly useful use case in a dwindling 32 bit address space.

            You say:

            “…you believe it’s unlike someone’s wifi will be hacked and used for nefarious activities. In order to prevent those incoming connections (to port 80 and such), the firewall would need to be in a default deny configuration.”

            That first part is completely false. Never did I indicate that I think it’s unlikely that someone’s wifi will be hacked and used for purposes like that. It’s clearly happening all the time, whether it’s IPv4 or IPv6. Wireless has nothing to do with this, or the ability to prevent outside traffic from getting in. Wireless vulnerabilities occur behind the network boundary in a SOHO and will unfortunately always exist.

            As I mentioned above, I’m obviously in agreement with you that all outside traffic entering a SOHO device, whether it’s IPv4 or IPv6, is denied by default. However, it’s not the job of NAT to perform this – by removing NAT, you’re not removing the ability for a device to perform this “deny by default”. That’s what firewalls do – and they don’t need NAT to do this.

            Nowhere in my article (or in anyone else’s) is it suggested that we screw over the non-power-users and force them to be knowledgeable about administering their own gear, else they go to jail for hosting child porn. It is a fundamental misunderstanding of what NAT does and does not do. Consumer hardware can easily exclude NAT66 from common IPv6-supporting products and do proper firewall inspection (and deny by default) for all traffic, and still provide the same level of ease that IPv4 devices do.

            Nothing about the transition to IPv6 or the abandonment of NAT is aimed at making things more complicated for the end-user; it is the opposite, in fact.

          • Seriously? says:

            My point was just that, Some devices are already being shipped with no default firewalls. All windows 7+ machines have teredo installed by default with only windows firewall protecting the machine. If devices are shipped that do not have a default deny configuration, it will make the wireless (and other hacking/virus/malware) problems worse than they are now. Instead of just being able to use the hacked wireless/machine for mainly downloading illicit materials, port scanning, hacking (e.g. outbound initiated connections due to NAT). It opens up for the first time the ability to have botnets of unmeasurable size with no single point of failure, spam networks, and HOSTING content off hacked wireless/computers. These sort of virii/backdoors/trojans would be nearly impossible to remove from the internet (as already evidenced by failure of many isps to block P2P traffic without breaking the internet completely). Botnets are a problem now, but they all still have single or mildly redundant points of failure due to their incapability to transit NAT, needing central servers to communicate with their masters. A single honey pot left open could obtain the necessary information to go after and shut down the hub nodes of a botnet. With a peer 2 peer style system using DHT, you would need to shut down every node. A seemingly impossible task. That is why I found the idea of a penalty/liability on the hardware manufacturer to ship any and all consumer grade hardware in a default deny all configuration appealing. If the hardware manufacturer had to pay 100K for every device shipped without being in default deny (or face a ban on sales), you can bet they will be sure all devices are set, and tested, as default deny. I would also like to see wireless manufacturers stop putting wep in their firmwares forcing latest gen WPA adoption. 
            Every device should also have a randomized 16 char password for the administration interface with a unique administration username for the device. There should also be an auto-generated wireless configuration (if device has wireless capabilities) with a different 16 char password. Administration interfaces should only be open to lan side ports.

            It’s bad enough that these kind of activities have been allowed to continue this long. It will only get worse in IPv6 without properly configured home routers. NAT, while a stop gap measure to prevent IPv4 exhaustion does create barriers for programmers/designers of not just legitimate programs, but nefarious ones as well. I believe that most people dismiss these security issues as it’s not *that* big of a problem today, but in the IPv6 world, things can, and probably will get a lot worse than they are today. Something needs to be done to ensure basic security precautions are taken so people can use their connection without fear.

          • Seriously? says:

            I’m not sure how old you are. But if you used the internet between like 1990 to 1996, you should already know what I’m talking about. Before the adoption of wide scale nat, almost every system on the internet was directly plugged to the net and given a routed ip. No one took the time to setup firewalls for end users, servers, businesses. That’s why I call it the “wild west” days of the internet. It was just a free for all of do whatever you want, everything is trusted, “it’s the internet!”. I already know what that internet looks like, and it’s not pretty, I do not want to live there again. Hardware manufacturers and software designers cannot be trusted to properly default-configure consumer devices. It must be enforced. Maybe some sort of consumer protection “safety rating” system? Easiest way IMO to get the job done, is still just to fine the bastards if they don’t meet the minimum security requirements.

