
May 09, 2003

Problems with NAT

I've been collecting ideas for a paper (and probably series of blogs) on the problems with NAT and why NAT should be avoided like the plague.

Coincidentally, I was confronted with a NAT-related problem, that goes to one of many points I'm trying to make.

Got a message that someone couldn't reach a machine in Alpine School District. His traceroute stops two routers before the machine. So I asked him what address he's coming from. 172.16.1.1.

Now, if I was in my normal diagnostic stupor, I'd try "traceroute 172.16.1.1" from my machine, and then from that router. Here's where it gets confusing.

172.16.1.1 happens to be private address space. If I were to use that address space on my own network, and not recognize that it's a private address (a very common mistake, even for experienced people), I would chase my tail for a while trying to figure out why this guy is on my network (because that's how it would look).

172.16.1.1 isn't in use on our backbone. And I was alert enough (this time) to notice that it's private address space. So, must be behind a NAT gateway. Sigh.

More complications: the Alpine router is addressed using "private" 10.x addresses, so testing to/from that router can't be done. This is probably the most important router to be able to diagnose from, since it connects to the machine in question.

So, I request a trace-route from the guy (who is oblivious to the fact that he's NAT'd). Now, best-case, I can test from the router upstream from Alpine to his NAT gateway. And ... it works. But I already knew that, it's getting to the Alpine router and the machine past that doesn't work. But I can't test end-to-end from those points of the network, because of the private address/NAT issue.
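A small triage helper, added here as an example and not part of the original post: it labels every hop of a traceroute as RFC 1918 private or globally routable, so the private-address trap described above is caught mechanically, and it reports the last public hop, which is the furthest vantage point from which an outside end-to-end test still means anything. The sample trace is constructed to mirror the path in the post, not a real capture.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# RFC 1918 space. An address in one of these blocks is not globally routable,
# so a test to or from it only means something on that side of the NAT gateway.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# hop number at line start, then the first dotted-quad IPv4 literal on the line
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def annotate_traceroute(text: str) -> List[Tuple[int, Optional[str], str]]:
    """Return (hop, address or None, verdict) per hop line; verdict is
    'private', 'public' or 'no-reply' (the '* * *' lines)."""
    hops = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue                      # header line or blank
        m = HOP_RE.match(line)
        if m is None:
            hops.append((int(fields[0]), None, "no-reply"))
            continue
        addr = m.group(2)
        hops.append((int(m.group(1)), addr, "private" if is_rfc1918(addr) else "public"))
    return hops

def last_public_hop(hops) -> Optional[int]:
    """Furthest hop with a globally routable address: the last point from which
    an end-to-end ping/traceroute can be run without a NAT in the way."""
    public = [h for h, _, v in hops if v == "public"]
    return max(public) if public else None

# Constructed sample, modelled on the post: the user's own 192.168 gateway, two
# public backbone routers, a 10.x router (the Alpine-style one) and then silence.
SAMPLE = """traceroute to 10.20.30.40 (10.20.30.40), 30 hops max
 1  192.168.0.1 (192.168.0.1)  0.412 ms
 2  203.0.113.1 (203.0.113.1)  5.102 ms
 3  198.51.100.9 (198.51.100.9)  9.880 ms
 4  10.1.1.1 (10.1.1.1)  12.301 ms
 5  * * *
 6  * * *"""
```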

Maybe I can do some kind of special traceroute that circumvents NAT. Except that routers don't do that kind of stuff. Hmm.

I guess I have to get a sniffer and put it at different parts of the network to see if I can see the traffic.

By now, I'm 3 hours into this problem (not working on it the whole time, but just collecting and exchanging information). And I haven't yet been able to run the most basic test: an end-to-end ping or traceroute.

And NAT is eliminating the need for IPv6? I guess you could say that, if you've never operated a network...

Posted by pete at May 9, 2003 04:04 PM
