Network Address Translation (NAT)
Don McGregor, Research Associate, MOVES Institute, mcgredo@nps.edu

Dec 26, 2015

Page 1: Network Address Translation (NAT) Don McGregor Research Associate MOVES Institute mcgredo@nps.edu.

Network Address Translation(NAT)

Don McGregor

Research Associate

MOVES Institute

mcgredo@nps.edu

Page 2:

Network Address Translation

• In the original “classic” internet IPs were all publicly addressable. You could contact any host from any other host

• IPs have become a somewhat rare commodity now, so people are trying to conserve them. One way to do this is via NAT

• The idea is to use a single “classic” IP on the internet-facing side of a network, and “private” IPs on the other side

Page 3:

NAT

Diagram: Internet <-> Home Router (public IP 205.155.65.17 on the internet-facing side, private IP 192.168.1.1 on the home side) <-> Laptop (private IP 192.168.1.2)

Page 4:

NAT

• Your home router, when it boots, usually receives a public IP from your ISP on its internet-facing side. This IP can be addressed by the internet.

• On your home network side, it usually assigns itself an IP of 192.168.1.1. This is a “private IP” that is not usable on the big internet

• Your router runs DHCP itself, and hands out private IPs to anything on your home network (but not the public-facing network!). So a laptop on your home network might get assigned an IP of 192.168.1.2

• Everything in your home network has a unique IP and everything is happy

Page 5:

Private IPs

• The IETF has assigned certain blocks of IPs to be “private IPs”. They are
– 10.0.0.0 – 10.255.255.255
– 172.16.0.0 – 172.31.255.255
– 192.168.0.0 – 192.168.255.255

• These IPs can only be used within a private network. If any packets have a destination address from the above blocks, they are simply discarded on the big internet. You can still use them on your private network, though.

Page 6:

Example:

• Send a packet from your laptop in your home network to a desktop in your home network.
– OK; source and destination IPs of 192.168.1.x are OK on your private network

• Send a packet with a source or destination IP of 192.168.1.x to www.apple.com
– Not OK! Packet must traverse the big internet, and there are millions of hosts with an IP of 192.168.1.2 in private networks. We wouldn’t know where to send the response, determined by the source IP!

• As a result routers on the public internet discard packets using private IPs
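The two cases on this slide and the private blocks from the previous one, as an added example (not code from the slides): the three RFC 1918 blocks are checked explicitly, and `classify_packet` reports what happens to a packet that reaches the public internet untranslated. The 192.168.1.0/24 LAN prefix and the function names are assumptions for the example; 209.191.122.70 and 205.155.65.17 are the addresses used elsewhere in the deck.

```python
"""Classify IPv4 addresses against the private blocks named on the slide and
decide what happens to a packet (added example, not the slides' own code)."""
import ipaddress

# The three private blocks from the slide, written as CIDR prefixes.
PRIVATE_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
)


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the slide's three private blocks.

    The stdlib attribute ipaddress.ip_address(addr).is_private is wider
    (loopback, link-local, shared address space, ...), so the check is
    made explicitly against the blocks the slide names.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def classify_packet(src: str, dst: str, lan: str = "192.168.1.0/24") -> str:
    """Mirror the two cases on the slide.

    Returns one of:
      "local"   - both ends are on the home LAN; delivered without NAT
      "drop"    - a private address would have to cross the public internet
      "forward" - both addresses are public; normal internet routing
    The lan prefix is an assumption for the example (the slide's 192.168.1.x).
    """
    lan_net = ipaddress.ip_network(lan)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in lan_net and d in lan_net:
        return "local"
    if is_private(src) or is_private(dst):
        # A public router cannot route a reply back to 192.168.1.2:
        # millions of private networks reuse that address.
        return "drop"
    return "forward"


if __name__ == "__main__":
    print(classify_packet("192.168.1.2", "192.168.1.3"))       # local
    print(classify_packet("192.168.1.2", "209.191.122.70"))    # drop
    print(classify_packet("205.155.65.17", "209.191.122.70"))  # forward
```

Note the boundary at 172.31.255.255: 172.32.0.1 is a public address even though it "looks" private, which is why the block is checked as a /12 rather than by the 172. prefix.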

Page 7:

Getting Out

• So how can we allow our laptop to contact Amazon from inside our private network?

• This is done via Network Address Translation

• A TCP/IP packet has a source and destination IP address

Src IP: 192.168.1.2 | Dest IP: 209.191.122.70 | …Other stuff | Payload

Page 8:

NAT

• When the packet is received by your home router it does a change: the source IP is changed from 192.168.1.2 to the public IP assigned to the home router, 205.155.65.17

• This IP is unique in the internet; no other host anywhere in the world should have it

• When a response is received, the home router does a switch again: the destination IP is changed from the public IP to 192.168.1.2

Page 9:

NAT

• The NAT router maintains a table that maps each socket connection from the private network, so multiple hosts inside the private network can share the same NAT router

Page 10:

Configuration (Home)

• Usually you just point your web browser at 192.168.1.1. There’s a web-based configuration tool there. Log on (probably with the username and password given in the documentation) and configure

Page 11:

Port Forwarding

• Notice that a host external to the NAT can’t talk to a host internal to the NAT—there’s no way to know which internal host it should go to unless an internal host first establishes a connection out and creates an entry in the NAT table

• This is a big problem for games and simulations exchanging state information

• One way around this is “port forwarding”. The NAT box is pre-configured so that traffic from outside to the router is automatically forwarded to a specific host and port
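The address rewriting of page 8, the per-connection table of page 9 and the port-forwarding rule on this page, as one added example (not code from the slides): a toy NAT router that rewrites the source of outbound packets to its public IP, maps replies back through its table, drops unsolicited inbound packets, and delivers them only when a static port-forwarding rule exists. 205.155.65.17, 192.168.1.x and 209.191.122.70 are the addresses used on the slides; 198.51.100.9, the port numbers and the class and method names are constructed for the example.

```python
"""Toy NAT router (added example, not from the slides): translation table,
address rewriting in both directions, unsolicited-packet drop, port forwarding."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_public_port
        # Outbound view of the table: (private socket, remote socket) -> public port
        self._by_flow: Dict[Tuple[str, int, str, int], int] = {}
        # Inbound view of the same table: public port -> (private socket, remote socket)
        self._by_port: Dict[int, Tuple[str, int, str, int]] = {}
        # Static port-forwarding rules: public port -> (private ip, private port)
        self._forwards: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Pre-configure the router so outside traffic to public_port reaches one host."""
        self._forwards[public_port] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network.

        The first packet of each connection creates a table entry; later
        packets of the same connection reuse the same public port.
        """
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._by_flow.get(flow)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self._by_flow[flow] = public_port
            self._by_port[public_port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from the internet.

        Returns the packet re-addressed to the private host, or None when the
        router has no way to know which internal host should receive it.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self._by_port.get(pkt.dst_port)
        if flow is not None:
            priv_ip, priv_port, remote_ip, remote_port = flow
            # Only the peer the private host contacted may use this entry.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        rule = self._forwards.get(pkt.dst_port)
        if rule is not None:
            priv_ip, priv_port = rule
            return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        return None  # unsolicited: no table entry and no forwarding rule


def demo() -> dict:
    """Walk through the slides' scenario and return what the router produced."""
    nat = NatRouter("205.155.65.17")
    # Two laptops on the LAN open connections to the web server from page 7.
    out1 = nat.outbound(Packet("192.168.1.2", 51000, "209.191.122.70", 80, "GET /"))
    out2 = nat.outbound(Packet("192.168.1.3", 51000, "209.191.122.70", 80, "GET /"))
    # The server's reply arrives at the public IP and is mapped back to laptop 1.
    reply = nat.inbound(Packet("209.191.122.70", 80, "205.155.65.17", out1.src_port, "200 OK"))
    # A constructed outside host sends an unsolicited packet to a game port: dropped.
    unsolicited = nat.inbound(Packet("198.51.100.9", 5555, "205.155.65.17", 27015))
    # After a port-forwarding rule is configured, the same packet is delivered.
    nat.add_port_forward(27015, "192.168.1.2", 27015)
    forwarded = nat.inbound(Packet("198.51.100.9", 5555, "205.155.65.17", 27015))
    return {"out1": out1, "out2": out2, "reply": reply,
            "unsolicited": unsolicited, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

The inbound check that the reply comes from the same remote socket the private host contacted is what keeps the table from being used by anyone other than the original peer; the port-forwarding rule deliberately bypasses that check, which is exactly why it exposes the forwarded host to the whole internet.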

Page 12:

Port Forwarding (LinkSys)

Page 13:

Why?

• Suppose you’re running a network in a secure facility that is completely cut off from the internet. No need for routable IPs, and in fact you don’t want routable IPs

• It saves public IPs. A company can have only a few public IPs but hundreds or thousands of hosts with private IPs. The internet is running out of public IPs

• Can be more secure; an outsider can’t directly establish a connection to a private host

• Allows clients to contact outside servers

Page 14:

Why Not?

• Sometimes you want to have others connect to you (peer-to-peer): Voice over IP, games and virtual environments, etc. There are some techniques for allowing this (“NAT punch-through” or “NAT traversal”), but they’re pretty complex and, because home routers vary so much, difficult to standardize

• See RFC 5128 for details on NAT traversal
• See also “port forwarding”