Does NAT violate the end-to-end argument? What does the end-to-end argument mean in this context?
3 Answers
It means that IP was designed so that only the endpoints maintain the state of the communications. NAT requires the NAT device in the middle to maintain the state of the communications.
IP was designed so that if something in the middle of the path changes, packets can be rerouted without any ill effect. If the path changes and misses the NAT device that maintains the state, then the communications break. That can happen with two WAN routers for redundancy: the WAN link for one breaks, and the traffic now flows through the other, but the NAT device for the original communication no longer sees the traffic, so the communications flow breaks due to the IP address changes.
Remember that IP was explicitly designed to continue communications in the event of a path failure (tornado, hurricane, fire, nuclear bomb, etc.) and to automatically reroute the packets through an alternate path. Because the NAT device is required, since it maintains the communications state, it breaks this paradigm.

The end-to-end paradigm means that any host X with public IP a.b.c.d can directly connect to any host Y with public IP e.f.g.h (assuming IPv4 addressing, but the same thing applies to IPv6). The same must be true in both directions (X initiating a connection to Y as well as Y initiating a connection to X). This is how the Internet used to work before we ran out of IPv4 addresses.
NAT breaks that paradigm; after all, its whole purpose is to assign IP address a.b.c.d to router X, put many computers behind it in a local LAN (like your mobile phone, tablet, laptop, network printer...), and masquerade them so that all the traffic appears to come from the router.
And then you have a problem: when Y wants to connect to IP a.b.c.d on (for example) port tcp/80 (web server), it will only get to router X, and not to (for example) your laptop, which is what it wanted.
After all, there is only one public IP a.b.c.d shared by all your devices, and Y cannot know which of them you actually wanted to connect to on port tcp/80.
So, one endpoint Y can no longer connect to the other endpoint of the communication (for example, the laptop behind router X). Thus, end-to-end communication no longer works.

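Both points above (the NAT device holding per-flow state that a rerouted path can bypass, and an unsolicited packet to the shared public address having no inside host to go to) can be seen in a toy masquerading-NAT model. This is an added example, not code from the original answers; the addresses, ports, and the `Masquerade`/`Packet` names are constructed for illustration.

```python
"""Toy source-NAT (masquerade) model. Added example, not from the original Q&A.
Shows (1) the NAT box keeps per-flow state the endpoints know nothing about and
(2) a packet to the shared public IP cannot reach an inside host without state."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Masquerade:
    """One NAT device: rewrites outbound sources to its public IP, keeps a table."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}   # (inside_ip, inside_port) -> public_port
        self.in_table = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:          # new flow: allocate state here
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite to the inside host, or None (dropped) if no state exists."""
        mapping = self.in_table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or mapping is None:
            return None
        inside_ip, inside_port = mapping
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

def unsolicited_inbound_reaches_laptop() -> bool:
    """Answer 2: Y sends to a.b.c.d:80 hoping for the laptop; only router X sees it."""
    nat = Masquerade("198.51.100.1")                     # constructed public IP
    return nat.inbound(Packet("203.0.113.9", 51515, "198.51.100.1", 80)) is not None

def reply_reaches_laptop(via_standby: bool) -> bool:
    """Answer 1: the laptop opens a flow through NAT A. If the return path
    shifts to standby NAT B (same public IP, no state), the reply is dropped."""
    nat_a, nat_b = Masquerade("198.51.100.1"), Masquerade("198.51.100.1")
    out = nat_a.outbound(Packet("192.168.1.20", 50000, "203.0.113.9", 80))
    reply = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    back = (nat_b if via_standby else nat_a).inbound(reply)
    return back is not None and (back.dst_ip, back.dst_port) == ("192.168.1.20", 50000)
```

Real NAT implementations also track protocol, timeouts, and TCP state, but the failure modes the answers describe come from the same fact: the translation table lives on one box in the middle, not on the endpoints.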
End to end means that host A on one side of the Internet can talk directly to host B on the other side of the Internet. So, e.g., I can ssh into a box in the US from Europe without any special configuration on any of the devices in between.
When NAT is involved this is most likely not the case, e.g. because some manual configuration is required on the NAT device or several devices share an IP address. Note that end to end can also be broken by packet filters, access lists and firewalls.