DevCentral Weblogs: Lori MacVittie - Two Different Socks
What really breaks the "end-to-end nature of the Internet"
posted on Friday, July 25, 2008 4:14 AM

IPv6 was supposed to eliminate NAT (Network Address Translation). But in order to make the transition from IPv4 reasonable and less painful, it's being added to IPv6. Its intended role in IPv6 is to create gateways that bridge between IPv6 and IPv4 while the transition occurs.

The IETF is not thrilled, however. Its description of how it feels about NAT and the necessity to include it makes it sound like schoolchildren forced to allow that kid to play in their game of kickball. And then they put him in far right field. And I mean far right field, so it's obvious what they think of him.

This Network World article describes NAT as "much maligned" and reminds us that purists hate it for breaking the end-to-end communication model on which the Internet was designed.

From the article:

NAT is deployed in routers, servers and firewalls, and it adds complexity and cost to enterprise networks. Internet purists hate NATs because they break the end-to-end nature of the Internet; this is the idea that any end user can communicate directly to another end user over the Internet without middle boxes altering their packets.

I'm guessing purists hate a whole lot of technologies because there are a ton of other technologies and products that are essentially "middle boxes altering packets."

The problem is I don't want any end user communicating directly with me. I want their packets inspected, sanitized, and thoroughly cleansed before they get anywhere near me. I want them altered or nuked into the ether, particularly if they're full of nastiness or hell-bent on destroying the delicate balance that is my desktop.

Alteration of packets is a necessity to address protocol errors and perform all sorts of interesting application delivery functions. Alteration of packets is necessary to add caching control to web applications that are not written with caching in mind; it's necessary to rewrite URIs, and to protect sensitive data from escaping the confines of the data center. Alteration of packets by "middle boxes" (i.e. intermediaries or proxies) is a requirement for optimizing and securing application data.

And beyond solving the IPv4 address shortage, NAT has become a primary security mechanism for ensuring end users aren't directly reachable by external applications. Even if I had enough IPv4 addresses to put all the machines in my home on the public Internet, I wouldn't. That's just asking for trouble, especially when some of those machines are being used by teenagers whose idea of security is using "hotbutterfly99" as their username on HotMail or Yahoo. And there's not that much difference between those teenagers and many corporate employees.

The article also quotes Geoff Huston, chief scientist at APNIC and an expert on IPv4 address depletion:

Huston says NATs are useful for addressing, packet filtering and other functions. He says the real problem with NATs is that they lack standards, and that is an area where the IETF can make improvements in NATs for IPv6.

"The IETF's position of ignoring NATs some years back forced NAT software builders to exercise their own creativity when designing their version of NATs," Huston says. "This variation of NAT behavior is a far, far worse problem than NATs themselves."
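As an added illustration (not code from the post, the Network World article, or Huston), a Python model of a stateful NAPT: outbound traffic creates port mappings, inbound traffic is delivered only where a mapping exists, and a `strict` switch shows one way two vendors' NATs can legitimately differ in what they let back in, the kind of behavioural variation Huston objects to. All addresses are constructed from RFC 5737 documentation ranges.

```python
"""Toy stateful NAPT (NAT with port translation): a constructed model, not a real implementation."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Napt:
    public_ip: str
    # strict=True: an inbound packet must come from the exact host:port the inside client
    # contacted; strict=False: any outside host hitting a mapped port gets through.
    strict: bool = True
    next_port: int = 40000
    outbound: dict = field(default_factory=dict)  # (priv_ip, priv_port, dst_ip, dst_port) -> public port
    inbound: dict = field(default_factory=dict)   # public port -> that same 4-tuple

    def egress(self, pkt):
        """Rewrite an inside->outside packet, creating the mapping on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def ingress(self, pkt):
        """Translate an outside->inside packet; None means the NAT drops it."""
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None  # no inside host ever opened this port: unsolicited, dropped
        priv_ip, priv_port, peer_ip, peer_port = key
        if self.strict and (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # mapping exists, but this sender is not the contacted peer
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

def demo():
    """Constructed traffic through both NAT flavours -> {flavour: (reply, stranger, cold) delivered?}."""
    results = {}
    for name, nat in (("strict", Napt("203.0.113.7")), ("lenient", Napt("203.0.113.7", strict=False))):
        out = nat.egress(Packet("192.168.1.10", 51000, "198.51.100.5", 80))              # client -> web server
        reply = nat.ingress(Packet("198.51.100.5", 80, out.src_ip, out.src_port))        # server's answer
        stranger = nat.ingress(Packet("198.51.100.99", 4444, out.src_ip, out.src_port))  # other host, same port
        cold = nat.ingress(Packet("198.51.100.99", 4444, out.src_ip, 40001))             # port never mapped
        results[name] = (reply is not None, stranger is not None, cold is not None)
    return results
```

Both flavours drop the "cold" packet aimed at a port no inside host ever opened, which is the unreachability the post relies on; they disagree only on the stranger packet, which is the kind of inconsistency Huston means.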

But it goes deeper than just a lack of standards and being "impure". When it comes down to it, the root of the problem - what really breaks the end-to-end model of the Internet - is people. It's the nature of people to do things they shouldn't, to code applications without concern or regard for the bigger picture, to just outright make mistakes, and in some cases to be malicious and hell-bent on destruction. So long as it's people writing applications and using the Internet, alteration of packets by "middle boxes" is going to be a requirement if we want to keep applications secure, fast, and available. Especially secure.

Packets are going to continue to be altered when IPv6 is fully adopted whether NAT remains used or not, because people can't be upgraded to a new version that addresses our behavior, and we don't have a way to enforce a behavioral RFC on every Internet user in the world.

Besides, given all the good that comes out of "middle boxes altering packets": optimization, scalability, application layer networking, acceleration, and of course, security, I'm just not convinced that NAT and other technologies breaking the end-to-end nature of the Internet is a bad thing after all.

Feedback


7/25/2008 4:46 AM
Lori,
I agree that keeping our internal addresses off the Internet is key to keeping secure. If we allow the world to see us directly then we are opening up all sorts of issues. By being able to hide behind NAT it gives us another level of security beyond what is provided by firewalls, IPS, ACLs etc... NAT may not be perfect but it's better than "purity" when it comes to trusting others to do the right thing.
Andy Willingham

7/25/2008 9:23 AM
I would like to argue against the point that NAT is a security implementation at all. NAT confuses and complicates security far more than it adds to it. Instead of just having firewall and routing rules to look after and take care of, now you have to consider the IPs changing.
For security, perhaps a firewall is what should be looked at. NAT traversal is trivial, and that reduces the subject to a matter of security-through-obscurity, which is really difficult to defend.

I'm also not sure if "middle boxes" fiddling with traffic in the middle exactly defeats end-to-end internet. I agree with you entirely that "middle boxes" are necessary, but I think they can exist and still maintain a pure end-to-end internet.

Comrade Smack

7/27/2008 5:16 AM
@Comrade Smack

NAT was not designed as a security measure, but it has morphed into one over the years.

NAT actually minimizes the number of IP addys that need to be managed at the edge on egress assuming that the administrator is properly managing NAT pools and keeping the pools to the minimum size necessary. A well architected network can make use of NAT functionality to further segregate traffic in order to apply appropriate security policies both on egress and ingress.

I don't know of any reputable organization that does not employ a firewall. NAT isn't used in place of security; it by nature adds another layer of security on egress.
Lori MacVittie

7/29/2008 8:21 AM
I don't see how NAT adds to anything that the router or switch already in place can take care of. NAT is segregating the network in much the same way a VLAN or router can, and proper policies can be enacted there. I'm not entirely sure why changing the destination IP in the header helps the granularity of security policies.

My firewall comment wasn't that there wasn't one already in place, but that if someone is looking for NAT to do something (like hiding resources) that a firewall can already do, why not let the firewall handle it?

ComradeSmack
