See this page as a slide show

CT320: NAT

Thanks to:

• Dr. Indrajit Ray, CSU
• Dr. James Walden, NKU
• Russ Wakefield, CSU

for the contents of these slides.

Notation

• NAT is defined in RFC 2663
• Several levels of NAT are defined (Basic NAT, NAPT, Bi-directional NAT, Twice NAT, …)
• For this lecture, we will discuss NAPT (Network and Port Translation), but we’ll bow to common usage and call it NAT.

IP datagram format, redux

0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
Version				IHL				Type of service								Total length
Identification																Flags				Fragment offset
Time to live								Protocol								Header checksum
Source IP address
Destination IP address
Options (optional)
IP data payload (many bytes)

NAT: Network Address Translation

The problem:

• We’re running out of IPv4 addresses.
• I have over a dozen hosts at home.
• Comcast would charge me a lot for a dozen IP addresses.
• They’d rather not add a dozen entries to their routers.
  • Or give me a /28 subnet, which is even more IP addresses.
    • How many?

Telephone Extensions

┌───────────┐                       ┌──────────────┐
│ Dr. McCoy │····               ····│ Dr. Faustus  │
└───────────┘   :               :   └──────────────┘
┌───────────┐   :               :   ┌──────────────┐
│ Dr. Evil  │···:               :···│ Dr. Jekyll   │
└───────────┘   :               :   └──────────────┘
┌───────────┐   :               :   ┌──────────────┐
│ Dr. Who   │···:               :···│ Dr. Pepper   │
└───────────┘   :               :   └──────────────┘
┌───────────┐   :   ┌───────┐   :   ┌──────────────┐
│ Dr. Zaius │···:···│  PBX  │···:···│ Dr. Dolittle │
└───────────┘   :   └───────┘   :   └──────────────┘
┌───────────┐   :       :       :   ┌──────────────┐
│ Dr. Doom  │···:       :       :···│ Dr. Zoidberg │
└───────────┘   :     phone     :   └──────────────┘
┌───────────┐   :    network    :   ┌──────────────┐
│ Dr. Teeth │····               ····│ Dr. Watson   │
└───────────┘                       └──────────────┘

Consider a doctors’ office. It has a dozen doctors. Each doctor has an office with a phone.

• We’re too cheap to pay for a dozen real phone lines.
• Each doctor needs to make outgoing calls.
• Doctors like to avoid incoming calls.

The solution: an internal phone exchange (PBX).

NAT

Internet      ┌────────┐       ┌─────────────┐
··············│ NAT    │·······│ 192.168.1.2 │
203.0.113.9   │ router │   :   └─────────────┘
              └────────┘   :   ┌─────────────┐
                           :···│ 192.168.1.3 │
                           :   └─────────────┘
                           :   ┌─────────────┐
                           ····│ 192.168.1.4 │
                               └─────────────┘

Similarly, NAT hides many hosts behind a NAT router.

• From the Internet’s side, the entire house is only one IP address, 203.0.113.9.
• From the home private network’s side, it appears that all the hosts are simply on the Internet.

Private Networks

Private Networks

CIDR range	Number of hosts
10.0.0.0/8	224 (~16 million)
172.16.0.0/12	220 (~1 million)
192.168.0.0/16	216 (~65 thousand)

NAT: Network Address Translation

Internet       ┌────────┐       ┌─────────────┐
···············│ NAT    │·······│ 192.168.1.2 │
203.0.113.9    │ router │   :   └─────────────┘
               └────────┘   :   ┌─────────────┐
                            :···│ 192.168.1.3 │
                            :   └─────────────┘
                            :   ┌─────────────┐
                            ····│ 192.168.1.4 │
                                └─────────────┘

• Local network uses just one IP address, as far as outside word is concerned.
• No need to be allocated range of addresses from ISP; just one IP address is used for all devices.
  • Cheaper!
• Can change addresses of devices in local network without notifying outside world.
• can change ISP without changing addresses of devices in local network
• devices inside local net not explicitly addressable, not visible to outside world (a security bonus)

Remember how TCP works

• A TCP connection has a (host, port number) at each end.
• Service port numbers are well-known
  • ssh: 22
  • https: 443
• For clients, the port number is dynamically generated (made up).

If example.com connects via ssh to denver.cs.colostate.edu, the connection looks like this:

Why have the port 6234? So that when a reply packet from denver arrives, we know which program to send the reply to: the program listening on port 6234.

Without NAT

How does a typical transaction occur without NAT?

• example.com opens an ssh connection to denver.cs.colostate.edu.
  • (example.com,6234) ◀────▶ (denver.cs.colostate.edu,22)
• example.com sends a TCP packet to denver, by sending to port 22 on denver.
• denver responds by sending a TCP packet to port 6234 on example.com.

NAT: Implementation

Internet      ┌────────┐       ┌─────────────┐
··············│ NAT    │·······│ 192.168.1.2 │
203.0.113.9   │ router │   :   └─────────────┘
              └────────┘   :   ┌─────────────┐
                           :···│ 192.168.1.3 │
                           :   └─────────────┘
                           :   ┌─────────────┐
                           ····│ 192.168.1.4 │
                               └─────────────┘

WAN	LAN
ebay.com, 3345	192.168.1.4, 5001
hp.com, 8765	192.168.1.3, 5010

A NAT router must:

• outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #)

• Remote clients/servers will respond using (NAT IP address, new port #) as destination addr.
  • remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
  • incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table

With NAT

┌─────────────┐     ┌────────┐     ┌─────────────┐
│ denver.cs.… │·····│ NAT    │·····│ 192.168.1.2 │
└─────────────┘     │ router │     └─────────────┘
 129.82.44.141      └────────┘
		  example.com

How does a typical transaction occur with NAT?

• example.com opens an ssh connection to denver.cs.colostate.edu; sends a packet
  • Packet: (from:192.168.1.2,6234) (to:denver,22)
• NAT router rewrites the packet:
  • Packet: (from:example.com,9876) (to:denver,22)
• denver sends a reponse:
  • Packet: (from:denver,22) (to:example.com,9876)
• NAT router rewrites the packet:
  • Packet: (from:denver,22) (to:192.168.1.2,6234)

NAT: Network Address Translation

• 16-bit port-number field:
  • 65,536 simultaneous connections with a single LAN-side address!
• NAT is controversial (book’s term):
  • NAT is evil (protocol designer and security term)
  • routers should only process up to layer 3
  • violates end-to-end argument
• NAT possibility must be taken into account by app designers, e.g., P2P applications
  • address shortage should instead be solved by IPv6