CT320 NAT
Thanks to:
- Dr. Indrajit Ray, CSU
- Dr. James Walden, NKU
- Russ Wakefield, CSU
for the contents of these slides.
Acronym
- Network
- Address
- Translation
Notation
- NAT is defined in RFC 2663
- Several levels of NAT are defined (Basic NAT, NAPT, Bi-directional NAT, Twice NAT, …)
- For this lecture, we will discuss NAPT (Network Address Port Translation), but we’ll bow to common usage and call it NAT.
IP datagram format, redux
| Bit offset | Fields (width in bits) |
|---|---|
| 0 | Version (4), IHL (4), Type of service (8), Total length (16) |
| 32 | Identification (16), Flags (3), Fragment offset (13) |
| 64 | Time to live (8), Protocol (8), Header checksum (16) |
| 96 | Source IP address (32) |
| 128 | Destination IP address (32) |
| 160 | Options (optional, variable length) |
| | IP data payload (many bytes) |
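As an added example (not code from the original slides): Python that decodes the header fields listed in the table above, verifies the header checksum, and then performs the IP-layer part of what a NAT router does to an outgoing datagram, replacing the source address and recomputing the checksum. The function names, the constructed sample datagram and the use of 192.168.1.2, 129.82.44.141 and 203.0.113.9 as inside host, remote host and NAT address are assumptions made for this example.

```python
import struct
from typing import Dict


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    complemented. Over a header whose checksum field is zero it yields the
    value to store; over a correct header it yields zero."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(datagram: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte header fields from the datagram table."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, hdr_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F   # IHL counts 32-bit words
    header_len = ihl * 4
    if version != 4 or ihl < 5 or len(datagram) < header_len:
        raise ValueError("malformed IPv4 header")
    header = datagram[:header_len]
    return {
        "version": version, "ihl": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": hdr_csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": header[20:],
        # a receiver sums the whole header, checksum field included
        "checksum_ok": ipv4_checksum(header) == 0,
        "payload": datagram[header_len:],
    }


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """Assemble a 20-byte header (no options) with a correct checksum."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split("."))))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def rewrite_source(datagram: bytes, new_src: str) -> bytes:
    """IP-layer half of a NAT rewrite on an outgoing datagram: swap the source
    address and recompute the header checksum (field zeroed before summing)."""
    parse_ipv4_header(datagram)                 # validates version/IHL/length
    header_len = (datagram[0] & 0x0F) * 4
    hdr = bytearray(datagram[:header_len])
    hdr[12:16] = bytes(int(o) for o in new_src.split("."))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + datagram[header_len:]


# Constructed sample: 192.168.1.2 -> 129.82.44.141, TCP (6), 20-byte payload.
SAMPLE = build_ipv4_header("192.168.1.2", "129.82.44.141", 20) + b"\x00" * 20

if __name__ == "__main__":
    before = parse_ipv4_header(SAMPLE)
    after = parse_ipv4_header(rewrite_source(SAMPLE, "203.0.113.9"))
    print(before["src"], before["checksum_ok"], hex(before["header_checksum"]))
    print(after["src"], after["checksum_ok"], hex(after["header_checksum"]))
```

The point of the rewrite step is that a NAT router cannot just overwrite the address bytes: the header checksum covers them, so every rewritten datagram needs a fresh checksum (and, for TCP and UDP, the transport checksum too, which this block does not touch).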
NAT: Network Address Translation
The problem:
- We’re running out of IPv4 addresses.
- I have over a dozen hosts at home.
- Comcast would charge me a lot for a dozen IP addresses.
- They’d rather not add a dozen entries to their routers.
- Or give me a /28 subnet, which is even more IP addresses.
- How many?
Telephone Extensions
┌───────────┐                       ┌──────────────┐
│ Dr. McCoy │····               ····│ Dr. Faustus  │
└───────────┘   :               :   └──────────────┘
┌───────────┐   :               :   ┌──────────────┐
│ Dr. Evil  │···:               :···│ Dr. Jekyll   │
└───────────┘   :               :   └──────────────┘
┌───────────┐   :               :   ┌──────────────┐
│ Dr. Who   │···:               :···│ Dr. Pepper   │
└───────────┘   :               :   └──────────────┘
┌───────────┐   :   ┌───────┐   :   ┌──────────────┐
│ Dr. Zaius │···:···│  PBX  │···:···│ Dr. Dolittle │
└───────────┘   :   └───────┘   :   └──────────────┘
┌───────────┐   :       :       :   ┌──────────────┐
│ Dr. Doom  │···:       :       :···│ Dr. Zoidberg │
└───────────┘   :     phone     :   └──────────────┘
┌───────────┐   :    network    :   ┌──────────────┐
│ Dr. Teeth │····               ····│ Dr. Watson   │
└───────────┘                       └──────────────┘
Consider a doctors’ office. It has a dozen doctors. Each doctor has an office with a phone.
- They’re too cheap to pay for a dozen real phone lines.
- Each doctor needs to make outgoing calls.
- Doctors like to avoid incoming calls.
The solution: an internal phone exchange (PBX).
NAT
   Internet   ┌────────┐       ┌─────────────┐
··············│  NAT   │·······│ 192.168.1.2 │
 203.0.113.9  │ router │   :   └─────────────┘
              └────────┘   :   ┌─────────────┐
                           :···│ 192.168.1.3 │
                           :   └─────────────┘
                           :   ┌─────────────┐
                           ····│ 192.168.1.4 │
                               └─────────────┘
Similarly, NAT hides many hosts behind a NAT router.
- From the Internet’s side, the entire house is only one IP address, 203.0.113.9.
- From the home private network’s side, it appears that all the hosts are simply on the Internet.
- It makes “incoming calls” more difficult.
- That’s a feature, not a bug.
Private Networks
| CIDR range | Number of hosts |
|---|---|
| 10.0.0.0/8 | 2^24 (~16 million) |
| 172.16.0.0/12 | 2^20 (~1 million) |
| 192.168.0.0/16 | 2^16 (~65 thousand) |
- 172.16/12? That’s neither a Class A (/8) nor a Class B (/16) address.
- Yeah, so? Classful addresses are obsolete.
- We are not restricted to classful addresses.
- CIDR is more flexible.
NAT: Network Address Translation
   Internet   ┌────────┐       ┌─────────────┐
··············│  NAT   │·······│ 192.168.1.2 │
 203.0.113.9  │ router │   :   └─────────────┘
              └────────┘   :   ┌─────────────┐
                           :···│ 192.168.1.3 │
                           :   └─────────────┘
                           :   ┌─────────────┐
                           ····│ 192.168.1.4 │
                               └─────────────┘
- Local network uses just one IP address, as far as the outside world is concerned.
- No need to be allocated a range of addresses from the ISP; just one IP address is used for all devices.
- Cheaper!
- Can change addresses of devices in the local network without notifying the outside world.
- Can change ISP without changing addresses of devices in the local network.
- Devices inside the local net are not explicitly addressable and not visible to the outside world (a security bonus).
Remember how TCP works
- A TCP connection has a (host, port number) at each end.
- Service port numbers are well-known
- ssh: 22
- https: 443
- For clients, the port number is dynamically generated (made up).
If example.com connects via ssh to denver.cs.colostate.edu, the connection looks like:
(example.com,6234) ◀────▶ (denver.cs.colostate.edu,22)
Why have the port 6234? So that when a reply packet from denver arrives, we know which program to send the reply to: the program listening on port 6234.
Without NAT
How does a typical transaction occur without NAT?
- example.com opens an ssh connection to denver.cs.colostate.edu.
- (example.com,6234) ◀────▶ (denver.cs.colostate.edu,22)
- example.com sends a TCP packet to denver, by sending to port 22 on denver.
- denver responds by sending a TCP packet to port 6234 on example.com.
NAT: Implementation
   Internet   ┌────────┐       ┌─────────────┐
··············│  NAT   │·······│ 192.168.1.2 │
 203.0.113.9  │ router │   :   └─────────────┘
              └────────┘   :   ┌─────────────┐
                           :···│ 192.168.1.3 │
                           :   └─────────────┘
                           :   ┌─────────────┐
                           ····│ 192.168.1.4 │
                               └─────────────┘
| WAN | LAN |
|---|---|
| ebay.com, 3345 | 192.168.1.4, 5001 |
| hp.com, 8765 | 192.168.1.3, 5010 |
A NAT router must:
- outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #)
- Remote clients/servers will respond using (NAT IP address, new port #) as the destination address.
- remember (in the NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
- incoming datagrams: replace (NAT IP address, new port #) in the destination fields of every incoming datagram with the corresponding (source IP address, port #) stored in the NAT table
With NAT
┌─────────────┐     ┌────────┐     ┌─────────────┐
│ denver.cs.… │·····│  NAT   │·····│ 192.168.1.2 │
└─────────────┘     │ router │     └─────────────┘
 129.82.44.141      └────────┘       example.com
How does a typical transaction occur with NAT?
- example.com opens an ssh connection to denver.cs.colostate.edu;
sends a packet
- Packet: (from:192.168.1.2,6234) (to:denver,22)
- NAT router rewrites the packet:
- Packet: (from:example.com,9876) (to:denver,22)
- denver sends a response:
- Packet: (from:denver,22) (to:example.com,9876)
- NAT router rewrites the packet:
- Packet: (from:denver,22) (to:192.168.1.2,6234)
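As an added example (not code from the original slides), a toy port-translating NAT router in Python that carries out the four rules from the “NAT: Implementation” slide and replays the ssh exchange just shown: the outgoing rewrite, the table entry, the incoming rewrite, and the case the table does not cover. The class and function names are assumptions, 203.0.113.9 stands in for the router’s public address, 129.82.44.141 is used for denver, and 198.51.100.7 is a constructed outside address. It goes slightly beyond the slide by also sending a second inside host through the router with the same client port, to show why the port, not just the address, has to be translated.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]      # (IP address, port number)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class NaptRouter:
    """Illustrative port-translating NAT router (assumed name, not a real one)."""

    def __init__(self, public_ip: str, first_port: int = 9876) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # The NAT translation table, kept in both directions:
        #   (NAT IP, new port) -> (private IP, private port)
        self.inbound_map: Dict[Endpoint, Endpoint] = {}
        #   (private IP, private port) -> (NAT IP, new port)
        self.outbound_map: Dict[Endpoint, Endpoint] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: replace (source IP, port) with (NAT IP, new port)
        and remember the pair so the reply can be mapped back."""
        if pkt.src not in self.outbound_map:
            if self.next_port > 65535:          # 16-bit port field
                raise RuntimeError("translation ports exhausted")
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
            self.outbound_map[pkt.src] = ext
            self.inbound_map[ext] = pkt.src
        return Packet(self.outbound_map[pkt.src], pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: replace (NAT IP, new port) in the destination with
        the stored (private IP, port). With no table entry, no inside host asked
        for this datagram, so it is dropped: the 'incoming calls are harder'
        property from the PBX analogy."""
        inside = self.inbound_map.get(pkt.dst)
        if inside is None:
            return None
        return Packet(pkt.src, inside)


def ssh_walkthrough() -> List[Optional[Packet]]:
    """Replay the slide's ssh exchange, plus a port collision and an unsolicited packet."""
    nat = NaptRouter("203.0.113.9")
    denver = ("129.82.44.141", 22)

    # 192.168.1.2 opens ssh to denver from client port 6234.
    out1 = nat.outbound(Packet(("192.168.1.2", 6234), denver))  # (203.0.113.9, 9876) -> denver
    back1 = nat.inbound(Packet(denver, out1.src))               # -> (192.168.1.2, 6234)

    # A second inside host happens to pick the same client port; the
    # translation gives it a distinct WAN-side port so replies stay separate.
    out2 = nat.outbound(Packet(("192.168.1.3", 6234), denver))  # (203.0.113.9, 9877) -> denver
    back2 = nat.inbound(Packet(denver, out2.src))               # -> (192.168.1.3, 6234)

    # Datagram from outside to a port nobody mapped: no entry, dropped.
    unsolicited = nat.inbound(Packet(("198.51.100.7", 40000), ("203.0.113.9", 22)))

    return [out1, back1, out2, back2, unsolicited]


if __name__ == "__main__":
    for step in ssh_walkthrough():
        print(step)
```

Note that the table is keyed on the full (address, port) pair on both sides; keying on the address alone would make the two inside hosts’ port-6234 flows indistinguishable when denver’s replies come back.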
NAT: Network Address Translation
- 16-bit port-number field:
- 65,536 simultaneous connections with a single LAN-side address!
- NAT is controversial (book’s term):
- NAT is evil (protocol designer and security term)
- Routers should only process up to layer 3.
- NAT violates end-to-end argument.
- NAT possibility must be taken into account by app designers,
e.g., P2P applications.
- Address shortage should instead be solved by IPv6.
- Don’t hold your breath.