When Can You Ditch Network Address Translation (NAT)?

Photo Credit: CGN NAT via Jason Fesler cc

This blog post attempts to offer a quick overview of why you might need NAT now and why you should prepare for a full transition away from it in the future.

IPv4 Networks Rely on NAT

NAT keeps private IP addresses hidden. An organization may have one public IP address on the Internet, but may sustain countless private IP addresses through the implementation of a NAT router. This technology temporarily alleviates the issue of diminishing address space with IPv4 and masks devices connected to the Internet with private IPs.

Until IPv6 is fully realized, NAT will stay Put

NAT and IPv6 can coexist, but not without extra effort for configuration on the part of a network admin. IPsec, with the usage of Authentication Header (AH) and Encapsulating Security Payload (ESP) header, conflicts with NAT. NAT does not easily coexist with protocols containing embedded IP addresses. In IPv6, every packet and header contains embedded IP addresses. IPsec  in addition to other IPv6 features, may render NAT pointless in network design.

No, NAT is not essential for a security through obscurity approach either. Stateful firewalls provide security, not NAT. Properly configured firewalls filter out the good from the bad traffic and make every attempt to keep intruders out of the network. Firewalls provide a layer of perimeters, and ideally, host-based security between network segments. Rely on firewalls, not NAT. This statement applies to IPv4 and IPv6. I cannot reiterate this point enough. NAT is not intended and should not be valued for security, but was developed and implemented as an interim solution for address allocation.

Even if you dismiss NAT, what about the reality of the ever so slow IPv6 adoption? How long will it take for ISPs, businesses, and organizations of all sizes to fully transition to IPv6?

They can’t afford to (whether in training personnel or demanding customers to do so), don’t quite know how, and don’t frankly care at the moment to upgrade. There is no incentive to make them move. Without incentive, as seen before in the theory of incentive-based design, there’s little motivation to upgrade.

Whatever your reason for sticking with IPv4 or upgrading to IPv6, Network Address Translation (NAT) as a convenient and temporary addressing solution, will fade into the background eventually. But remember that even if you manage to transition fully to IPv6, you need a way to communicate with IPv4 addresses and content on the Internet.

Plan for IPv6 Transition with Tunneling, Dual Stacking, NAT64/DNS64

Until then, encourage IT networking staff or take the initiative yourself to learn more about IPv6 addressing, dual stacking, tunneling, and the necessary steps and approaches for upgrading. Those ahead of the transition game will become very valuable to organizations with outdated networking schemes.

Research transition methods such as encapsulation (tunneling) and dual stacking. Look at NAT64/DNS64 for alternative methods for maintaining NAT on a network that can translate IPv4 and IPv6 addresses to traverse across complex networks. Unfortunately, workaround solutions take priority until a full transition is realized.

Also, remember that IPv6 security training can certainly bolster your skill set as well. Even if you only manage the network design and performance, a thorough understanding of network security empowers network admins to optimize network design while securing all endpoints for IPv4 and IPv6 traffic.

After reviewing the current state of IPv6 adoption, there is no realistic timetable for IPv6 complete adoption and the retired use of NAT. Even if an organization fully realizes an exclusive IPv6 network, they must continue to account for IPv4 addresses and utilize NAT.