          • Seriously? says:

            Were you able to finally fully understand what my concerns are? I’ve said the same thing I think 3-4 different times now in different ways (here and the other blog). I would think by now you should understand if you aren’t intentionally ignoring the obvious and glaring problems with ipv6 consumer security.

            I could create a virus right now that would infect windows7/8 systems through IE or whatever other always consistently vulnerable software is out there. Once the system is hacked I can install a system service (from any user using known user level exploits) that would always be running in the background that 99% of consumers would not notice. I could manipulate the firewall and launch programs into the user space even from session 0 isolation (as if session 0 isolation ever did any good except annoy people who want to use gpu drivers legitimately from the system service). Once my virus is up and running, it could remove the ipv6 firewall from the teredo device. And, hello! what do you know! a computer with a fully routed ipv6 and no firewall. Then my virus can use the hash table i distributed with the virus to make initial connections over ipv6 teredo to other hacked/virii’d machines without worry of being blocked or needing central hub servers. The hash table is constantly updated by all peers. So as long as the hash table that is distributed with the virus contains at least 1 valid ip that can be connected to initially, it would be unstoppable. And all of this, is by default in windows and would completely bypass any existing NAT or network/hardware firewalls (unless they specifically block the teredo protocols). Native IPv6 would look much the same if routers are not shipped with default-deny configurations…. Users would only have the windows firewall to save them, and software level firewalls are easily disabled once access to the system is established through an exploit… Providing, essentially, no protection at all…

            IPv6 consumer devices MUST ship with default-deny. You do not want to see what the internet looks like with p2p botnets that have incalculable amounts of bandwidth (due to the advent of PONs and FTTH connections) that will likely be used to DDoS attack various networks and organizations.

            Oh, and teredo should not exist. It should be pulled immediately.

          • First – Teredo (and ISATAP and etc. etc.) SHOULD be gone. The great minds in the industry are generally in agreement with you there.

            I am also in agreement that WEP should be removed from firmwares starting now – if you’d asked me that question a few years ago, I would sadly admit that many consumer devices still don’t support anything but, however that has changed.

            Now, I said this before – IPv6 routers will be no more prone to omitting a “default deny” configuration than an IPv4 firewall will. Nothing about the IPv6 protocol suddenly opens up this vulnerability from the outside. I understand what happens when you don’t have a firewall, and assuming that there won’t be one present seems to be at least one of the key assumptions of your comments.

            I’m starting to wonder if by “default deny” you mean for the traffic that is leaving the consumer network and heading out to the internet, rather than vice versa. If so, are we expecting consumers to write firewall statements permitting the right amount of traffic now?

            As much as I agree with your idea that Teredo is a big part of the problem – it is not a problem with IPv6 – it is a problem with operating systems leaving tunneling mechanisms of any kind on by default, and the inability for edge security devices to inspect and filter this traffic properly.

            I have yet to hear from you what it is specifically about IPv6 that will cause this “apocalypse” you seem to be foretelling. If you think IPv6 will cause manufacturers to take steps backwards in functionality and security, you are mistaken. This is one of the big reasons why IPv6 has taken so long to roll out….no one wants to just throw it out there, we want it to be done right. Many of your fears are valid, but are in no way attributable to IPv6, or the idea of getting rid of NAT.

            I DID use the internet between 1990 to 1996 and I distinctly remember what you’re talking about. There is a big difference between “directly plugged in to the internet” and “given a routed IP”. You have completely missed the entire point of my post and are – maybe subconsciously – linking these ideas together. At no point did anyone suggest that we compromise on security in order to roll out a better internet protocol. At no point will anyone suggest that consumers “plug directly into the internet” again. This idea is not the same thing as getting rid of NAT.

