Network address translation: Difference between revisions
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
{| class="wikitable" |
{| class="wikitable" |
||
| |
| |
||
<br />! header 1 |
|||
! <</gallery> |
|||
|}In [[Computer Network]]ing, the process of '''Network Address Translation''' ('''NAT''', also known as '''Network Masquerading''', '''Native Address Translation''' or '''IP Masquerading''') involves re-writing the source and/or destination [[IP address|address]]es of [[Internet Protocol|IP]] [[packet]]s as they pass through a [[Router]] or [[Firewall (networking)|firewall]]. Most systems using NAT do so in order to enable multiple [[node (networking)|host]]s on a [[private network]] to access the [[Internet]] using a single public IP address (see [[gateway (telecommunications)|gateway]]). Many [[network administrator]]s find NAT a convenient technique and use it widely. Nonetheless, NAT can introduce complications in communication between hosts and may have a performance impact. |
|}In [[Computer Network]]ing, the process of '''Network Address Translation''' ('''NAT''', also known as '''Network Masquerading''', '''Native Address Translation''' or '''IP Masquerading''') involves re-writing the source and/or destination [[IP address|address]]es of [[Internet Protocol|IP]] [[packet]]s as they pass through a [[Router]] or [[Firewall (networking)|firewall]]. Most systems using NAT do so in order to enable multiple [[node (networking)|host]]s on a [[private network]] to access the [[Internet]] using a single public IP address (see [[gateway (telecommunications)|gateway]]). Many [[network administrator]]s find NAT a convenient technique and use it widely. Nonetheless, NAT can introduce complications in communication between hosts and may have a performance impact. |
||
Revision as of 10:19, 13 July 2007
In Computer Networking, the process of Network Address Translation (NAT, also known as Network Masquerading, Native Address Translation or IP Masquerading) involves re-writing the source and/or destination addresses of IP packets as they pass through a Router or firewall. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address (see gateway). Many network administrators find NAT a convenient technique and use it widely. Nonetheless, NAT can introduce complications in communication between hosts and may have a performance impact.
Overview
NAT first became popular as a way to deal with the IPv4 address shortage and to avoid all the difficulty of reserving IP addresses. NAT has proven particularly popular in countries other than the United States, which (for historical reasons) have fewer address-blocks allocated per capita. It has become a standard feature in routers for home and small-office Internet connections, where the price of extra IP addresses would often outweigh the benefits.
In a typical configuration, a local network uses one of the designated "private" IP address subnets (the RFC 1918 Private Network Addresses are 192.168.x.x, 172.16.x.x through 172.31.x.x, and 10.x.x.x - using CIDR notation, 192.168/16, 172.16/12, and 10/8), and a router on that network has a private address (such as 192.168.0.1) in that address space. The router is also connected to the Internet with a single "public" address (known as "overloaded" NAT) or multiple "public" addresses assigned by an ISP. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from the private addresses to the public address(es). The router tracks basic data about each active connection (particularly the destination address and port). When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine where on the internal network to forward the reply; the TCP or UDP client port numbers are used to demultiplex the packets in the case of overloaded NAT, or IP address and port number when multiple public addresses are available, on packet return. To a system on the Internet, the router itself appears to be the source/destination for this traffic.
It has been argued that the wide adoption of IPv6 would make NAT useless, as the latter is a method of handling the shortage of IPv4 address space. However, this argument either ignores the natural firewall provided by NAT, or assumes that consumer-grade network routing devices (which are often installed by purchasers lacking knowledge of firewall configuration) would always be factory configured to block incoming server requests.
Drawbacks
Hosts behind NAT-enabled routers do not have true end-to-end connectivity and cannot participate in some Internet protocols. Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts ("passive mode" FTP, for example), sometimes with the assistance of an Application Layer Gateway (see below), but fail when both systems are separated from the Internet by NAT. Use of NAT also complicates tunneling protocols such as IPsec because NAT modifies values in the headers which interfere with the integrity checks done by IPsec and other tunneling protocols.
End-to-end connectivity has been a core principle of the Internet, supported for example by the Internet Architecture Board. Current Internet architectural documents observe that NAT is a violation of the End-to-End Principle, but that NAT does have a valid role in careful design [1]. There is considerably more concern with the use of IPv6 NAT, and many IPv6 architects believe IPv6 was intended to remove the need for NAT[2].
Some Internet service providers (ISPs) only provide their customers with "local" IP addresses. Thus, these customers must access services external to the ISP's network through NAT. As a result, some[who?] may argue that such companies do not properly provide "Internet" service.
