Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Voice of IP is going to be simpler. No longer will Skype have to punch holes in the firewall/NAT using various different tricks to do bi-directional communication. Since this takes advantage of the fact that everything is routed it is going to be simpler to open up devices to the outside world without having to worry about having the right ports forwarded. Setting up a game server to play with friends is going to be simpler. NAT no longer standing in the way will help with VPN.

NAT traversal was always a pain the behind...



All routers that I interact with support port forwarding via UPnP so applications can open ports themselves. For example, BitTorrent clients like Transmission use this to set up port forwarding automatically.


Because every device is setup in a super secure manor that it can be on the Internet? Let's not kid ourselves devices will sit behind firewalls for quite a bit longer


Stateful firewalls and NAT are distinct concepts. We can and will be using stateful firewalls long after we kick NAT to the curb.


One way to think of NAT is that it's a hack to IPv4 that uses the port field to add an additional two-bytes of ephemeral IP address space, resulting in 48-bit addresses.


You get a lot more than 2 bytes, because your NAT tables can map both sender and receiver (IP, TCP port) tuples to a connection.


How does that work? You add two bytes to the address and somehow that makes the address longer by more than 2 bytes?


His point is that full-blown NAT/PAT is really 2 + 4 + 2 = 8 bytes on top of the base IP address for your system.

The tuple for a connection is:

source IP = 4 bytes

source port = 2 bytes

dest IP = 4 bytes

dest port = 2 bytes

For 12 bytes, or (in theory) 96 bits of ephemeral address space.


Okay, but I don't see how that increases the address by more than 2 bytes. Without NAT, you've got 4-byte addresses. The source/dest tuples have an 8-byte space, but each IP address is only 4 bytes. If the tuple space for NAT is 12 bytes, then each address is 6 bytes, or 2 bytes larger than without NAT.

It doesn't seem very meaningful to talk about tuple space, because we don't assign a tuple to each host. If we had 2^8 addresses, we wouldn't be nearly so worried about IP address exhaustion. But we don't have 2^8 addresses. We have 2^8 tuples.


You could have multiple hosts on the internal network appear to the outside world as the same (IP, TCP Port) tuple because they are connected to external different addresses.

To illustrate, let's say my network's external IP address is X. Let's choose some port number Y. A packet addressed to X:Y could be going to any one of several machines on my internal network, because the NAT uses the source (not just the destination) as part of its lookup. So X:Y does not uniquely identify a machine... it's only part of the total address.


Ah, I see what you mean now. Thank you for clarifying.


Sure, devices can sit behind a firewall and I highly suggest implementing a border firewall anyway, but in the long run it will be easier. Devices can still use UPnP to dynamically ask the border firewall to open up ports, and instead of having a finite number of ports because of a single IP address that is being used to NAT now each device behind the firewall could technically ask for 65535 different ports to be allowed through the firewall dynamically.

Now Bobby can run his game server on port 2275 and Billy can run his game server on port 2275 both connect to the same cable modem, and each will be able to get their own traffic routed to them.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: