Basic Principles and Applications of NAT

1 Overview

1.1 Introduction

1.1.1 Glossary

Public IP address: also called a global address, a public IP address is a valid, globally unique IP address allocated by a NIC (Network Information Center) or an ISP (Internet Service Provider). On the public network it represents one or more internal IP addresses and is the uniformly recognised address by which they can be reached.

Private IP address: also called an internal address, a private address is an unregistered address used only inside an organization. The Internet Assigned Numbers Authority (IANA) reserves three address blocks as private IP addresses:

10.0.0.0 --- 10.20.255.255

172.16.0.0 --- 172.16.255.255

192.168.0.0 --- 192.168.255.255

Address pool: a set of external (globally unique) IP addresses is called an address pool. When a packet from the internal network passes through address translation on its way to the external network, one address from the pool is chosen as the packet's source IP address. This makes effective use of the organization's external addresses and improves its ability to reach external networks.

1.1.2 About NAT

NAT stands for Network Address Translation. It is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet behind one public IP address. As the name suggests, it is a technique that translates internal private network addresses into valid public network addresses, as shown in the figure. NAT can therefore, to a certain extent, relieve the shortage of public addresses.

Put simply, NAT lets the LAN use internal addresses within the intranet. When an internal node needs to communicate with the external network, its internal address is replaced with a public address at the gateway, rather like a single gate to a courtyard, so that the external public network (the Internet) can be used normally. NAT allows multiple computers to share one Internet connection, which addresses the shortage of public IP addresses: an organization can apply for a single valid IP address and still connect all the computers in its LAN to the Internet. NAT also shields the internal network: all intranet computers are invisible to the public network, and intranet users are generally unaware that NAT exists, as shown in the figure. The internal address referred to here is the private IP address assigned to a node in the internal network; it is valid only inside that network and is not routed across the Internet.

NAT is usually integrated into routers, firewalls, ISDN routers or standalone NAT devices. Cisco routers, for example, already include the function, so a network administrator only needs to configure NAT in the router's IOS to shield the internal network. Similarly, a firewall might map the internal address 192.168.1.1 of a web server to the external address 202.96.23.11; an external client that connects to 202.96.23.11 is in fact reaching 192.168.1.1. For small enterprises with limited budgets, the function can also be implemented in software: both Windows 98 SE and Windows 2000 include it.

1.2 Categories

There are three types of NAT: static NAT, dynamic NAT, and Network Address Port Translation (NAPT).

1.2.1 Static NAT

With static NAT, the administrator manually maps a public address and port to a specific private network address and port so that Internet clients can reach it. A static mapping is required when computers on the Internet must use servers (such as web servers) or applications (such as games) hosted on the private network. Static mappings are never removed from the NAT translation table.
Only when a mapping exists in the NAT translation table does NAT forward data from the Internet into the private network. In this way NAT provides some protection for computers on the private network. For Internet-facing security, however, NAT must be used together with a full-featured firewall.

In the network topology above, when intranet host 10.1.1.1 needs to communicate with Internet host 201.0.0.11, packets from 10.1.1.1 pass through the router, which looks up the NAT table and changes the packet's source IP address (10.1.1.1) to the corresponding global IP address (201.0.0.1); the destination address 201.0.0.11 is left unchanged, so the packet can reach 201.0.0.11. When the packet returned by host B (IP 201.0.0.11) arrives at the router connected to the intranet, the router again consults the NAT table and changes the packet's destination IP address to 10.1.1.1, so the intranet host receives the packet sent by the Internet host. In static NAT, internal IP addresses and public IP addresses form a one-to-one mapping. The precondition for using this method is therefore that the organization can obtain a sufficient number of global IP addresses.

1.2.2 Dynamic NAT

Dynamic NAT translates only IP addresses. It assigns a temporary external IP address to each internal IP address and is mainly used for dial-up connections. Dynamic NAT also suits frequent remote connections: when a remote user connects, dynamic NAT assigns the user an IP address, and when the user disconnects, the address is released for reuse.

Dynamic NAT suits an organization that has obtained only a few global IP addresses but has many internal hosts: intranet host IP addresses map many-to-one onto the global IP addresses. When a packet enters or leaves the intranet, the NAT device processes it exactly as in static NAT; the difference is that the entries in the NAT table are dynamic. If an intranet host does not communicate with the external network for a certain period, its address mapping is deleted, and the global IP address is assigned to the next new flow, creating a new mapping entry in the NAT table.

1.2.3 Network Address and Port Translation (NAPT)

Network Address Port Translation (NAPT) maps internal addresses to different ports of a single IP address on the external network, which lets it hide a small or medium-sized network behind one valid IP address. Unlike dynamic NAT, NAPT maps internal connections to one external IP address and adds a port number chosen by the NAT device to that address.

NAPT is the most common form of translation. It comprises two translation directions: SNAT and DNAT.

(1) Source NAT (SNAT) modifies the source address of a packet. Source NAT changes the source address of the first packet of a connection and is always performed before the packet is sent out to the network. Packet masquerading is an example of SNAT.

(2) Destination NAT (DNAT) modifies the destination address of a packet. Destination NAT is the reverse of SNAT: it changes the destination address of the first packet of a connection and is used for load balancing, port forwarding and transparent proxying.

Source NAT example: in the network topology above there are many intranet hosts, but the organization has only one valid IP address. When intranet host 10.1.1.3 sends a packet out, the gateway modifies the packet's IP address and TCP/UDP port number. For example:

Source IP Address: 10.1.1.3

Source Port: 1493

is changed to

Source IP Address: 201.0.0.1

Source Port: 1492 (note: the translated source port may be the same as or different from the original one)

When the Internet host (201.0.0.11) replies to the intranet host (10.1.1.3):

Destination IP Address: 201.0.0.1

Destination Port: 1492

is changed to

Destination IP Address: 10.1.1.3

Destination Port: 1493

In this way, by modifying both the IP address and the port, all hosts on the intranet can access the Internet. This kind of NAT suits an organization that has only one valid IP address, and it is also a special case of dynamic NAT.

Destination NAT example: this method applies when servers on the intranet must provide services to the Internet. In the topology above, for example, the intranet server group (IP addresses 10.1.1.1, 10.1.1.2, 10.1.1.3 and so on) needs to provide web services to the Internet. When Internet host B accesses the intranet, the packet it sends has destination IP address 10.1.1.127 and port 80. When the packet arrives at the router connected to the intranet, the router's NAT function looks up the NAT table and modifies the destination IP address and port, so that packets from the Internet are spread evenly over the different hosts (10.1.1.1, 10.1.1.2, 10.1.1.3), achieving load balancing.

2 NAT Principle

2.1 Address Translation

The basic principle of NAT is this: when an IP packet exchanged between a private network host and a public network host passes through the NAT gateway, the gateway translates the packet's source or destination IP address between the private IP address and the public IP address of the NAT gateway.

As shown in the figure, the NAT gateway has two network ports. The public-side port has the uniformly assigned public IP address 202.20.65.5; the private-side port has the reserved address 192.168.1.1. Host 192.168.1.2 on the private network sends an IP packet (dst = 202.20.65.4, src = 192.168.1.2) to host 202.20.65.4 on the public network.

When the IP packet passes through the NAT gateway, the gateway translates its source IP address into the gateway's public IP address and forwards it to the public network. The forwarded packet (dst = 202.20.65.4, src = 202.20.65.5) then contains no private IP information. Because the source address has been translated into the gateway's public IP address, the response packet (dst = 202.20.65.5, src = 202.20.65.4) sent by the web server is delivered to the NAT gateway.

The NAT gateway then translates the destination IP address of that packet into the address of the host on the private network and forwards the packet (dst = 192.168.1.2, src = 202.20.65.4) into the private network. To both parties, the address translation is completely transparent. The translation is shown in the figure.

If the request packet sent by the intranet host were not translated by NAT, then when the web server received it, the destination address of its response would be a private IP address, which cannot be delivered correctly on the Internet, and the connection would fail.

2.2 Connection Tracking

In the process above, when the NAT gateway receives a response packet it must decide to whom to forward it. If there are only a few clients in the subnet, they can be specified manually using static NAT. But if there are many clients on the intranet, each accessing different web sites, connection tracking is needed, as shown in the figure:

When the NAT gateway receives a request packet from a client, it translates the source address and saves a connection record. When it then receives the response packet from the server, it looks up the tracking table, determines the forwarding target, translates the destination address and forwards the packet to the client.

2.3 Port Translation

Consider first a single client accessing the server: the NAT gateway can make the two communicate simply by changing the packet's source IP address (outbound) or destination IP address (inbound). But if client A and client B access the web server at the same time, the NAT gateway cannot tell from the address alone which client a response packet should be forwarded to, as shown in the figure.

The NAT gateway therefore adds port information to the connection-tracking entry to tell the two apart. If the two clients use different source ports when accessing the same server, recording the port in the tracking table is enough to distinguish them. If the source ports are identical, the source port itself must be translated along with the address, in both the SNAT and the DNAT direction, as shown in the figure.
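As an added example (not code from the original article), the following Python model implements the NAPT behaviour described in sections 1.2.3, 2.2 and 2.3: a connection-tracking table keyed on both addresses and ports, source-port rewriting only when two clients collide on the same port, and dropping of inbound packets that match no entry (defect 3 in section 4). The addresses reuse the page's topology (gateway 201.0.0.1, server 201.0.0.11, hosts 10.1.1.x); the traffic in demo() is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NaptGateway:
    """Toy NAPT gateway: SNAT on the way out, reverse lookup on the way back."""

    def __init__(self, public_ip: str, first_spare_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_spare_port
        # conntrack, outbound view: (priv ip, priv port, srv ip, srv port) -> public port
        self.outbound = {}
        # conntrack, inbound view: (public port, srv ip, srv port) -> (priv ip, priv port)
        self.inbound = {}

    def _pick_port(self, wanted: int, dst_ip: str, dst_port: int) -> int:
        # Keep the client's own source port if no tracked flow to this server uses it yet
        if (wanted, dst_ip, dst_port) not in self.inbound:
            return wanted
        # Collision (section 2.3): another client chose the same port, so rewrite it too
        while (self.next_port, dst_ip, dst_port) in self.inbound:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def outbound_translate(self, pkt: Packet) -> Packet:
        # Client -> server: rewrite source ip/port and record the flow.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = self._pick_port(pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def inbound_translate(self, pkt: Packet) -> Optional[Packet]:
        # Server -> client: rewrite destination; drop anything without an entry (defect 3)
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

def demo():
    # Constructed traffic: two intranet clients pick the same source port 1493.
    gw = NaptGateway("201.0.0.1")
    a = gw.outbound_translate(Packet("10.1.1.3", 1493, "201.0.0.11", 80))
    b = gw.outbound_translate(Packet("10.1.1.2", 1493, "201.0.0.11", 80))
    reply_a = gw.inbound_translate(Packet("201.0.0.11", 80, "201.0.0.1", a.src_port))
    reply_b = gw.inbound_translate(Packet("201.0.0.11", 80, "201.0.0.1", b.src_port))
    stray = gw.inbound_translate(Packet("201.0.0.11", 80, "201.0.0.1", 9999))
    return a, b, reply_a, reply_b, stray
```

Client A keeps port 1493, client B is moved to the first spare port, each reply is routed back to the right private host, and a packet for an untracked port is dropped rather than forwarded anywhere.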

3 Applications

NAT provides the following functions: packet masquerading, load balancing, port forwarding and transparent proxying.

Packet masquerading: the address information in intranet packets is rewritten to a single external address, so intranet hosts are not exposed directly on the Internet and their security is improved. The same function is commonly used for Internet connection sharing. For example, when an intranet host accesses the Internet, its private address is replaced with a global address, which hides the intranet topology.

Port forwarding: when an intranet host provides a service to the outside, it cannot be reached directly from the Internet because it uses an internal private IP address. Port forwarding on the gateway therefore forwards packets for a specific service to the intranet host. For example, Mr. Wang runs a web site on his server, whose IP address is 192.168.0.5, on the default port 80, and he wants users outside the LAN to reach it directly. NAT solves this easily: if the public IP address in front of the server is 210.59.120.89, a port, say 81, is allocated to the server, and every request to 210.59.120.89:81 is automatically directed to 192.168.0.5:80, transparently to users.

Load balancing: destination address translation can redirect connections for a busy server to other, randomly chosen servers. Section 1.2.3 gives an example of destination NAT used this way.

Failover: NAT can be used to provide highly reliable services. If a system's key server is reached through a router, and the router detects that the server is down, it can use destination address translation to switch connections transparently to a backup server, improving system reliability.

Transparent proxy: for example, when the space on the server you have set up is insufficient, you may need to point some links at space on another server; or a computer that has no IIS service installed may still need to make its content available to users. In such cases IIS web-site redirection can easily do this for us.
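As an added example, not the article's own code, this Python model shows the DNAT applications listed above: port forwarding of 210.59.120.89:81 to 192.168.0.5:80, round-robin load balancing of port 80 across the server group 10.1.1.1 to 10.1.1.3 from section 1.2.3, and failover away from a backend marked down. Placing both rules on one gateway is a constructed scenario, as is the client traffic in demo().

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class DnatGateway:
    """Toy DNAT gateway: rewrite the destination of packets arriving from the Internet."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.rules = {}      # public port -> list of (private ip, private port) backends
        self.rr = {}         # public port -> round-robin cursor
        self.down = set()    # backends the gateway has detected as down
        self.flows = {}      # (client ip, client port, public port) -> chosen backend

    def add_rule(self, public_port: int, backends) -> None:
        self.rules[public_port] = list(backends)
        self.rr[public_port] = 0

    def _pick_backend(self, public_port: int):
        # Round-robin over the rule's backends, skipping any that are down (failover).
        backends = self.rules[public_port]
        for _ in range(len(backends)):
            choice = backends[self.rr[public_port] % len(backends)]
            self.rr[public_port] += 1
            if choice not in self.down:
                return choice
        return None

    def translate(self, pkt: Packet) -> Optional[Packet]:
        # Only ports with a rule are reachable; everything else is dropped (defect 2).
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.rules:
            return None
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        backend = self.flows.get(flow)
        if backend is None or backend in self.down:
            backend = self._pick_backend(pkt.dst_port)
            if backend is None:
                return None
            self.flows[flow] = backend  # keep later packets of this flow on one server
        return Packet(pkt.src_ip, pkt.src_port, backend[0], backend[1])

def demo():
    # Constructed scenario: one gateway carries both the forwarding and the balancing rule.
    gw = DnatGateway("210.59.120.89")
    gw.add_rule(81, [("192.168.0.5", 80)])                                   # port forwarding
    gw.add_rule(80, [("10.1.1.1", 80), ("10.1.1.2", 80), ("10.1.1.3", 80)])  # load balancing
    fwd = gw.translate(Packet("201.0.0.11", 40000, "210.59.120.89", 81))
    web = [gw.translate(Packet("201.0.0.11", 50000 + i, "210.59.120.89", 80)) for i in range(3)]
    gw.down.add(("10.1.1.1", 80))  # the router detects the first server is down
    moved = gw.translate(Packet("201.0.0.11", 50000, "210.59.120.89", 80))
    closed = gw.translate(Packet("201.0.0.11", 40001, "210.59.120.89", 22))
    return fwd, web, moved, closed
```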

4 NAT Defects

NAT seemed perfect at first, but as networks developed and new applications appeared one after another, its shortcomings became apparent. The defects of NAT show mainly in the following areas:

(1) Cannot handle embedded IP addresses or ports

A NAT device cannot translate IP addresses or port information embedded in application data; it translates only the addresses in the IP header and the ports in the TCP/UDP header. If the peer uses an IP address and port carried inside the received payload to communicate, the connection may fail. When both parties use public IP addresses this causes no problem, but if the embedded address and port belong to the intranet, the connection obviously cannot be established, for the reason given at the beginning. Some functions of MSN Messenger transmit IP and port information in this way, which causes connection failures for client applications behind a NAT device.

(2) Cannot access internal network services from the public network

Because the intranet uses private IP addresses, services on the internal network, such as web services, cannot be accessed directly from the public network. The usual remedy is a static mapping. Suppose, for example, a static mapping maps 218.70.201.185:80 to 192.168.0.88:80. When a public network user wants to access the internal web server, it connects to 218.70.201.185:80; the NAT device passes the request to 192.168.0.88:80, 192.168.0.88 returns its response to the NAT device, and the NAT device forwards the response to the public network user.

(3) Some applications send data on port A but receive data on port B. The NAT device is unaware of this during translation and creates a mapping for port A only. When the peer's response arrives for port B, the NAT device finds no matching mapping entry and discards the packet.

(4) Some P2P applications cannot work behind NAT

For P2P applications that have no intermediate server (such as video conferencing and entertainment applications), the two parties cannot establish a connection if both are behind NAT devices. Because there is no intermediate server to relay traffic, a P2P program behind a NAT device has no mapping entry on that device, so the peer cannot initiate a connection to it. A family of techniques known as P2P NAT traversal now exists to address this problem.

5 Conclusion

NAT has undeniably played a role in mitigating the shortage of IPv4 address resources, and it has brought real benefits by reducing the cost of ISP services and by providing load balancing. IPv4 addresses will nevertheless be exhausted within a few years, and NAT cannot change the fundamental fact that the address space is too small. It also poses potential threats to security mechanisms and creates challenges in configuration and management. IPv6 is the only fundamental way to resolve the IP address shortage; during the transition from IPv4 to IPv6, however, NAT is a good choice with clear advantages over other solutions.
