2. Disadvantages of NAT

Any rewriting of packet headers has the potential to cause problems. With NAT, problems are most likely to occur with protocols in which the IP address is embedded within the packet payload, or with those where a remote host needs to initiate a connection to the host behind the NAT. Many such protocols have legitimate uses, particularly within the university environment.

Protocols which may potentially (but not always) have problems behind NAT include, but are not limited to:

  • FTP
  • Audio/video conferencing and messaging protocols, such as SIP, H.323, etc.
  • IPsec
  • Kerberos
  • X windowing system

For many protocols, workarounds do exist, as the need to work behind NAT becomes increasingly common. Methods include:

  • Application-level gateways on the NAT device, rewriting packets as necessary
  • Proxying/tunnelling
  • Client-side reconfiguration

For some protocols, however, no solution exists.
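The FTP case is the classic example of an address embedded in the payload: in active mode the client sends a PORT command naming its own IP address and a listening port, and the server connects back to it. Plain NAT rewrites only the IP header, so the server is told a private address it cannot reach; an application-level gateway parses the PORT line, allocates a mapping for the data port, and rewrites the text. The following simulation is an added example written for this page, not code from the original document or from any NAT implementation; the addresses (10.0.0.5 inside, 198.51.100.7 as the NAT's public address), the port allocation scheme and the `Nat` class are constructed for the demonstration.

```python
"""Constructed illustration of the FTP PORT problem behind NAT and the ALG fix.
Not from the original page; addresses, ports and the NAT table are made up."""
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2  (address octets, then port as high byte, low byte)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port(cmd: str):
    """Decode an FTP PORT line into (ip, port); None if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):
        return None
    ip = ".".join(str(v) for v in vals[:4])
    return ip, vals[4] * 256 + vals[5]


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into a PORT line."""
    return "PORT " + ",".join(ip.split(".")) + f",{port // 256},{port % 256}\r\n"


@dataclass
class Nat:
    """Toy NAT: maps (inside ip, inside port) to a port on one public address."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> public port

    def map_outbound(self, inside_ip: str, inside_port: int):
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]

    def forward_ftp_control(self, inside_ip: str, cmd: str, alg: bool = True) -> str:
        """Forward one FTP control-channel line from the inside host.

        Without an ALG the payload passes untouched, so the private address in
        PORT leaks out unchanged. With the ALG the PORT line is parsed, a mapping
        for the advertised data port is created, and the line is rewritten."""
        parsed = parse_port(cmd)
        if not alg or parsed is None:
            return cmd
        ip, port = parsed
        if ip != inside_ip:
            return cmd  # only rewrite the client's own address, nothing else
        pub_ip, pub_port = self.map_outbound(ip, port)
        return format_port(pub_ip, pub_port)


def server_can_connect_back(cmd: str, nat: Nat) -> bool:
    """Would the remote server's data connection reach the client?
    Only if PORT names the NAT's public address and a mapping exists for the port."""
    parsed = parse_port(cmd)
    if parsed is None:
        return False
    ip, port = parsed
    return ip == nat.public_ip and port in nat.table.values()


if __name__ == "__main__":
    nat = Nat("198.51.100.7")
    raw = "PORT 10,0,0,5,4,1\r\n"  # client 10.0.0.5 listening on 4*256+1 = 1025
    plain = nat.forward_ftp_control("10.0.0.5", raw, alg=False)
    fixed = nat.forward_ftp_control("10.0.0.5", raw, alg=True)
    print("plain NAT :", plain.strip(), "->", server_can_connect_back(plain, nat))
    print("with ALG  :", fixed.strip(), "->", server_can_connect_back(fixed, nat))
```

The same parsing-and-rewriting logic is also where ALG bugs live: the gateway must correctly decode every variant of the command it touches and must refuse to rewrite addresses other than the client's own, otherwise the ALG itself becomes the failure the text warns about.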

Some application-level gateways can introduce their own problems, through bugs, security issues and the difficulty of debugging problems where they are involved. Indeed, some application gateways have achieved considerable notoriety, such were the problems caused.

As with stateful firewalls, issues with TCP timeouts can arise with many protocols. Idle TCP connections may be kept open through the use of keep-alives, but if the interval between keep-alives is longer than the lifetime of a connection in the state table of a firewall or NAT device, idle connections are liable to be broken. This may be annoying for some applications, for instance logins to remote systems, especially if users need to log into several systems simultaneously. Keeping state table entries for too long risks the table filling, but the keep-alive interval can often be adjusted in applications to reduce the risk of unwanted disconnects.
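The interaction between the keep-alive interval and the state-table idle timeout can be made concrete with a small simulation. This is an added example written for this page, not code from the original document or from any firewall or NAT product; the `StateTable` class, the flow tuple and the timeout and interval values are constructed for the demonstration.

```python
"""Constructed illustration: a NAT/firewall state table with an idle timeout,
driven by keep-alives at a chosen interval. Not from the original page."""
from dataclasses import dataclass, field

# Constructed flow: inside host 10.0.0.5 -> SSH on 203.0.113.9
FLOW = ("10.0.0.5", 50000, "203.0.113.9", 22)


@dataclass
class StateTable:
    """Entries expire when no packet in either direction has been seen for
    idle_timeout seconds."""
    idle_timeout: float
    entries: dict = field(default_factory=dict)  # flow -> last-seen time (s)

    def packet(self, flow, now: float) -> None:
        """A packet on the flow creates or refreshes its entry."""
        self._expire(now)
        self.entries[flow] = now

    def is_alive(self, flow, now: float) -> bool:
        self._expire(now)
        return flow in self.entries

    def _expire(self, now: float) -> None:
        dead = [f for f, t in self.entries.items() if now - t > self.idle_timeout]
        for f in dead:
            del self.entries[f]


def survives(keepalive_interval: float, idle_timeout: float, duration: float,
             flow=FLOW) -> bool:
    """Open the flow at t=0, then send only keep-alives every keepalive_interval
    seconds. Returns True if the state entry still exists at t=duration, i.e.
    every keep-alive found its entry before the NAT/firewall had discarded it."""
    table = StateTable(idle_timeout)
    table.packet(flow, 0.0)
    t = keepalive_interval
    while t <= duration:
        if not table.is_alive(flow, t):
            return False  # entry already gone: the keep-alive arrives too late
        table.packet(flow, t)
        t += keepalive_interval
    return table.is_alive(flow, duration)


if __name__ == "__main__":
    # One idle hour with a 5-minute state-table lifetime.
    for interval in (60, 300, 600):
        print(f"keep-alive every {interval:>3}s, timeout 300s:",
              "connection kept" if survives(interval, 300, 3600) else "connection broken")
```

The `is_alive` call before each keep-alive is the important detail: once the entry has expired, the next keep-alive is an unsolicited packet from the inside host with no matching state, and on a real NAT it would typically be treated as a brand-new flow rather than reviving the old one, while the server side of the original connection keeps waiting.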