            I apologize if that’s not the answer you were looking for but frankly I think you’re misinformed. The argument is not about host security, or tunneling mechanisms, around which your points seem to be centrally focused. It’s about removing the function (not device) that is NAT so that we don’t carry an assumption (a bad one) from a previous generation of internetworking into the next one. That’s it.

          • Seriously? says:

            I will try to keep it as simple as possible.

            #1) IPv6 routers are shipping today with no default deny on incoming connections

            #2) 98-99% of people will NEVER login to their router to do anything, ever, under any circumstance. To think that they would, and to expect them to do so is a fantasy.

            What is the difference between an IPv6 router with no default deny on incoming connections giving routed ips to computers, and a computer being given a routed IPv4 with no default firewall or nat on either end? Nothing. Both allow incoming connections to the computer. I’m simply using the 1990-1996 timeframe to illustrate my point of what the internet looks like when people can connect directly to computers.

          • Seriously? says:

            I know you think you understand what you thought I said but I’m not sure you realize that what you heard is not what I meant. If you don’t understand my point after these last 2 posts I will just assume you’re completely ignoring the security issues intentionally. I’m not sure how else I can highlight the fact that consumers are receiving routers today that will end with their network being completely and utterly insecure, as well as that 98-99% of those people will never log in to correct these issues. For the 50th time, hardware manufactures cannot be trusted to default configure devices. NAT, while not ideal, is already implemented on all devices, it took over a decade to get everyone behind some sort of firewall. That will all be done in short order since ipv6 routers are shipping with no default deny on incoming connections.

          • Seriously? says:

            undone*

          • natsaregood says:

            You don’t get it. Even with IPv6 NAT you can still have routable addresses. So NAT will hide your addresses for outbound connections. Inbound connections to routable addresses will still work.

            This is what a firewall is for, to filter packets.

            Same thing applies to IPv4, the reason why (you think) computers behind a NAT can not be reached from the outside is because of the NAT, which is wrong. It’s because of the unroutable addresses. And that’s still wrong. If you’re sitting at the nexthop router, just add a route for the unroutable addresses using the NAT device as nexthop and *bam* you’re able to reach every system behind the NAT from that system.

            You need a firewall. In any case. With or without NAT.

          • Seriously? says:

            I had that routing realization 20 years ago. I was able to drop the local loop back interface and it was taken to the next route up to the ISP’s access point. You entirely missed the point.

            My new youtube screen play… it’s a work in progress….

            IPv6 Supporter: Firewalls are good, IPv6 is good.
            Annoyed Troll: Your IPV6 router was not shipped with a default deny firewall configuration
            IPv6 Supporter: Yes, but firewalls are good, I have a firewall.
            Annoyed Troll: Yes but anyone can connect to your internal network through IPv6 without default deny
            IPv6 Supporter: Firewalls are good, nat is bad, I need security, I need firewall, I need IPv6
            Annoyed Troll: But the firewall won’t do any good if it’s not configured to block any thing.
            IPv6 Supporter: Firewalls are good, IPv6 is good.
            Annoyed Troll: I can connect to your windows computer directly. See my pings?
            IPv6 Supporter: Only because I allow it. I will block it now. Firewalls are good, IPv6 is good.
            Annoyed Troll: Ok, I am being blocked now. But what about 99 of 100 people who won’t do that at their home because they don’t have enough knowledge?
            IPv6 Supporter: Firewalls are good, IPv6 is good, I am protected.
            Annoyed Troll: So if someone hacks their network, it’s their fault?
            IPv6 Supporter: They should have a firewall. Firewalls are good, IPv6 is good.
            Annoyed Troll: So you should know how to build and maintain a car in order to drive one?
            IPv6 Supporter: My car has IPv6, My Car has firewall, I have 18 quintillion ips.
            Annoyed Troll: I just hacked your car and made your cruise control cause the throttle to max. You had no default deny on your firewall.
            IPv6 Supporter: Firewalls are good, IPv6 is good.

