Symmetric NAT

Mon, Aug 20, 2012

_I almost titled this post “Symmetric NAT considered harmful”, except I promised myself I’d never title something “considered harmful.”_

It seems like the number of consumer-level routers on the market that implement symmetric NAT (endpoint-dependent mapping) has been rising in recent years. This paper puts it as high as 16% in 2010 (with another 14% blocking UDP traffic, which, while tangential to this post, is really disappointing).

RFC 4787 (Network Address Translation (NAT) Behavioral Requirements for Unicast UDP) is the “Best Common Practices” document regarding developing NAT devices and how they should behave. It has this to say as its very first requirement:

REQ-1: A NAT MUST have an “Endpoint-Independent Mapping” behavior.

Every piece of hardware or software out there doing symmetric NAT is negatively affecting the usefulness of the internet as a whole. Not only do these devices make the internet less useful for their owners, but users behind symmetric NAT often require extra resources or load on the networks and applications they use. (Using a third party’s bandwidth for relay of VoIP streams, for example.)

So why are there still so many symmetric NAT devices out there?

The Manufacturer Problem
The biggest part of the symmetric NAT problem is manufacturers. It frustrates me to no end that manufacturers of consumer-grade routers still to this day implement symmetric NAT. Belkin’s latest cheap 802.11n wireless routers (in the $25-30 price range) do, as do a large number of all-in-one DSL modem/router combinations that I’ve seen.

I have a hunch that this is because these cheaper routers use embedded system- on-chips (like the Ralink RT3050 used in the Belkin N150) where it’s cheaper and easier to implement dumb symmetric NAT (one lookup table in memory) than to implement restricted cone NAT (which requires holding filtering state in memory as well).

The Perception Problem
The other part of the problem is with how people think of NAT. Many people seem to think that the problem NAT solves is security, and that symmetric NAT is the most secure. The problem NAT actually exists to solve, however, is translation. While filtering is a part of it, the translation behavior (endpoint dependent or independent mapping) makes no difference to the level of security. I’ll say this again, because it’s important: the mapping behavior of a NAT makes no difference to the level of security it provides. Security is a function of what packets are allowed to go through the device, not how those packets are translated.

The Solution
Honestly, I don’t really have a solution. Thanks to the World IPv6 Launch Day, IPv6 is finally on its way, and should make the whole problem moot. But the day when game and application developers can ignore IPv4 and NAT and focus solely on IPv6 is still a long way off.

It seems the only solution is to make whatever noise we can about the problems of symmetric NAT, and hope other people do the same. Education is key. If you’re reading this, write a post yourself about the problems with symmetric NAT. Email your favorite hardware-reviewing website, and ask them to post information about NAT properties when they review routers. Or just warn people away from buying routers you know to be doing Symmetric NAT. I’ll be doing all of the above.

People hate hearing “your gameplay will be impacted because of your $20 router”, but are much more understanding of “your gameplay will be impacted because of your $20 video card.” That’s just life for a network programmer. But maybe we can warn people away from buying broken hardware to begin with, and make everyone happy…