Network Address Translation Design and Implementation

Abstract: This is the final report for a research project covering network address translation (NAT). Research topics include: the history of and necessity for NAT, overall design, implementation, the different types, and examples of its use.

Keywords: NAT; networking; project; research

Necessity

IP addresses were originally designed to be globally unique. In an IP network, each computer is allocated a unique IP address.
In the current version of the IP protocol (IPv4) an IP address is 4 bytes, so the total number of available addresses is 2^32, which is 4,294,967,296. This is the theoretical maximum number of hosts that can be directly connected to the Internet. This property of the IP address is fundamental in supporting the end-to-end architecture of the Internet. Until recently, almost all Internet protocol designs were based on the original IP address model. However, the explosive growth of the Internet during the 1990s made the danger of IP address space exhaustion clear.
This created an instant demand for IP addresses: connecting large numbers of user networks and home computers demanded addresses immediately and in large quantities, and the regular address allocation process could not possibly meet such a demand. IP became the standard for networked digital communication, and the widespread mobile phone became a viable Internet host. The introduction of broadband Internet access increased IP penetration further: these connections are always active and are rarely turned off, unlike the dial-up connections that were common before.
Inefficiencies caused by subnetting made it difficult to use all addresses in a block. [RFC 3194] defines the host-density ratio, a metric for the utilization of IP address blocks that is used in allocation policies. Advances in hardware made it possible to host many instances of an operating system on a single unit, each of which may require a unique public IP address. Network address translation began to be developed to meet this sudden high demand, and products featuring NAT were quickly brought to market.
NAT is a technology featured on devices such as routers, servers, and firewalls. NAT makes it possible for LAN devices with private IP addresses to communicate with devices on the public network. Devices configured with private IP addresses cannot communicate directly with devices that have public IP addresses, because private IP addresses are not routable on the Internet: traffic initiated from a private address is not routable on the public network, and a reply to it could not be routed back.
With NAT it is possible to share a single address between multiple computers and connect them all to the Internet at the same time. Moreover, users who do not require communication with the outside network (the Internet) do not consume public IP addresses. NAT did not only offer a solution for the increased demand for and cost of IPv4 addresses; it also came to be seen as a first line of defense against external attacks, because an unsolicited packet from the outside matches no translation entry and is dropped (strictly, that protection comes from the stateful filtering a translating device has to do, not from the address rewriting itself). The main idea was to set up individual private networks that are connected indirectly to the Internet.
NAT routers translate the addresses in datagrams from the private network to the public Internet and vice versa. One of the main reasons NAT is so widely deployed is that it makes the network easy to manage and monitor on a large scale. Administrators keep the control benefits that come with a private network and are still able to connect to the Internet. It is easy to add clients and even to change the Internet service provider, as the change only affects the public addresses.
History

The first RFC (Request for Comments) that raised a concern about IP address space exhaustion was RFC 1287, Towards the Future Internet Architecture, published in 1991. RFC 1287 also discussed possible ways to extend the IP address space. The first suggestion pointed in a direction similar to today's NATs: replace the 32-bit field with a field of the same size but with a different meaning. Instead of being globally unique, an address would be unique only within some smaller region, and gateways on the boundary would rewrite the address as the packet crossed it.
Shortly after RFC 1287 was published, RFC 1335 gave a clearer description of the use of internal IP addresses as a solution to IP address exhaustion. The NAT idea itself was first described in the article "Extending the IP Internet through Address Reuse", which appeared in the January 1993 issue of ACM Computer Communication Review, and NAT was published as RFC 1631 in 1994. The invention of the Web in the early 1990s underlined the urgency of solving both the routing scalability and the address shortage problems.
Long-term solutions require a long lead time to develop; therefore efforts began on both a short-term and a long-term solution. As the short-term solution, Classless Inter-Domain Routing (CIDR) was proposed. Address space was poorly utilized under "classful" addressing, and CIDR extended the lifetime of the IPv4 address space by removing the class boundaries embedded in the address structure, which allowed more efficient allocation.

CIDR was formalized in 1993 in several RFCs [RFC 1517]. "Classless" addressing means that instead of breaking a particular network into subnets, networks can be aggregated into larger "supernets"; CIDR was often referred to as "supernetting" for this reason. CIDR also facilitated route aggregation, which slowed the growth of routing table size. In 1992, several new IETF working groups began developing a new IP as the long-term solution, and the Internet Engineering Steering Group (IESG) set up a new IPng area in 1993 to coordinate the efforts.
The IPng Working Group (later renamed IPv6) was established in 1994 to develop the new version of IP.

Several blocks of IP addresses were set aside for use inside private networks; the current reservation is RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). These addresses cannot be routed on the Internet. "Private IP addresses" differ from "public IP addresses" in that public IP addresses are unique, valid IP addresses that can be routed across the Internet. Private addresses can be used on LANs, but they cannot be used on the Internet directly. Another way of describing private IP addresses is that they are "local": IP addresses that are local to a network.
Similarly, the term global IP address is used instead of "public": IP addresses that are globally unique. To be a host on the Internet it is necessary to have a unique, valid public IP address. If two hosts on the Internet shared the same IP address, there would be no way to ensure that information was sent to or received from the correct place; for computers to communicate, each must have a unique identification. But there is a limited number of available IP addresses, while the number of hosts on the Internet continues to grow. This is where NAT comes in.
Definition and Design

NAT, or Network Address Translation, is the process of modifying the IP address information in packets as they traverse a traffic routing device. NAT is used primarily to let privately addressed networks reach the Internet; the isolation it gives is a secondary effect. NATs are used where networks have private addresses that cannot connect to the Internet directly. The NAT configured on the router uses a translation table (distinct from the routing table) to substitute a public address for the private address in a packet. The primary purpose is to make sure that the packet, and the reply to it, reach their destinations correctly.
NATs are needed to convert private addresses into public addresses because the same private addresses are used in many places around the world. If private addresses were allowed onto the Internet, a packet could be delivered to the wrong destination. NATs also provide some privacy, because the host receiving the packet never sees the private address behind it. In its simplest form, NAT provides a one-to-one translation of IP addresses, often called one-to-one NAT. In this type of NAT only the IP addresses and the checksums are changed.
The rest of the packet is untouched. Basically, NATs are used to interconnect two IP networks that have incompatible addressing. To avoid ambiguity in handling multiple packet destinations, a one-to-many NAT must alter information such as TCP/UDP ports in outgoing communications, and a translation table must be maintained so that return packets can be correctly translated back. This method enables communication through the router only when the conversation originates in the masqueraded network, since that is where the translation table entries are created. Most NAT devices today allow translation table entries to be configured for permanent use.
This feature is often referred to as "static NAT" or port forwarding, and it allows traffic originating in the "outside" network to reach designated hosts "inside" the network.

Different Types

Static NAT

Static NATs are used to give assigned computers access to the Internet. The router is connected to a series of computers with private addresses and holds a table of public addresses, one for each private address, so that the computers can communicate with public addresses on the Internet. Each entry in the table maps one individual device that has a private address.
If a computer is not in the translation table of a router with static NAT, that computer is not assigned a public address and is denied access to the Internet. With static NAT we can translate between IP networks that have the same number of IPs. A special case is when both networks contain just one IP (i.e. the netmask is 255.255.255.255). The entire translation process can be written as one line containing a few simple logic operations:

(new-address) = (new-network) OR (old-address AND (NOT netmask))

In addition, no information about the state of connections needs to be kept.
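The following Python implementation of this rule is an added example by the editor, not code from the report. It applies the one-line formula in both directions, which is what makes static NAT stateless, and checks it against the 138.201.148 to 94.64.15 example the report gives next and against the /32 special case. The network and mask values are the report's; the function and class names are the editor's.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def static_translate(old_address: str, new_network: str, netmask: str) -> str:
    """The report's one-line static NAT rule:
        new-address = new-network OR (old-address AND NOT netmask)
    The host part of old_address is kept; the network part is replaced."""
    old = int(ipaddress.IPv4Address(old_address))
    net = int(ipaddress.IPv4Address(new_network))
    mask = int(ipaddress.IPv4Address(netmask))
    host_part = old & (~mask & MASK32)
    return str(ipaddress.IPv4Address((net & mask) | host_part))


def is_inside(address: str, network: str, netmask: str) -> bool:
    """A static NAT only touches packets whose address lies in the configured network."""
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network(f"{network}/{netmask}")


class StaticNat:
    """Stateless one-to-one NAT between two networks of equal size.

    Outbound packets have their source rewritten from inside_net to outside_net;
    inbound packets have their destination rewritten the other way. No table is
    kept: both directions are the same arithmetic with the networks swapped."""

    def __init__(self, inside_net: str, outside_net: str, netmask: str):
        self.inside_net = inside_net
        self.outside_net = outside_net
        self.netmask = netmask

    def outbound_source(self, inside_src: str) -> str:
        """Source address to write into a packet leaving the private network."""
        return static_translate(inside_src, self.outside_net, self.netmask)

    def inbound_destination(self, outside_dst: str) -> str:
        """Destination address to write into a packet entering the private network."""
        return static_translate(outside_dst, self.inside_net, self.netmask)


if __name__ == "__main__":
    nat = StaticNat("138.201.148.0", "94.64.15.0", "255.255.255.0")
    print(nat.outbound_source("138.201.148.27"))          # 94.64.15.27
    print(nat.inbound_destination("94.64.15.27"))         # 138.201.148.27
    print(static_translate("10.0.0.1", "200.0.0.1", "255.255.255.255"))  # /32 case
```

With a /32 mask the host part is empty, so the rule degenerates to replacing the whole address, which is exactly the one-host-to-one-address mapping used in the simulation at the end of the report.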
Connections from outside the network to an inside host appear to have a different IP than on the inside, so static NAT is almost completely transparent. Example: translate all IPs in network 138.201.148 to IPs in network 94.64.15. The netmask is 255.255.255.0 for both. 138.201.148.27 is translated to 94.64.15.27, etc. Fig. 1. Example of static NAT.

Dynamic NAT

Dynamic NATs are used in cases where hosts do not always need access to the Internet. A pool of public addresses is configured at the router, from which private addresses can temporarily be assigned a public one.
This scenario is more cost-effective and is beneficial when only temporary access for a private address is needed. A smaller number of public addresses can serve a larger number of private addresses, which allows larger networks to purchase fewer public addresses. The primary problem with dynamic NAT is that when all public addresses in the pool are in use at the same time, no further private address can be assigned a public address until one becomes available. Dynamic NAT is necessary when the number of IPs on the two sides of the NAT is not equal.
The number of hosts communicating at once is limited by the number of NAT IPs available. When all NAT IPs are in use, no other connections can be translated and the NAT router must reject them. Dynamic NAT is more complex than static NAT because the communicating hosts and their connections must be tracked: the router has to inspect the traffic (for example TCP connection state) to know when a mapping is still in use and when it can be released. Dynamic NAT may also be useful when there are enough NAT IPs. Some people use this feature as a security measure: someone outside the network cannot predict which NAT IP will lead to a given host behind a dynamic NAT router.
They would have to watch the connections that take place, and the next time the same host may connect using a completely different IP. Connections from outside are only possible while the host still has an entry in the dynamic NAT table, where the NAT router keeps track of internal IPs and the NAT IP each is mapped to. For non-passive (active) FTP sessions, where the server establishes the data channel, this is not a problem, because when the server sends its packets to the FTP client there is already an entry for the client in the NAT table; the NAT must still rewrite the inside address carried in the client's PORT command, which is discussed with the FTP issues below.
It is also extremely likely that the table still contains the same client-IP to NAT-IP mapping that was there when the client opened the control channel. However, there are two scenarios if an outsider wants to establish a connection to a certain inside host at an arbitrary time: either the inside host has no entry in the NAT table and is therefore unreachable, or it has an entry only because it happens to be communicating with the outside at that moment. In the second case the NAT IP is known, but not which internal host is behind it, nor for how long.
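As an added illustration (editor's code, not from the report), the pool behaviour of dynamic NAT, including the two scenarios just described, can be modelled in a few lines of Python. The pool and inside addresses come from the report's example of translating 138.201 to 178.201.112, which follows; the idle timeout, and the choice to hand back expired addresses at the end of the pool, are assumptions, since the report only says that mappings are temporary.

```python
import ipaddress


class PoolExhausted(Exception):
    """No free NAT address is left: the new connection has to be rejected."""


class DynamicNat:
    """Dynamic NAT: an inside host borrows an address from a pool while it is active.

    The mapping is created by outbound traffic, reused while the host keeps talking,
    and returned to the pool after idle_timeout seconds without traffic (the timeout
    value is an assumption; the report only says mappings are temporary)."""

    def __init__(self, pool: str, idle_timeout: float = 300.0):
        self.free = [str(h) for h in ipaddress.IPv4Network(pool).hosts()]
        self.idle_timeout = idle_timeout
        self.inside_to_nat = {}   # inside IP -> NAT IP currently assigned
        self.nat_to_inside = {}   # NAT IP -> inside IP (for the return direction)
        self.last_used = {}       # inside IP -> time of last packet in either direction

    def outbound(self, inside_ip: str, now: float) -> str:
        """Translate the source of an outbound packet; allocate a pool address if needed."""
        self.expire(now)
        nat_ip = self.inside_to_nat.get(inside_ip)
        if nat_ip is None:
            if not self.free:
                raise PoolExhausted(f"no NAT address left for {inside_ip}")
            nat_ip = self.free.pop(0)
            self.inside_to_nat[inside_ip] = nat_ip
            self.nat_to_inside[nat_ip] = inside_ip
        self.last_used[inside_ip] = now
        return nat_ip

    def inbound(self, nat_ip: str, now: float):
        """Translate the destination of an inbound packet.

        Returns the inside host currently behind nat_ip, or None when no entry exists,
        in which case the packet cannot be delivered and is dropped."""
        self.expire(now)
        inside_ip = self.nat_to_inside.get(nat_ip)
        if inside_ip is not None:
            self.last_used[inside_ip] = now
        return inside_ip

    def expire(self, now: float) -> None:
        """Release mappings that have been idle longer than idle_timeout."""
        for inside_ip, last in list(self.last_used.items()):
            if now - last > self.idle_timeout:
                nat_ip = self.inside_to_nat.pop(inside_ip)
                del self.nat_to_inside[nat_ip]
                del self.last_used[inside_ip]
                self.free.append(nat_ip)


if __name__ == "__main__":
    nat = DynamicNat("178.201.112.0/24", idle_timeout=60)
    print(nat.outbound("138.201.148.27", now=0))      # first free pool address
    print(nat.inbound("178.201.112.1", now=5))        # reachable while the entry lives
    print(nat.inbound("178.201.112.1", now=500))      # None: entry expired, host unreachable
```

Note that `inbound` returns None both for an address that was never handed out and for one whose entry has expired; from the outside the two cases are indistinguishable, which is the property the text above describes.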
Example: dynamically translate all IPs in the (class B) network 138.201 to IPs in the (class C) network 178.201.112. Each new connection from the inside is assigned an IP from the pool of class C addresses, as long as there are unused addresses left. If a mapping already exists for the internal host, that one is used instead. As long as the mapping exists, the internal host can be reached via the IP that has been assigned to it. Fig. 2. Example of dynamic NAT.

Port Address Translation

NAT with Port Address Translation (PAT) is the third iteration of network address translation.
PAT connects multiple private addresses to one single public address, using port numbers on the router to distinguish between the hosts. A private host connects through a router configured for PAT; the router assigns the public address together with a port number that corresponds to the private host, and keeps track of which ports are in use by each private host in its translation table. In the previous NAT types there is, for each transaction, a one-to-one mapping between the Inside Local address of a device and the Inside Global address that represents it to the public network.
Unfortunately, this is not efficient for serving a large number of hosts when the number of registered public addresses is small. Port-based NAT overcomes this problem by translating the port number in the TCP or UDP header as well as the IP address. The datagram is sent out with a different source address and port; the response comes back to this same address and port combination (socket) and is translated back again. Since this technique allows multiple Inside Local addresses to share a single Inside Global address, it is called overloading of an Inside Global address, or overloaded NAT.
Other names for this type include port-based NAT and Network Address Port Translation (NAPT). If two private hosts use the same source port towards the public address, the router assigns the next available port number to the second one. Using PAT, ports 1025 through 65535 give 64511 translation slots per transport protocol on one public address; since each inside host normally has many connections open at once, the number of hosts that can actually share an address is considerably smaller. If all ports of a public address are in use, the router assigns new hosts to another public address, reusing the port range.
This form of network address translation lowers the number of public addresses that must be purchased to serve a large number of hosts. It is a significant advantage over static NAT or dynamic NAT, which map each public address to a single inside host at a time. Incoming connections are not possible with plain PAT, because an entry in the masquerading table of the NAT device is only valid while the connection that created it is active. Additional measures can be taken to enable incoming connections.
A NAT device can be set up so that it relays all connections coming in from the outside to a host on the inside. However, because there is just one IP visible outside, enabling incoming connections for the same service on different inside hosts means the NAT device must listen on a different port for each of them, which is most inconvenient. The only clean solution is to have as many external IPs as there are inside hosts offering that service. An external IP can still be shared by different services, each remapped to a different internal IP by the NAT. Example: masquerade the internal network 138.201 using the NAT router's own address.
For each outgoing packet the source IP is replaced by the router's (external) IP, and the source port is exchanged for an unused port from the range reserved exclusively for masquerading on the router. If the destination IP of an incoming packet is the router's own IP and the destination port is inside the range used for masquerading, the NAT router checks its masquerading table to see whether the packet belongs to a masqueraded session; if so, the destination IP and port of the internal host are inserted and the packet is sent to the internal host. Fig. 3. Example of PAT.
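The masquerading table just described, as an added Python model (editor's code, not the report's): outbound flows get a port from the reserved range, the return direction is matched on the remote endpoint as well as the port, unsolicited packets are dropped, and the permanent entries mentioned earlier are kept as port forwards that the allocator never hands out. The router's external address 203.0.113.1 and the remote hosts in 198.51.100.0/24 are assumed values from the documentation address blocks; the inside addresses come from the report's 138.201 example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The fields a NAPT device keys on: transport protocol plus both sockets."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortsExhausted(Exception):
    """Every port in the masquerading range is in use."""


class Masquerade:
    """NAPT/PAT: many inside hosts share the router's single external address."""

    def __init__(self, external_ip: str, first_port: int = 1025, last_port: int = 65535):
        self.external_ip = external_ip
        self.next_port = first_port
        self.last_port = last_port
        self.recycled = []        # ports freed by closed sessions, reused first
        self.forwards = {}        # (proto, external port) -> (inside IP, inside port), static entries
        self.outbound_map = {}    # (proto, inside IP, inside port) -> external port
        self.inbound_map = {}     # (proto, external port, remote IP, remote port) -> (inside IP, inside port)

    def add_port_forward(self, proto: str, external_port: int, inside_ip: str, inside_port: int) -> None:
        """Permanent entry so that the outside can reach one designated inside host."""
        self.forwards[(proto, external_port)] = (inside_ip, inside_port)

    def _allocate_port(self, proto: str) -> int:
        while self.recycled:
            port = self.recycled.pop()
            if (proto, port) not in self.forwards:
                return port
        while self.next_port <= self.last_port:
            port = self.next_port
            self.next_port += 1
            if (proto, port) not in self.forwards:   # never hand out a forwarded port
                return port
        raise PortsExhausted(f"no masquerading port left on {self.external_ip}")

    def outbound(self, flow: Flow) -> Flow:
        """Rewrite an inside->outside packet; create the table entry if it is new."""
        key = (flow.proto, flow.src_ip, flow.src_port)
        nat_port = self.outbound_map.get(key)
        if nat_port is None:
            nat_port = self._allocate_port(flow.proto)
            self.outbound_map[key] = nat_port
        # The return entry includes the remote endpoint, so only the peer that was
        # contacted can send packets back through this port.
        self.inbound_map[(flow.proto, nat_port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(flow.proto, self.external_ip, nat_port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow):
        """Rewrite an outside->inside packet, or return None when it must be dropped."""
        if flow.dst_ip != self.external_ip:
            return None
        target = self.inbound_map.get((flow.proto, flow.dst_port, flow.src_ip, flow.src_port))
        if target is None:
            target = self.forwards.get((flow.proto, flow.dst_port))
        if target is None:
            return None   # unsolicited: no session and no port forward
        return Flow(flow.proto, flow.src_ip, flow.src_port, target[0], target[1])

    def close(self, flow: Flow) -> None:
        """Session ended (FIN/RST seen or timer expired): drop the entries, recycle the port."""
        nat_port = self.outbound_map.pop((flow.proto, flow.src_ip, flow.src_port), None)
        if nat_port is not None:
            self.inbound_map.pop((flow.proto, nat_port, flow.dst_ip, flow.dst_port), None)
            self.recycled.append(nat_port)
```

Keying the return entry on the remote endpoint makes this the most restrictive of the common NAPT behaviours; devices that match on the external port alone are more permissive towards peer-to-peer traffic and correspondingly less so as a filter.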
Unidirectional NAT

NAT was designed assuming that a client-server (request-response) communication would begin with a datagram sent from the local network to the global one. For this reason, the first type of NAT is sometimes called unidirectional, outbound or traditional NAT.

Bidirectional NAT

This is an enhanced NAT version that allows devices on the outside network to initiate a transaction with one of the machines in the local network. This type of NAT is called bidirectional NAT, two-way NAT or inbound NAT.
All of these names convey the concept that it allows transactions in both directions. The problem with inbound NAT is that external devices cannot know the addresses of the nodes in the local network. This is called the "hidden addresses" problem. There are two methods to solve it: use static mapping for devices on the inside network that need to be accessed externally, in which case the global address of the statically mapped device is publicly known; or make use of the Domain Name System (DNS).
This allows requests to be sent using names instead of IP addresses. The basic process can be simplified as follows. The outside device sends a DNS request using the name of the device on the inside network, e.g. "www.st-andrews.ac.uk". The DNS server for the internal network resolves "www.st-andrews.ac.uk" into an Inside Local address. The Inside Local address is passed to the NAT and used to create a dynamic mapping between the Inside Local address of the server being accessed from the outside and an Inside Global address. This mapping is put into the NAT's translation table.
When the DNS reply is sent back, it carries the Inside Global address, so the outside device learns an address for the server it is seeking that the NAT can translate.

Advantages of NAT

Public IP address sharing: A large number of hosts can share a small number of public IP addresses. This saves money and conserves IP address space; it also allows more systems to be connected than the address space alone would permit, and home networks with many devices are an important area that benefited from this.

Easier expansion: Since local network devices are privately addressed and a public IP address isn't needed for each one, it is easy to add new clients to the local network.
Greater local control: Administrators keep the control benefits of a private network, and its hosts can still connect to the Internet.

Greater flexibility in ISP service: Changing the organization's Internet Service Provider (ISP) is easier because only the public addresses change. It isn't necessary to renumber all the client machines on the network.

Increased security: The NAT translation represents a level of indirection, and a stateful NAT device only passes inbound packets that match an existing entry, so it behaves like a basic firewall between the organization's network and the public Internet.
It is more difficult for client devices to be accessed directly by someone malicious, because the clients don't have publicly known IP addresses. This should not be relied on as the only control: a statically mapped or port-forwarded host is exposed like any public host, and the filtering itself can be done by a firewall whether or not addresses are translated.

Transparency: NAT implementation is mostly transparent, because the changes take place in one or perhaps a few routers. The dozens or hundreds of hosts themselves don't need to be changed.

Disadvantages of NAT

Checksum: Changing an IP address or a TCP port changes other fields, such as the checksums. Many protocols and applications also carry IP addresses within their data fields.
Changing the IP address in the header could therefore change the meaning of the encapsulated data. The IP header checksum must be recalculated whenever the source or destination address changes, because it is computed over the entire header; the TCP and UDP checksums must be recalculated too, because they cover a pseudo-header containing the source and destination addresses as well as the ports.

Complexity: NAT adds one more complexity to setting up and managing the network, and makes troubleshooting more confusing because of the address substitutions.

Lack of public addresses: Certain functions won't work properly due to the lack of a "real" IP address on the client hosts.
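To make the checksum point concrete, here is an added Python example (editor's code, not part of the report) that builds an IPv4 header, rewrites its source address the way a one-to-one NAT would, and recomputes the header checksum both by summing the whole header again and by the incremental update of RFC 1624; it also shows that the TCP checksum changes with the address because of the pseudo-header. The addresses 10.0.0.1 and 200.0.0.1 are taken from the simulation at the end of the report; the destination 198.51.100.7 and the TCP segment are constructed sample input.

```python
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def ipv4_header(src: str, dst: str, total_length: int, proto: int = 6, ttl: int = 64) -> bytes:
    """A 20-byte IPv4 header without options, with a valid header checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, ttl, proto,
                         0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", checksum(fields)) + fields[12:]


def header_is_valid(header: bytes) -> bool:
    """A receiver's check: the sum over the whole header, checksum included, must be all ones."""
    return ones_complement_sum(header) == 0xFFFF


def rewrite_source_full(header: bytes, new_src: str) -> bytes:
    """Replace the source address, then recompute the checksum over the entire header."""
    h = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]
    h = h[:10] + b"\x00\x00" + h[12:]
    return h[:10] + struct.pack("!H", checksum(h)) + h[12:]


def incremental_checksum(old_csum: int, old_words, new_words) -> int:
    """RFC 1624, equation 3: HC' = ~(~HC + ~m + m'), one 16-bit word m -> m' at a time.
    Only the changed words are needed, so a NAT can avoid re-summing the header."""
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_source_incremental(header: bytes, new_src: str) -> bytes:
    """Same result as rewrite_source_full, touching only the address and checksum fields."""
    old_csum = struct.unpack("!H", header[10:12])[0]
    new_packed = ipaddress.IPv4Address(new_src).packed
    new_csum = incremental_checksum(old_csum, struct.unpack("!HH", header[12:16]),
                                    struct.unpack("!HH", new_packed))
    return header[:10] + struct.pack("!H", new_csum) + new_packed + header[16:]


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over the pseudo-header (addresses, protocol, length) plus the segment,
    whose own checksum field must be zero. Because the addresses are part of it, a NAT
    has to update this checksum as well, not just the one in the IP header."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return checksum(pseudo + segment)


def sample_tcp_syn(src_port: int = 40000, dst_port: int = 80) -> bytes:
    """A constructed 20-byte TCP SYN with the checksum field zeroed (sample input, not a capture)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 0x50, 0x02, 65535, 0, 0)


if __name__ == "__main__":
    original = ipv4_header("10.0.0.1", "198.51.100.7", 40)
    translated = rewrite_source_full(original, "200.0.0.1")
    print(header_is_valid(original), header_is_valid(translated))
    print(rewrite_source_incremental(original, "200.0.0.1") == translated)
    seg = sample_tcp_syn()
    print(hex(tcp_checksum("10.0.0.1", "198.51.100.7", seg)),
          hex(tcp_checksum("200.0.0.1", "198.51.100.7", seg)))
```

The incremental form is what high-throughput translators use; the full recomputation is the reference against which it must agree, and a NAT that forgets the transport checksum produces packets the far end silently discards, which shows up as "works for ICMP, fails for TCP" during troubleshooting.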
Security protocols: Protocols like IPsec are designed to detect modifications to headers and commonly balk at the changes that NAT makes, since they cannot distinguish those changes from malicious tampering with the datagram: AH authenticates the addresses themselves, and ESP in transport mode hides the TCP/UDP checksum that the NAT would need to update. It is still possible to combine NAT and IPsec, but this requires extra measures such as encapsulating ESP in UDP (NAT traversal) and is more complicated. NAT also poses a problem for security systems, especially networks protected by intrusion detection systems (IDS) and intrusion prevention systems (IPS): on the outside of the NAT every inside host appears with the same address, so an alert cannot be attributed to a host without the NAT's translation log for that moment.

Poor support for client access: NAT makes legitimate access to clients on the local network difficult, and peer-to-peer applications are harder to set up. To address this issue, a socially enhanced NAT was proposed that combines social network topologies with traditional NAT architecture to better integrate peer-to-peer communication through NATed networks. This allows incoming connections from trusted parties, resolving one of the central criticisms of the NAT approach.

Performance reduction: The address translation itself, together with the extra work required (recalculating checksums), adds processing overhead.

Fragmentation: Fragmentation is another issue with NAT.
IP makes no guarantee that packets are delivered in order, so the first fragment might not arrive at the NAT before later fragments. If a packet destined for a certain port is fragmented somewhere in the network before it reaches the NAT, the transport header containing the source and destination port numbers is present only in the first fragment, and that fragment alone can be translated and forwarded on its own. The NAT has no way to tell from a later fragment how it must be translated. Therefore the NAT must keep state, keyed by the IP identification field and the addresses, so that subsequent fragments are translated the same way as the first.
If fragments arrive out of order, the NAT must hold them until the first fragment arrives so that it can be examined.

Encryption: NAT cannot operate on encrypted headers. For NAT to function, the IP addresses and ports, and any copies of them embedded in the payload, must be in the clear; if those fields are encrypted the NAT has no way of reading or rewriting them. Encryption of payload data that carries no addresses, such as TLS above TCP, is unaffected.

SMTP: For the Simple Mail Transfer Protocol (SMTP), the NAT examines the appropriate fields within SMTP messages and translates any IP addresses it finds. SMTP messages can use IP address literals rather than names when requesting mail transfers, even though they normally contain domain names, not IP addresses.
Problems with NAT

Network address translation has some major drawbacks in terms of the quality of Internet connectivity. All types of NAT break the originally envisioned model of IP end-to-end connectivity across the Internet, and PAT makes it difficult for systems behind a NAT to accept incoming communications. As a result, NAT traversal methods have been devised to alleviate these issues. The File Transfer Protocol (FTP) uses two connections: the control connection, which is initiated by the client, and the data connection, which in active mode is initiated by the server.
The sequence of events for setting up an FTP session and transferring a file presents a problem for some secured networks. It is common practice to configure a firewall to disallow the initiation of connections from outside. This is done by looking for a TCP segment with the SYN bit set and the ACK bit clear, which indicates a connection request. When an FTP server tries to establish the data connection to the client across such a firewall, the connection is denied. To overcome this, the client can use the PASV command instead of a PORT command to open the data connection.
The server then passively opens a data port and informs the client of the port number, and the client actively opens the data connection to that server port. The connection is not blocked because the connection request is outgoing through the firewall rather than incoming. The PORT and PASV commands carry port numbers and IP addresses in the payload. If they cross a NAT, those addresses must be translated too, and when an address is translated the message size can change, because the IP address is encoded in ASCII in its dotted-decimal form and is therefore not of fixed length.
If the size of the message remains the same, the NAT only recalculates the TCP checksum. If the message becomes smaller, the NAT can pad the message with ASCII zeros to keep it the same size as the original. If the message becomes larger, the problem is more complicated, because the TCP SEQ and ACK numbers are based on the lengths of the TCP segments, so every later segment in that direction and every acknowledgement coming back must be adjusted. The NAT keeps a table tracking the SEQ and ACK numbers: whenever an FTP message crosses the NAT, the table records the source and destination IP addresses and ports, the initial sequence number, and a time stamp, and this is used to correctly adjust the SEQ and ACK numbers in subsequent segments.
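The following Python sketch of the FTP part of such a table is an added example by the editor, not code from the report. It rewrites a client's PORT command with the NAT's external address and port, records the resulting change in length, and adjusts later sequence numbers from the client and acknowledgement numbers from the server accordingly, so it covers both the growing and the shrinking case without padding. The inside address 10.0.0.1 and outside address 200.0.0.1 are the report's simulation addresses; the data port numbers are assumptions, and a server's PASV reply in the other direction would be handled symmetrically.

```python
import re

SEQ_MASK = 0xFFFFFFFF
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def seq_after(a: int, b: int) -> bool:
    """True if sequence number a is at or after b, comparing modulo 2^32."""
    return ((a - b) & SEQ_MASK) < 0x80000000


def encode_port_argument(ip: str, port: int) -> bytes:
    """FTP's h1,h2,h3,h4,p1,p2 form, where port = p1*256 + p2."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)]).encode("ascii")


def decode_port_argument(groups) -> tuple:
    ip = ".".join(g.decode("ascii") for g in groups[:4])
    return ip, int(groups[4]) * 256 + int(groups[5])


class FtpControlState:
    """Per-control-connection state a NAT keeps for an FTP client on the inside.

    adjustments holds (original seq of the first byte after a rewritten command,
    cumulative byte delta from then on). Client segments at or past a boundary are
    shifted by that delta; the server's ACKs are shifted back by the same amount."""

    def __init__(self):
        self.adjustments =[]

    def _delta(self, seq: int) -> int:
        delta = 0
        for boundary, cumulative in self.adjustments:
            if seq_after(seq, boundary):
                delta = cumulative
        return delta

    def outbound_seq(self, seq: int) -> int:
        """Sequence number to write into a client->server segment."""
        return (seq + self._delta(seq)) & SEQ_MASK

    def inbound_ack(self, ack: int) -> int:
        """The server acknowledges translated bytes; convert back to the client's numbering."""
        delta = 0
        for boundary, cumulative in self.adjustments:
            if seq_after(ack, (boundary + cumulative) & SEQ_MASK):
                delta = cumulative
        return (ack - delta) & SEQ_MASK

    def translate_port_command(self, seq: int, payload: bytes, nat_ip: str, nat_port: int):
        """Rewrite a client->server segment carrying PORT.

        Returns (new seq, new payload, mapping) where mapping is
        ((nat_ip, nat_port), (inside_ip, inside_port)), or None if it was not a PORT."""
        new_seq = self.outbound_seq(seq)          # deltas from earlier rewrites still apply
        match = PORT_RE.match(payload)
        if match is None:
            return new_seq, payload, None
        inside_ip, inside_port = decode_port_argument(match.groups())
        new_payload = b"PORT " + encode_port_argument(nat_ip, nat_port) + b"\r\n"
        change = len(new_payload) - len(payload)  # positive: grew, negative: shrank
        boundary = (seq + len(payload)) & SEQ_MASK
        if change and all(b != boundary for b, _ in self.adjustments):   # ignore retransmits
            previous = self.adjustments[-1][1] if self.adjustments else 0
            self.adjustments.append((boundary, previous + change))
        # The NAT must now also expect the server's data connection on nat_ip:nat_port
        # and relay it to inside_ip:inside_port; that entry belongs in the NAPT table.
        return new_seq, new_payload, ((nat_ip, nat_port), (inside_ip, inside_port))


if __name__ == "__main__":
    state = FtpControlState()
    print(state.translate_port_command(1000, b"PORT 10,0,0,1,19,136\r\n", "200.0.0.1", 40000))
    print(state.outbound_seq(1022), state.inbound_ack(1023))   # 1023 and 1022
```

The boundary is recorded in the client's original numbering and compared modulo 2^32, so the adjustment survives sequence-number wraparound; a real implementation would also age these entries out with the time stamp the report mentions.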
IPv6

IPv6 provides a long-term solution to the address space crunch that was the underlying reason for the widespread adoption of NAT. The lack of address space resulted in demand for IP addresses that was proportionately higher than the supply. This led to a squeeze, and prices were skyrocketing, which made it all the more sensible for organizations to turn to NAT as a cost-cutting tool.
In this way, the address space constraint of IPv4 fuelled the popularity and widespread usage of NAT. If an organization could not obtain enough IP addresses, it could share them: it could number the local network from a private range and map the internal IP addresses to real IP addresses at the border, so that online communication still worked. Internet Protocol version 6 (IPv6) eliminates the need for NAT by offering a much larger address space, which allows every network resource to have its own unique, real IP address.
In this way, IPv6 strikes at the very root of the problem for which NAT provided a solution. IPv6 offers a significantly larger address space, allowing greater flexibility in assigning unique addresses over the Internet. IPv4 (the currently used standard protocol over the Internet, carrying the bulk of network traffic) provides 32 bits of address space, while IPv6 offers 128 bits, supporting 2^128, about 3.4 x 10^38 or 340 billion billion billion billion, unique IP addresses.
This allows permanent unique addresses for all the individuals and hardware connected to the Internet, and the extended address length eliminates the need for techniques such as NAT to avoid running out of addresses. The escalating demand for IP addresses was the driving force behind the development of IPv6. According to industry estimates, in the wireless domain more than a billion mobile phones, personal digital assistants (PDAs) and other wireless devices will require Internet access, and each will need its own unique IP address.
Moreover, billions of new, always-on Internet appliances for the home, ranging from the TV to the refrigerator, will also come online through different technologies, and each of these devices will also require its own unique IP address. With the exponentially increasing demand for IP addresses, the world is fast outgrowing IPv4 and waiting to embrace IPv6. IPv6 thus does away with the need to use network address translation to make up for the address space crunch by creating local IP addresses on the LAN and mapping them to the real IP addresses used on the Internet.
IPv6 was also designed with IPsec as part of the base protocol suite, which is meant to allay the fear that giving every network resource a static, globally reachable address throws it open to attack. The security argument is often used in defense of network address translation; however, the core principle of the Internet is end-to-end connectivity between network resources, and this principle is violated by the widespread use of NAT. The protection NAT users actually rely on, dropping unsolicited inbound packets, is a stateful firewall function that can be applied to IPv6 hosts without translating their addresses. In this context, IPv6 provides a long-term solution to the address space crunch as well as to the security concerns of Internet users.
For all practical purposes, IPv6 offers an almost endless supply of IP addresses that can be allocated to the exponentially increasing number of devices being added to the Internet every day. This large pool will provide an abundant supply of usable addresses that easily matches the demand, and this equilibrium will bring Internet address prices back to normal levels.

Simulation

The simulation traces packets sent to and from hosts inside a NAT to a host located outside it, through a router with a configured static NAT, to show how the router assigns the IP addresses of those packets.
The topology used for the simulation is three hosts linked to a router with a configured static NAT over an Ethernet link. Each link is assigned its own private IP, which is used within the router's translation table to determine which packets belong to each host after the private IP has been translated into an IP usable outside the NAT. Fig. 4. Topology of the simulation. After the topology is correctly set up, the static NAT table must be manually configured on the router's console.
Fig. 5. NAT table configuration. Configuring the table permanently assigns outside IP addresses to the links associated with hosts on the inside of the static NAT. A Wireshark packet capture can now be used to show that the IP addresses of packets from the inside of the NAT change as they are routed. A ping message is sent from the inside of the NAT using the Internet Control Message Protocol (ICMP) and captured on the outside link of the NAT router. Fig. 6. Ping packet capture of the outside link.
Wireshark shows that a ping sent from the host with private address 10.0.0.1 is seen as a ping from 200.0.0.1 on the outside NAT link. This shows that the packet is properly translated from a local private IP address into an IP address that is recognizable outside the NAT.

References

Egevang, K., and P. Francis. The IP Network Address Translator (NAT). RFC 1631. Cray Communications, NTT, 1994. Web. 25 Mar. 2013.
Droms, R. Dynamic Host Configuration Protocol. RFC 2131. Bucknell University, 1997. Web. 25 Mar. 2013.
Dorton, Doug. Introduction to Network Address Translation. WebJunction, 2012. Web. 25 Mar. 2013.
Wikipedia contributors. "Network address translation." Wikipedia, The Free Encyclopedia. 17 Mar. 2013.
Hasenstein, Michael. "IP Network Address Translation." http://hasenstein.com. 5 Dec. 1997. Web. 25 Mar. 2013.
Zhang, Lixia. A Retrospective View of Network Address Translation. Los Angeles: University of California, 2008. Web. 25 Mar. 2013.
Doyle, Jeff, and Jennifer Carroll. "NAT Issues." ciscopress.com. Cisco Press, 8 Feb. 2002. Web. 25 Mar. 2013.