What if you ran multiple webservers? Or a webserver, an email server, VPN concentrator, etc? The more public-facing resources an organization needs, the more IP space they'll require.
Some applications don't work well with NAT
Some applications work with NAT, but have to listen on a well-known port number to be of practical use on the Internet, and there are very few instances where different applications can share the same port number.
There are a limited number of source ports available per IP address. If a single IP is shared by too many applications, the available source port pool may be exhausted, and the application will likely malfunction.
Using NAT "hides" users utilizing that IP for client traffic, which makes the organization that owns the IP responsible for traffic coming from that IP. In some situations, the inability to easily hold end-users accountable for any abuse complaints aimed at the shared IP is undesirable.
In addition to what chuckbales said, additional addresses are useful for testing. You don't want to make changes in the production Web server without first testing, so you have a test Web server. That test server needs its own address on the Internet.
The end-to-end principle says that intelligence should be in the end nodes. NAT is an intermediate node that thinks it's smart.
It has its uses, but it's a PITA and makes it harder to add more intelligence to the end nodes. How many NAT workarounds have been made?
You may need more than one device serving up a public-facing resource (HTTP, DNS, etc). Also, NAT doesn't solve everything - in fact, NAT breaks certain applications and protocols.
Will you need more than 65000 concurrent connections at any one time?
For lots of reasons really. Certain ports must be used for certain services... namely HTTP, HTTPS, SMTP, etc. Let's say I have two webservers. One is Windows/IIS and the other is Linux/Apache. I couldn't use non-standard ports like 81, or all of my users would need to learn to type :81 at the end of the URL like http://mysite.com:81, and I can't forward port 80 to two different servers. Each would need its own unique external IP address. SSL certificates for hosting secure sites also need unique IP addresses even if hosted on the same server.
Same scenario would apply if I had multiple email servers. Incoming email must be received on port 25 as that's the only port the sending servers will try to connect to my servers on.
Also as someone mentioned some things don't NAT well. H323 (video conferencing) is a good example of that. Setting up Polycoms or similar H323 video conferencing systems behind a firewall to work well over the internet often requires 1 to 1 NAT.
Well... for starters... tons of things don't like NAT.
Take, for example, mail servers, when integrated with reverse DNS and certificates. Each mail server's reverse DNS entry should match the outbound interface. Additionally, each mail server's reverse DNS entry should be unique to satisfy best practices for SSL certificates. This alone is justification to require 1 mail server per IP address and vice versa.
But there's more. For example, Microsoft Direct Access services behind NAT (specifically Teredo tunneling) explicitly require two sequential IP addresses. It cannot be implemented on one address.
Further, look at Microsoft Lync or Microsoft Exchange. These services require NON-NATTED interfaces with unique public IP addresses and unique certificates (or a wildcard certificate).
How about raw port counts... say you have 5000 computers for your users and they have (on average) 20 connections open. (20 connections is not a particularly high number). This is 100,000 connections. Since your NAT translation table has to fit this all within 65533 ports per public IP address, masquerading will fail to allocate new connections to the last 30,000 connections.
Further, there is the entire idea that NAT is stupid and masquerading is stupid. Anyone who can properly implement a firewall has no functional requirement for NAT other than the expensive nature of 1:1 public IP addressing. The entire idea of private IP addressing is, in my opinion, a crutch that new network administrators lean on instead of properly securing their firewalls with proper rules. They just say "ok, every IP address is private and behind NAT, and I've only allowed 1 inbound PAT translation for our web server, everything is great!!!" until they realize just how fucking vulnerable their network is once one user gets a trojan for looking at a porn site.
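The port-exhaustion argument made in two of the replies above (a shared source port pool running dry, and 5000 hosts with 20 connections each against 65533 ports per public IP) as an added example, not code from the thread: a toy masquerading table that charges one public port per flow, reports when the pool is full, and works out how many public addresses the load needs. The 198.51.100.x / 10.0.0.0/16 addresses and the per-flow port accounting are assumptions of the model.

```python
import math
from collections import defaultdict

PORTS_PER_IP = 65533  # usable ports per public address, the figure the thread uses


class PatTable:
    """Toy masquerading table: one public port per internal flow, as in the thread's arithmetic."""

    def __init__(self, public_ips, ports_per_ip=PORTS_PER_IP):
        self.public_ips = list(public_ips)
        self.ports_per_ip = ports_per_ip
        self.table = {}               # (priv_ip, priv_port) -> (pub_ip, pub_port)
        self.used = defaultdict(int)  # pub_ip -> ports handed out
        self.failures = 0             # flows dropped because every pool was full

    def translate(self, priv_ip, priv_port):
        """Return the public (ip, port) for a flow, or None when no port is left."""
        key = (priv_ip, priv_port)
        if key in self.table:
            return self.table[key]
        for pub_ip in self.public_ips:
            if self.used[pub_ip] < self.ports_per_ip:
                # hand ports out from the top of the range so they stay <= 65535
                self.table[key] = (pub_ip, 65535 - self.used[pub_ip])
                self.used[pub_ip] += 1
                return self.table[key]
        self.failures += 1
        return None

    def utilization(self):
        """Share of the whole public port pool in use; alert on this before it reaches 1.0."""
        return len(self.table) / (self.ports_per_ip * len(self.public_ips))


def ips_needed(total_flows, ports_per_ip=PORTS_PER_IP):
    """Public addresses required to masquerade total_flows concurrent flows."""
    return math.ceil(total_flows / ports_per_ip)


def simulate(hosts, flows_per_host, public_ips):
    """Open hosts*flows_per_host constructed flows through a PatTable; return (ok, failed)."""
    nat = PatTable(public_ips)
    for h in range(hosts):
        for p in range(flows_per_host):
            nat.translate(f"10.0.{h // 256}.{h % 256}", 40000 + p)  # constructed 10.0.0.0/16 hosts
    return len(nat.table), nat.failures


if __name__ == "__main__":
    print(simulate(5000, 20, ["198.51.100.1"]))  # one public IP: (65533, 34467)
    print(ips_needed(5000 * 20))                 # 2
```

Real NAT implementations can reuse a public port for flows to different destinations, so this model is the pessimistic per-flow bound the thread reasons with; the utilization figure is the number worth graphing on a NAT gateway before connections start failing.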