Let’s have a look at another part of the long comment Bob left after listening to the Rise of NAT podcast. This one is focused on the NAT traversal mess:
You mentioned that only video-conferencing and BitTorrent use client-to-client connectivity (and they’re indeed the main use cases), but hell, do they have to engineer complex systems to bypass these NATs and firewalls: STUN, TURN, ICE, DHT…
Cleaning up the acronym list first: DHT is not like the others and has nothing to do with NAT. A distributed hash table is how BitTorrent peers find each other without a tracker; it does not get anyone through a NAT.
Now that we’re left with three acronyms, let’s try to figure out what they do:
- STUN detects NAT devices in the forwarding path (a host asks a server on the public Internet what source address and port it sees) and relies on the translation created by that outbound packet being the address a peer behind another NAT device can eventually reach.
- STUN doesn’t work with all types of NAT. In particular, it doesn’t work with symmetric NAT (NAT that allocates a new translation per 5-tuple, which is what you’d see on Cisco IOS): the mapping the STUN server reports is not the one your packets toward the peer will get. TURN works around that by relaying the traffic through a server both peers can reach.
- ICE is the umbrella on top of the other two: it gathers all candidate addresses (local, STUN-derived, TURN-relayed), exchanges them with the peer over the signaling channel, and tries every pair until one works, falling back to the relay only when nothing more direct does (please write a comment if I got it wrong).
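The STUN part of the list above, as an added example that is not part of the original post: it builds an RFC 5389 Binding Request, parses the Binding Success Response a server would send back (recovering the address from XOR-MAPPED-ADDRESS, which is XORed with the magic cookie precisely so that NATs rewriting addresses in payloads don’t mangle it), and classifies the NAT mapping from the answers of two different servers, which is the check that tells you whether you are behind a symmetric NAT. The sample reply, the 203.0.113.7:40000 address and the transaction ID are constructed; only `query_stun` touches the network.

```python
"""
Offline demonstration of the STUN (RFC 5389) Binding exchange: build a
Binding Request, parse the Binding Success Response a server would return,
recover the server-reflexive address from XOR-MAPPED-ADDRESS, and classify
the NAT mapping behaviour from two such answers.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """20-byte STUN header: type, attribute length (0), magic cookie, 96-bit TID."""
    tid = transaction_id or os.urandom(12)
    if len(tid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def build_binding_response(tid, ip, port):
    """What a STUN server answers; used here only to construct a sample reply."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + tid + attr


def parse_binding_response(msg, expected_tid):
    """Validate header/cookie/TID and return (ip, port) from XOR-MAPPED-ADDRESS."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    tid = msg[8:20]
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS or tid != expected_tid:
        raise ValueError("not a Binding Success Response for our transaction")
    if len(msg) != 20 + length:
        raise ValueError("length field does not match message size")
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        val = msg[off + 4:off + 4 + alen]
        if len(val) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS:
            family = val[1]
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            if family == 0x01:                      # IPv4: XOR with the cookie
                raw = struct.unpack("!I", val[4:8])[0] ^ MAGIC_COOKIE
                return socket.inet_ntoa(struct.pack("!I", raw)), port
            if family == 0x02:                      # IPv6: XOR with cookie || TID
                key = struct.pack("!I", MAGIC_COOKIE) + tid
                raw = bytes(a ^ b for a, b in zip(val[4:20], key))
                return socket.inet_ntop(socket.AF_INET6, raw), port
            raise ValueError("unknown address family")
        off += 4 + ((alen + 3) & ~3)                 # attributes are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def classify_mapping(local, mapped_a, mapped_b):
    """
    local: (ip, port) the socket is bound to; mapped_a/mapped_b: the reflexive
    address two different STUN servers reported for that same socket.
    """
    if mapped_a == local:
        return "no NAT in path (a stateful firewall may still be there)"
    if mapped_a == mapped_b:
        return "endpoint-independent mapping (cone NAT): STUN-based hole punching can work"
    return "endpoint-dependent mapping (symmetric NAT): STUN alone will not do, relay via TURN"


def query_stun(server, timeout=2.0):
    """Live (network) variant: one Binding Request from a fresh UDP socket."""
    tid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(tid), server)
        data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, tid)


if __name__ == "__main__":
    # Constructed sample: pretend a server saw our packet arrive from 203.0.113.7:40000.
    tid = bytes(range(12))
    reply = build_binding_response(tid, "203.0.113.7", 40000)
    print(parse_binding_response(reply, tid))
```

To use `classify_mapping` for real, send from the same bound socket to two different STUN servers (or two transport addresses of one server) and compare what comes back; the transaction-ID check in the parser matters because anyone on the path can spoof a UDP reply, and a forged mapped address is exactly the kind of thing that quietly sends your media to the wrong place.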
Wouldn’t it be better if, instead of the above mess, the host could simply tell the NAT device it needs a public port? Of course, we have at least three protocols to do that (UPnP IGD, NAT-PMP and PCP), proving yet again the infinite wisdom of xkcd:
Why do we need STUN/TURN/ICE if we have a (supposedly) working solution? It usually comes down to I don’t want to deal with those uncouth people from the IT basement (aka “networking engineers”), a well-known strategy used by the likes of Novell and VMware, or to I want to make this work even though some stupid security people think it should be blocked (see also: using Signal to plan bomb strikes).
I never said NAT is a great solution (it’s not), but it’s still a necessary evil (even in the IPv6 world) that has to be dealt with. There are standard ways to do it, and fortunately, we have tons of libraries you can use to get the job done without going into the details. A quick search for “Python [STUN|TURN|ICE] NAT” resulted in a half-dozen GitHub/PyPI projects. Ideally, we’d have a single library that everyone uses to get the job done (like OpenSSL and OpenSSH), but maybe we’re not at that stage yet.
Last but not least, networking engineers love to think that networking’s complexities are unique. Well, I can point you to numerous other IT disciplines full of complexities, but they managed to build layers of abstraction around them. For example, people stopped reinventing compilers, operating systems, and databases ages ago. I haven’t heard anyone (apart from a small circle of database developers) talking about the complexities of distributed databases that arise because they have to deal with Byzantine faults and the implications of the CAP theorem. Why should NAT traversal be any different?
But It Would Be Better in an IPv6 World
Here’s the most common counter-argument to my “NAT is a necessary evil” rants, this time made by Daryll Swer:
All these problems don’t exist on native routed (and static) IPv6.
TL&DR: Bollocks.
Most hosts connected to the public IPv6 Internet over a LAN or WiFi sit behind a stateful firewall (for various reasons). Punching holes through that firewall is equivalent to setting up NAT translations: the outbound packet creates the state, and only a reply matching that state gets back in.
Oh, but dealing with firewalls is so much simpler in the IPv6 world:
Firewall hole punching only involves STUN, and that’s it. We move on with our lives.
Sort of. Decent stateful firewalls match on the full 5-tuple, which is functionally equivalent to the filtering behavior of symmetric NAT (address-and-port-dependent filtering in RFC 4787 terms), but they don’t change the source address or the UDP port numbers when packets traverse them. That makes them equivalent to port-restricted cone NAT: the address your peer learns through STUN is the same one your packets toward the peer will carry, so it’s easy to discover what hole your peer punched in their firewall. With symmetric NAT it isn’t, because the port the STUN server saw is not the port the NAT will pick for the flow toward the peer.
On a more practical note, even the Cisco router between me and the global Internet seems to be using port-restricted cone NAT (in RFC 4787 terms, endpoint-independent mapping, EIM, combined with address-and-port-dependent filtering; EIM is the half that matters for STUN), and I don’t remember when a VoIP call or a video conferencing app wouldn’t work. Yes, things are unnecessarily complex (from the perspective of IPv6 fans), but they work. It seems the NAT-induced complexity is still not expensive enough to make migration to IPv6 cost-effective.
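The equivalence argued in the two paragraphs above, as an added toy model that is not part of the original post: three middleboxes implementing RFC 4787 mapping and filtering behaviors (port-restricted cone NAT, symmetric NAT, and an IPv6 stateful firewall that translates nothing), two peers that learn their reflexive address from a STUN server, swap those addresses out of band, and then try to punch through. The addresses, port range and the single STUN server are constructed; the point is which combinations end up with packets delivered.

```python
"""
Toy model of UDP hole punching through three middlebox types, in RFC 4787
terms: port-restricted cone NAT (endpoint-independent mapping, address-and-
port-dependent filtering), symmetric NAT (endpoint-dependent mapping) and an
IPv6 stateful firewall (no mapping at all, same filtering). Not a protocol
implementation; addresses are constructed documentation-range values.
"""
from itertools import count

STUN_SERVER = ("198.51.100.1", 3478)   # somewhere on the public Internet


class Middlebox:
    """Common part: address-and-port-dependent filtering on a per-flow state table."""

    def __init__(self, external_ip=None):
        self.external_ip = external_ip
        self.flows = set()      # (external_src, remote) pairs created by outbound packets
        self.ext_to_int = {}    # external (ip, port) -> internal (ip, port)

    def external_for(self, internal, remote):
        raise NotImplementedError

    def outbound(self, internal, remote):
        """Internal host sends to `remote`; returns the source address the remote sees."""
        ext = self.external_for(internal, remote)
        self.ext_to_int[ext] = internal
        self.flows.add((ext, remote))
        return ext

    def inbound(self, ext_dst, remote_src):
        """Packet from remote_src to our external side; internal destination or None."""
        if (ext_dst, remote_src) in self.flows:
            return self.ext_to_int[ext_dst]
        return None             # no matching state: dropped


class PortRestrictedConeNAT(Middlebox):
    """One external port per internal socket, whoever the packet is sent to."""

    def __init__(self, external_ip):
        super().__init__(external_ip)
        self.mapping, self.ports = {}, count(40000)

    def external_for(self, internal, remote):
        if internal not in self.mapping:
            self.mapping[internal] = (self.external_ip, next(self.ports))
        return self.mapping[internal]


class SymmetricNAT(Middlebox):
    """A fresh external port for every (internal socket, remote endpoint) pair."""

    def __init__(self, external_ip):
        super().__init__(external_ip)
        self.mapping, self.ports = {}, count(40000)

    def external_for(self, internal, remote):
        if (internal, remote) not in self.mapping:
            self.mapping[(internal, remote)] = (self.external_ip, next(self.ports))
        return self.mapping[(internal, remote)]


class StatefulFirewallV6(Middlebox):
    """No translation: the host's global address is what the remote sees."""

    def external_for(self, internal, remote):
        return internal


class Peer:
    def __init__(self, name, box, address):
        self.name, self.box, self.address, self.received = name, box, address, []

    def reflexive(self):
        """What STUN would report: the source address our middlebox showed the server."""
        return self.box.outbound(self.address, STUN_SERVER)


def send(src, dst, dst_reflexive):
    """One UDP datagram from src to dst's reflexive address through both middleboxes."""
    ext_src = src.box.outbound(src.address, dst_reflexive)
    if dst.box.inbound(dst_reflexive, ext_src) == dst.address:
        dst.received.append((src.name, ext_src))
        return True
    return False


def hole_punch(box_a, addr_a, box_b, addr_b):
    """Both peers learn their reflexive address via STUN, swap them out of band
    (signalling), then send to each other. Returns (A got B's packet, B got A's)."""
    a, b = Peer("A", box_a, addr_a), Peer("B", box_b, addr_b)
    refl_a, refl_b = a.reflexive(), b.reflexive()
    for _ in range(2):      # the very first packet from each side is expected to be dropped
        send(a, b, refl_b)
        send(b, a, refl_a)
    return bool(a.received), bool(b.received)


if __name__ == "__main__":
    print(hole_punch(PortRestrictedConeNAT("203.0.113.1"), ("10.0.0.2", 5000),
                     PortRestrictedConeNAT("203.0.113.2"), ("10.1.0.2", 5000)))
    print(hole_punch(StatefulFirewallV6(), ("2001:db8:a::2", 5000),
                     StatefulFirewallV6(), ("2001:db8:b::2", 5000)))
    print(hole_punch(SymmetricNAT("203.0.113.1"), ("10.0.0.2", 5000),
                     PortRestrictedConeNAT("203.0.113.2"), ("10.1.0.2", 5000)))
```

Two port-restricted cone NATs and two IPv6 stateful firewalls behave identically in this model (the first packet each way opens the state for the other side, the retry gets through), which is the equivalence claimed above. Put a symmetric NAT on one side and neither direction ever succeeds: the port the STUN server saw (40000) is not the one the NAT allocates toward the peer (40001), so the peer’s firewall state never matches; that is the case where ICE falls back to a TURN relay.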
However, to be fair, CG-NAT in the IPv4 world does introduce a whole new level of evilness not present in the IPv6 world. For example, if two devices behind the same CG-NAT want to communicate but happen to use a server outside of the CG-NAT domain to find their respective IP addresses, they learn each other’s public addresses and the traffic has to go through the NAT device (hairpinning), even though a direct path exists.