What is NAT and why you don't want it
You may or may not have heard of NAT, Network Address Translation, here is how it works, why you don't want it and why you probably have to use it anyway.
How the Internet was supposed to work
The original idea of the internet was that every machine is reachable, can directly connect to other machines using nothing but their public address and also offer serveries. Which worked pretty well until …
Why the Internet community started NATing
… the Internet started running out of publicly reachable addresses. So everyone started assigning private IP-Addresses to their internal networks, trying to get the most out of the precious public address space.
Legacy NAT is simply swapping one IP-Address for another, with a 1:1 relationship between private and public addresses. Either statically assigned or on demand to a machine that wants to connect, so if you wanted to connect to the Internet you have to wait for a free Line (public Address) from a pool of available addresses (called a NAT Pool). Hello old dialup!
These are respectively called Static and Dynamic NAT.
Modern NAT - Port Address Translation (PAT)
Nowadays with 10s of devices per household with active connections to outside servers that Legacy approach of give a machine an IP when it needs one and recycle after doesn't work anymore.
But one can abuse the fact that most machines don't offer services for the public and therefore have a lot of outgoing and no incoming connections. So instead of assigning whole IP-Addresses we made our Routers translate combinations of Layer 4 ports and IP-Address.
If one now wants to connect to the server at
126.96.36.199 on port 443 from
192.168.0.10 from port 12345 via a router assigned
203.0.113.3 (it would with multiple public addresses, too) as its public address …
- The router tries to find a port on its public address using either the original source port or if already in use because someone else behind the NAT had the same idea of a great source port a port near the original port. Let's say we ended up with 12347.
- Now the router replaces the internal address with the public one and swaps out the port for the publicly reachable one and remembers the combination until the connection closes, there is a timeout.
- If now an answer arrives on
203.0.113.3port 12345 the NAT knows that the real destination is
192.168.0.10on port 12345 and vice versa.
For ICMP the identifiers can be used similar to port numbers. UDP based protocols need additional support from the NAT as UDP itself has no way of matching requests with replies.
With that setup one can support up to ~60000 concurrent TCP connections with a single public IP-Address, great isn't it?
Carrier grade NAT
Well, your provider most probably thinks that that is great because now they can serve a whole lot of customers and still only pay for a handful of public IPs. There is even the
100.64.0.0/10 network reserved in RFC 6598 for exactly this purpose.
Problems with NAT
The problem with this is now that your average client is behind two or even more layers of NAT, one at their provider, one built into their home-router. That comes with at least two problems:
- For real-time applications (Videochat,SIP) you want as direct of a connection as possible which is the opposite of what a NAT does.
- Long running connections (i.e. your chat or Mail-client waiting for realtime notifications or an ssh session) may get terminated because the NAT needs free ports because 60000 connections is surprisingly little scaling up.
Also NAT actively hinders innovation. Ever heared of SCTP, the Stream Control Transmission Protocol (RFC 9260)? One of the reasons you have probably never seen it in the wild is because old NATs (like Joe Averages router running outdated firmware) have no clue what to do with it. Same problem with QUIC (RFC 9000) which is based on UDP, because punching a hole into the NAT that has the right shape is usually difficult to impossible you probably won't find it in the wild.
NAT64 was a way to translate IPv6 adresses in the
64:ff9b::/96 network to IPv4 but it has been deprecated in favour of dualstack configurations. Probably because for that to work either direct application support is needed or a dns Server which has to translate IPv4 addresses to the NATable IPv6 ones.
Myths around NAT
Great I don't need a Firewall!
Yes you do! A NAT only denies incoming connections because no machine in the internal network currently punched a hole in it with UPnP. Your NAT is also waaay too complex for trusting it with denying unwanted connections. (Don't confuse it with a NAT built into a firewall)
I want IPv6 NAT because of Privacy!
If you have this kind of network access you can as well reassign random addresses using your favourite IPv6 address assignment mechanism.
Solving the NAT problems
So you don't like your NAT anymore? What if the Internet had an address space large enough for every device? Well its your lucky day the solution is called IPv6 and if in 2023 your ISP doesn't give you IPv6, ask them nicely why they are stuck in the past.