Network Address Translation (NAT) : Scott Rixner

1. Network Address Translation (NAT) allows multiple devices on a private network to share a single public IP address to access the internet. It works by translating the private IP addresses and port numbers in network packets to public IP addresses and port numbers.
2. When a device on the private network initiates an outbound connection, the NAT device replaces the source IP address and port number with its own public IP address and an available port number. For inbound packets, it reverses the process by looking up the destination private address based on the public address and port number.
3. NAT can operate in different modes like one-to-one mapping, static NAT, or port address translation (PAT). PAT allows multiple private
Copyright
© Attribution Non-Commercial (BY-NC)

Network Address Translation (NAT)
Scott Rixner
Review: Private IPv4 Addressing
 Not routable on public internet
 No chance of conflict with a valid public IP
 Why do I want private addresses?
   Not every printer / fax machine / iPod / etc. needs to be publicly accessible from the Internet
   Useful for local collections of computers not connected to internet

Name          IP address range                 Number of IPs
24-bit block  10.0.0.0 – 10.255.255.255        16,777,216
20-bit block  172.16.0.0 – 172.31.255.255      1,048,576
16-bit block  192.168.0.0 – 192.168.255.255    65,536

Network Systems Architecture 2


Preview: TCP and UDP
 Two common protocols nested inside IP packets
 TCP
   Reliability guaranteed
   Connection-based
   Stream of data between two endpoints
   Must explicitly open and close
 UDP
   Delivery not guaranteed
   No connections
   Each packet is independent (like IP)
 Each protocol uses port numbers to distinguish between independent data streams


Network Address Translation
 Translate / route packets between one IP address space and another
 Commonly translates from private IP range to public IP range (but the concept can be generalized to two public address ranges)
 Accomplished by modifying packet header fields:
   Source address
   Destination address
   Port number (carried in the TCP/UDP header)
   IP / TCP / UDP checksums
 Not every NAT technique modifies every field!


Network Address Translation
[Figure: Network A (internal) – NAT – Network B (external); the figure is stamped "TOP SECRET" on the internal side]
 Network A
   Multiple computers trying to access network B
   Don’t want to reveal network A’s structure to network B
 Network B
   Traffic from network A appears with addresses in Network B’s space
   May be mapped as single or multiple addresses


Is a NAT Device a Router?
 Internal and External networks are completely separate
   MAC addresses are not propagated across NAT unit – just like a router!
 IP packets must be routed to NAT to reach external network
   The NAT unit is often the final router on the internal network
 Most actual NAT devices contain a built-in 2-port router with a minimal set of routing capabilities
   Table lookups
   Modify packet headers
   Recalculate checksums


Why Use Address Translation?
 Allows multiple hosts on private network to access public network through a single address
   Overcomes policy problems (e.g. buying extra IPs from your ISP costs $$)
   Overcomes IPv4 address shortages in developing world
 Disguises internal network structure
   All requests appear to originate from NAT unit
   Increases “security”
 Allows you to use entire 10.x.x.x private address space and remap to smaller public address range
   Very convenient for clean network topology and simplified router forwarding tables


Types of Translation
 Terms are used interchangeably
 Network Address Translation (NAT)
   Translates only the address fields, not ports
   Every machine on network A gets a unique address on network B
 Port Address Translation (PAT)
   Translates address and port numbers
   Allows multiple machines on network A to share single IP address on network B
   All requests appear to come from PAT unit


Network Address Translation Types
 One-to-One Mapping
   Every internal IP gets a different external IP
 Static
   Internal IP is always mapped to same external IP
 Dynamic / Pooled
   Internal IP is mapped to random external IP
[Figure: PC 1 (192.168.32.10), PC 2 (192.168.32.12) and PC 3 (192.168.32.15) on the internal side of the NAT; on the public network they appear as 213.18.15.110, 213.18.15.111 and 213.18.15.112]

NAT Mapping Table: Static or Dynamic
Internal IP      External IP
192.168.32.10    213.18.15.116
192.168.32.12    213.18.15.112
192.168.32.15    213.18.15.125
…                …

Not shown in Table: MAC Addresses!


NAT Mechanics – Outbound Packet
[Figure: PC 1 (192.168.32.10) on the internal network – NAT (213.18.15.116) – Internet – PC 2 (128.42.218.97); MAC addresses A (PC 1), B (NAT, internal interface), C (NAT, external interface), X (next hop on the external network), Y and Z (further hops toward PC 2)]

Packet layout:
Ethernet Header       IP Header                              Data
Dst MAC  Src MAC  …   …  IP Csum  Src IP  Dst IP  …          Payload  CRC

Before NAT (internal network):
B        A        …   …  IP Csum  PC 1    PC 2    …          Payload  CRC

After NAT (external network):
X        C        …   …  IP Csum  NAT     PC 2    …          Payload  CRC

 Save internal IP and MAC to mapping table
 Replace source IP and MAC with NAT unit
 Recalculate checksums (Ethernet CRC, IP header, TCP/UDP/… headers)


NAT Mechanics – Inbound Packet
[Figure: same topology as the outbound case; the packet now travels from PC 2 (128.42.218.97) across the Internet to the NAT (213.18.15.116) and on to PC 1 (192.168.32.10)]

Packet layout:
Ethernet Header       IP Header                              Data
Dst MAC  Src MAC  …   …  IP Csum  Src IP  Dst IP  …          Payload  CRC

Before NAT (external network):
C        X        …   …  IP Csum  PC 2    NAT     …          Payload  CRC

After NAT (internal network):
A        B        …   …  IP Csum  PC 2    PC 1    …          Payload  CRC

 Lookup Dst IP in mapping table. Only forward if match found
 Replace Dst IP and MAC with private address
 Update checksums (CRC, IP, TCP/UDP/…)


NAT Mechanics – Inbound Packet
[Figure: same topology; a packet from PC 2 (128.42.218.97) arrives at the NAT unit (213.18.15.116) from the external side]
 What happens if a router sends a packet to the NAT unit, but no valid mapping exists for the destination IP?
   Packet is dropped
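The outbound and inbound steps of the last three slides, as an added example (Python; this is not code from the slides): a pooled one-to-one NAT that rewrites the IPv4 source or destination address, recomputes the RFC 1071 header checksum, and drops an inbound packet that has no mapping. The address pool, hosts and packets are constructed from the figures' values; the Ethernet/MAC rewriting step and the transport-layer checksum are left out so the block stays short.

```python
import ipaddress
import struct

# Added example (not from the slides): a one-to-one, pooled NAT that rewrites the
# IPv4 source/destination address and recomputes the IP header checksum.
# Addresses are constructed from the slides' figures; Ethernet header / MAC
# rewriting is omitted and the sample packets carry no transport header.


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.

    Over a header whose checksum field is zero it yields the value to store;
    over a header that already carries a correct checksum it yields 0, which
    is how a receiver verifies the header.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes = b"", proto: int = 6) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) with a valid checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def header_checksum_ok(packet: bytes) -> bool:
    """Receiver-side check: a correct header sums to zero."""
    return ipv4_checksum(packet[:20]) == 0


def _rewrite(packet: bytes, offset: int, new_ip: str) -> bytes:
    """Overwrite the address at `offset` (12 = src, 16 = dst) and fix the checksum."""
    hdr = bytearray(packet[:20])
    hdr[offset:offset + 4] = ipaddress.IPv4Address(new_ip).packed
    hdr[10:12] = b"\x00\x00"                # zero the field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


class OneToOneNAT:
    """Dynamic/pooled one-to-one NAT: each internal IP gets its own external IP."""

    def __init__(self, external_pool):
        self.free = list(external_pool)     # unused external addresses
        self.out_map = {}                   # internal IP -> external IP
        self.in_map = {}                    # external IP -> internal IP

    def outbound(self, packet: bytes) -> bytes:
        """Packet leaving the internal network: allocate a mapping if needed, rewrite src."""
        src = str(ipaddress.IPv4Address(packet[12:16]))
        if src not in self.out_map:         # first packet from this host
            if not self.free:
                raise RuntimeError("external address pool exhausted")
            ext = self.free.pop(0)
            self.out_map[src] = ext
            self.in_map[ext] = src
        return _rewrite(packet, 12, self.out_map[src])

    def inbound(self, packet: bytes):
        """Packet arriving on the external side; None means 'no mapping, drop it'."""
        dst = str(ipaddress.IPv4Address(packet[16:20]))
        internal = self.in_map.get(dst)
        if internal is None:
            return None
        return _rewrite(packet, 16, internal)


if __name__ == "__main__":
    nat = OneToOneNAT(["213.18.15.116", "213.18.15.112", "213.18.15.125"])
    out = nat.outbound(build_ipv4_packet("192.168.32.10", "128.42.218.97", b"hi"))
    print("outbound src:", ipaddress.IPv4Address(out[12:16]), header_checksum_ok(out))
    back = nat.inbound(build_ipv4_packet("128.42.218.97", "213.18.15.116"))
    print("inbound dst:", ipaddress.IPv4Address(back[16:20]))
    print("unmapped:", nat.inbound(build_ipv4_packet("128.42.218.97", "213.18.15.125")))
```

The checksum is recomputed from scratch after each rewrite; production NAT code usually applies the RFC 1624 incremental update instead, but the result must be the same, and `header_checksum_ok` is the receiver's view of whether the unit got it right.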


Port Address Translation
 IP Overloading
   Many internal IPs are mapped to one (or a few) external IPs
 TCP/UDP port number is also changed and used to identify unique connections between internal and external hosts
 Usually dynamic
[Figure: PC 1 (192.168.32.10, port 1701), PC 2 (192.168.32.12, port 1831) and PC 3 (192.168.32.15, port 1200) behind the NAT all appear on the public network as 213.18.15.116, with ports 1501, 1502 and 1503]

NAT Mapping Table
Internal IP      Internal Port   External IP      External Port
192.168.32.10    1701            213.18.15.116    1501
192.168.32.12    1831            213.18.15.116    1502
192.168.32.15    1200            213.18.15.116    1503
…                …               …                …

Not shown in Table: MAC Addresses!


Clearing Mappings
 When should a mapping be removed from a NAT?
   Static NAT – Never?
   Dynamic NAT – Only if the host is idle for a long time?
 When should a mapping be removed from a PAT?
   TCP – Close of connection or reasonable timeout
     Connection is framed by SYN and FIN packets
   UDP – Unable to determine close of “connection”, so must use reasonable timeout instead
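The PAT mapping table of the previous slide and the removal rules of this one, as an added example (Python; not code from the slides): a PAT that allocates external ports per flow, expires TCP mappings after a FIN in each direction or an idle timeout and UDP mappings after an idle timeout only, and keeps administrator-inserted static entries forever. Packets are reduced to their 5-tuple plus TCP flags; the addresses, ports and idle limits are constructed values, not anything the slides specify.

```python
from dataclasses import dataclass, replace

# Added example (not from the slides): a port address translation table with
# port allocation, static entries and mapping expiry. Packets are simplified to
# a 5-tuple plus TCP flags; all addresses, ports and timeouts are constructed.


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()  # TCP flags seen, e.g. frozenset({"SYN"})


@dataclass
class Mapping:
    proto: str
    internal_ip: str
    internal_port: int
    external_port: int
    last_seen: float
    static: bool = False            # administrator-inserted; never expires
    fin_count: int = 0              # FINs seen; one per direction closes a TCP flow


class PAT:
    TCP_IDLE = 7200.0               # assumed idle limits in seconds (constructed)
    UDP_IDLE = 300.0

    def __init__(self, external_ip: str, first_port: int = 1501):
        self.external_ip = external_ip
        self.next_port = first_port
        self.by_external = {}       # (proto, external port) -> Mapping
        self.by_internal = {}       # (proto, internal ip, internal port) -> Mapping

    def add_static(self, proto, external_port, internal_ip, internal_port):
        """Static inbound mapping, e.g. forward external TCP/80 to a web server."""
        m = Mapping(proto, internal_ip, internal_port, external_port, 0.0, static=True)
        self.by_external[(proto, external_port)] = m
        self.by_internal[(proto, internal_ip, internal_port)] = m

    def _allocate(self, pkt, now):
        """Pick the next unused external port for a new outbound flow."""
        while (pkt.proto, self.next_port) in self.by_external:
            self.next_port += 1
        m = Mapping(pkt.proto, pkt.src_ip, pkt.src_port, self.next_port, now)
        self.next_port += 1
        self.by_external[(m.proto, m.external_port)] = m
        self.by_internal[(m.proto, m.internal_ip, m.internal_port)] = m
        return m

    def _note_fin(self, m, pkt):
        if pkt.proto == "tcp" and "FIN" in pkt.flags:
            m.fin_count += 1

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Internal -> external: reuse or allocate a mapping, rewrite src ip/port."""
        m = self.by_internal.get((pkt.proto, pkt.src_ip, pkt.src_port)) or self._allocate(pkt, now)
        m.last_seen = now
        self._note_fin(m, pkt)
        return replace(pkt, src_ip=self.external_ip, src_port=m.external_port)

    def inbound(self, pkt: Packet, now: float):
        """External -> internal: translated packet, or None when no mapping exists (drop)."""
        m = self.by_external.get((pkt.proto, pkt.dst_port))
        if m is None:
            return None
        m.last_seen = now
        self._note_fin(m, pkt)
        return replace(pkt, dst_ip=m.internal_ip, dst_port=m.internal_port)

    def expire(self, now: float):
        """Drop dynamic mappings: TCP after both FINs or idle limit, UDP after idle limit."""
        removed = []
        for key, m in list(self.by_external.items()):
            if m.static:
                continue
            limit = self.TCP_IDLE if m.proto == "tcp" else self.UDP_IDLE
            if (m.proto == "tcp" and m.fin_count >= 2) or now - m.last_seen > limit:
                del self.by_external[key]
                del self.by_internal[(m.proto, m.internal_ip, m.internal_port)]
                removed.append(key)
        return removed
```

The FIN counting is the simplification the slide describes (a connection framed by SYN and FIN); a real PAT also handles RST, half-closed connections and retransmitted FINs, which is why a timeout backs up the close detection even for TCP.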


Home Broadband “Router”
 What is this device?
   Port Address Translation (PAT), plus a…
   4-port switch
   Router
   DHCP server
   Wireless access point?
   Stateful firewall?
   Blinking LEDs?
[Figure: External Network – Router + PAT – 5-port Ethernet Switch – Internal Network]
NAT/PAT – Protocol Problems
 PAT Fails: Protocols that require incoming connections
   Example: FTP Active Mode
     Client sends request
     Server attempts to open new connection back to client to send data
     No entry in PAT table so connection is rejected
   Example: SIP / RTP (VOIP telecommunication)
 NAT / PAT Fails: Protocols that carry IP address / port values in their payload
   Example: IPsec (and other tunneling / VPN protocols)
     NAT changes src/dst addresses in header but is unable to fix encrypted payload. Packet fails security check and is discarded because receiver detects (correctly) that the packet was altered in transit
 NAT / PAT Fails: Protocols that use checksums which include IP addresses
   NAT only knows how to recalculate checksums for IP/TCP/UDP packets, not any new protocol that might be developed


Application-Level Gateway (ALG)
 Technique to avoid breaking common protocols
 NAT device runs multiple ALGs
   Each ALG looks for a different protocol
   Rewrites packet payload to fix problems
 Common ALG modules
   FTP, BitTorrent, SIP, RTSP, File transfer in IM applications, etc…
 Not future proof
   Each ALG is a fix for a specific protocol
   Need to upgrade NAT software as new applications are developed
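The FTP active-mode failure from the previous slide and the ALG fix from this one, as an added example (Python; not code from the slides or from any real NAT product): a minimal FTP ALG that watches the control channel for the client's `PORT h1,h2,h3,h4,p1,p2` command, replaces the private address and port with the PAT's external address and a freshly allocated external port, and records the inbound mapping so the server's data connection can be delivered. The addresses and ports are constructed; the external-port allocator is a simple counter rather than a shared PAT table.

```python
import re

# Added example (not from the slides): an FTP active-mode ALG for a PAT.
# The internal client announces its private address in the PORT command; the
# ALG rewrites it to the external address/port and records the inbound mapping.
# All addresses and ports are constructed values.

PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


class FtpActiveModeALG:
    def __init__(self, external_ip: str, first_port: int = 1501):
        self.external_ip = external_ip
        self.next_port = first_port
        self.inbound_map = {}       # external port -> (internal ip, internal port)

    def rewrite_port_command(self, payload: bytes):
        """Rewrite one control-channel line; returns (new payload, length delta)."""
        m = PORT_RE.match(payload)
        if m is None:
            return payload, 0                   # not a PORT line: pass through
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return payload, 0                   # malformed: leave it untouched
        internal_ip = f"{h1}.{h2}.{h3}.{h4}"
        internal_port = p1 * 256 + p2           # FTP encodes the port as two bytes
        ext_port = self.next_port
        self.next_port += 1
        self.inbound_map[ext_port] = (internal_ip, internal_port)
        ext_octets = self.external_ip.replace(".", ",").encode()
        new = b"PORT %s,%d,%d\r\n" % (ext_octets, ext_port // 256, ext_port % 256)
        # When the rewritten line changes length, a real ALG must also adjust the
        # TCP sequence/acknowledgement numbers and checksums; the delta is
        # returned so that step is visible to the caller.
        return new, len(new) - len(payload)

    def inbound_data_connection(self, ext_port: int):
        """Where the server's data connection to `ext_port` is delivered (None = drop)."""
        return self.inbound_map.get(ext_port)


if __name__ == "__main__":
    alg = FtpActiveModeALG("213.18.15.116")
    line, delta = alg.rewrite_port_command(b"PORT 192,168,32,10,6,185\r\n")
    print(line, delta, alg.inbound_data_connection(1501))
```

The length delta is the part that makes ALGs fragile in practice: because the PORT line sits inside a TCP stream, every byte added or removed shifts the sequence space for the rest of the connection, and the ALG has to keep patching both directions until the control channel closes.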


Servers and PAT
 Is there a simple way to enable servers to function behind a PAT?
   Administrator can insert static mappings into mapping tables
     e.g. All incoming TCP requests on port 80 should always be forwarded to IP A.B.C.D, port 80 (enables a web server)
   Must be configured in advance
   Doesn’t scale well
     What if I have two web servers behind my PAT?
     What if I don’t know the incoming port #?


Servers and NAT
 Do I need to do anything to get my servers behind NAT to work?
   No – IP address mapping is already one-to-one
   A static mapping would be helpful for the clients…


NAT and Security
 NAT is often advertised as being essential for security
   Claim is mostly deceptive
 Security through obscurity?
   “If evil hacker on public network can’t see me, I must be secure!”
 Computers on private network using PAT are hidden
   Protects against worms scanning for exploits as long as there are no static mappings allowing outside access
   If your parents have a simple PAT in front of their unpatched Windows box, they’re protected against some worms


NAT and Security
 Provides no protection against whole classes of malware
   A security flaw in your PDF viewer can still be exploited by a bad download
   The user can still do dangerous / stupid things (“Click on Angelina_Jolie.exe for free pictures!”)
 Limited protection on larger networks
   Servers must be publicly accessible to perform their function (via fixed port or IP mapping)
   If your IIS webserver or Linux server with remote SSH is unpatched, it is still vulnerable to worms
   Once compromised, this machine provides entry vector to reach internal network, which may be completely unprotected!
 Don’t let your guard down - Security in depth


Nesting IP Ranges via NAT
 Allowed to have multiple levels of NAT
 Each level performs translation independently without any understanding of entire network
[Figure: the Rice NAT translates between the public 68.7.230.x range and the private 10.101.23.x range used by the Student PCs; My PAT, at 10.101.23.245 on the Rice side, translates between 10.101.23.x and a second private range, 192.168.20.x, used by My PC 1, My PC 2 and My PC 3]


Future of NAT
 Is NAT still needed with IPv6? IPv6 has:
   Much larger address range – No need for NAT to save IP addresses
   No private IP address ranges
 Network architects want to remove NAT “hack” from new IPv6 networks
   ALG support can be a nightmare!
 NAT can still be used with IPv6
   Nothing about NAT requires that one of the address ranges be private