            Sure, someone could route from my ISP’s side of my cable through my interface to the lan. But someone would not be able to route to my internal network from outside of 1 hop away. They might be able to make carefully designed packets to poke and prod and feel their way around behind a NAT. But generally speaking, unless someone of a high technological knowledge is willing to spend days/weeks attacking a single network, you’re safe. When you’re being chased by a bear, you don’t need to out run the bear, just the person next to you. There are easier targets on the internet, and easier ways to attempt to infect systems through their web browsers. NAT has made it no longer cost/time effective to attempt to directly target machines on the internet. If some of these routers shipping with no default deny, don’t start default denying, there could and probably will be some major issues as a result. But my main concern was always people being able to host content off of these lines. Today, it would be possible with NAT to host some content as long as the machine inside is the one that initiates the connection to the remote machine. But with IPv6 and no default deny, people would be able to start torrent trackers, seed machines, child porn sites, whatever, off other people’s networks and anyone would be able to easily connect to these with incoming connections. Further, because they’re running on standard connections with standard ports, google and others could possibly index this content, allowing a greater proliferation of general filth/illegal content.

            Of course the solution is to setup the firewall, so why don’t the manufacturers do that? Why are routers being shipped today with no default deny?

          • 1) What routers are shipping w/o default deny inbound? I just checked mine and it’s there…now to get native IPv6 service at my house.

            2) Most consumer ISPs block well known ports like WEB, FTP, SMTP, etc. for the very reasons you’re saying.

            Realistically if someone compromises a PC they will more than likely use default cred to login to the router/fw…thus being able to forward w/e port they like to the host. So…I’ll play my role in your YouTube script: “IPv6 Good, you need firewall have security, I’m secure”

  2. stupid question. since ipv6 is so abundant, can we just get a block from a RIR and effectively become our own ISP. Since we have the IP block, there is no theoretic need of an ISP, right? I’m a meganoob when it comes to Internet networking, because the LAN was always my main focus.

    • mstone7699 says:

      I’m afraid it doesn’t work like that. The Internet operates the same as any enterprise network just on a larger scale and with (typically) a different routing protocol (BGP over OSPF or EIGRP). So just like in your existing networks you can’t route IPv4 over a portion of your network that doesn’t support IPv4.

      So let’s say you’re given a v6 allocation from your RIR. How do you route it across an ISP that doesn’t support v6? You can’t. The IPv6 traffic wouldn’t have any next hop and you’d just be able to reach the nodes connected directly to your network.

      Also just because you’re an ISP doesn’t mean you have no need for an upstream provider. You have basically two options if you serve Internet. 1) Be large enough that people want to peer with you in Internet Exchanges. 2) If you’re not large enough you must have an upstream provider to get you access to all points on the Internet. (i.e. autonomous systems that don’t have Open Peering inside of exchanges, unlike youtube, facebook, google and others that do offer open peering.)

      • So one can be like in the old days when people dialed in to each other without ISPs, right?

        • mstone7699 says:

          Well you technically had an ISP then too. It was your phone company delivering voice service that we leveraged for data. Now we have ISPs that deliver data specific services like DSL or Ethernet etc. Which is far more efficient than using a voice medium for data.

          • mstone7699 says:

            Also worth noting that if you want IPv6 today and don’t have it you can use one of the Hurricane Electric (HE) tunnels. It is unfortunately slower though. For instance, when I used the HE tunnel and Netflix started supporting IPv6 it killed my Netflix completely. This doesn’t make you an ISP though. Nor do you have to get space from the RIR. HE gives you some of their space.

          • any good books that describe the anatomy of the Internet that you can recommend.

          • mstone7699 says:

            I’m unfortunately not aware of any books that speak to the design of the Internet. My posts here are based on my experience working for ISPs. My own personal knowledge came from a combination of studying for Cisco certifications and on-job experience. A good place to start would be just general networking books. Good ones include TCP/IP Illustrated, Routing TCP/IP, and the Cisco/Juniper/Etc. study guides for their exams.

Trackbacks

  1. […] to something like “please turn on Proxy ARP”? Take, for instance, the whole argument about IPv6 and NAT. It’s my (well-informed) opinion that the majority of those arguing to keep NAT around for […]
