[afnog] Mikrotik Router Help

Brian Candler B.Candler at pobox.com
Wed Jun 29 16:30:34 EAT 2005


On Wednesday 29 June 2005 06:17, Randy Bush wrote:
> > There are quite a number of "ISPs" that give out private ip addresses and
> > then NAT their customers. One ISP here in Uganda which I will not mention
> > :-) actually gives their customers private ip addresses and then does
> > static NAT for them at their end. No amount of talk could convince them
> > of the folly of this approach.
>
> those who need some understanding why this is not a good idea might
> see <http://rip.psg.com/~randy/040226.apnic-nats.pdf>.

NAT is here, IMO, because it gives people what they *want*. Really.

What people want is to be able to actively manage and expand their own 
networks, without (a) having to chase a paper trail up an allocation 
hierarchy, and (b) having to renumber any existing devices or users as their 
network grows. NAT gives them that.

NAT is a broken version of what I believe would be the real solution: 
extensible addressing. That is, I should be able to get one unique identifier 
from my upstream network, and use that to allocate addresses to an unlimited 
number of end-points. Those end-points, in turn, should be able to set up 
networks hosting an unlimited number of additional end-points - and so on.

Consider a small U.S. ISP, which provides a satellite Internet link to an 
African ISP, one of whose customers is running a community micro-ISP. I think 
we all know that if an end-user of that micro ISP wants a /25 allocation, it 
would be a bureaucratic nightmare to get it; they would have to write plans, 
file them with the micro-ISP, who in turn would file them with the upstream 
African ISP, who would consult with Afrinic, who would bury them in peat for 
three months and recycle them as firelighters etc. Even if the plans are 
valid, policy at any of those organisations could cause the request to be 
stalled or refused; there is no IP allocation adjudicator to refer complaints 
to. And once they outgrow the /25 and need a /24, they have to go through the 
whole process again.

NAT allows end users to free themselves entirely and get on with running their 
networks.

In the old days, many ISPs' T&Cs forbade you from running multiple machines 
behind a single server, because they used that as a way of controlling their 
revenue stream. Nowadays most such T&Cs have been dropped, basically because 
they are unenforceable. However, ISPs still *do* use IP allocation 
restrictions as a way of limiting customer usage and forcing upgrades to more 
expensive products. It's unfortunately a fact of life (or business).

Also, IMO NAT is not quite as evil as this document makes out, because most 
Internet applications are client-server rather than peer-to-peer, and 
client-server sits much more happily with NAT. With the number of clients 
typically being far higher than the number of servers, it's much easier to 
justify an IP address for a server than an IP address for every client. 
Theoretical concerns aside: it does actually work in practice.

This is not to say that African ISPs should be offering their customers only 
private addresses: they should not. They should give each customer at least 
one real IP address, otherwise they cannot really be said to be giving IP 
connectivity (that is, forwarding packets at layer 3; NAT is a layer 4-7 
proxy service and modifies data in transit). But if end-users want to use 
NAT, that's their prerogative, and I think in the current environment their 
reasons for doing so are demonstrably valid.

Regards,

Brian.
