Skip Links

Network World

Jeff Doyle

Large Scale NAT Architectures

NAT444 and NAT 464

By jdoyle on Wed, 09/30/09 - 1:37pm.

Traditional NAT, as discussed in the previous article, has been used for fifteen or so years to enable the sharing of a small number of public IPv4 addresses by a larger number of privately-addressed devices. In the case of homes and small businesses, there is usually just a single public IPv4 address on the outside NAT interface. That public address is assigned by a broadband service provider.

As we approach the depletion of public IPv4 addresses, broadband providers are looking at how to continue giving their customers public-facing IP addresses when there are no IPv4 addresses left to hand out. The answer seems rather obvious: If NAT has been effective at the provider-facing customer edge, it should also be effective at the customer-facing provider edge. That’s the basis of Large Scale NAT (LSN).

LSN adds another layer of translation, so that just as private IPv4 addresses are used on the inside of the CPE NAT they can also be used to assign addresses to the outside of the CPE NAT.

Figure 1 shows a conceptual example. The service provider assigns addresses out of its public IPv4 aggregate to the “Internet-facing” side of its LSN devices. On the “customer-facing” side of each LSN, an address out of a private IPv4 block – say, the 172.16.0.0/12 block – is assigned to the outside of each attached CPE NAT. Each customer then uses another private IPv4 block – typically 10.0.0.0/8 – to address all the devices within his network.

A device in one of the customer networks might send a packet to some Internet destination with a source address of 10.1.1.1; the CPE NAT then translates the source address to, for instance, 172.16.1.1 (with accompanying port mapping). At the LSN the source address is translated to the public IPv4 address, say 201.15.83.1 (again with port mapping), and the packet is routed to the destination. Responding packets to 201.15.83.1 are routed to the service provider’s aggregate IPv4 address, then to the appropriate LSN, which translates the destination address back to 172.16.1.1 and forwards the packet to the corresponding CPE NAT which translates the destination address to 10.1.1.1.

Accurate routing from the Internet to the correct device within the correct customer network depends on two things:

1)    The session was initiated from within the customer network, so that the CPE NAT and the LSN have the correct address and port mappings; and

2)    The route view from the outside is always toward a destination that can be uniquely identified. So a packet from the public Internet can be routed to the service provider’s unique IPv4 aggregate address; once within the service provider network, a more-specific route is used to send the packet to a particular LSN (which is usually a software process on some edge or aggregation router). The LSN has an outside-to-inside address/port mapping that points to a specific CPE NAT, and the CPE NAT has another outside-to-inside address/port mapping that either takes the packet to a directly connected destination or matches a route that is unique within the boundaries of that customer’s network.

This architecture is NAT444: It translates from IPv4 address to another IPv4 address to a third IPv4 address. The approach is attractive because existing CPE NATs can be used with no modifications. NATs do not care whether their outside IPv4 addresses are public or private, so from the CPE NAT’s perspective nothing is different. Service providers deploying this architecture do not have to impose special equipment requirements on their customers or require customers to change out existing equipment. Any old NAT will do.

While it is simple, NAT444 is not without issues. One concern common not only to this architecture but any LSN solution is scalability. For a broadband provider, each customer network can represent several devices behind the CPE NAT in a home or perhaps a dozen devices behind the CPE NAT in a small office. And each of those devices can produce multiple application streams. There is not yet enough production experience to know the upper boundaries of how many customer networks a single LSN can handle, either in terms of performance or in terms of mapping steams to a single public IPv4 address. 

An issue particular to NAT444 is the possibility of address overlaps between the customer’s network and the private addresses used by the service provider. For example, if the provider uses addresses out of the 172.16.0.0/12 block between the LSN and the CPE NAT, and the customer addresses his network out of the same block, uniqueness between the two zones is lost and packets might be misrouted. Insuring that customers use non-conflicting address ranges can be an administrative headache for the provider.

Another issue with NAT444 occurs when a customer wants to send packets to another customer behind the same LSN, as illustrated in Figure 2. Filtering policies in firewalls, router ACLs, and even servers often block packets from outside the network that have private source addresses. To circumvent this problem packets must pass through the LSN so that their source addresses can be translated to a public address and then “hairpinned” back through the LSN to the destination. LSN resources are consumed even though the packets are not going to a destination beyond the LSN.

A proposed solution to both of these problems is to set aside a block of the remaining public IPv4 space as an “ISP Shared Address” space. Because the address block would be reserved for use in NAT444 architectures, the same addresses can be used behind different LSNs the same way RFC1918 addresses are used. But because they are not RFC1918 addresses, they won’t conflict with the private addresses in any customer network. And because they are not RFC1918 addresses, they will not be blocked by filtering policies; packet flows between customers behind the same LSN do not have to pass through the LSN.

Another solution to these problems is to use public IPv6 addresses between the LSN and the CPE NATs, as shown in Figure 3. IPv4 packets originating in the customer network are translated into IPv6 packets for the hop between the CPE NAT and the LSN, and then translated back to IPv4 (with a public address) by the LSN. This architecture is NAT464.

There is no chance of address conflicts between the IPv6 address on the outside of the CPE NAT and the IPv4 private addresses on the inside. And assuming that the CPE NAT translates incoming packets to an IPv4 address internal to the local network, there should be no filtering issues effecting communications between two customers behind the same LSN.

NAT464 has the added advantage that the links between the provider and the customer are IPv6 only, rather than dual stacked, so the most of the issue of finding enough IPv4 addresses for customers goes away. And, because it supports IPv4 over IPv6 rather than supporting IPv4 and IPv6 in parallel, it gets us closer to where we eventually want to be: A pure IPv6 network.