Depending on one's point of view, another drawback of NAT is that it greatly slowed the acceptance of IPv6, relegating it to research networks and limited public use.[citation needed]
Benefits
In addition to the convenience and low cost of NAT, the lack of full bidirectional connectivity can be regarded in some situations as a feature rather than a limitation. To the extent that NAT depends on a machine on the local network to initiate any connection to hosts on the other side of the router, it prevents malicious activity initiated by outside hosts from reaching those local hosts. This can enhance the reliability of local systems by stopping worms and enhance privacy by discouraging scans. Many NAT-enabled firewalls use this as the core of the protection they provide.
The greatest benefit of NAT is that it is a practical solution to the impending exhaustion of IPv4 address space. Networks that previously required a Class B IP range or a block of Class C network addresses can now be connected to the Internet with as little as a single IP address (many home networks are set up this way). The more common arrangement is having machines that require true bidirectional and unfettered connectivity supplied with a 'real' IP address, while having machines that do not provide services to outside users tucked away behind NAT with only a few IP addresses used to enable Internet access.
Basic NAT vs port number translation
Two kinds of network address translation exist. The type popularly called simply "NAT" (also sometimes named "Network Address Port Translation" or "NAPT" or even PAT) refers to network address translation involving the mapping of port numbers, allowing multiple machines to share a single IP address. The other, technically simpler, form - also called NAT or "one-to-one NAT" or "basic NAT" or "static NAT" - involves only address translation, not port mapping. This requires an external IP address for each simultaneous connection. Broadband routers often use this feature, sometimes labelled "DMZ host", to allow a designated computer to accept all external connections even when the router itself uses the only available external IP address.
NAT with port-translation comes in two sub-types: source address translation (source NAT), which re-writes the IP address of the computer which initiated the connection; and its counterpart, destination address translation (destination NAT). In practice, both are usually used together in coordination for two-way communication.
NAT and TCP/UDP
"Pure NAT", operating on IP alone, will correctly pass protocols that are totally concerned with IP information, such as ICMP. As soon as the protocol stack is climbed, even with such basic protocols such TCP and UDP, the protocols will break unless NAT takes action beyond the network layer.
IP has a checksum in each packet header, which provides error detection only for the header. The major transport layer protocols, TCP and UDP, have a checksum that covers all the data they carry, as well as the TCP/UDP checksum, plus a "pseudo-header" that contains the source and destination IP addresses of the packet carryin the TCP/UDP header.
TCP and UDP have, in their header, a checksum field for error detection on the entire segment, which, in the case of TCP, may be composed of many packets. This checksum is computed from information that includes the IP addresses of the first packet that makes up the TCP message. For a NAT to successfully pass TCP, it must recompute the TCP header checksum based on the translated IP addresses, not the original ones, and put that checksum into the TCP header. Subsequent packets in the TCP flow do not have headers and thus will pass with no problem.
UDP has an equivalent checksum that also must be recomputed.
Applications affected by NAT
Some higher-layer protocols (such as FTP and SIP) send network layer address information inside application payloads. FTP in active mode, for example, uses separate connections for control traffic (commands) and for data traffic (file contents). When requesting a file transfer, the host making the request identifies the corresponding data connection by its layer 3 and layer 4 addresses. If the host making the request lies behind a simple NAT firewall, the translation of the IP address and/or TCP port number makes the information received by the server invalid.
An Application Layer Gateway (ALG) can fix this problem. An ALG software module running on a NAT firewall device updates any payload data made invalid by address translation. ALGs obviously need to understand the higher-layer protocol that they need to fix, and so each protocol with this problem requires a separate ALG.
Another possible solution to this problem is to use NAT traversal techniques using protocols such as STUN or ICE or proprietary approaches in a session border controller. NAT traversal is possible in both TCP- and UDP-based applications, but the UDP-based technique is simpler, more widely understood, and more compatible with legacy NATs. In either case, the high level protocol must be designed with NAT traversal in mind, and it does not work reliably across symmetric NATs or other poorly-behaved legacy NATs.
Other possibilities are UPnP (Universal Plug and Play) or Bonjour (NAT-PMP), but these require the cooperation of the NAT device.
Most traditional client-server protocols (FTP being the main exception), however, do not send layer 3 contact information and therefore do not require any special treatment by NATs. In fact, avoiding NAT complications is practically a requirement when designing new higher-layer protocols today.
