[afnog] Mikrotik Router Help
Brian Candler
B.Candler at pobox.com
Wed Jun 29 16:30:34 EAT 2005

On Wednesday 29 June 2005 06:17, Randy Bush wrote:
> > There are quite a number of "ISPs" that give out private ip addresses and
> > then NAT their customers. One ISP here in Uganda which I will not mention
> > :-) actually gives their customers private ip addresses and then does
> > static NAT for them at their end. No amount of talk could convince them
> > of the folly of this approach.
>
> those who need some understanding why this is not a good idea might
> see <http://rip.psg.com/~randy/040226.apnic-nats.pdf>.

NAT is here, IMO, because it gives people what they *want*. Really.
What people want is to be able to actively manage and expand their own
networks, without (a) having to chase a paper trail up an allocation
hierarchy, and (b) having to renumber any existing devices or users as their
network grows. NAT gives them that.

NAT is a broken version of what I believe would be the real solution:
extensible addressing. That is, I should be able to get one unique identifier
from my upstream network, and use that to allocate addresses to an unlimited
number of end-points. Those end-points, in turn, should be able to set up
networks hosting an unlimited number of additional end-points - and so on.

Consider a small U.S. ISP, which provides a satellite Internet link to an
African ISP, one of whose customers is running a community micro-ISP. I think
we all know that if an end-user of that micro ISP wants a /25 allocation, it
would be a bureaucratic nightmare to get it; they would have to write plans,
file them with the micro-ISP, who in turn would file them with the upstream
African ISP, who would consult with Afrinic, who would bury them in peat for
three months and recycle them as firelighters etc. Even if the plans are
valid, policy at any of those organisations could cause the request to be
stalled or refused; there is no IP allocation adjudicator to refer complaints
to. And once they outgrow the /25 and need a /24, they have to go through the
whole process again.

NAT allows end users to free themselves entirely and get on with running their
networks.

In the old days, many ISPs' T&Cs forbade you from running multiple machines
behind a single server, because they used that as a way of controlling their
revenue stream. Nowadays most such T&Cs have been dropped, basically because
they are unenforceable. However, ISPs still *do* use IP allocation
restrictions as a way of limiting customer usage and forcing upgrades to more
expensive products. It's unfortunately a fact of life (or business).

Also, IMO NAT is not quite as evil as this document makes out, because most
Internet applications are client-server rather than peer-to-peer, and
client-server sits much more happily with NAT. With typically the number of
clients being far higher than the number of servers, it's much easier to
justify an IP address for a server rather than an IP address for every
client. Theoretical concerns aside: it does actually work in practice.

This is not to say that African ISPs should be offering their customers only
private addresses: they should not. They should give each customer at least
one real IP address, otherwise they cannot really be said to be giving IP
connectivity (that is, forwarding packets at layer 3; NAT is a layer 4-7
proxy service and modifies data in transit). But if end-users want to use
NAT, that's their prerogative, and I think in the current environment their
reasons for doing so are demonstrably valid.

Regards,
Brian.
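A toy model of the two NAT styles contrasted in the thread above, ISP-side static 1:1 NAT versus port-overloading NAT at the customer edge, showing why client-server traffic passes and an unsolicited peer-to-peer connection does not. This is an added illustration, not code from the post or the list; all addresses are constructed from the RFC 1918 and RFC 5737 documentation ranges.

```python
"""Minimal NAT model: static 1:1 mapping beside port-overloading (NAPT)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    public_ip: str                                 # address used for port overloading
    static: dict = field(default_factory=dict)     # private_ip -> dedicated public_ip (1:1)
    table: dict = field(default_factory=dict)      # public_port -> (private_ip, private_port)
    reverse: dict = field(default_factory=dict)    # (private_ip, private_port) -> public_port
    next_port: int = 40000

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a packet leaving the private network (layer 3/4 fields change)."""
        if p.src_ip in self.static:                # static NAT: only the address is rewritten
            return Packet(self.static[p.src_ip], p.src_port, p.dst_ip, p.dst_port)
        key = (p.src_ip, p.src_port)
        if key not in self.reverse:                # first flow from this socket: allocate a port
            self.table[self.next_port] = key
            self.reverse[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, self.reverse[key], p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving from the Internet, or drop it (None) if unmapped."""
        for priv, pub in self.static.items():      # static mapping needs no prior state
            if p.dst_ip == pub:
                return Packet(p.src_ip, p.src_port, priv, p.dst_port)
        if p.dst_ip == self.public_ip and p.dst_port in self.table:
            priv_ip, priv_port = self.table[p.dst_port]
            return Packet(p.src_ip, p.src_port, priv_ip, priv_port)
        return None                                # unsolicited inbound: no mapping, dropped


def demo():
    """Constructed scenario: one statically mapped host, one overloaded client."""
    nat = Nat("203.0.113.10", static={"10.0.0.5": "203.0.113.11"})
    out = nat.outbound(Packet("10.0.0.7", 51000, "198.51.100.1", 80))      # client -> web server
    reply = nat.inbound(Packet("198.51.100.1", 80, out.src_ip, out.src_port))  # server reply
    unsolicited = nat.inbound(Packet("198.51.100.2", 6881, "203.0.113.10", 6881))  # peer first
    static_in = nat.inbound(Packet("198.51.100.2", 6881, "203.0.113.11", 6881))    # to 1:1 host
    return out, reply, unsolicited, static_in
```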