Networking & Protocols
NAT, addressing, and IPv6 deployment
WebRTC video calls need both parties to connect directly — but a typical user is behind two NAT layers. The STUN server has to tell each side its public IP and port. The TURN server relays the call if direct connection fails. Understanding why NAT exists, how it works, and what it breaks is essential for any full-stack engineer building peer-to-peer or real-time features.
RFC 1918 private addressing
IPv4’s 32-bit address space holds ~4.3 billion addresses. That ran out. RFC 1918 reserved three ranges for private use:
| Range (CIDR) | Classful label | Size |
|---|---|---|
| 10.0.0.0/8 | Class A private | 16.7 million |
| 172.16.0.0/12 | Class B private | 1 million |
| 192.168.0.0/16 | Class C private | 65,536 |
Hosts on private addresses cannot be reached directly from the public Internet. They can only initiate outbound connections (after which the NAT table holds the mapping for replies).
Network Address Translation (NAT)
NAT (RFC 2663) rewrites packets at the network boundary:
- Outgoing packet: source IP (private, e.g. 192.168.1.10) + source port (e.g. 45231) → rewritten to the router’s public IP + a unique source port (e.g. 203.0.113.5:12345). The router stores this mapping.
- Incoming reply: destination IP + port (203.0.113.5:12345) → router looks up the NAT table → rewrites back to 192.168.1.10:45231 and forwards to the internal host.
NAT let the IPv4 Internet grow past its address limit, but it fundamentally broke end-to-end addressing: the public Internet sees one IP for many internal hosts, and internal hosts cannot accept unsolicited inbound connections.
What NAT breaks:
- Peer-to-peer protocols (BitTorrent, VoIP, WebRTC): either peer may need to initiate the connection — NAT only admits connections initiated from inside.
- Port forwarding: must be configured manually for each service you want externally reachable.
- Abuse-tracking: a single public IP may hide hundreds of unrelated users.
Carrier-Grade NAT (CGNAT)
Mobile carriers and ISPs deploy CGNAT to share one public IPv4 address across hundreds or thousands of customers:
- Customer’s home router NATs to an address in 100.64.0.0/10 (RFC 6598 shared address space, reserved for carrier NAT).
- The carrier’s CGNAT translates again to a public IP.
Double NAT compounds the P2P problem. CGNAT users cannot host any service on their IP, and peer-to-peer NAT traversal is harder. Rate-limiting by IP is meaningless (hundreds of unrelated users share one IP).
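To make the rewrite rules and the double-NAT case concrete, here is an added simulation (not code from the original page) of a simplified endpoint-independent NAT, chained twice to model a home router behind CGNAT. The 100.64.1.7 WAN address and the second inside host are constructed; the other addresses are the page’s examples. Note that nothing in it inspects or blocks outbound traffic, which is why NAT alone is not a security control.

```python
from itertools import count

class Nat:
    """Simplified endpoint-independent NAT: an outbound packet creates a
    (private ip, port) -> public port entry; inbound packets are forwarded
    only if they match an entry. Nothing here inspects outbound traffic."""

    def __init__(self, public_ip, first_port):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.out_map = {}   # (inside_ip, inside_port) -> public_port
        self.in_map = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, src, dst):
        """Rewrite src to (public_ip, public_port), allocating a port on first use."""
        if src not in self.out_map:
            port = next(self._ports)
            self.out_map[src] = port
            self.in_map[port] = src
        return (self.public_ip, self.out_map[src]), dst

    def inbound(self, src, dst):
        """Rewrite dst back to the inside host, or return None if dropped."""
        ip, port = dst
        if ip != self.public_ip or port not in self.in_map:
            return None   # no mapping: unsolicited packet, silently discarded
        return src, self.in_map[port]

def traverse_out(nats, src, dst):
    """Packet leaving the customer: home NAT first, then the carrier's CGNAT."""
    for nat in nats:
        src, dst = nat.outbound(src, dst)
    return src, dst

def traverse_in(nats, src, dst):
    """Packet arriving from the Internet: CGNAT first, then the home NAT."""
    for nat in reversed(nats):
        pkt = nat.inbound(src, dst)
        if pkt is None:
            return None
        src, dst = pkt
    return src, dst

# Constructed topology: the home router's WAN side holds an RFC 6598 address,
# the carrier's CGNAT owns the only public IP (addresses from the page).
HOME = Nat("100.64.1.7", first_port=40000)
CARRIER = Nat("203.0.113.5", first_port=12345)
CHAIN = [HOME, CARRIER]
LAPTOP = ("192.168.1.10", 45231)
SERVER = ("198.51.100.20", 443)
```

A reply to the mapped public port walks back through both tables to the laptop, while a packet to any port without a mapping is dropped at the carrier before it ever reaches the home router.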
Working around NAT: STUN/TURN/ICE
WebRTC and modern P2P protocols use a three-tier approach:
- STUN (Session Traversal Utilities for NAT): a STUN server tells each peer its public IP and port as seen from outside the NAT. Peers try to connect directly using this information.
- TURN (Traversal Using Relays around NAT): if direct connection fails (e.g. symmetric NAT, CGNAT), a TURN server relays all traffic. Latency penalty; only fallback.
- ICE (Interactive Connectivity Establishment): the framework that iterates through STUN candidates, direct addresses, and TURN until one path works.
| Metric | Value |
|---|---|
| IPv4 public address pool | ~3.7 billion usable |
| CGNAT clients per public IP | 100–10,000 |
| IPv6 global traffic (2026) | ~45–50% |
| Google IPv6 milestone | 50.1% on 2026-03-28 |
| IPv6 /48 per site | 281 trillion /64 subnets |
| SLAAC interface ID (privacy ext.) | 64 bits, randomised per site |
IPv6 addresses: structure and SLAAC
IPv6 addresses are 128 bits, written as eight colon-separated hex groups. Shorthand: leading zeros omitted, longest run of zeros replaced by ::. Example: 2001:db8::1.
Typical allocation: /48 prefix to a site → /64 per subnet within the site. SLAAC (Stateless Address Autoconfiguration, RFC 4862) lets a host derive its own address:
- Router advertises a /64 prefix in Router Advertisement messages.
- Host generates the low 64 bits (interface ID) — originally EUI-64 derived from the MAC address, now random for privacy (RFC 8981 privacy extensions).
- Host checks for duplicates (Duplicate Address Detection), then starts using the address.
- No DHCP required for basic connectivity.
Privacy extensions (RFC 8981) randomise the interface ID per site to prevent cross-site tracking via IPv6 addresses. Modern OSes enable this by default.
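The address notation and the SLAAC interface-ID step above, as an added worked example (not from the original page): it derives a modified EUI-64 interface ID from a constructed MAC, forms the address from a /64 prefix, and shows that the MAC can be read straight back out of such an address, which is the tracking problem a random RFC 8981 interface ID avoids. The 2001:db8::/32 prefix and the MAC 00:1a:2b:3c:4d:5e are sample values.

```python
import ipaddress
import secrets

def canonical(text):
    """RFC 5952 text form: drop leading zeros, collapse the longest zero run to '::'."""
    return str(ipaddress.IPv6Address(text))

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291 App. A): split the 48-bit MAC,
    insert ff:fe in the middle, flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def random_interface_id():
    """RFC 8981-style temporary interface ID: 64 random bits, unrelated to the MAC."""
    return secrets.randbits(64)

def slaac_address(prefix, interface_id):
    """Combine the /64 prefix from a Router Advertisement with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    if interface_id >> 64:
        raise ValueError("interface ID must fit in 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | interface_id))

def mac_from_address(addr):
    """Recover the MAC from an EUI-64-derived address (the tracking problem privacy
    extensions solve), or None when the ff:fe marker is absent."""
    eui = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        return None
    mac = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:]
    return ":".join(f"{b:02x}" for b in mac)
```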
Anycast: one IP, many locations
Anycast announces the same IP prefix from multiple geographic locations. BGP routes each user to the AS-path-shortest POP. Applications: DNS resolvers (1.1.1.1, 8.8.8.8), CDN edges, root nameservers, DDoS-protected services.
Anycast works well for stateless services (UDP DNS) — each packet may go to a different POP. For stateful services (TCP, TLS), short flows are fine (BGP routing is stable for the duration), but long flows need either stable BGP or session-state replication across POPs (Cloudflare replicates TLS session tickets globally for this reason).
Dual-stack and Happy Eyeballs
Most current deployments run dual-stack: both IPv4 and IPv6 enabled simultaneously. IPv6-first for content delivery, IPv4 as fallback.
Happy Eyeballs v2 (RFC 8305): when a dual-stack host resolves a hostname, it races IPv4 and IPv6 connect attempts with a short head-start for IPv6. If IPv6 succeeds first, use it; if IPv4 wins or IPv6 stalls, use IPv4 — seamlessly, without user-visible delay. This makes IPv6 adoption safe even when IPv6 paths have intermittent problems.
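The staggered race described above, as an added asyncio sketch (not code from the original page or from any RFC 8305 implementation): attempts start in address order with IPv6 first, the next attempt begins after a 250 ms delay or as soon as the previous one fails, and the first success wins while the others are cancelled. The dialer and the two addresses are constructed so the three outcomes (healthy IPv6, black-holed IPv6, slow IPv6) can be reproduced offline.

```python
import asyncio

ATTEMPT_DELAY = 0.25   # RFC 8305 recommends about 250 ms between staggered attempts

async def happy_eyeballs(addrs, connect, attempt_delay=ATTEMPT_DELAY):
    """Start connect(addr) for each address in order (IPv6 sorted first, as the
    RFC 8305 address sort produces). A new attempt starts after attempt_delay, or
    immediately when an earlier one fails. Return the first success, cancel the rest."""
    pending, remaining = [], list(addrs)
    while pending or remaining:
        if remaining:
            pending.append(asyncio.create_task(connect(remaining.pop(0))))
        done, _ = await asyncio.wait(
            pending,
            timeout=attempt_delay if remaining else None,
            return_when=asyncio.FIRST_COMPLETED,
        )
        for task in done:
            pending.remove(task)
            if task.exception() is None:
                for other in pending:
                    other.cancel()    # the loser's handshake is abandoned
                return task.result()
    raise OSError("all connection attempts failed")

def make_connect(latency):
    """Constructed dialer: latency[addr] is seconds until the handshake completes,
    or None for a black-holed path that never answers."""
    async def connect(addr):
        if latency[addr] is None:
            await asyncio.sleep(60)   # stands in for the OS connect timeout
            raise OSError("timed out")
        await asyncio.sleep(latency[addr])
        return addr
    return connect

def race(latency):
    """Run the race against the constructed dialer; the sample addresses are IPv6 first."""
    addrs = ["2001:db8::1", "198.51.100.20"]
    return asyncio.run(happy_eyeballs(addrs, make_connect(latency)))
```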
Why this works
Why NAT does not provide security. NAT hides internal IP addresses from the public Internet, which some operators interpret as a security benefit. But NAT is not a firewall: it does not inspect traffic, does not enforce policy, and does not prevent an internal host that has been compromised from reaching out. A real stateful firewall is required regardless of whether NAT is present. Conflating NAT with security is a dangerous misconception in practice.
Why does NAT break true peer-to-peer protocols?
What does SLAAC allow an IPv6 host to do?
A startup runs services across 3 cloud regions and wants resilient global addressing. Pick the addressing strategy.
1. An engineer claims you cannot fix CGNAT issues from the application side. Where is the flaw in that argument?
2. Why does Happy Eyeballs v2 give IPv6 a head start but still fall back to IPv4?
3. What is anycast and what kinds of services use it?
RFC 1918 private ranges (10/8, 172.16/12, 192.168/16) let organisations reuse addresses internally; NAT at the boundary rewrites source IP+port so many internal hosts share one public IP. This extended IPv4’s life but broke end-to-end connectivity: inbound connections fail without explicit port-forwarding, and P2P protocols require STUN/TURN/ICE workarounds. CGNAT at mobile carriers adds a second NAT layer. IPv6’s 128-bit address space eliminates the need for NAT: every device gets a routable public address, SLAAC auto-configures without DHCP, and privacy extensions randomise the interface ID per site. Anycast uses BGP to route users to the geographically nearest copy of a service. Dual-stack + Happy Eyeballs v2 let applications race IPv4 and IPv6, migrating transparently as IPv6 deployment matures.