Why NAT is harmful to Internet Culture

By Highlander in Internet
Tue Apr 03, 2001 at 12:22:11 PM EST
Tags: Culture

Many companies use NAT (network address translation) on their networks. This means that all computers behind the gateway share a single Internet address.
Is this harmful to Internet culture?


In the beginning, every machine on the evolving Internet had its own IP address. As more and more machines were connected, addresses began to get scarce. Many of the new machines reach the Internet through a single gateway, so the obvious solution was to have only the gateway talk to the Internet, and to forward the replies to the machines behind it.

So, you are behind a firewall that does address translation for you. NAT works very well for you as a client: when you connect to Kuro5hin on port 80, the gateway rewrites the source address of your packets to its own public address and remembers the mapping, and when Kuro5hin sends the reply back to the gateway, the gateway forwards it to you.

What you cannot do, however, is set up your own web server like Kuro5hin: outside clients would connect to your gateway's port 80, and since there is no mapping for an unsolicited inbound connection, the gateway refuses (or silently drops) it.

Even if it is possible to configure the gateway to forward inbound connections on port 80 to your computer on the local network, this means nobody else on your local network can run a web server on the standard port 80, because all connections to that port are forwarded to you.

While this may seem to be a small problem, it is a big break with the tradition that started the Internet: everyone was suddenly able to run their own www, MUD, IRC, xpilot, game or news server, the source for which they had downloaded from the Internet. Toying with these servers turned many into competent sysadmins, and the availability of the source turned many into programmers; many of these people would never have ended up in this business if it were not for these "toys".

The effect of not allowing people to run servers is that the Internet is falling prey to businesses, which compete with other businesses in the same market, for example instant messaging. This would be OK, if not for the problem that the human resources, the hackers, are getting rare, because one magnet, the running of servers, is gone. How else can you explain that Internet businesses go bankrupt, while even before commercialisation, equally complex servers and services were available at low cost?

It is really saddening to me to see this. The tilting of the balance of the Internet towards a few servers and a lot of clients has become so bad that nowadays the mere implementation of a peer-to-peer network is a marketing plus, and any application of a peer-to-peer network to a server application is considered patentable!
Folks, the entire Internet was supposed to be peer-to-peer!

There are two things you can do: ask your Internet service provider for your own stable (static) Internet address, and promote successor protocols such as IPv6, whose address space is large enough that nobody has to share one address through NAT!

Someone said I was wrong, considering the technical consequences of NAT. I look forward to your comments.
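The gateway behaviour the article walks through, as an added example that is not part of the original post: a toy model in Python of a port-overloading NAT gateway, the kind most home and office gateways run. The inside hosts, the public address 203.0.113.7, the remote servers and the port numbers are all made up, and the `Gateway` class and `demo` function are this example's own names, not any real NAT implementation.

```python
"""Toy model of a port-overloading NAT gateway, written for this page as an
illustration (not code from the article or from any real NAT). It shows:
  * outbound connections from many private hosts leave with one public address,
  * an unsolicited inbound connection to that address has no mapping and is
    dropped, and
  * a static port forward rescues exactly one internal host per public port.
All addresses are documentation ranges / RFC 1918 space, chosen for the demo."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"   # the gateway's single public address (assumed)
EPHEMERAL_START = 40000     # first public port handed out for outbound flows


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Gateway:
    public_ip: str = PUBLIC_IP
    # public_port -> (original 4-tuple, (private_ip, private_port))
    outbound: dict = field(default_factory=dict)
    # static port forwards: public_port -> (private_ip, private_port)
    forwards: dict = field(default_factory=dict)
    _next_port: int = EPHEMERAL_START

    def translate_out(self, f: Flow) -> Flow:
        """Rewrite an outbound packet's source to (public_ip, public port) and
        remember the mapping so the reply can be translated back."""
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        for pub_port, (k, _) in self.outbound.items():
            if k == key:                      # existing flow: reuse its port
                return Flow(self.public_ip, pub_port, f.dst_ip, f.dst_port)
        pub_port = self._next_port
        self._next_port += 1
        self.outbound[pub_port] = (key, (f.src_ip, f.src_port))
        return Flow(self.public_ip, pub_port, f.dst_ip, f.dst_port)

    def translate_in(self, f: Flow):
        """Deliver an inbound packet, or return None to drop it. Replies to
        outbound flows are translated back; anything else is delivered only
        through a static port forward."""
        if f.dst_ip != self.public_ip:
            return None
        if f.dst_port in self.outbound:
            key, (priv_ip, priv_port) = self.outbound[f.dst_port]
            # a reply must come from the host and port the flow was opened to
            if (f.src_ip, f.src_port) == (key[2], key[3]):
                return Flow(f.src_ip, f.src_port, priv_ip, priv_port)
            return None
        if f.dst_port in self.forwards:
            priv_ip, priv_port = self.forwards[f.dst_port]
            return Flow(f.src_ip, f.src_port, priv_ip, priv_port)
        return None

    def add_forward(self, public_port: int, private_ip: str, private_port: int) -> bool:
        """Only one internal host can own a given public port."""
        if public_port in self.forwards:
            return False
        self.forwards[public_port] = (private_ip, private_port)
        return True


def demo() -> dict:
    gw = Gateway()
    # two hosts on the private LAN browse the same outside web server
    a = gw.translate_out(Flow("10.0.0.11", 51000, "198.51.100.5", 80))
    b = gw.translate_out(Flow("10.0.0.12", 51000, "198.51.100.5", 80))
    # the web server's reply to host A comes back through the mapping
    reply_a = gw.translate_in(Flow("198.51.100.5", 80, PUBLIC_IP, a.src_port))
    # an outsider tries to reach "your web server" on the public port 80
    unsolicited = gw.translate_in(Flow("192.0.2.9", 43210, PUBLIC_IP, 80))
    # forward public port 80 to host A; host B can no longer have it
    first = gw.add_forward(80, "10.0.0.11", 80)
    second = gw.add_forward(80, "10.0.0.12", 80)
    after_forward = gw.translate_in(Flow("192.0.2.9", 43210, PUBLIC_IP, 80))
    return {
        "shared_public_ip": a.src_ip == b.src_ip == PUBLIC_IP,
        "distinct_public_ports": a.src_port != b.src_port,
        "reply_reaches_a": reply_a == Flow("198.51.100.5", 80, "10.0.0.11", 51000),
        "unsolicited_dropped": unsolicited is None,
        "first_forward_ok": first,
        "second_forward_refused": not second,
        "forwarded_to": after_forward.dst_ip if after_forward else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two inside hosts leave the gateway with the same public address but different public ports, the outsider's connection to port 80 matches no mapping and is dropped, and only the first port forward for public port 80 succeeds. The model leaves out mapping timeouts, UDP and hairpinning; none of those change the picture the article describes.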

References:
RFC 1918, Address Allocation for Private Internets (the private address ranges used behind NAT)
ipv6.org

Poll
NAT is bad because:
o You have to explain to your wife why you connect to port 6969 on server 666.gate.net 4%
o The guy in the next cubicle may continue the conversation you had with your wife 12%
o Your connection to the naked news stops, because a portscanner accidentally queues packets into your connection 12%
o A few portscans can DoS your firewall. 9%
o The FBI may come to you since you are using the same firewall as their prime crime suspect for running port scans. 19%
o You cannot run a napster server with a stable port. 9%
o You cannot host a direct play game while any other guy in the company is hosting one. 19%
o You cannot run a halflife server with a standard port. 13%

Votes: 66

Why NAT is harmful to Internet Culture | 57 comments (55 topical, 2 editorial, 0 hidden)
'nother reason to want ipv6 ... (4.20 / 5) (#1)
by akb on Sat Mar 31, 2001 at 11:15:38 AM EST

... it's multicast native, unlike the current ipv4 internet which only supports multicast in small patches. Why is this a big deal? Multicast lets anyone stream to an unlimited number of live users.

How much does it cost to stream live on unicast now? Well, you can do 1 high quality or 8 crappy quality streams on a consumer grade connection for the $40/month you get for 128kbps upstream on DSL/cable. Commercial streaming services will run you about $50 a listener. To reach thousands of people, you have to pay tens of thousands of dollars.

With multicast you can stream live to an unlimited number of end users. Talk about a democratic medium. This functionality isn't built in by default to the current Internet; it's up to your ISP whether to be part of the MBONE (http://www.cs.columbia.edu/~hgs/internet/mbone-faq.html). Though ipv6 is multicast native, there's no ETA; it will probably be many years before the Internet becomes ipv6. So don't wait, ask your ISP about getting on the MBONE.

Collaborative Video Blog demandmedia.net

NAT is mostly for corporate use (3.85 / 7) (#3)
by LukeyBoy on Sat Mar 31, 2001 at 12:00:28 PM EST

The only time I'm stuck behind a NAT firewall is at work. At my place I have Rogers @Home, and an IP address that hasn't changed since I first signed up for the service six months ago. I can still run an FTP server, web server, IRC daemon, whatever - with no bad consequences. And everyone I know behind DSL and dialup connections still get their own IP address.

I can't however run these at work without the port redirection crap in the firewall. However, I shouldn't be running these at work at all, it's just not appropriate. I don't wanna serve my l33t pr0n from a software company, it's not kosher.



Rumour has it... (4.50 / 2) (#11)
by Sunir on Sat Mar 31, 2001 at 01:48:50 PM EST

that Rogers@HOME is switching to dynamic IPs. Remember, the static IP you have is only an artifact of their current network configuration. You're supposed to be running Win98, DHCP everything. And while the IP they serve you is the same every time right now, that's apparently going to change. Bell ADSL already has their own magical DHCP system, so don't think of switching.

*gripe* *gripe* Of course, I'm amazed you actually managed to post that comment. Rogers must have been working for more than 10 seconds today. *gripe* *gripe*

"Look! You're free! Go, and be free!" and everyone hated it for that. --r
[ Parent ]

You may be interested in... (2.00 / 1) (#20)
by spacejack on Sat Mar 31, 2001 at 03:44:38 PM EST

DSL Inc. Some of my friends got it.

[ Parent ]
Technically It Is (5.00 / 1) (#25)
by LukeyBoy on Sat Mar 31, 2001 at 10:24:46 PM EST

Rogers supposedly already uses DHCP. I can force a lease expire on my IP address and I should get a new one. But dynamic IP assignment still means I have my own IP address - and I'm still not behind a NAT firewall system.

[ Parent ]
Ridiculous premise (3.16 / 6) (#4)
by B'Trey on Sat Mar 31, 2001 at 12:23:24 PM EST

Most people who are behind NAT are on a corporate network, where running servers is not allowed anyway. At home, they don't have dedicated IPs anyway. They're connecting via a dial-up account with a dynamic IP. This is changing somewhat with the advent of broadband (cable modems, DSL, etc.) but is still a long way from ubiquitous. Next, most people would have no clue how to set up a server given their own machine with a static IP. The days of the internet as a geek playground are long over. The number of people who would like to set up a server but can't because they're behind NAT is probably in single digits.

Dynamic IP's fading? (4.33 / 3) (#7)
by tankgirl on Sat Mar 31, 2001 at 01:08:26 PM EST

From what I've seen, they're getting more prevalent and their implementation is getting more and more convoluted. In USWest country (before they merged with Qwest), they tried to implement, and were excited about, a _very_ convoluted form of it on their low end DSL offering.

For $39.95 per month (this was a promo last year before its implementation failed) when your browser launches you get an IP address assignment. When you close the browser you close the Internet connection...but what about shell access, email, and all the other stuff? I did mention that this implementation failed, right? It has since been tweaked into something equally convoluted but workable in a consumer environment...Anyway, it was sort of an AOL of DSL, proprietary.

Anyway, it's the mass market that's moving towards DHCP for _everything_. You wouldn't believe some of the trouble these ISPs will go to in an effort to 'dumb down' networking technology for the masses. It makes my head hurt just to think about how ugly the implementations are. Yuck.

jeri
"I'm afraid of Americans. I'm afraid of the world. I'm afraid I can't help it." -David Bowie
[ Parent ]
Not by choice (4.00 / 1) (#13)
by aphrael on Sat Mar 31, 2001 at 01:56:40 PM EST

At home, they don't have dedicated IPs anyway. They're connecting via a dial-up account with a dynamic IP.

This isn't entirely by choice, mind you. I run DSL with a single static IP; I had a hell of a time finding someone who didn't want to charge me *four times* as much for a static IP as for a dynamic, and I couldn't find anyone who didn't want to charge me 3-4 times the base rate in order to have multiple statics.

Why this is I don't understand; I think ISPs are using dynamic-vs-static and multiple-vs-single to differentiate between small business users and home users, which is irritating.

[ Parent ]

I think you're underestimating bandwidth prices... (4.00 / 1) (#15)
by tankgirl on Sat Mar 31, 2001 at 02:39:21 PM EST

...you're not just paying three to four times more for the IP's (usually). The entry level consumer price for most cable and DSL is $40. Only $10 goes to the ISP (the rest goes to the telco), that gets stretched across all ISP expenses- overhead to bandwidth.

Remember your extra money goes to making the Internet infrastructure a better place to live. It also goes a long way in keeping your ISP from oversubscribing their internal network if they're able to invest in a better, more redundant infrastructure.

If you're running a web server, I think you should be willing to spend a little more money than my mom might, because you're using more resources.

Don't turn the Internet into another 'Tragedy of the Commons'.
jeri.
"I'm afraid of Americans. I'm afraid of the world. I'm afraid I can't help it." -David Bowie
[ Parent ]
I am aware (5.00 / 1) (#35)
by aphrael on Mon Apr 02, 2001 at 04:17:05 PM EST

that bandwidth, by and large, is underpriced; that's why NorthPoint went under. That isn't the issue here.

What I object to is that the ISP assumes that because I want to have four or five machines on the net *in my house* i'm necessarily going to be using more resources than a home user who only wants one. Aside from the additional entries in the routing table, i'm *not*; the bandwidth to my house and the bandwidth to that person's house is the same. And the added entries in the routing table are trivial.

What's happening is that ISPs are trying to attract customers by selling at below cost, and are then demanding that technical people with demands on ISPs which two or three years ago would have been considered standard (like me) subsidize the home user. I understand the economic reasons for it, but I still find it immensely irritating.

[ Parent ]

realistic point of view (none / 0) (#40)
by Highlander on Tue Apr 03, 2001 at 10:10:46 AM EST

I see this the same way: cheap flat-rate ISPs are dropping every day because they are building their business model this way: expecting to find customers who pay more for less. If a customer finds them that makes full use of the contract, they start to cheat or incorporate the cheating in new contracts, while their advertising still calls the service by the same name.

However, one point, if it was the other way around, you would be asking home users to subsidize you, the power user.

Maybe ISPs should offer fair contracts and accurate accounting, instead of trying to be slick.

The point to learn in the case of your own IP and IPv6 is, ISPs should offer these, but charge their own costs, instead of trying the lure/subsidize/power user straddle.

Moderation in moderation is a good thing.
[ Parent ]

Then what's a realistic price model? (4.00 / 1) (#41)
by tankgirl on Tue Apr 03, 2001 at 12:00:42 PM EST

...in your point of view. aphrael seems to think $40 with static IPs is a reasonable amount, since that's what the home user is paying. I don't think that's a reasonable amount, period. Consumers have been sold a load of bull; the reality is that no ISP/IAP can pay all its bills if that's what they're charging.
Even Earthlink, PBI, and Verizon have realized this: the average DSL entry level offering from the nationwide ISPs is $50 as of this month.

I don't think anyone should be offering cut rate service, in _any_ industry. But it happens all the time. Why should the ISP industry be any different? I don't think the complaint should be for lower power-user prices. It should be for higher consumer prices.

BTW, prices for DSL through our coop start at $90 per month. We don't differentiate between business and residential. You buy a pipe, you get static IPs, email, web hosting, and all the other goodies that make the icing on the cake. We're just Internet plumbers making sure your pipe doesn't get backed up with packets.

cheers,
jeri.

"I'm afraid of Americans. I'm afraid of the world. I'm afraid I can't help it." -David Bowie
[ Parent ]
You're misreading me (none / 0) (#42)
by aphrael on Tue Apr 03, 2001 at 02:40:48 PM EST

it's not that I think $40/mo is reasonable. It isn't; ISPs are selling at below cost. What I object to is that the price differential for static IP is effectively, in my area, another $40/mo; e.g., my DSL providers claim that the cost of internet service *with* static IP is double that without, which is absurd. In essence, they're demanding that I subsidize their selling of DSL service below cost to home users.

[ Parent ]
So go with someone who knows the reality... (none / 0) (#43)
by tankgirl on Tue Apr 03, 2001 at 03:30:13 PM EST

...get a provider with clue. Support the intelligent ISP's. I admit this gets tougher to do in rural areas. BTW, sorry I misread you.

If your ISP is offering service at $40 a month, its customer base usually breaks down 80/20. 80% of their subscribers go with the $40 option. The 20% that pay $80 don't generate enough income to actually subsidize the other 80% paying $40. The company, or parent company (e.g. PBI and SBC have a setup going), is the one subsidizing that difference, not you. Your $80 simply covers the real costs of your DSL line.

I think we both actually agree. We've just got different world views :-)

So the question should be: would you feel better if your ISP stopped being stupid enough to offer the $40 'loss leader' service option? I know I would feel better.

cheers,
jeri.

"I'm afraid of Americans. I'm afraid of the world. I'm afraid I can't help it." -David Bowie
[ Parent ]
Static vs dynamic (none / 0) (#19)
by spacejack on Sat Mar 31, 2001 at 03:37:03 PM EST

What's the use of a static IP? To me it would only seem to make it easier for a) some hacker to attack your machine, b) get banned by servers (either with good reason or not). My ISP gives me a dynamic IP and I much prefer it. My webserver of course has a static IP for those static IP purposes. Sure, I guess it could get attacked or banned for some reason, but at least it's not in my home.

[ Parent ]
Static IP (5.00 / 1) (#36)
by aphrael on Mon Apr 02, 2001 at 04:18:40 PM EST

(1) file transfer. I want to be able to ftp files from home to work and vice-versa. I can't ftp *into* work because of the firewall. I can't reliably ftp *out* of work because I can't necessarily know what my IP is. (2) email. I *loathe* hotmail, yahoo mail, etc; I want to be able to use mh, preferably on a linux box that i'm running. Most mail clients want to be able to send mail to somename@someaddr; someaddr needs to be resolvable in DNS tables to a constant IP.

[ Parent ]
CJB.net (none / 0) (#52)
by pin0cchio on Wed Apr 04, 2001 at 06:05:23 PM EST

I can't reliably ftp *out* of work because I can't necessarily know what my IP is.

That is, unless you use CJB.net for DNS. CJB lets you send your IP address to its DNS server every time your IP changes, giving you a predictable hostname for FTP, HTTP, SMTP, or any other protocol where hosts are addressed by name.


lj65
[ Parent ]
Re: Banning (none / 0) (#53)
by Highlander on Thu Apr 05, 2001 at 05:55:15 AM EST

What happens is that without static IP, servers will take recourse to banning the entire network, not only the wrongdoer.

This has happened with IRC and frequently happens in MUDs.

Moderation in moderation is a good thing.
[ Parent ]

Static ISPs (none / 0) (#23)
by B'Trey on Sat Mar 31, 2001 at 06:41:07 PM EST

I use Speakeasy. I pay about $80 a month, get four static IPs and virtually no restrictions on how I use my bandwidth.

[ Parent ]
Which proves my point; (none / 0) (#37)
by aphrael on Mon Apr 02, 2001 at 04:19:15 PM EST

that's twice what residential DSL costs in my area.

[ Parent ]
Also (4.00 / 1) (#29)
by DeadBaby on Sun Apr 01, 2001 at 11:45:43 AM EST

Even broadband providers go out of their way to say you cannot use any server software on your account. While they rarely enforce it, people can hardly complain about them doing whatever they can to prevent it.
"Our planet is a lonely speck in the great enveloping cosmic dark. In our obscurity -- in all this vastness -- there is no hint that help will come from elsewhere to save us from ourselves. It is up to us." - Carl Sagan
[ Parent ]
I see no proof for your assertion... (4.00 / 6) (#5)
by tankgirl on Sat Mar 31, 2001 at 12:46:47 PM EST

...you can get _real_ IP addresses from any Internet provider that has a clue, but not at the entry level consumer pricing ($40 to $50). ISPs have been trying to make high speed access available to the average consumer, someone like my mom. She'd pay twice as much as she does for dial up to get speed, but she wouldn't know what to do with an IP address if she had one. Why waste one on her?

Either way, I assert that IPs are attainable to anyone that wants them, at least in the US. It's the small local ISPs that have no problem meeting the 'special needs' of the group you mention; you should probably check some of them out. NANOG (the North American Network Operators Group) is a good place to start looking, if you're in the US.

And heck, if you're in the San Francisco bay area, mail me; we've just started our own ISP, and we give a minimum of 14 IPs on _every connection_...no kidding.

jeri.
"I'm afraid of Americans. I'm afraid of the world. I'm afraid I can't help it." -David Bowie
Small local ISPs (3.00 / 1) (#12)
by aphrael on Sat Mar 31, 2001 at 01:53:01 PM EST

have a hard time competing, in California, with PacBell (which *sometimes* gives static IPs; their policy seems to change every couple of months.)

[ Parent ]
That's just another reason to choose local ISP's.. (3.00 / 1) (#16)
by tankgirl on Sat Mar 31, 2001 at 02:44:51 PM EST

...over Pacific Bell Internet (PBI).
right? :-)

Money talks, don't put it in the conglomerates pockets if you don't want to.

cheers,
jeri
"I'm afraid of Americans. I'm afraid of the world. I'm afraid I can't help it." -David Bowie
[ Parent ]
Yes and no (2.00 / 1) (#38)
by aphrael on Mon Apr 02, 2001 at 04:46:39 PM EST

i'm a customer of a medium-sized local ISP which has been in the ISP business since 1992. OTOH, i'd be wary of getting ISP service from an organization which I even suspected might be fly-by-night; having sudden service dislocations *sucks*, and since I run email to a local box, it also would mean that all of my email would start bouncing.

[ Parent ]
hey, hey, not so fast (5.00 / 1) (#21)
by mami on Sat Mar 31, 2001 at 04:57:14 PM EST

She'd pay twice as much as she does for dial up to get speed, but she wouldn't know what to do with an IP address if she had one. Why waste one on her?

I feel offended. :-) No waste of static IPs on moms, compris? I have 32 and I started out in 1995 with a whole class C. Right now I simply don't want to use them for public purposes; that doesn't mean I don't know what to do with them, if I wanted to. It also doesn't mean that I would allow anyone to take the right to have static IPs away from me. Who are you to make a judgement and take any person's right for a static IP away? I have a right to a static IP the same way I have a right to a telephone number or the right to get electricity in my house, as long as I pay my bills for them. And it's not the role of the telco or utility company or ISP to decide if I use my telephone number for a fax, a modem, an answering machine or all of it, nor is it the utility company's place to decide which machines I use the electricity for, nor should it be the right of the ISP to restrict any usage of the connection the customer pays for.

I would never want to have a connection with NO static IPs and with restrictions to run servers and a lan, even if I pay too much and even if I don't need them. If and what I do with them is my business. If I buy connection, what I really want to buy with it is not speed, is not a service from an ISP to run things for me, what I want to buy is a permanent address and connection and the freedom (and responsibility) to run my own server the way I want it, when I want it.

The real problem I have with the current structure is that many ISPs, who might be willing to give you static IPs, don't let you run your own name and mail servers. The whole structure is geared to make you dependent on ISPs' services and I don't like it. I believe it's getting worse: connections will be more expensive, more restrictive and less controllable for the end-user, all that hidden behind the argument that the end-user is too dumb or too uninterested to learn it. I simply think this is a phony, self-serving lie. ISPs need to make a living and try to protect services they offer to their customers from the end-user's control, fearing the end-user could take over and make the ISP's services superfluous.

To me the best and in the end most secure solution is a structure where every internet user is the ISP for his own node. Not every person wants to be a professional ISP for making a living, but every person should be his own ISP for his own household and business servers and take charge and responsibility for it. There is enough opportunity for system admins and programmers to consult to help people maintain and host on their customer's own servers located in their customer's homes.

Considering the security and privacy issues involved leaving the maintenance of your server in the hands of ISPs, I would always opt to hand down the control and responsibility for the configuration and maintenance of servers to the end-user.

That's not popular and the trend is in the opposite direction. But I don't like at all what the current trend seems to be.

[ Parent ]

I think you missed my point... (3.00 / 1) (#22)
by tankgirl on Sat Mar 31, 2001 at 05:11:13 PM EST

...I used _my mom_ in the example, because I know darn well she doesn't care about static IPs. I darn well do, and that's why I am personally involved with a worker owned ISP cooperative that gives a minimum of 14 static IPs to any user. We _encourage_ our users to run their own mailservers and webservers.

You buy the pipe, we make sure you can use it.

I'm just saying that _not everybody_ wants that from their Internet connection. Some people just want to surf, get their email, and enjoy. Those of us who want to 'tinker' with the Internet should be allowed to, same for those who don't want to tinker. Either way the service these two groups want is different. And the one you and I want costs ISPs more to provide. And as such we should be willing to pay for it.

cheers,
jeri.

"I'm afraid of Americans. I'm afraid of the world. I'm afraid I can't help it." -David Bowie
[ Parent ]
don't worry (3.00 / 1) (#27)
by mami on Sun Apr 01, 2001 at 12:45:03 AM EST

I didn't miss your point, just teasing a bit...How much do you charge for your 14 static IPs with a SDSL line (lowest speed you offer) ? Or do you offer static IPs for dial-up/ISDN accounts ?

[ Parent ]
the reason i hate nat's.. (3.20 / 5) (#6)
by rebelcool on Sat Mar 31, 2001 at 12:50:05 PM EST

makes banning miscreants impossible.

COG. Build your own community. Free, easy, powerful. Demo site

Banning miscreants (4.00 / 1) (#26)
by Miniluv on Sun Apr 01, 2001 at 12:02:42 AM EST

Depending on the network environment behind the NAT, and the webserver and webclient involved it is still possible.

For example:
We use static addresses for the workstations at my employer. These are in the 10/8 range, and go through a Squid proxy to websurf, or a socks4 server for other services. Squid passes a field with the original requestor IP to my apache server at home, and I have PHP scripts which recognize that IP and can ban based on it.

While this isn't ALWAYS the situation, it is fairly frequently the case, in my experience.

"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'
[ Parent ]
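The ban-by-forwarded-address scheme the comment above describes, as an added example that is not Miniluv's PHP or Squid configuration: a Python reading of the X-Forwarded-For header that only trusts entries appended by a proxy we actually trust, so the ban can neither be dodged by the workstation nor applied to a stranger. The proxy network 203.0.113.0/24, the banned workstation 10.0.0.42 and every sample request are constructed for the example, and the function names are this example's own.

```python
"""Banning a client by the address a trusted proxy reports, written for this
page as an illustration (not Miniluv's PHP or Squid setup). All addresses,
the trusted proxy network and the sample requests are constructed."""
import ipaddress
from typing import Optional

# Proxies we trust to append an honest X-Forwarded-For entry. Assumption for
# the example: the employer's Squid lives in this range. Any other TCP peer
# is untrusted, and anything it puts in the header is ignored.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Bans are keyed on (proxy that reported it, client it reported). A 10/8
# address only means something relative to the proxy that saw it: another
# company's 10.0.0.42 is a different machine. "-" means no proxy involved.
BANNED = {("203.0.113.5", "10.0.0.42")}


def _is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_address(peer: str, xff: Optional[str]):
    """Address to apply policy to.

    peer is the TCP peer the server socket sees. If it is not a trusted proxy
    the header is attacker-controlled and ignored. Otherwise walk the header
    right to left, stepping over trusted hops; the first untrusted entry is
    the client. A malformed entry stops the walk, keeping the last good hop
    rather than trusting text we could not parse.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not _is_trusted(peer_ip) or not xff:
        return peer_ip
    candidate = peer_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break
        candidate = ip
        if not _is_trusted(ip):
            break
    return candidate


def ban_key(peer: str, xff: Optional[str]):
    peer_ip = ipaddress.ip_address(peer)
    client = client_address(peer, xff)
    proxy = str(peer_ip) if client != peer_ip else "-"
    return (proxy, str(client))


def is_banned(peer: str, xff: Optional[str]) -> bool:
    return ban_key(peer, xff) in BANNED


# (TCP peer, X-Forwarded-For value) pairs, constructed for the example.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "10.0.0.42"),                # via Squid: the banned workstation
    ("203.0.113.5", "10.0.0.7"),                 # via Squid: a colleague, not banned
    ("203.0.113.5", "198.51.100.1, 10.0.0.42"),  # workstation forged a leading entry
    ("192.0.2.9", "10.0.0.42"),                  # untrusted peer: header ignored
    ("203.0.113.5", None),                       # proxy sent no header at all
    ("203.0.113.5", "garbage, 10.0.0.42"),       # junk left of the real entry
]


def evaluate():
    """True for each sample request that the ban applies to."""
    return [is_banned(peer, xff) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, xff), banned in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"peer={peer} xff={xff!r} banned={banned}")
```

The forged leading entry in the third sample is why the walk goes right to left: Squid appends the address it saw as the last entry, so whatever the workstation wrote before it is just text. The scheme still depends on the employer keeping static workstation addresses, as the comment says; with DHCP behind the proxy the key would identify a lease, not a person.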

Why popularity is harmful to Internet culture (4.08 / 12) (#8)
by crank42 on Sat Mar 31, 2001 at 01:27:37 PM EST

In the period where every machine connected to the Net had its own IP address, the only people who used the Internet already knew enough about their machines to have, at the least, the potential to be able to plough through the docs for (say) httpd. They were technically sophisticated enough to be able to learn how to set up a server, even if they didn't (at some time or other) know how to do it.

The popularity of the Internet has changed that. Many people don't even know that they can see their e-mail headers, let alone that the headers might contain useful information. What's more, they don't want to know. They want the Internet to be like a telephone: simple to use, and ubiquitous. So, the change in Net culture is not due to NAT. NAT is a symptom of the same thing: lots of people attaching to the Internet.

Network 10 Considered Harmful (3.88 / 9) (#9)
by bobsquatch on Sat Mar 31, 2001 at 01:45:15 PM EST

This idea has been around since '94: see RFC 1627.

That said, I think your problem isn't with NAT, per se, but with the loss of 1-1 mapping of computer with IP address. Dynamic IP should draw much more of your wrath, since it's screwing home users' prospects for servers more effectively than corporate NAT ever did. It's screwing them because the office is not the place for a private server -- even if each workstation had an external IP address (shudder), any sane security policy would firewall them off or shut them down.

There's no good philosophical reason why home users shouldn't have their own fixed IPs, though -- just technical and greedy reasons. The address space is limited, and the big boys don't want competition.

The shortage of IP's isn't because... (4.00 / 4) (#14)
by tankgirl on Sat Mar 31, 2001 at 02:13:29 PM EST

...of the big boys you mention. Address space on the old Internet (ARPANET) was all handed out as class A's. Educational institutions were the first users, along with some corps. Imagine what one organization could do with a 10.0.0.0 network. Boggles the mind.

There was a voluntary IP reclamation program started in late 97 or so where ARIN would allow you to return a portion of your Class A to the available pool...not many took advantage. (See this old list of reserved Class A's...)

Now you know the _real_ reason there's not enough IPv4 space available to those who want to make use of it.

For more info about IP allocation guidelines see RFC 2050

jeri.
"I'm afraid of Americans. I'm afraid of the world. I'm afraid I can't help it." -David Bowie
[ Parent ]
technical reason (3.66 / 3) (#10)
by Arkady on Sat Mar 31, 2001 at 01:47:30 PM EST

I hate NAT in a sort of situational way.

Several years ago, I actually wrote a NAT (which I dropped a few months later when Linux' IP Masquerade came out). NAT was cool because I was on a normal dialup and it let me use all my machines on the Net and, since this sort of thing was how I learned geeking, it helped me a lot. NAT is still cool in this kind of context, where you can't connect your whole network.

But NAT on real networks sucks big ones.

My biggest complaint is that it seriously interferes with my ability to admin a network remotely. It prevents me from seeing the network as the local users see it, which means that for a lot of problems I actually have to go "on site" just to figure out what's wrong.

I also agree with your sociological issues, though I'd never thought of it that way.

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


You want NAT + VPN (3.50 / 2) (#17)
by petard on Sat Mar 31, 2001 at 03:01:44 PM EST

If you set up a VPN gateway on your NATted "real" network, you get all the benefits of NAT and all the benefits of secure remote administration. Not only that, but for real networks, there is considerable benefit (cost-savings and security) IMO to not having every box be publicly addressable.

[ Parent ]
nah (3.50 / 2) (#18)
by Arkady on Sat Mar 31, 2001 at 03:22:36 PM EST

True, the VPN tunnel through the NAT to an internal system does get you a view as though you were local. This is a good thing, when it works and you have software to allow TCP encapsulation of the LAN protocols.

In my specific case, though, I'd have to bridge my whole network through the VPN link to get my personal box in that way (since I use BeOS and can't find a VPN client for it; let me know if you know of one). Since my house net has several multi-user *nix boxen, that'd kinda negate the "security" argument for the NAT since anyone who knew about it could route traffic via my *nixes which, for other reasons, need to allow packet routing.

I don't see any big advantage to NAT (in the case where real IPs are available) anyway, since the router's access control list can be used to block incoming traffic you don't want. I certainly can't think of any cost saving associated with NAT (unless your ISP charges per IP number, which some $%&^$*ers do).

NATs are like anything else: they're useful for some things in some cases and not others. They're certainly not a security panacea.

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


[ Parent ]
Router ACLs (4.00 / 1) (#24)
by MrSmithers on Sat Mar 31, 2001 at 10:21:21 PM EST

Ummmm, I sure hope you're not using router ACLs to protect anything important. While they're a good first line of defense, packet filtering has severe limitations. See active FTP for a good example. And if you need to run anything based on UDP, say bye bye to security for ANY UDP-based protocol, as someone who knows what they're doing can just bind to a port you're using as a destination and bypass all your rules...

If you want real security you need application-level proxies. Even with transparent proxies you usually start with a deny-all ruleset by default, so you're blocking everything and you might as well do NAT to save IPs (or randomize them for outgoing traffic :)

Unfortunately I've yet to see a good Free (as in speech) firewall/transparent proxy. I'm talking about something along the lines of Raptor/FW-1/whatever. Sure, you can set up apache for proxy, etc., but then you'd have to install new software for each protocol, and maintain that software and keep up with security patches for each one, and so on... Not to mention Apache isn't exactly designed with checking application-level integrity in mind anyway. Better to have my web servers behind the proxies, not as them :)

Unix: Where /sbin/init is Job 1



[ Parent ]
A widespread misunderstanding (4.00 / 5) (#28)
by rune on Sun Apr 01, 2001 at 08:35:16 AM EST

You're actually talking about PAT (port address translation) not NAT (network address translation). NAT translates local addresses to internet addresses, which means that everyone on the LAN is able to run a webserver as every LAN address is assigned a corresponding unique IP-address on the internet, whereas PAT translates the LAN ip to a port on the gateway.

Nit to pick (4.75 / 4) (#30)
by leonbrooks on Mon Apr 02, 2001 at 05:44:41 AM EST

Even if it is possible to configure the gateway to forward the connections to your computer on the local network, this means nobody else on your local network will be able to run a webserver on the standard port 80, because all connections get forwarded to you.

While it doesn't actually interfere with your thesis, it is easy to set up Apache to field and forward inbound HTTP/1.1 requests aimed at (for example) username.personalpages.mydomain.com:80 to username.internaldomain:80 and so enable web hosting on personal machines.

I'm not saying that this is a good idea, just that it's easy to implement. (-:

Regarding your actual thesis: IMHO, the sure knowledge that today's inexpertly maintained workstation is tomorrow's cracker listening post does more to repress internet culture than NAT, in much the same way that cities and dog-eat-dog city culture tend to repress friendship, privacy, independent thought and the general manananess of country life.

As country people are buying more locks, keeping weapons for invaders rather than animal pests and making themselves less conspicuous/hospitable, so Internet users are buying more firewalls, closing their ports and generally trying to become invisible.
-- If at first you don't succeed, try a shorter bungee

At the End of the Day... (3.20 / 5) (#31)
by j on Mon Apr 02, 2001 at 12:25:24 PM EST

We are running IP Masquerading at home. We have one DSL line with one static IP address. All servers are running on the machine that does the masquerading. I will readily agree that it would be better if all our machines had their own IP address. But now, we are paying about $40 for our connection; multiple static addresses start at about $100 with our ISP. Is that worth it? Not for us.
And as to 'big enterprise': I'd rather have them use up as few addresses as possible. Leaves more for the rest of the world. Where I work, almost everyone has their own Tomcat running. If I asked our network administrator very nicely, he would probably open the port that I'm running on to the outside world. But why bother. The possible ramifications of playing around on one of my employer's servers and serving up something that would be in violation of company policies aren't too pleasant. I'd rather keep experimentation confined to the machines I own.

Clueless MUD Admins. (4.25 / 4) (#32)
by Kugyou on Mon Apr 02, 2001 at 12:42:22 PM EST

That's my biggest problem with NAT. Clueless MUD Admins. I used to play a few MUDs back a few years ago, and I played most of them from a computer lab at my university - one which utilized NAT and where all the connections appeared to be made from the campus RS6000. One of these MUDs had a 'no-multiplay' rule (i.e., a player cannot have two simultaneous sessions to the same MUD). One day, I find my character and that of a friend of mine transported by an admin to a place referred to as the "Thinking Room", described as "A place to sit quietly and think about what you've done." Our characters were silenced and banned from all channels (including the channel to speak to the admin) for about 15-20 minutes, during which time we were informed that disconnecting would cause an immediate character deletion. Okay, enough with Kugyou's war crimes rant. The bit about losing my character wasn't what got me. What got me was the e-mail that was sent to the IT manager at the school, informing him that I had done one of the following:
  • Broken into the campus RS6000
  • 'Bounced' through the RS6000, not knowing that it could be 'traced' back to that server, in order to break a MUD rule.
  • Falsely identified myself under one or both of the user id's I supplied to disprove the accusations.
I'm not sure what's worse, though - that the accusations were levelled against me and my friend to begin with, or that we were actually questioned seriously about these accusations. (And people wonder why we hate our IT manager). Apparently our sysadmin was just as clueless about NAT as the MUD admin was. Anyway, quick conclusion: NAT can be damaging, not for the purpose of dealing with servers behind a company firewall or whatnot, but for the accusations it causes - in more areas than just MUDs and other frivolities. Another friend of mine received an e-mail accusing him of credit card fraud because he and another person ordered items from the same website while using computers in that same lab...blah.

-----------------------------------------
Dust in the wind bores holes in mountains
Not necessarily NAT (5.00 / 1) (#45)
by fluffy grue on Tue Apr 03, 2001 at 04:12:56 PM EST

You could very well have all just been using dumb xterminals which were going through the RS6000 as their server. When was this? MUD admins should typically know better; any MUD where the admins don't know how dumb terminals look from the outside shouldn't be allowed to run a MUD.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

And for those who think that's unlikely... (none / 0) (#47)
by DavidTC on Tue Apr 03, 2001 at 09:04:16 PM EST

...my school had, until two years ago, a dumb xterm lab, hooked to an RS6000. The RS6000 is still there newton.spsu.edu, but they got rid of the lab two years ago and logins a year ago, and now it's just a web, database, and mail server. :( But before then, I, and someone else I never met, always had 'screen tf' in the background.

Oh, and to point out how stupid this is, my entire school also looks like it's coming from one address, gate.spsu.edu.

-David T. C.
Yes, my email address is real.
[ Parent ]

Even on telnet? (none / 0) (#49)
by fluffy grue on Wed Apr 04, 2001 at 02:32:35 AM EST

Is it on *everything* that it looks like you're coming from gate.spsu.edu, or just on web? If it's just on web, it's probably a transparent proxy, like what NMSU has (which leads to lots of fun when people want to claim that I'm the same person as someone else who I've never even met, based on IP address).

NMSU used to have a number of dumb xterminal labs, but those have all been replaced by cheap PCs and Macs. The CS department specifically had almost nothing but xterminals, but those were mostly gotten rid of a few years ago, replaced by PCs, and then they got a wild itch and started buying SunRays, indicating that they completely forgot how bad the dumb xterminals were (SunRays are basically dumb xterminals, only with a single point of failure on a server which likes to manage WAY too much session info).

Oh well, at least things are much improved from when I first got here as an undergrad in 1995... the main CS lab was 24 xterminals (Sun3/50s) served off of 8 slightly-faster "servers" (Sun ELCs), and all of the files were served off of a single SPARCstation, Hawikuh. Every student had a whole whopping 5MB of disk quota. Later on they got another SPARCstation, Hukiwuh, and they let people move their accounts to it and get a whole whopping 10MB of disk space. And the undergrads these days complain about getting only 50MB to play with, served off of one of several large, fast Linux boxen and accessed from one of several large, fast Linux boxen... :P
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

It's everything. (none / 0) (#54)
by DavidTC on Fri Apr 06, 2001 at 08:28:13 AM EST

We have a transparent squid proxy on gate.spsu.edu for port 80, and normal ip_masq for everything.

-David T. C.
Yes, my email address is real.
[ Parent ]
SPSU. (none / 0) (#56)
by Kugyou on Wed Apr 18, 2001 at 10:28:31 AM EST

Dude, I stand corrected. I forgot that newton was more a proxy than a NAT thingy. I still remember the good old days on Chaos Wastes MUD, MUDding from the beloved E-lab...yes, I go to SPSU. Only reason I'm responding to you here is mostly because I keep getting server errors from your e-mail server...Did you play CW at all? If so, who? Just curious...

-----------------------------------------
Dust in the wind bores holes in mountains
[ Parent ]
Tend to MUSH. (none / 0) (#57)
by DavidTC on Sun May 06, 2001 at 03:51:31 AM EST

No, I'm more a MUSHer than a MUDder. Currently hanging out on M*U*S*H, ChaoticMUX, and OGR, and I'm not posting addresses, 'cause I don't want random people finding the places and pestering people, but I'm sure you can find them. ;) Just mention something about SPSU on Public. :) Oh, and I fixed my email, stupid .cx address apparently stopped working.

-David T. C.
Yes, my email address is real.
[ Parent ]
You forgot a really important issue however. (4.00 / 5) (#34)
by Sheepdot on Mon Apr 02, 2001 at 01:02:07 PM EST

There is one thing to consider about NATs that makes them generally worthwhile for the business or home DSL user.

Trojans operate by infecting the computer and listening on a port, often advertising to their owner what port they are on in a specific machine. On a machine behind a NAT router, trojans do next to no harm to the user.

I recently found a copy of SubSeven that had been installed on a roommate's computer the other day. Turned out to be about 6 months old. Sure enough it was advertising itself via IRC, but it wasn't getting any connections because the port it ran on wasn't mapped from the router to the computer.

For those people who get NAT, running a webserver might be viable, but running a DNS server isn't. If you want to run a DNS server you must pay for a static IP, and if that is done, NAT usually isn't. So what this means is the people who want to run webservers from the same IP, can do so, and then use their regular DNS provider to redirect their www.site.com to 24.45.120.3:8080 (or whatever their heart desires).

Anyway, I'd highly suggest all the NAT naysayers start reading documentation and try using it for a little longer than say, 3 months. It's a great, cheap way to get on the Internet, and it doubles as a poorman's firewall for those of us with DSL.

As a whole, I'm utterly pleased.
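The distinction rune draws above between 1:1 NAT and PAT, the article's "only one host can have port 80" problem, and Sheepdot's observation that an unsolicited connection to an unmapped port never reaches the LAN host, modelled as a small added illustration (not code from this thread; every address and port is a constructed placeholder):

```python
"""Toy model of inbound reachability under 1:1 NAT versus PAT/masquerading.
Added illustration, not thread code; addresses and ports are constructed placeholders."""
from dataclasses import dataclass, field

@dataclass
class OneToOneNat:
    """Static NAT: each LAN host owns a distinct public address, so any
    inbound port on that address reaches that host unchanged."""
    mapping: dict  # public ip -> private ip

    def inbound(self, dst_ip, dst_port):
        private = self.mapping.get(dst_ip)
        return None if private is None else (private, dst_port)

@dataclass
class Pat:
    """Masquerading gateway: one public address shared by all LAN hosts.
    Inbound packets reach a host only through an explicit port forward or
    as the reply to a session that host opened itself."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # ext port -> (priv ip, port)
    sessions: dict = field(default_factory=dict)  # (ext port, remote) -> (priv ip, port)
    next_port: int = 40000  # next dynamically allocated external port

    def forward(self, ext_port, private_ip, private_port):
        # One external port maps to one LAN host only: the thread's
        # "nobody else can run a webserver on port 80" problem.
        if ext_port in self.forwards:
            raise ValueError(f"port {ext_port} already forwarded to {self.forwards[ext_port][0]}")
        self.forwards[ext_port] = (private_ip, private_port)

    def outbound(self, private_ip, private_port, remote):
        # LAN host opens a connection: allocate an external port and record
        # the session so the remote side's replies can be translated back.
        ext_port = self.next_port
        self.next_port += 1
        self.sessions[(ext_port, remote)] = (private_ip, private_port)
        return (self.public_ip, ext_port)

    def inbound(self, dst_port, remote):
        if (dst_port, remote) in self.sessions:  # reply to a LAN-initiated session
            return self.sessions[(dst_port, remote)]
        if dst_port in self.forwards:  # explicit port forward
            return self.forwards[dst_port]
        return None  # unsolicited traffic to an unmapped port is dropped

def demo():
    """Run the thread's scenarios; returns what each inbound packet reached."""
    nat = OneToOneNat({"203.0.113.10": "10.0.0.10", "203.0.113.11": "10.0.0.11"})
    pat = Pat("203.0.113.1")
    pat.forward(80, "10.0.0.10", 80)  # first host takes the standard web port
    try:
        pat.forward(80, "10.0.0.11", 80)  # second host cannot share it
        clash = False
    except ValueError:
        clash = True
    pat.forward(8080, "10.0.0.11", 80)  # workaround: non-standard external port
    pat.outbound("10.0.0.10", 51515, ("198.51.100.5", 80))  # LAN host browses out
    return {
        "nat_both_on_80": (nat.inbound("203.0.113.10", 80), nat.inbound("203.0.113.11", 80)),
        "pat_port80_clash": clash,
        "pat_8080": pat.inbound(8080, ("198.51.100.9", 55000)),
        "pat_reply": pat.inbound(40000, ("198.51.100.5", 80)),
        "pat_unmapped_listener": pat.inbound(31000, ("198.51.100.9", 55001)),
    }
```

Under 1:1 NAT both hosts answer on port 80 at their own public address; under PAT the second port-80 forward is refused, the 8080 workaround reaches the second host, the reply to the outbound session is translated back, and the packet aimed at an unforwarded listening port is dropped.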


AUPs more harmful than NAT/PAT (4.00 / 3) (#39)
by HypoLuxa on Mon Apr 02, 2001 at 06:42:52 PM EST

With NAT (or PAT, which is what you are actually describing), you can still run servers. You have to learn yet another system, that being your firewall/router, but this only goes to add more skills to your admin arsenal. NAT/PAT, in and of itself, does not prevent you from running any service.

What does prevent you from running services are Acceptable Use Policies enforced by many ISPs. @home, RoadRunner, and other broadband providers are notorious for port scanning and terminating accounts that offer "business" services on "residential" accounts. The use of PPPoE and forcing users into dynamic addressing are furthering this trend. The introduction of broadband is offering the potential to decentralize the Internet traffic again, and provide all the great opportunities that you are talking about for running services. ISP AUPs are flushing that potential.

--
I'm guided by the beauty of our weapons.
- Leonard Cohen

In my experience (4.50 / 2) (#44)
by Jordan Block on Tue Apr 03, 2001 at 04:11:51 PM EST

Most ISPs do NOT use NAT for their clients, they still have a whole mess of routable IP addresses, and you still get one from them, it may be dynamically assigned with DHCP, but you've got a real IP. If you want static, you pay 10 bucks more or whatever, and you have a static IP. Companies using NAT tend not to worry if the employees can't run a Half-Life or www server, that's a good thing! I'm a netadmin, and if I had users firing up all sorts of servers on my network, it would very rapidly saturate our T1s, and make my job hell. It almost seems that the author is thinking of DHCP in writing this article, but maybe that's just me...

NAT is really a GOOD idea for some things (4.33 / 3) (#46)
by scross on Tue Apr 03, 2001 at 04:15:12 PM EST

It seems that your fundamental argument is valid if and only if you support the following: Any machine on the Internet should have the ability to be either client or server.

In my company, 5000 full-time employees, 1000 workstations, we absolutely can not permit any of these workstations being directly addressed from the Internet. Some workstations have payroll data, accounts payable cheques, future press releases, trade secrets, performance reviews, budget views, and for all I know the recipe for Coca-Cola.

Bidirectional network connectivity is a requirement for most of the new unmanaged peer-to-peer protocols being developed. Until a convincing business need for unmanaged peer-to-peer arises, direct connection will never be permitted. The classic techniques like e-mail attachments for sharing files will suffice nicely for a long time to come.

Thus having no need for an outside system connecting to an inside system, most of the drawbacks of NAT vanish. The benefits of NAT are a huge cost savings in IP addresses.

I would agree for consumer Internet, NAT would be highly inappropriate. I would not look favourably at any ISP that tried to NAT my home system.

I would think there is a market for a second class of service with second class pricing for people with less demanding needs. My Mum and Dad come to mind, who only need e-mail and yahoo.

Cheers, Sarah

Ok, but you really want a firewall or http proxy (none / 0) (#51)
by Highlander on Wed Apr 04, 2001 at 06:31:44 AM EST

I think you really want a firewall or http proxy, and you probably should not have your top secret machines connected to the internet at all.

Although I don't like it, I see your point that businesses like NAT because it gives them control over the servers opened by employees. However, I wonder how companies want to find people with the skills of running a webserver when there is no way people can get that experience.

Still, if you accept that everyone should be allowed to run a server at home, it is obvious that the current system (ipV4) is not able to handle this demand. Better would be ipV6. But while NAT is around, together with dynamically assigned IPs, people will try to cope with the shortcomings of ipV4 using NAT instead of doing the right thing(TM), investing in better protocols.

In addition, if people had been using their own static IPs for a longer time, we might have been able to avoid some of the trouble with legislation that forces providers to log the login time and IPs of their customers. The deployment of these systems can be costly.

Moderation in moderation is a good thing.
[ Parent ]

Firewalls? (3.66 / 3) (#48)
by dilinger on Tue Apr 03, 2001 at 11:01:12 PM EST

Ok, if I understood this, your main concern is the ability to run a server from behind a NAT box. I can think of 2 scenarios offhand: a school/company NAT, where you only control 1 or 2 computers on the lan, and a home/dialup/personal NAT, where you have total control of the NAT box, and hosts hidden behind it.

In the case of a personal NAT, there's no problem: it would generally be small, and you can forward ports as needed (or just run a server from the NAT box).

In the case of a company/school NAT setup, the restriction on being able to run a server is the same type of restriction that would be forced upon you if you were behind a restrictive firewall. My school firewalls off all ports except for 113 and 80 (how restrictive this is can be argued), but it limits me from running anything but identd and httpd.

The firewall, however, is there for a reason: to protect. NAT serves its purpose as well. By your line of reasoning, firewalls are harmful to the internet; yet, they've been around in one form or another since arpanet.

And, of course, the issue isn't that you can't run a server; you certainly can; it's that people outside the LAN (past the gate) can't see it. If you're on a large (private) network, as would be the case w/ a corporate NAT or firewall, you could run servers for the other people behind the gate with no problems.

I fail to see the problem here. I find firewalls as annoying as any other user, but they can be a necessary evil (a lot of protection can be had by firewalling off port 21, when boxes behind the firewall are running stock redhat boxen). This restricts the running of an ftpd. Boo-hoo. My 28.8 restricted my running a shoutcast server. Restrictions exist on the internet, just like anywhere else; users must learn to deal. This isn't making some huge change in internet ideals, it's simply a fact of life that's been w/ us all along.

Blah. I'm rambling. Carry on!

NAT, not firewall (none / 0) (#50)
by Highlander on Wed Apr 04, 2001 at 06:15:39 AM EST

I can see why you want firewalls.

But this is not the same as using NAT/PAT. The weak link in your chain of thoughts is, you cannot forward ports through the firewall if several persons want to offer the same port to the internet.

I might agree with you, if every machine had its own unique IP and could serve every port.

I might agree with you, if ISP and sysadmins were helpful about port forwarding, or would grant firewall administration to power users. (They are not, since port forwarding slowly makes it pointless to have a firewall.)

Finally, the idea of firewalls is kind of stupid; any trojan could take commands from newsgroups or web pages, completely bypassing your firewall, unless you lock all ports.

Moderation in moderation is a good thing.
[ Parent ]

Improvements to NAT (none / 0) (#55)
by Highlander on Tue Apr 17, 2001 at 08:47:03 AM EST

The AVES System uses communication between AVES nameservers and AVES aware NAT firewalls to allow clients behind NAT to run as servers.

I am not sure that is really a neat solution, but for some ISP it will be interesting.

Moderation in moderation is a good thing.

Why NAT is harmful to Internet Culture | 57 comments (55 topical, 2 editorial, 0 hidden)