CT320: NAT

Thanks to:

Dr. Indrajit Ray, CSU
Dr. James Walden, NKU
Russ Wakefield, CSU

for the contents of these slides.

IP datagram format, redux

0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
Version				IHL				Type of service								Total length
Identification																Flags				Fragment offset
Time to live								Protocol								Header checksum
Source IP address
Destination IP address
Options (optional)
IP data payload (many bytes)

NAT: Network Address Translation

The problem:

We’re running out of IPv4 addresses.
I have over a dozen hosts at home.
Comcast would charge me a lot for a dozen IP addresses.
They’d rather not add a dozen entries to their routers.
- Or give me a /28 subnet, which is even more IP addresses.
  - How many?

Telephone Extensions

┌───────────┐                       ┌──────────────┐
│ Dr. McCoy │····               ····│ Dr. Faustus  │
└───────────┘   :               :   └──────────────┘
┌───────────┐   :               :   ┌──────────────┐
│ Dr. Evil  │···:               :···│ Dr. Jekyll   │
└───────────┘   :               :   └──────────────┘
┌───────────┐   :               :   ┌──────────────┐
│ Dr. Who   │···:               :···│ Dr. Pepper   │
└───────────┘   :               :   └──────────────┘
┌───────────┐   :   ┌───────┐   :   ┌──────────────┐
│ Dr. Zaius │···:···│  PBX  │···:···│ Dr. Dolittle │
└───────────┘   :   └───────┘   :   └──────────────┘
┌───────────┐   :       :       :   ┌──────────────┐
│ Dr. Doom  │···:       :       :···│ Dr. Zoidberg │
└───────────┘   :     phone     :   └──────────────┘
┌───────────┐   :    network    :   ┌──────────────┐
│ Dr. Teeth │····               ····│ Dr. Watson   │
└───────────┘                       └──────────────┘

Consider a doctors’ office. It has a dozen doctors. Each doctor has an office with a phone.

We’re too cheap to pay for a dozen real phone lines.
Each doctor needs to make outgoing calls.
Doctors like to avoid incoming calls.

The solution: an internal phone exchange (PBX).

NAT

Internet     ┌────────┐       ┌─────────────┐
·············│ NAT    │·······│ 192.168.1.2 │
22.33.44.55  │ router │   :   └─────────────┘
             └────────┘   :   ┌─────────────┐
                          :···│ 192.168.1.2 │
                          :   └─────────────┘
                          :   ┌─────────────┐
                          ····│ 192.168.1.4 │
                              └─────────────┘

Similarly, NAT hides many hosts behind a NAT router.

From the Internet’s side, the entire house is only one IP address, 22.33.44.55.
From the home private network’s side, it appears that all the hosts are simply on the Internet.

Private Networks

Private Networks
CIDR range	Number of hosts
10.0.0.0/8	2²⁴ ~ 16 million
172.16.0.0/12	2²⁰ ~ 1 million
192.168.0.0/16	2¹⁶ ~ 65 thousand

NAT: Network Address Translation

Internet     ┌────────┐       ┌─────────────┐
·············│ NAT    │·······│ 192.168.1.2 │
22.33.44.55  │ router │   :   └─────────────┘
             └────────┘   :   ┌─────────────┐
                          :···│ 192.168.1.2 │
                          :   └─────────────┘
                          :   ┌─────────────┐
                          ····│ 192.168.1.4 │
                              └─────────────┘

Local network uses just one IP address, as far as outside word is concerned.
No need to be allocated range of addresses from ISP; just one IP address is used for all devices.
- Cheaper!
Can change addresses of devices in local network without notifying outside world.
can change ISP without changing addresses of devices in local network
devices inside local net not explicitly addressable, not visible to outside world (a security bonus)

Remember how TCP works

Let’s not forget how TCP works:

A TCP connection has a (host, port number) at each end.
Service port numbers are well-known (ssh is 22, HTTPS is 443, …).
For clients, the port numbers is made up.

For example, if I initiate an ssh connection to denver.cs.colostate.edu from home, the connection looks like this:

(jack-rulez.com,6234) <=======> (denver.cs.colostate.edu,22)

Why have the port 6234? So that when a reply packet from denver arrives, we know which program to send the reply to: the program listening on port 6234.

Without NAT

How does a typical transaction occur without NAT?

jack-rulez.com opens an ssh connection to denver.cs.colostate.edu.
- (jack-rulez.com,6234) <=======> (denver.cs.colostate.edu,22)
jack-rulez sends a TCP packet to denver, by sending to port 22 on denver.
denver responds by sending a TCP packet to port 6234 on jack-rulez.com.

NAT: Implementation

Internet     ┌────────┐       ┌─────────────┐
·············│ NAT    │·······│ 192.168.1.2 │
22.33.44.55  │ router │   :   └─────────────┘
             └────────┘   :   ┌─────────────┐
                          :···│ 192.168.1.2 │
                          :   └─────────────┘
                          :   ┌─────────────┐
                          ····│ 192.168.1.4 │
                              └─────────────┘

WAN	LAN
ebay.com, 3345	192.168.1.4, 5001
hp.com, 8765	192.168.1.3, 5010

A NAT router must:

outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #)

Remote clients/servers will respond using (NAT IP address, new port #) as destination addr.
- remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
- incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table

With NAT

┌─────────────┐             ┌────────┐       ┌─────────────┐
│ denver.cs.… │·············│ NAT    │·······│ 192.168.1.2 │
└─────────────┘             │ router │       └─────────────┘
 129.82.46.205              └────────┘
			  jack-rulez.com

How does a typical transaction occur with NAT?

jack-rulez.com opens an ssh connection to denver.cs.colostate.edu; sends a packet
- Packet: (from:192.168.1.2,6234) (to:denver,22)
NAT router rewrites the packet:
- Packet: (from:jack-rulez,9876) (to:denver,22)
denver sends a reponse:
- Packet: (from:denver,22) (to:jack-rulez,9876)
NAT router rewrites the packet:
- Packet: (from:denver,22) (to:192.168.1.2,6234)

NAT: Network Address Translation

16-bit port-number field:
- 60,000 simultaneous connections with a single LAN-side address!
NAT is controversial (book’s term):
- NAT is evil (protocol designer and security term)
- routers should only process up to layer 3
- violates end-to-end argument
NAT possibility must be taken into account by app designers, e.g., P2P applications
- address shortage should instead be solved by IPv6

CT320: Network and System Administration

Fall 2016

NAT

CT320: NAT

IP datagram format, redux

NAT: Network Address Translation

Telephone Extensions

NAT

Private Networks

NAT: Network Address Translation

Remember how TCP works

Without NAT

NAT: Implementation

With NAT

NAT: Network Address Translation