The U-verse Residential Gateway and NAT

Summary

The U-verse service cannot be used without the AT&T-provided and owned 2WIRE 3800 HGV-B Residential Gateway, which includes a network address translator that cannot be completely bypassed. NATs are common in home and small business networks, so if you already operate with one this does not create any new problems. But NATs are a serious obstacle if you run certain applications or almost any kind of server, particularly if you have more than one computer.

As with its DSL services, AT&T makes optional static IP address blocks available with U-verse. But this traffic must also pass through the RG, which has some serious problems in handling it. I will have more to say about static IP addressing and U-verse here.

Discussion

Most residential and small business broadband Internet services (but not U-verse) provide DSL or cable modems that are relatively "transparent". The ISP generally assigns a single public IP address to whatever device the user connects directly to the modem with an Ethernet cable.

Generally this device is a small home or office residential gateway. (Here I use the term generically, as opposed to the specific model of residential gateway - the 2Wire 3800 - that AT&T provides to U-verse users and which must be used with it.) They are often referred to as routers, although that term is more properly applied to a different set of functions that are more likely found in larger commercial networks. In particular, most small "routers" are in fact network address translators (NATs), sometimes erroneously referred to as firewalls. (More on this later.)

NAT is well known among Internet engineers for the serious disruption it has wrought to the Internet architecture. Before NAT, any computer could act as client or server using any mutually agreed transport and application protocol. Now, without additional hacks it is impossible for a computer on the external Internet to initiate a session (a TCP connection or an exchange of UDP packets) to a computer on the private side of a NAT. And it has become almost impossible to experiment with new Internet transport protocols aside from TCP and UDP.

This is not a problem for many people because they use a small, well-defined set of Internet applications that are all TCP or UDP clients. When they surf the web or read mail, they initiate every transaction to the servers on the external Internet. But it can be useful for the individual to run his own servers that can be accessed from the outside. This includes peer-to-peer file sharing, which despite much negative press has many perfectly legitimate uses, or simply accessing one's own computers at home while traveling.

NATs are sometimes erroneously referred to as firewalls because of this inherent blocking of all incoming transactions. But a true firewall can be turned off when it is in the way; the NAT's "firewall" is inherent even when you don't want it.

The sad fact, however, is that NAT has become almost universal on most home and small business networks because of the shortage of IPv4 addresses. Most retail broadband ISPs give only a single public IP address to each customer unless they pay for more, so most customers with more than one computer use a NAT.

However, with most broadband DSL and cable modem offerings, the modem is essentially transparent and the single public IP address is owned by whatever device the user connects to it. If the user has only a single computer, he has the option of connecting it directly to the modem and avoiding NAT. In this case he will usually activate some sort of built-in protection against malicious externally initiated traffic, e.g., to the file sharing services on his computer. This usually takes the form of a built-in firewall such as ZoneAlarm on Windows, the built-in firewall in Mac OS X, ipfirewall in FreeBSD and related systems, or the iptables facility in Linux.

Or the user with multiple computers and NAT-compatible applications can elect to use a NAT. The important thing is that the user selects the device that will be assigned the single public IP address, and it need not be a simple NAT. Even if it contains a NAT, it may also include a 6to4 or Virtual Private Network (VPN) tunnel implemented with IPsec or OpenVPN, all of which can provide important avenues around the inherent limitations of the simple NAT.

This is not the case with U-verse because it is a Triple Play service that provides video, phone and Internet access over a single VDSL2 link. It cannot be used without the RG, whose built-in NAT services the built-in VoIP adapter and video control subsystems as well as any computers on the local network. This built-in NAT always "owns" the public IP address, and the RG does not implement a 6to4 or VPN tunnel.

In common with many other NATs, the RG has a "DMZplus" feature whereby a single computer on the local network can be configured with the single public IP address that is ordinarily assigned to the RG itself. This is as close as you can get to getting the RG's NAT out of the way. But of course the NAT is still present, as it must be to service the voice and video services.
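To make concrete both the "inherent firewall" described earlier (an outside host cannot initiate a session through the NAT) and the DMZplus workaround above, here is a small model of a NAT's translation table. This is an added illustration, not code from the original page or from the 2Wire gateway; the addresses, ports and the `dmz_host` setting are constructed sample values.

```python
# Added illustration (not from the original page): a minimal model of a NAT's
# connection-tracking table, showing why an externally initiated session is
# dropped unless a DMZplus-style default host is configured.
# All addresses and ports below are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: the single address the RG "owns"

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Nat:
    public_ip: str = PUBLIC_IP
    dmz_host: Optional[str] = None   # DMZplus: unmatched inbound traffic goes here
    next_port: int = 40000           # next public port to hand out
    # (remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
    table: Dict[Tuple[str, int, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate a public port and record the mapping."""
        key = (pkt.dst_ip, pkt.dst_port, self.next_port)
        self.table[key] = (pkt.src_ip, pkt.src_port)
        self.next_port += 1
        return Packet(self.public_ip, key[2], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only if state exists, else DMZplus host, else drop."""
        lan = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if lan is not None:
            return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1])
        if self.dmz_host is not None:
            # DMZplus: the one designated LAN host receives everything unmatched
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None   # no state and no DMZ host: the NAT's "inherent firewall"

def demo():
    nat = Nat()
    # A LAN client opens a web connection; the server's reply matches state and is delivered.
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    reply = nat.inbound(Packet("198.51.100.5", 80, PUBLIC_IP, out.src_port))
    # An outside host tries to open SSH to a LAN server: no state, so it is dropped.
    unsolicited = nat.inbound(Packet("198.51.100.7", 4444, PUBLIC_IP, 22))
    # With DMZplus pointing at that server, the same packet is delivered to it.
    nat.dmz_host = "192.168.1.20"
    dmz = nat.inbound(Packet("198.51.100.7", 4444, PUBLIC_IP, 22))
    return reply, unsolicited, dmz
```

Note that even with DMZplus the translation step still happens; the NAT is merely given a default destination for traffic it has no state for, which is why the page calls it the closest one can get to removing the NAT rather than actually removing it.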

A somewhat cleaner configuration would dedicate one IP address for VoIP and/or video control and a second address to the user's computer network. However, by far the cleanest alternative for those who want to avoid NATs entirely is to obtain an additional block of public IP addresses that you can assign directly to your own computers. AT&T makes these extra addresses available at prices considerably lower than Time Warner Cable, who makes them available only to business accounts, and this was what finally led me to give U-verse a try.

I will have much more to say about static IP addresses on U-verse here.


Last modified: Wed Jan 20 03:49:03 PST 2010