While NAT464 simplifies things in the intermediate zone between the LSN and CPE NATs, it is more problematic for the LSN and CPE NATs themselves. The most obvious problem is that both these devices must now be NAT64 – that is, they must translate between the two protocol versions. Very few current CPE NATs support NAT64, so providers adopting this solution are faced with requiring their customers to change their equipment: an administrative and customer relations headache most providers would rather avoid.

More importantly, translation between address families is more complex than simple translation within a single address family, which is reflected in the fact that NAT64 implementations (formerly called NAT-PT) neither perform as well nor scale as well as NAT44. NAT64 implementations have improved, and will continue to improve, but it is unlikely that they will ever be as efficient as NAT44.

A promising compromise is a solution called Dual Stack Lite, which eliminates some of the complexity of NAT464 by using tunneling rather than address family translation. I’ll cover DS-Lite in the next post.

 

Nice article. Questions

0
By Rajesh (not verified) on Wed, 09/30/2009 - 9:44pm.

Nice article.

Questions though?

Wouldn't real time applications suffer because of double natting, may it be 444 or 464?

As well, if we have a PE device implementing NAT in full cone nat, then it means probably a lot of ports are open owing to the reason a lot of 444 are happening and easy to come in or am I being paranoid?

Cheers,
rsivanandan

Re: Questions

0
By jdoyle on Thu, 10/01/2009 - 12:36am.

Hi Rsivanandan,

THe open ports issue is probably no worse than for regular NAT. However, as you point out many applications that reference the IP address in the upper protocol headers will suffer. There are a number of workarounds to compensate for a single NAT, but adding a second one -- especially one that is centralized in the service provider network and out of the end-users domain -- will break many or most of these.

--Jeff

Go ahead, whatever.

0
By Anon (not verified) on Thu, 10/01/2009 - 3:15am.

I personally don't care if the ISPs start NATting their connections to hell, as long as they make sure to provide reliable end-to-end IPv6 access at the same time.

If anything, the crappified IPv4 network will provide a great incentive to start using IPv6.

Re: Go Ahead

0
By jdoyle on Thu, 10/01/2009 - 10:31am.

I agree.

When NAT was first created in the mid-1990s it was supposed to be one of several means to slow down IPv4 depletion while IPng (which became IPv6) was being standardized and deployed. Combined with RFC1918 it was so effective that IPv6 was deployed almost nowhere outside of a few academic networks. Operators had a solution, crappy as it was, that worked and wouldn't require them to take on the expense and headaches of getting IPv6 in place. Even though had they done it in the late 1990s, we would not now be in the position of again running out of IPv4 addresses and needing an uglier incarnation of NAT to help us out. Again.

I'm going to write about this toward the end of the this present series on new NAT solutions, but in brief, these things should only be a means of supporting the IPv4 side of dual stacking while users and content are moved to IPv6 over the next few years. There's a real danger of network operators saying, "Hey, LSNs help us extend the life of IPv4! We don't need to do IPv6 after all!"

That will just get us deeper into the hole we started digging in the mid-1990s.

Many CFOs and CIOs operate on very thin budgets; particularly in broadband service provider networks. As a result its very easy to choose the cheapest short-term solution, even though it will wind up costing more money in the long term. When it comes to IPv6, security, effective network management, or even sound operational policies and procedures, many will continue ignoring the bear following them along the trail until it bites them in the ass.

--Jeff

"Many CFOs and CIOs operate

0
By Anon (not verified) on Sat, 10/03/2009 - 8:51am.

"Many CFOs and CIOs operate on very thin budgets; particularly in broadband service provider networks. As a result its very easy to choose the cheapest short-term solution, even though it will wind up costing more money in the long term."

And in two sentences you sum up everything that is wrong with how business is conducted in the US... professional management with quarterly incentives.

ISP Shared Address

0
By Anon on Thu, 10/01/2009 - 1:03pm.

Good article. Do you know the status of the "ISP Shared Address" proposal?

I thought that was one of the easier transition techniques since it doesn't require CPE changes. An ISP can introduce dual stack and still support legacy v4 only CPE devices this way.

Thanks,
Mark

Re: Shared Address

0
By jdoyle on Thu, 10/01/2009 - 7:03pm.

Hi Mark,

The Internet Draft is still current:

draft-shirasaki-isp-shared-addr-03

but an IPv4 address block has yet been set aside for it.

--Jeff

Draw nicer pictures!

0
By wendell on Thu, 10/01/2009 - 3:21pm.

Hey Jeff,
Great words, but could you invest a little more time and effort with your drawings? ;-) Good to see you posting a little more these days...
Wendell

Re:

0
By jdoyle on Thu, 10/01/2009 - 6:50pm.

I'll talk to my Art Department.

Not a good way to push IPv6

0
By Tom (not verified) on Fri, 10/02/2009 - 12:23pm.

As an engineer working for a service provider who provides very large residential broadband services, these little workaround would stop being introduced. Will it work for simple services, of course. Is this the future of the Internet, a big NO.

It took 2 years to convice management that IPv4 to IPv6 is a necessity, then comes these "double" NATing bandaids. When a vendor comes and exposes something like this to upper management, 2 years of justification will most likely be thrown out the window due to "less cost now" picture sown into the management's brain.

How sad...

12next ›last »

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • You can use BBCode tags in the text.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <p> <strong> <i> <br /> <br> <ul> <ol> <li> <dl> <dt> <dd> <blockquote>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Welcome, visitor. Register Log in
About Jeff Doyle on IP Routing

Jeff Doyle is president of Jeff Doyle and Associates, an IP network consultancy. Jeff is the author of Routing TCP/IP, Volumes I (read an excerpt) and II and of OSPF and IS-IS: Choosing an IGP for Large-Scale Networks. He is a frequent speaker on IPv6, MPLS, and large-scale routing.

Contact him.