Network Address Translation

Network Address Translation (NAT) is the collective term in computer networking for procedures that automatically replace the address information in packets with other address information in order to connect different networks. NAT is therefore typically performed on routers.


NAT types

NAT is divided into Source NAT (SNAT) and Destination NAT (DNAT). With source NAT the address of the computer that establishes the connection is rewritten; with destination NAT the address of the computer being addressed is changed.

Using NAT

Using Source NAT

Source NAT became widespread because of the scarcity of public IPv4 addresses and the resulting tendency to connect private subnets to the Internet. The simplest solution to this problem was usually NAT, which lets many private IP addresses share a single public IP address; because port numbers are 16 bits wide, the mapping is limited to roughly 65,000 simultaneous sessions (Port Address Translation entries) per public address and transport protocol (see Disadvantages).

In private or low-budget network installations in particular, source NAT is used as a security feature and as a means of separating the internal from the external network. A NAT installation does achieve this effect superficially, because hosts behind it are not reachable from outside without an explicit mapping, but it can replace neither a security infrastructure nor effective measures for separating networks. In professional settings the source NAT function of a router is therefore often supplemented by an Application Layer Gateway (ALG) running alongside it.

Using Destination NAT

Destination NAT is used, for example, to offer several different server services that run on different computers under a single public IP address.

It is also sometimes used in hotspots to redirect web accesses, before the user has logged in, to the computer that provides the login application (a captive portal).

Operation

NAT router, NAT Session and NAT Table

A system performing NAT is stateful and is also called a NAT router. For each connection established through it, the NAT router starts a NAT session. It stores the associated connection information (IP addresses, ports and timeouts) in its NAT table. Using this stored information the NAT router can assign each response packet to the correct client. After a NAT session ends, its entry is removed from the NAT table. The number of sessions a NAT router can hold open at the same time is limited by the capacity of the hardware and software used in it.

Source NAT

For every connection from an internal client, the internal source IP address is replaced by the public IP address of the router. In addition, the client's source port is replaced by a free port of the router. This mapping is stored in the router's NAT table. The process is called PAT (Port Address Translation), also known as NAPT.

Source NAT and IP routing on the example

In this example the private network uses the address range 192.168.0.0/24. Between this network and the public Internet there is a source NAT router with the public address 205.0.0.2/32.

General routing is still required when sender and receiver are in different networks. If a station connected through a source NAT router wants to send a packet to a receiver outside its private network, for example to a Telnet server somewhere on the Internet, the communication works (in simplified form) as follows. First the station determines the nearest router for the desired destination (see routing table), here the source NAT router, then learns that router's MAC address via ARP and builds a packet: the destination MAC address is that of the source NAT router; the destination IP address is the receiver's (here 170.0.0.1) with destination port 23 for the Telnet server; the source MAC and IP address are the sender's (here 192.168.0.4) with a source port chosen from the free ports (here 1001) for this Telnet session; then follows the payload. The source NAT router receives and processes the packet because it is addressed to its MAC address. It forwards the packet in modified form: using the receiver's IP address it determines the next router, learns its MAC address via ARP and rebuilds the packet as follows. The destination MAC address is now that of the next router; the destination IP address (170.0.0.1) and destination port (23) are unchanged; the source MAC and IP address are now those of the source NAT router's public interface (205.0.0.2), with a free source port from the router's pool (here 4806); the payload stays the same, and the IP and TCP checksums are recomputed to match. The association between the original sender tuple (192.168.0.4:1001) and the new tuple (205.0.0.2:4806) is kept in the router's NAT table until the Telnet session expires or is terminated. With NAT the packet is therefore changed substantially at layer 3 (IP) and, because of the port rewrite, at layer 4 as well.

Subsequent IP routers change the packet only at layer 2: each router determines the next router, learns its MAC address via ARP and rewrites the frame so that the destination MAC address is that of the next router and the source MAC address is its own. The receiver's IP address (170.0.0.1), destination port 23, the source IP address of the source NAT router (205.0.0.2), its source port 4806 and the payload are preserved; at layer 3 (IP) the packet is not changed here. This repeats until the last router finds the destination station in a directly connected network; the packet then carries the last router's MAC address as source, the destination station's MAC address as destination, the receiver's IP address (170.0.0.1), destination port 23, the source IP address of the source NAT router (205.0.0.2), its source port 4806 and the payload.

After the Telnet server has processed the request, the response is assembled as follows: the MAC address of the router responsible for the return path (the return route is not necessarily the same), the IP address of the requesting source NAT router (205.0.0.2) as destination with destination port 4806, the MAC and IP address of the Telnet server (170.0.0.1) with its source port 23 as source, and the response data. After passing through all routers the packet reaches the source NAT router (205.0.0.2), which looks up 205.0.0.2:4806 in its NAT table and delivers it to the requesting computer with that computer's MAC and IP address (192.168.0.4) and port 1001 as destination, the MAC address of the source NAT router as source, the Telnet server's IP address (170.0.0.1) and source port 23 unchanged, followed by the response data. When this Telnet session ends, the router's port 4806 is released for reuse (and the client frees its port 1001).

Destination NAT

For each connection from a client to the published address, the destination IP address is replaced by the address of the actual recipient in the LAN. The destination port can be replaced as well, if the service listens on a different port internally than the one published. This mapping is stored in the router's NAT table, so that the recipient's replies are rewritten back to the public address and port before they leave the router.
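The source NAT worked example above (192.168.0.4:1001 to 170.0.0.1:23 through 205.0.0.2:4806) and the destination NAT described here, as one added example in Python that is not part of the article. It models only the layer 3/4 fields NAT rewrites and a stateful NAT table indexed from both directions; the sequential port pool starting at 4806, the internal web server 192.168.0.10:8443 behind public port 443 and the remote client 198.51.100.7:51000 are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterator, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass(frozen=True)
class Packet:
    """Only the layer 3/4 fields NAT touches; MAC addresses are rewritten hop by hop anyway."""
    proto: str
    src: Endpoint
    dst: Endpoint
    payload: bytes = b""


class NatRouter:
    """Stateful NAT router: PAT-style source NAT for outbound flows, static destination NAT for published services."""

    def __init__(self, public_ip: str, lan: str, port_pool: Optional[Iterator[int]] = None):
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan)
        # assumption: free router ports are handed out sequentially from 4806 (the port the worked example uses)
        self._free_ports = port_pool if port_pool is not None else iter(range(4806, 65536))
        # NAT table, one entry per session, indexed from both directions
        self._out: Dict[Tuple[str, Endpoint, Endpoint], int] = {}   # (proto, internal src, remote) -> public port
        self._in: Dict[Tuple[str, int, Endpoint], Endpoint] = {}    # (proto, public port, remote) -> internal src
        self._dnat: Dict[Tuple[str, int], Endpoint] = {}            # (proto, public port) -> internal server

    def publish(self, proto: str, public_port: int, server: Endpoint) -> None:
        """Destination NAT rule: traffic to public_ip:public_port is delivered to an internal server."""
        self._dnat[(proto, public_port)] = server

    def _internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.lan

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet crossing the router; None means it is dropped (no session and no rule)."""
        if self._internal(pkt.src[0]) and not self._internal(pkt.dst[0]):
            return self._outbound(pkt)
        if pkt.dst[0] == self.public_ip and not self._internal(pkt.src[0]):
            return self._inbound(pkt)
        return None

    def _outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.dst)
        port = self._out.get(key)
        if port is None:                       # new session: allocate a router port and record the mapping
            port = next(self._free_ports)
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst)] = pkt.src
        return replace(pkt, src=(self.public_ip, port))   # source NAT: internal tuple -> public tuple

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        proto, remote, public_port = pkt.proto, pkt.src, pkt.dst[1]
        internal = self._in.get((proto, public_port, remote))
        if internal is None:                   # no session: is this a published service?
            internal = self._dnat.get((proto, public_port))
            if internal is None:
                return None                    # unsolicited inbound packet: nothing to map it to
            # record the session so the server's replies are rewritten back to public_ip:public_port
            self._out[(proto, internal, remote)] = public_port
            self._in[(proto, public_port, remote)] = internal
        return replace(pkt, dst=internal)      # reply to a session, or destination NAT to the server

    def close(self, proto: str, internal: Endpoint, remote: Endpoint) -> None:
        """Session ended (FIN/RST or timeout): remove the NAT table entry."""
        port = self._out.pop((proto, internal, remote), None)
        if port is not None:
            self._in.pop((proto, port, remote), None)

    def sessions(self) -> int:
        return len(self._out)


def telnet_example():
    """Replays the worked example: 192.168.0.4:1001 -> 170.0.0.1:23 via 205.0.0.2, plus a stray reply."""
    nat = NatRouter("205.0.0.2", "192.168.0.0/24")
    out = nat.forward(Packet("tcp", ("192.168.0.4", 1001), ("170.0.0.1", 23), b"login"))
    reply = nat.forward(Packet("tcp", ("170.0.0.1", 23), out.src, b"Password:"))
    stray = nat.forward(Packet("tcp", ("170.0.0.1", 23), ("205.0.0.2", 4807)))   # no session: dropped
    return out, reply, stray


def dnat_example():
    """Constructed destination NAT case: public port 443 published to an assumed internal server."""
    nat = NatRouter("205.0.0.2", "192.168.0.0/24")
    nat.publish("tcp", 443, ("192.168.0.10", 8443))
    inbound = nat.forward(Packet("tcp", ("198.51.100.7", 51000), ("205.0.0.2", 443)))
    answer = nat.forward(Packet("tcp", ("192.168.0.10", 8443), ("198.51.100.7", 51000)))
    return inbound, answer
```

`forward` returns `None` for an inbound packet that matches neither a session nor a published port, which is the behaviour the article later lists under disadvantages: without a NAT table entry the router has no way to decide where an unsolicited connection should go.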

Categorization

RFC 3489, which describes the NAT traversal protocol STUN, sorts NAT gateways into four classes that are often used outside the STUN context for classification:

  • Full cone NAT: once an internal address and port have been mapped to a public address and port, any external host can reach the internal host by sending to that public tuple.
  • Restricted cone NAT: only external hosts (by IP address) to which the internal host has already sent a packet may send to the mapped public tuple.
  • Port-restricted cone NAT: as above, but the external host must also use the same source port the internal host sent to.
  • Symmetric NAT: a separate mapping is created for each destination address and port, and only the host that received a packet from it may answer through that mapping.

In modern NAT systems these prototypical scenarios are only a rough guide for classifying the individual behaviours of a gateway. Implementations partly use mixtures of the classical approaches or switch dynamically between two or more behaviour patterns. RFC 3489 has been superseded by RFC 5389, which no longer attempts this categorization; NAT behaviour is instead described in terms of separate mapping and filtering properties (see RFC 4787).

Benefits

  • The IP addresses of one network can be hidden from another network. NAT can therefore contribute to network security, although only as obscurity: hosts behind it remain reachable through any explicit mapping, misconfiguration or traversal technique, so it is no substitute for a firewall.

Disadvantages

  • NAT is often regarded only as a stopgap for the shortage of IPv4 addresses, especially for network installations that are not permanently connected.
  • The biggest problem with NAT is that the clean assignment "one host, one unique IP address" is no longer respected. Rewriting protocol headers resembles a man-in-the-middle attack, so older protocols and in particular encryption and integrity mechanisms at the network and transport layer have problems with it by design (for example IPsec AH, whose integrity check covers the IP addresses that NAT rewrites). Protocol complications with NAT are described in RFC 3027.
  • Network services that use out-of-band signalling and reverse channels, such as IP telephony protocols, likewise suffer complications from NAT gateways.
  • NAT gateways break the strict layer separation of the OSI model: a layer 3 device rewrites layer 4 ports and, with an ALG, application data.
  • End-to-end connectivity is broken, since the NAT gateway cannot determine the destination of incoming connections on its own.

NAT Traversal

NAT traversal refers to techniques for establishing and maintaining connections across NAT gateways. Because Network Address Translation breaks end-to-end connectivity, applications that connect client to client (for example peer-to-peer and IP telephony applications or network games) typically need NAT traversal techniques. Several techniques exist, not all of which work in every situation, because NAT behaviour is not standardized. Many techniques require the help of a server that is directly reachable from the public Internet by both parties. Some methods use such a server only to set up the connection; others relay all traffic of the connection through this auxiliary server, which increases data transfer cost and latency and is therefore detrimental to real-time applications.

Most behaviour-based methods circumvent corporate security policies. In corporate networks, techniques are therefore preferred that explicitly cooperate with NAT and firewalls and allow administrative control at the NAT gateway. The most promising standards for this are Realm-Specific IP (RSIP) and Middlebox Communication (MIDCOM).

SOCKS, the oldest NAT traversal protocol, is still widespread. In home and small office use, Universal Plug and Play (UPnP) is supported by most NAT gateways; note that UPnP lets any host on the LAN open inbound port mappings without authentication, so it should be disabled where that is not wanted. NAT-T is commonly used by IPsec VPN clients to carry Encapsulating Security Payload (ESP) packets through NAT by wrapping them in UDP.

STUN is an example of a NAT traversal protocol.
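The STUN Binding exchange, as an added example in Python that is not part of the article: a client builds a Binding Request, the STUN server answers with the client's reflexive transport address (the public address and port the NAT exposed), and the client compares it with its local address to learn whether it is behind NAT. The wire format follows RFC 5389 (20-byte header with magic cookie, TLV attributes padded to 4 bytes, XOR-MAPPED-ADDRESS); the server response here is constructed locally rather than received over the network, and the 192.168.0.4:1001 / 205.0.0.2:4806 pair reuses the article's worked example.

```python
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442          # fixed RFC 5389 value in every message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # RFC 3489 form: address in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 form: address XORed with the magic cookie


def binding_request(txn_id: Optional[bytes] = None) -> bytes:
    """20-byte STUN header with no attributes: type, length, magic cookie, 96-bit transaction ID."""
    txn_id = txn_id if txn_id is not None else os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)


def xor_mapped_address(ip: str, port: int) -> bytes:
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute, as a STUN server would put it in the response."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, x_port, x_addr)   # reserved, family IPv4, X-Port, X-Address
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def binding_response(txn_id: bytes, ip: str, port: int) -> bytes:
    """Binding Success Response carrying the reflexive address (constructed here, stands in for a real server)."""
    attrs = xor_mapped_address(ip, port)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, txn_id) + attrs


def parse_reflexive_address(msg: bytes, expected_txn: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a Binding Success Response, or None if it is not a valid answer to our request."""
    if len(msg) < 20:
        return None
    mtype, length, cookie, txn = struct.unpack("!HHI12s", msg[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or txn != expected_txn or len(msg) < 20 + length:
        return None
    body, pos = msg[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) < alen:                      # truncated attribute
            return None
        pos += 4 + ((alen + 3) & ~3)               # attribute values are padded to a 4-byte boundary
        if atype == ATTR_XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            x_port, x_addr = struct.unpack("!HI", value[2:8])
            return socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE)), x_port ^ (MAGIC_COOKIE >> 16)
        if atype == ATTR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:   # legacy, not XORed
            port, addr = struct.unpack("!HI", value[2:8])
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    return None


def behind_nat(local: Tuple[str, int], reflexive: Tuple[str, int]) -> bool:
    """The NAT rewrote our tuple if the server saw something other than our own address and port."""
    return local != reflexive


def demo() -> Optional[Tuple[str, int]]:
    """Constructed exchange: the client of the worked example appears to the STUN server as 205.0.0.2:4806."""
    txn = bytes(range(12))                         # fixed transaction ID so the run is reproducible
    request = binding_request(txn)
    assert len(request) == 20
    response = binding_response(txn, "205.0.0.2", 4806)
    return parse_reflexive_address(response, txn)
```

The transaction ID check is what ties a response to the request the client actually sent; the parser rejects anything else. XOR-MAPPED-ADDRESS exists because some ALGs rewrite every IPv4 address they find in a payload, which mangled the plain MAPPED-ADDRESS of RFC 3489; XORing with the magic cookie keeps the reflexive address out of their sight.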
