Richard Barnes

Using RIPE Atlas Metadata to Measure NATs

Richard Barnes
9

As part of the user interface to the RIPE Atlas network, users can see the first and second hops seen by certain probes. By looking for private addresses in these hops, we can learn something about how NATs are used in the Internet – in particular, that there's quite a lot of them!



The RIPE Atlas network is a measurement network operated by the RIPE NCC. It is comprised of many small physical devices (called "probes") that volunteer "probe hosts" connect to various networks.  I've been a proud probe host since I got my first two probes at RIPE 60, and I've been asking the RIPE NCC staff for a while to open up greater access to ATLAS data.

A few months ago, the Atlas team took an important step in that direction by allowing probe hosts to designate their probes as "public".  Once a probe is marked as public, other probe hosts can see certain information, such as its name, location, uptime and latency graphs. Currently over 480 probes are marked as public.

Information pages for public probes also list the first two IP addresses that show up in a traceroute performed by the probe.  One thing that's interesting about these first-hop and second-hop IP addresses is that many of them are private, RFC 1918 addresses.  The use of private addresses of course, implies that there is some sort of Network Address Translation (NAT) device between the probe and the Internet.  So we can learn about how people use NATs by looking at the first- and second-hop addresses that probes see.

RFC 1918 defines three different prefixes for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.  The first question we can ask of the Atlas data set is how commonly each of these subnets gets used.

Network % of 1st hops % of second hops
10.0.0.0/8 12% 9%
172.16.0.0/12 5% 2%
192.168.0.0/16 34% 4%
public 49% 86%

In fact, one single address (192.168.1.1) is a first hop for 10.4% of the public probes.  Presumably this is because many home routers are configured to perform NAT by default, using addresses within 192.168.1.0/24, and not because of a single giant router!  No second-hop router had anything close to this level of popularity.

Taking this a step further, we can look at a "transfer table" describing how often packets go from one class of address on the first hop to another class on the second hop.  We can group these transfers into five broad classes, in increasing order of "badness":

1. All Public (42.6%): Both first and second hops are public (i.e., not RFC 1918 space) 
2. Private to public (39.2%): The first hop is private, but the second is not. 
3. Multiple hops within NAT domain (6.2%): Both hops are private, within the same RFC 1918 prefix. 
4. Hops between NAT domains (5.3%): Both hops are private, but in different RFC 1918 prefixes.   
5. Public to private (2.8%): First hop is public, but second hop is private.

Pie chart of NAT behaviors The first two of these classes are the ones we would definitely expect to see.  Obviously, having direct access to the Internet is the best case.  Connecting through one NAT is second-best, and a very common case for residential users that connect through a "home gateway" such as a cable, DSL, or 3G modem.  Having multiple hops within a NAT domain is only a little way from the "private to public" case, and is mainly an indication of the size of the NAT domain.

Cases (3) and (4) are more unusual. Hopping between NAT domains very likely indicates that the probe has to traverse two NATs before reaching the Internet, far from optimal connectivity.  Hopping from public to private address space seems strange on the face of it, and it's unclear what the implication is.  This situation could arise from double-NATting, with public addresses on the inside, but it might also happen in certain cases where an ISP uses private addresses for some router interfaces.

The main thing to take away from these results is that while the more standard cases (1) and (2) are prevalent, they are not completely dominant; they cover only around 82% of probes.  The more striking number is that around 8% of probes are in categories (3) and (4), which both likely require that there be two NATs between the probe and the Internet.  There's obviously some sampling bias in these numbers, since Atlas probes aren't everywhere.  But given that probe hosts are by and large technical people, one might suppose that the real Internet is no *better* than these numbers indicate.  The Internet is always weirder than you expect it to be! 

9

You may also like

View more

About the author

Richard Barnes Based in Arlington, VA

Comments 9