Show Lecture.NAT as a slide show.
CT320 NAT
Thanks to:
- Dr. Indrajit Ray, CSU
- Dr. James Walden, NKU
- Russ Wakefield, CSU
for the contents of these slides.
Acronym
- Network
- Address
- Translation
Notation
- NAT is defined in RFC 2663
- Several levels of NAT are defined
(Basic NAT, NAPT, Bi-directional NAT, Twice NAT, …)
- For this lecture, we will discuss NAPT (Network and Port Translation),
but we’ll bow to common usage and call it NAT.
IP datagram format, redux
0
| 1
| 2
| 3
| 4
| 5
| 6
| 7
| 8
| 9
| 10
| 11
| 12
| 13
| 14
| 15
| 16
| 17
| 18
| 19
| 20
| 21
| 22
| 23
| 24
| 25
| 26
| 27
| 28
| 29
| 30
| 31
|
Version
| IHL
| Type of service
| Total length
|
Identification
| Flags
| Fragment offset
|
Time to live
| Protocol
| Header checksum
|
Source IP address
|
Destination IP address
|
Options (optional)
|
IP data payload (many bytes)
|
NAT: Network Address Translation
The problem:
- We’re running out of IPv4 addresses.
- I have over a dozen hosts at home.
- Comcast would charge me a lot for a dozen IP addresses.
- They’d rather not add a dozen entries to their routers.
- Or give me a /28 subnet, which is even more IP addresses.
Telephone Extensions
┌───────────┐ ┌──────────────┐
│ Dr. McCoy │···· ····│ Dr. Faustus │
└───────────┘ : : └──────────────┘
┌───────────┐ : : ┌──────────────┐
│ Dr. Evil │···: :···│ Dr. Jekyll │
└───────────┘ : : └──────────────┘
┌───────────┐ : : ┌──────────────┐
│ Dr. Who │···: :···│ Dr. Pepper │
└───────────┘ : : └──────────────┘
┌───────────┐ : ┌───────┐ : ┌──────────────┐
│ Dr. Zaius │···:···│ PBX │···:···│ Dr. Dolittle │
└───────────┘ : └───────┘ : └──────────────┘
┌───────────┐ : : : ┌──────────────┐
│ Dr. Doom │···: : :···│ Dr. Zoidberg │
└───────────┘ : phone : └──────────────┘
┌───────────┐ : network : ┌──────────────┐
│ Dr. Teeth │···· ····│ Dr. Watson │
└───────────┘ └──────────────┘
Consider a doctors’ office. It has a dozen doctors. Each doctor
has an office with a phone.
- They’re too cheap to pay for a dozen real phone lines.
- Each doctor needs to make outgoing calls.
- Doctors like to avoid incoming calls.
The solution: an internal phone exchange
(PBX).
NAT
Internet ┌────────┐ ┌─────────────┐
··············│ NAT │·······│ 192.168.1.2 │
203.0.113.9 │ router │ : └─────────────┘
└────────┘ : ┌─────────────┐
:···│ 192.168.1.3 │
: └─────────────┘
: ┌─────────────┐
····│ 192.168.1.4 │
└─────────────┘
Similarly, NAT hides many hosts behind a NAT router.
- From the Internet’s side, the entire house is
only one IP address, 203.0.113.9.
- From the home private network’s side,
it appears that all the hosts are simply on the Internet.
- It makes “incoming calls” more difficult.
- That’s a feature, not a bug.
Private Networks
Private Networks
CIDR range | Number of hosts |
10.0.0.0/8 | 224 (~16 million) |
172.16.0.0/12 | 220 (~1 million) |
192.168.0.0/16 | 216 (~65 thousand) |
- 172.16/12? That’s neither a Class A (/8) nor a Class B (/16) address.
- Yeah, so? Classful addresses are obsolete.
- We are not restricted to classful addresses.
- CIDR is more flexible.
NAT: Network Address Translation
Internet ┌────────┐ ┌─────────────┐
···············│ NAT │·······│ 192.168.1.2 │
203.0.113.9 │ router │ : └─────────────┘
└────────┘ : ┌─────────────┐
:···│ 192.168.1.3 │
: └─────────────┘
: ┌─────────────┐
····│ 192.168.1.4 │
└─────────────┘
- Local network uses just one IP address,
as far as outside word is concerned.
- No need to be allocated range of addresses from ISP;
just one IP address is used for all devices.
- Can change addresses of devices in local
network without notifying outside world.
- can change ISP without changing addresses of devices in local network
- devices inside local net not explicitly addressable,
not visible to outside world (a security bonus)
Remember how TCP works
- A TCP connection has a (host, port number) at each end.
- Service port numbers are well-known
- For clients, the port number is dynamically generated (made up).
If example.com connects via ssh to denver.cs.colostate.edu,
the connection looks like:
(example.com,6234) ◀────▶ (denver.cs.colostate.edu,22)
Why have the port 6234? So that when a reply packet from denver arrives,
we know which program to send the reply to: the program
listening on port 6234.
Without NAT
How does a typical transaction occur without NAT?
- example.com opens an ssh connection to denver.cs.colostate.edu.
- (example.com,6234) ◀────▶ (denver.cs.colostate.edu,22)
- example.com sends a TCP packet to denver, by sending to port 22 on denver.
- denver responds by sending a TCP packet to port 6234 on example.com.
NAT: Implementation
Internet ┌────────┐ ┌─────────────┐
··············│ NAT │·······│ 192.168.1.2 │
203.0.113.9 │ router │ : └─────────────┘
└────────┘ : ┌─────────────┐
:···│ 192.168.1.3 │
: └─────────────┘
: ┌─────────────┐
····│ 192.168.1.4 │
└─────────────┘
WAN | LAN |
ebay.com, 3345 | 192.168.1.4, 5001 |
hp.com, 8765 | 192.168.1.3, 5010 |
A NAT router must:
- outgoing datagrams: replace (source IP address, port #) of every
outgoing datagram to (NAT IP address, new port #)
- Remote clients/servers will respond using
(NAT IP address, new port #) as destination addr.
- remember (in NAT translation table) every (source IP address, port #)
to (NAT IP address, new port #) translation pair
- incoming datagrams: replace (NAT IP address, new port #)
in dest fields of every incoming datagram with corresponding
(source IP address, port #) stored in NAT table
With NAT
┌─────────────┐ ┌────────┐ ┌─────────────┐
│ denver.cs.… │·····│ NAT │·····│ 192.168.1.2 │
└─────────────┘ │ router │ └─────────────┘
129.82.44.141 └────────┘
example.com
How does a typical transaction occur with NAT?
- example.com opens an ssh connection to denver.cs.colostate.edu;
sends a packet
- Packet: (from:192.168.1.2,6234) (to:denver,22)
- NAT router rewrites the packet:
- Packet: (from:example.com,9876) (to:denver,22)
- denver sends a reponse:
- Packet: (from:denver,22) (to:example.com,9876)
- NAT router rewrites the packet:
- Packet: (from:denver,22) (to:192.168.1.2,6234)
NAT: Network Address Translation
- 16-bit port-number field:
- 65,536 simultaneous connections with a single LAN-side address!
- NAT is controversial (book’s term):
- NAT is evil (protocol designer and security term)
- Routers should only process up to layer 3.
- NAT violates end-to-end argument.
- NAT possibility must be taken into account by app designers,
e.g., P2P applications.
- Address shortage should instead be solved by IPv6.