NAT and End-to-End Argument – Does NAT Violate It?

ipipv4nat;

Does NAT violate end to end argument?
What does end to end argument means in this context?

Best Answer

It means that IP was designed for each endpoint only to maintain the state of the communications. NAT requires that the NAT device in the middle to maintain a state of the communications.

IP was designed so that if something in the middle of that path changes, packets can be rerouted without any ill effect. If the path changes and misses the NAT device that maintains the state, then the communications break. That can happen with two WAN routers for redundancy, and the wan link for one breaks, and the traffic now flows through the other, but now the NAT device for the original communication does not see the traffic, so the communications flow breaks due to IP address changes.

Remember that IP was explicitly designed to continue communications in the event of a path failure (tornado, hurricane, fire, nuclear bomb, etc.), and automatically reroute the packets through an alternate path. Because the NAT device is required because it maintains the communications state, it breaks this paradigm.

Related Solutions

NAT vs ALG vs Firewall – Key Differences Explained

If I understand your question correctly, the NAT router translates addresses as data moves from the "inside" to the "outside." If traffic doesn't pass through the router, there is no translation.
"Control plane" and "data plane" are conceptual terms. There isn't always a correspondence to hardware or software. That said, forwarding traffic is the function of the data plane.
The terms ALG, firewall, layer3 switch, etc have no fixed definition. They get defined by the manufacturers and can mean whatever they want it to mean. But generally speaking, an ALG often performs the same functions as a firewall.
TCP/IP can't read IANA specifications, so a port is a port, no matter what number is used. They are all handled (and translated) the same way.

Nat – How does NAT work for large private networks

As a rule of thumb, I size my firewalls for 250 tcp sessions per user. That's on the high side right now, but as people start to use more and more cloud services (dropbox, Office365, etc, etc) the number of sessions per user is only going up in the near future, so I prefer to be on the safe side. This means a single public IP is enough to NAT for only 250 users.

If you have more users, you would need to use more public IP addresses for NAT. This is called a NAT Pool. Your firewall will use IPs from the pool to assign IP/port combinations as needed.

In Cisco IOS, you configure a NAT pool thus:

ip nat pool <name> <start-ip> <end-ip> 
 {netmask <netmask> | prefix-length <prefix-length>}
 [type {rotary}]

If you want to know everything about NAT, check out the Cisco documentation. It's an excellent read.

Best Answer

Related Solutions

NAT vs ALG vs Firewall – Key Differences Explained

Nat – How does NAT work for large private networks

Related Topic