
Network Address Translation

EETS 8312 Internet and Intranet Engineering Fall 2003 Southern Methodist University Dr Bernard Ku.

EETS 8312 -- Internet and Intranet Engineering

Introduction

Network Address Translation (NAT) is a method of connecting multiple computers with unregistered IP addresses to the internet (or any other IP network) using one or a group of registered IP addresses. NAT is defined in RFC 1631. It was called network address translator in that RFC but is also commonly known as network address translation. Address allocation for private networks is defined in RFC 1918.

Topics of Discussion

- Why NAT? What problems does it solve?
- What are NAT's advantages?
- What are NAT's disadvantages?
- A subnet example without NAT.
- A subnet example using NAT.
- Other forms of NAT.
- Multi-homing.

Why NAT? What problems does it solve?

NAT is a method of allowing multiple computers (or appliances) with unregistered IP addresses to access the Internet using one or a group of registered IP addresses. NAT's increasing use is driven by:
- A world shortage of IP addresses.
- Security needs.
- Ease and flexibility of network administration.

World shortage of IP addresses

The major cause of the IP address shortage was that too many addresses were handed out early on:
- MIT has 16,843,008 registered IP addresses.
- USC has 16,911,360.
- GE has 17,206,528.
- IBM has 17,542,656.
- AT&T has 19,800,320.

Had those in charge foreseen the present situation, they would have been more frugal.

What can be done?

Redesign IP with a bigger address field.

IPv6 is being worked on, but it doesn't help now.

Take back vast quantities of addresses given out long ago. (This can't happen.) Figure out a way to stretch what we have for as long as we can:
- CIDR (we already covered this in class)
- NAT

Security

Most view the Internet as one way; they forget that not only is their computer connected to the Internet, the Internet is also connected to their computer. Important data residing on computers is at risk (credit card numbers, proprietary information, etc.). NAT automatically provides firewall-type protection without any special set-up.

Hackers can ping the NAT-enabled router, but the subnets behind it are hidden from view.

Some NAT routers provide for extensive filtering and traffic logging:
- Filtering is used to restrict traffic (which sites can be viewed).
- Logging creates log files of sites visited.

Network Administration

Computers can be added or exchanged without affecting external networks. Modern NAT gateways support DHCP.

When a computer is switched on, the NAT router assigns the private IP address automatically.

- Modern NAT gateways allow packet filtering.
- Modern NAT gateways have built-in inter-network capability: the internetwork can be divided into several separate subnets.
- NAT can be installed incrementally, without changes to hosts or routers.

What are NAT's advantages?

In summary, a NAT gateway can provide the following benefits:

- Firewall protection for the internal network.
- Protocol-level protection.
- Automatic client computer configuration control.
- Packet-level filtering and routing.
- Scalable routing in a multi-homed network.

What are NAT's disadvantages?

NAT takes away the end-to-end significance of the IP address (but this can be a security advantage). The lost end-to-end significance is made up for with increased state in the network, so forwarding packets will take a little longer.

Forms of NAT

There are two forms of NAT: Dynamic NAT and Static NAT. Static NAT maps unregistered IP addresses to registered addresses on a one-to-one basis. Dynamic NAT maps unregistered IP addresses to a group of registered IP addresses dynamically. Overloading is a form of Dynamic NAT that maps multiple unregistered IP addresses to ONE registered IP address. The following example shows overloading:

A subnet example without NAT


Without NAT

Computers and appliances are connected to the modem using a hub. The ISP must provide a separate IP address for each device on the network. The Internet is connected to each of the devices, exposing each device to attack. Some ISPs used to provide separate IP addresses for free, but now many charge extra for each additional address.

RFC 1918

While any addresses can be used for private networks, RFC 1918 strongly recommends that the following addresses be used:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255

These addresses should never appear on the Internet.

A subnet example using dynamic NAT with overloading


With NAT (overloading)

The NAT-enabled router (gateway) is connected to the modem. The ISP assigns IP address 198.76.29.17 to the NAT-enabled router. Using DHCP, the NAT-enabled router assigns an IP address in the 192.168.0.0 - 192.168.255.255 range to each device as it is switched on. A computer on the network can run software to configure the router if packet filtering or other configuration is required. Otherwise, the components can just be connected and they work. This is Dynamic NAT with overloading.

Address Translation

Source Address       192.16.11.17
Source Port          234
Destination Address  230.58.27.9
Destination Port     349

The above fields of the IP header completely define a single TCP/IP connection. This is what the NAT-enabled router sees when the computer with address 192.16.11.17, port 234, sends a packet to 230.58.27.9, port 349, through it.

Source Address       198.76.29.17
Source Port          3
Destination Address  230.58.27.9
Destination Port     349

NAT inserts its own IP address in the source address field and a unique port number in the source port field, and the packet is sent. The IP address and port of the sending computer are saved in an address translation table.

Address Translation

Source Address       230.58.27.9
Source Port          349
Destination Address  198.76.29.17
Destination Port     3

When the above packet returns from the Internet, NAT looks up the IP address and port of the computer that sent the original packet (saved in its address translation table) and replaces them in the destination address and port fields:

Source Address       230.58.27.9
Source Port          349
Destination Address  192.16.11.17
Destination Port     234

The packet is then forwarded to the computer having IP address 192.16.11.17 (port 234). One can see how the internal computers are hidden. Pinging 198.76.29.17 pings the router. Internal IP addresses are never seen outside of the private network. Of course, many packets are sent and received independently.
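The translation table walk-through above, as an added example that is not part of the original slides: a minimal model of dynamic NAT with overloading that rewrites the four header fields on the way out, maps the reply back on the way in, and drops inbound packets that match no table entry (which is why the internal hosts stay hidden). The addresses and ports are the slides' own; the port allocator starting at 3 is a constructed choice so the first allocation reproduces the slide's public port 3.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The four header fields the slides say define one TCP/IP connection."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


class OverloadingNat:
    """Dynamic NAT with overloading: many private hosts share one public address."""

    def __init__(self, public_addr: str, first_port: int = 3):
        self.public_addr = public_addr
        # public port -> (private address, private port)
        self.table: Dict[int, Tuple[str, int]] = {}
        # (private address, private port) -> public port
        self.reverse: Dict[Tuple[str, int], int] = {}
        # constructed allocator: hands out public ports 3, 4, 5, ...
        self._ports = count(first_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address/port of a packet leaving the private network."""
        key = (pkt.src_addr, pkt.src_port)
        if key not in self.reverse:
            # first packet of this connection: allocate a unique public port
            port = next(self._ports)
            self.table[port] = key
            self.reverse[key] = port
        return replace(pkt, src_addr=self.public_addr, src_port=self.reverse[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a returning packet back to the private host; drop it if unknown."""
        if pkt.dst_addr != self.public_addr or pkt.dst_port not in self.table:
            return None  # no table entry: unsolicited traffic never reaches a host
        addr, port = self.table[pkt.dst_port]
        return replace(pkt, dst_addr=addr, dst_port=port)
```

A second packet of the same connection reuses its existing public port, and a different internal host gets the next free one.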

Other NAT Forms

If static NAT were being used, the router would do the same substitution but would always substitute the same registered IP address for the computer on the private network. If dynamic NAT were being used without overloading, the router would dynamically substitute an IP address from a pool of registered addresses.

Multi-homing

Multi-homing is providing multiple points of access to the Internet through (possibly) multiple ISPs each assigning an IP address or range of addresses to the network. Multi-homing reduces the chance of shutdown if one connection fails. Multi-homing allows load-balancing by lowering the number of computers connecting to the Internet through any one connection.

Multi-homing (continued)

In a multi-homed network, routers use Border Gateway Protocol (BGP) to route between networks using different protocols. The router uses Internal BGP on the stub domain (private network) side. The router uses External BGP to communicate with other routers. NAT can be used to facilitate scalable routing for multi-homed, multi-provider connectivity.

Conclusion

NAT offers a fast and effective way to expand secure Internet access into existing and new private networks (both home and business) without having to wait for IPv6. NAT offers security and greater network administrative flexibility than alternatives. NAT can be used to facilitate scalable routing for multihomed, multi-provider connectivity. NAT is becoming the de facto standard for shared access.

References

- Network Address Translation. www.safety.net/indnat.html. Network Safety, 1996.
- RFC 1631, The IP Network Address Translator. www.faqs.org/rfcs/rfc1631.html. May 1994.
- RFC 1918, Address Allocation for Private Networks. www.faqs.org/rfcs/rfc1918.html. Feb 1996.
- Vicomsoft white paper. www.vicomsoft.com/knowledge/reference/nat.html. No date given.
- How Network Translation Works. www.computer.howstuffworks.com/nat.htm. No date given.