Welcome to my first NAT post of 2012. After spending some time during the holidays unwrapping new tech toys and trying to get them to work on my home network, I’m full of enough vitriol that I need to direct it somewhere. Based on the number of searches for “double NAT” that end up on my blog, I thought it was only fitting that I direct some hate toward NAT444, also called carrier-grade NAT or large-scale NAT.
Carrier-grade NAT is the brainchild of the ISP world. It turns out that we may be running out of IP addresses. Shocking, right? We’ve all known for at least a year that we were on the verge of running out of IPv4 addresses. I even said as much last February. The ISPs seem to have decided that IPv4 is still a very important business model for them and the need to continue using it over IPv6 is equally important. My best guess is that many consumer-oriented ISPs looked at their traffic patterns and found that the majority of them were dominated by outbound connections. This isn’t shocking when you consider that the majority of devices in the home aren’t focused around serving content. In fact, many residential ISPs (like mine) tend to block connections on well-known server ports like 25 and 80. This serves to discourage consumer users from firing up their own mail and web servers and forces them to use those of the ISP. It also makes the traffic patterns outflow dominant.
With the lack of availability of IPv4 addresses, the ISP need to find a way to condense their existing and new traffic onto an ever-dwindling pool of available resources. Hence, NAT444. Rather than handing the customer an global IPv4 address for use, the ISP NATs all traffic between their exit points and the customer premise equipment (CPE):
In this example, the subscribers may have an address space on their devices in the 192.168.x.x/24 space. The ISP would then assign an address to the CPE device in the 172.16.x.x./16 space or the 10.x.x.x/8 space. That traffic would then bent sent through some kind of NAT gateway device or cluster of devices. Those devices would function in the same way that your home DSL/Cable router functions when translating addresses, only on a much larger scale. The amount of addresses the ISP current has in their pool would not need to be significantly increased to compensate for a larger number of subscribers, just as if buying a new XBox doesn’t require you to get a new IP address from your ISP.
NAT444 has its appealing points. It’s helpful in staving off the final depletion of the IPv4 address space from the provider side of things. It will help keep IPv4 up and running until IPv6 can be implemented and reduce the pressure on the address space. Yeah, that’s about it…
NAT444 has drawbacks. Lots of them. First, you are adding a whole new layer of complexity onto your ISP’s network. Keeping track of all those state tables and translations for things like lawful intercept is going to be a pain. Not to mention that the NAT gateway devices are going to need to be huge, or at the very least clustered well. Think about how many translations are going through your CPE device at home. Now multiply that by the number of people on your ISP’s network. Each of those connections now has to have a corresponding translation in the NAT table. That means RAM and CPU power. Stupidly big boxes for that purpose. What about applications? We’ve already seen that things like VoIP don’t like NAT, especially when SIP hardcodes the IP address of the endpoint into all of its messages. Lucky for me, a group already did some testing and published their results as a draft RFC. Their findings? Not so great if you like using SIP or seeding files with BitTorrent (hey, it has legitmate uses…). They also tested things like XBox Live and Netflix. Those appear to have been bad as late as last year, but may have gotten better as of the last test. Although, I don’t think testing Netflix streaming for 15 minutes was a fair assessment. You can also forget about hosting anything from your own network. No web, no email, no peer-to-peer gaming sessions over a NAT444 setup. I’m sure your ISP will be more than happy to provide you with a non-NAT444 setup provided you want to upgrade to “premium” service or move to a business account with all the associated fees.
I leave you with a this small reminder…
I had one of those funny epiphanies when writing this post. I kept holding down the shift key when typing, so NAT444 kept turning into NAT$$$. That’s when it hit me. NAT444 isn’t about providing better service for the customers. It’s about keeping the whole mess running just a little while longer with the same old equipment. If the ISPs can put off upgrading to IPv6 for another year or two, that’s one more year they don’t have to spend their budgets on new stuff. Who cares if it’s a little harder to troubleshoot things?
In the end, I think NAT444 will be dead on arrival, or at the most shortly thereafter. Why? Because too many things that end users depend on today will be horribly broken. Sure, I can grouse about how NAT444 breaks the Internet and is horrible from a design perspective. I am the I Hate NAT Guy, after all. But try telling the average suburban household that they won’t be able to watch a streaming Netflix movie or play Call of Duty over XBox live anymore because we didn’t plan to keep the Internet running with a new set of addresses. Those people won’t wax intellectual about their existential quandary on a blog. They’ll vote with their dollars and go to an ISP that doesn’t use NAT444 so all their shiny new technology works the way they want it to. In the end, NAT444 will end up costing the ISPs big $$$.
Amen to most of that. Love the 444>$$$ thing. I wouldnt be surprised if the marketing people were aware of this but deemed us all too stupid to notice! 😉
Good rant 🙂
Think about the NAT666 😉
The good news is that NAT$$$ may cost more than IPv6, so it may kill itself off.
Pingback: IPv6, NAT, and the SME – A Response | The Networking Nerd
Really….Block port 80???? I dont think so
Actually, it’s more likely than you think:
The stated reason for the majority seems to be worm blocking, and I agree on blocking NetBIOS as well as MS-SQL traffic. The port 25 and port 80 blocking to me only seems to be designed to drive people to a business-class account with static IPs and additional services. That way, they can also keep an eye on how much traffic you are pushing into their network and charge accordingly.
Pingback: The Five Stages of IPv6 and NAT | The Networking Nerd