NATs can also cause problems where IPsec encryption is applied and in cases where multiple devices such as SIP phones are located behind a NAT. Phones which encrypt their signalling with IPsec encapsulate the port information within the IPsec packet meaning that NA(P)T devices cannot access and translate the port. In these cases the NA(P)T devices revert to simple NAT operation. This means that all traffic returning to the NAT will be mapped onto one client causing the service to fail. There are a couple of solutions to this problem, one is to use TLS which operates at level 4 in the OSI Reference Model and therefore does not mask the port number, or to Encapsulate the IPsec within UDP - the latter being the solution chosen by TISPAN to achieve secure NAT traversal.
Different types of NAT
Applications that deal with NAT sometimes need to characterize NAT by type. The STUN protocol [3] proposed to characterize Network address translation as Full cone NAT, restricted cone NAT, port restricted cone NAT or symmetric NAT.[4]
With full cone NAT, also known as one-to-one NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port. An external host can send a packet to the internal host, by sending a packet to the mapped external address.
With restricted cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host can send a packet to the internal host only if the internal host had previously sent a packet to it.
Port restricted cone NAT or symmetric NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet to a particular port on the internal host only if the internal host had previously sent a packet from that port to the external host.
With symmetric NAT all requests from the same internal IP address and port to a specific destination IP address and port are mapped to a unique external source IP address and port. If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used. Only an external host that receives a packet can send a UDP packet back to the internal host.
This classification is now abandoned, because many NAT implementations oscillate between the various types. For example, many NAT implementations follow a port preservation design. For most communications, they will use the same values as internal and external port numbers. However, if two internal hosts attempt to communicate with the same external host using the same port number, the external port number used by the second host will be chosen at random. Such NAT will be sometimes perceived as restricted cone NAT and other times as symmetric NAT.
Other examples of use
- Load Balancing: Destination NAT can redirect connections pointed at some server to randomly selected servers.
- Failover: Destination NAT can be used to set up a service requiring high availability. If a system involves a critical server accessed through a router, and if the router detects that that server has gone down, it could use destination NAT to transparently re-route a connection to arrive on a backup server.
- Transparent proxying: NAT can redirect HTTP connections targeted at the Internet to a special HTTP proxy which can cache content and filter requests. Some internet service providers use this technique to reduce bandwidth usage without requiring their clients to configure their web browser for proxy support.
- Overlapping Networks: Advanced NAT configurations can connect two networks that have overlapping addresses, such as Private addresses, and this is a very useful feature for companies that have just started to merge their networks. This requires that both Source & Destination IP addresses be replaced at the same time, fooling each other's networks.
Popular NAT software
- IPFilter
- PF (firewall): The OpenBSD Packet Filter.
- iptables masquerading
- Berkeley Software Distribution natd
- Internet Connection Sharing (ICS)
- WinGate
- Cisco IOS
- mcse IOS
See also
- Port address translation (PAT, can be used in conjunction with NAT)
- Firewall (networking)
- Proxy server
- Middlebox
- Routing
- Gateway (telecommunications)
- Subnet
- IPv6
- AYIYA (IPv6 over IPv4 UDP thus working IPv6 tunneling over most NATs)
- IPv4 address exhaustion
- Private IP address
- Internet Connection Sharing
- Port forwarding
- STUN: Simple Traversal of UDP over NATs
- Teredo tunneling: NAT traversal using IPv6
- Internet Gateway Device (IGD): UPnP NAT traversal solution
External links
- Characterization of different TCP NATs – Paper discussing the different types of NAT
- Anatomy: A Look Inside Network Address Translators – Volume 7, Issue 3, September 2004
- HowStuffWorks: How Network Address Translation Works by Jeff Tyson
- NAT traversal techniques in multimedia Networks – White Paper from Newport Networks
- Peer-to-Peer Communication Across Network Address Translators (PDF) – NAT traversal techniques for UDP and TCP
- RFC 4008 – Standards Track – Definitions of Managed Objects for Network Address Translators (NAT)
- RFC 3022 – Traditional IP Network Address Translator (Traditional NAT)
- RFC 1631 – Obsolete – The IP Network Address Translator (NAT)
- nat-traverse – Tool to establish tunnels through NAT gateways without need for reconfiguration of the involved routers
- Speak Freely End of Life Announcement – John Walker's discussion of why he stopped developing a famous program for free internet communication, part of which is directly related to NAT.
- NATs, IPsec and VoIP – White paper looks at the issues of IPsec and NAT devices and how UDP encapsulation of IPsec solves the problems.
- Cisco IOS NAT Application Layer Gateway
- Alternative Taxonomy