

									Project Report                                                       Tim Kaddoura


       Human population is growing exponentially, the global digital divide is
slowly but surely narrowing, and the internet is predicted to remain among the
most popular technologies of the future. What does this mean for network service
providers? Are they obliged to adopt IPv6 quickly, even though migrating to a
whole new network infrastructure takes years? Network Address Translation is the
ideal interim solution.
       In this report, I will discuss the reasons why NAT is a viable solution for
the extension of the IP address format, its security benefits in current networks,
and its advantages/disadvantages to current systems software, such as SNMP.

                   IP Address Allocation Overview

       Internet Protocol (IP) addresses act similarly to postal home addresses.
They are the crucial points for allowing one to send/receive messages over a
network. The current network infrastructure around the world uses IP version 4.
What does this mean? It means that an IP address is four bytes long, and so in
theory, the arithmetic shows that there are 2^32 addresses available worldwide for
use. When one considers about 4.3 billion addresses available for use, one
should imagine having about 4.3 billion machines connected to the internet all at
the same time. Is this a far-fetched scenario?
       The IP address scheme is divided into 4 categories (or classes) to clearly
identify large networks from small networks. These classes are named, A, B, C,
and D. The first byte of an IP address determines which class an address
belongs to. All addresses under classes A and B have already been
allocated, leaving only classes C and D not yet fully used. And so the 4.3 billion
figure drops dramatically to almost half, about 2.15 billion network addresses.

CS158B                              Page 1 of 7                          3/25/2005

       “This is the most urgent architectural problem, as it is directly involved in
the ability of the Internet to continue to grow successfully” [3]. And so this is why
the Internet Engineering Task Force (IETF) designed IP version 6 (or Next
Generation Internet Protocol). With IPv6, 6 bytes long, the infrastructure could
theoretically withstand a whopping 2^48 hosts connecting to the internet at the
same time, which means that address exhaustion will no longer be an issue.
However this comes with a costly disadvantage because we are talking about
changing the whole infrastructure. In other words, both hardware and software
will ultimately be affected by the change because the IP header has changed.
       Change is a good thing, but it comes slowly and at a price. Network
Address Translation (NAT) is a solution, currently being widely used, which can
make the transition smoother and more efficient at very low cost. NAT does not
require changing the length of an IP header; instead it rewrites the contents of
the header in such a way that allows one IP address to be used with multiple
hosts at the same time.

             What is Network Address Translation?

       Network address translation (NAT), which operates at the network layer of
the OSI reference model, is the procedure which allows one public (Internet-legal)
address to connect multiple hosts at the same time instead of just one. A great
analogy for this “one to many” relationship is the following scenario: one calls a
hotel using one publicly known phone number to talk to a person, and with the help
of the receptionist, the call is transferred to the desired person at a publicly
unknown phone number. Hence one number is being routed to many phone numbers. NAT
is the receptionist, and it allows for a one-to-one or a many-to-one IP address
translation.
       The process of this kind of mapping can only occur by replacing (or
rewriting) the contents of an IP header. Specifically, the port numbers in the
TCP/UDP header are replaced with the new port assigned by the translation.


This then requires the checksums of both the IP packet and the TCP header to be
recalculated for integrity. These operations occur on a router or switch between
the local and global network.
      NAT is a broad term simply because it comes in many different flavors.
These are: Static NAT, Dynamic NAT, Overloading, and Overlapping. Each
handles an IP address differently depending on the scenario.
      - Static NAT: isn’t particularly useful in terms of multiplexing because it
        works on a “one to one” mapping basis. All it does is connect one
        unregistered private IP address (local) to one registered IP address
        (global). The main reason for this kind of relationship is to allow foreign
        hosts to remotely control the computer behind the Static NAT router, for
        example using SNMP to monitor and control hosts.
      - Dynamic NAT: also uses a “one to one” mapping, similarly to Static
        NAT, but the difference is that it maps one unregistered address
        to one registered address drawn from a group of registered addresses. NAT
        dynamically picks a registered address that isn’t being used by anyone else
        on the network and maps it to the internal address.
      - Overloading: is the most common NAT scenario seen in home and
        small business environments. It involves connecting multiple computers
        using unregistered IP addresses to one single registered IP address.
        This is an efficient and economical way of having multiple computers
        accessing the internet all at the same time. The “one to many”
        mapping is accomplished by using port numbers in a routing table
        (please see diagrams below).
      - Overlapping: this is used when both the internal and external IP
        addresses are registered addresses. The task of the NAT is to safely
        do a translation on both incoming and outgoing messages so as to not
        overlap the same registered IP addresses and cause a conflict on the
      The first diagram depicts the generic NAT translation from private hosts to
public hosts and vice versa [4], and the second diagram shows an Overloading


NAT environment where a pool of private hosts, using unregistered addresses,
connects to the public network through a single registered address [4].


       I have described, with the help of two diagrams, what a NAT router does
to connect a host machine to the outside world. We shall now see, technically,
how this is done inside the router.

                               NAT Operation

       While NAT in some cases, as mentioned above, translates one private
address to one public address, the challenging and most used aspect of NAT is
multiplexing: in other words, making use of the “one to many” relationship by
sending packets from private hosts on the network to public hosts on the internet
using a single registered IP address.
       The IP header, in an incoming/outgoing packet, is used to locate client
computers. The header consists of a source address, a source port, a
destination address, and a destination port. These fields are crucial to defining an
entire TCP/IP connection between two host machines. The address fields ensure


the connection between hosts, and the port fields ensure that each connection is
separately acknowledged.
      Suppose one computer contacts a gateway that connects four different
hosts using the same IP address; how will the gateway know which of the four
computers it should talk to? NAT intelligently changes the fields of the IP header
to make this possible. The changes are made to the source address and port fields
of every outgoing packet. To keep track of the changes that need to be made, the
NAT gateway uses a port mapping table as a reference to relate a local host’s
IP address, real source port, and translated source port to both the destination
address and port.
      Incoming packets from remote computers are then checked by the
NAT gateway against the stored lookup table. The destination address is the same
for every reply, but the port it carries is the one assigned by the NAT gateway on
the outgoing packet. Using the table, that port is matched with the real local
address and source port, and the packet is hence sent to the correct machine.

                                NAT Security

      Internet security has become an integral part of network solutions.
Nowadays, a network product is no longer judged solely by its networking
capabilities, but by its security strengths as well. NAT gateways automatically
provide “built-in” firewall protection due to the way in which they map local
computers. In other words, because NAT uses a mapping table which stores
complete connection information, no incoming message is passed to a local host
unless the packet header has been screened and the values it contains are
matched with those in the table.
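The port mapping table from the NAT Operation section and the screening of incoming packets described just above, as an added Python example that is not part of the original report; the gateway address 203.0.113.1, the local hosts, the remote server and the port range starting at 61000 are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NaptGateway:
    """Overloading NAT as described above: one registered address shared by many
    local hosts, with a port mapping table relating each local flow to the
    translated source port the gateway assigned to it."""
    public_ip: str
    next_port: int = 61000
    # translated port -> (local ip, local port, remote ip, remote port)
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address and port of a packet leaving the private network,
        creating a table entry the first time this flow is seen."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        tport = next((p for p, v in self.table.items() if v == key), None)
        if tport is None:
            tport, self.next_port = self.next_port, self.next_port + 1
            self.table[tport] = key
        return Packet(self.public_ip, tport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Match an incoming packet against the table. Only a reply from the remote
        end recorded for that translated port is forwarded; anything else is
        dropped, which is the 'built-in firewall' effect the text describes."""
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        local_ip, local_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)

if __name__ == "__main__":
    gw = NaptGateway("203.0.113.1")
    a = gw.outbound(Packet("192.168.1.10", 40001, "198.51.100.7", 80))
    b = gw.outbound(Packet("192.168.1.11", 40001, "198.51.100.7", 80))
    print(a, b, sep="\n")
    print(gw.inbound(Packet("198.51.100.7", 80, "203.0.113.1", a.src_port)))   # delivered to .10
    print(gw.inbound(Packet("198.51.100.9", 80, "203.0.113.1", a.src_port)))   # None: unsolicited
```

Two local hosts using the same local port 40001 receive distinct translated ports, and a packet whose source does not match the recorded remote end, or whose port has no table entry, is never forwarded inward.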
      This is effective when a small business wants to avoid being a target of
malicious content. The only way of receiving packets containing malicious
content is for the local machine to actually send a packet of any sort to “Trudy”,


revealing the source port assigned to it by the NAT gateway. And the chances
for this to happen are very minimal compared to having unknown/random

                               NAT with SNMP

       Neither Dynamic NAT nor Overloading reveals the internal host’s real
address to anyone residing beyond its gateway. Unfortunately, SNMP is one
application affected by this, due to the nature of the entities involved in it.
       SNMP requires knowing the “real” source port of the machine if it wants to
either control it or poll information from it. The reason is that SNMP is a
request-based protocol: if it cannot issue get/set requests, then it cannot
function properly. So what is the solution?
       A workaround is to use IBM’s Comprehensive Network Address
Translator (CNAT). It operates directly on SNMP data, managing networks
without having to reconfigure IP addresses [5].


       While we have just observed a disadvantage of using NAT, it is important
to note that CNAT is not needed with other NAT gateways that use “one to one”
mappings (i.e. Static or Overlapping). The advantages of using NAT switches
outnumber the disadvantages.
       Without having to wait for a new IP addressing infrastructure, Network
Address Translation offers secure, shared access to the internet at an
excellent cost. NAT is clearly going to become the de facto standard for shared
internet access.



[1] Address Allocation for Private Internets
[2] The IP Network Address Translator
[3] Towards the Future Internet
[4] How NAT Works
[5] Learning to Live with NAT
