[daily] [network] NAT principle

Source: Internet
Author: User

Written before forwarding:

All along I have had a doubt: with SNAT, if two intranet hosts happen to use the same source port number, what should be done? My own guess is to drop one port number and map the ports together (another idea, of course, is to broadcast the packet to both hosts at the same time, but that would cause security problems and make things convenient for a hacker, so pass). Then the question comes: if, for a particular service, the two sides have agreed on their respective port numbers and the peer service checks the source port, what then?

This article touches on this question and gave me an answer: this is an inherent flaw of NAT. So a mature developer should consider that many people in the world have no public IP, and avoid this design.

That is all. Please read the original text; it is the most complete and systematic article on NAT that I have read. :)

Reprinted from: http://www.cnblogs.com/derrick/p/4052401.html?utm_source=tuicool&utm_medium=referral#undefined

1 Overview

1.1 Introduction

1.1.1 Terminology

Public IP address: also called a global address; a legitimate IP address assigned by the NIC (Network Information Center) or an ISP (Internet Service Provider). To the outside it represents one or more internal local addresses, and it is globally unique and routable.

Private IP address: also called an internal address; an unregistered address reserved for use inside an organization. The Internet Assigned Numbers Authority (IANA) reserves three IP address blocks as private addresses:

10.0.0.0 ——— 10.255.255.255

172.16.0.0 ——— 172.16.255.255

192.168.0.0 ——— 192.168.255.255

Address pool: a set of external (globally unique) IP addresses, which we call an address pool. When a packet from the internal network goes out to the external network through address translation, an address is chosen from the pool as the packet's source IP address. This makes effective use of the user's external addresses and improves the ability to reach the external network.

1.1.2 About NAT

NAT stands for Network Address Translation. It is an IETF (Internet Engineering Task Force) standard that allows a whole organization to appear on the Internet with a single public IP (Internet Protocol) address. As the name implies, it is a technique for translating internal private network addresses into legitimate public IP addresses, as shown in the figure. NAT can therefore, to a certain extent, effectively relieve the shortage of public network addresses.

In short, NAT lets the LAN use internal addresses, and when an internal node communicates with the external network, the gateway (think of it as the exit, like the gate of a yard) replaces the internal address with a public address so that the external public network (the Internet) can be used normally. NAT lets multiple computers share one Internet connection, which addresses the shortage of public IP addresses: an organization only needs to request one legitimate IP address for the whole LAN to access the Internet. NAT also shields the internal network: all intranet computers are invisible to the public network, and intranet users are usually unaware that NAT exists, as shown in the figure. The internal address here means the private IP address assigned to a node inside the internal network; it can only be used inside the internal network and cannot be routed on the Internet.

NAT functionality is usually built into routers, firewalls, ISDN routers or dedicated NAT devices. For example, Cisco routers include this feature; the network administrator only needs to configure NAT in the router's IOS to shield the internal network. As another example, a firewall can map the internal address of a web server, 192.168.1.1, to the external address 202.96.23.11; external access to 202.96.23.11 then actually reaches 192.168.1.1. For small businesses with limited funding, the function can also be provided in software: it is included in Windows 98 SE and Windows 2000.

1.2 Classification

There are three types of NAT: static NAT, dynamic NAT (pooled NAT), and network address port translation, NAPT (port-level NAT).

1.2.1 Static NAT

Static NAT is configured manually: traffic from Internet clients can be mapped to a specific private network address and port. A static mapping is required if computers on the Internet are to use a server on the private network, such as a web server, or applications such as games. Static mappings are never removed from the NAT translation table.
NAT only passes data from the Internet into the private network when a mapping for it exists in the translation table. In this way NAT provides some level of protection for computers on the private network. However, for real Internet security, NAT should be used together with a fully functional firewall.

In the network topology above, when the intranet host 10.1.1.1 wants to communicate with the external host 201.0.0.11, its packet passes through the router; the router looks up the NAT table and changes the packet's source IP address (10.1.1.1) to the corresponding global IP address (201.0.0.1), while the destination IP address 201.0.0.11 stays the same, so the packet can reach 201.0.0.11. When the response from host B (201.0.0.11) arrives at the router connected to the intranet, the router again looks up the NAT table and changes the packet's destination IP address to 10.1.1.1, so the intranet host receives the packet sent from the external host. In static NAT, internal IP addresses and public IP addresses are in a one-to-one mapping, so the precondition is that the organization can obtain enough global IP addresses.

1.2.2 Dynamic NAT

Dynamic NAT is simply address translation in which each internal IP address is assigned a temporary external IP address. It is mainly used for dial-up, and can also be used for frequent remote connections. When a remote user connects, dynamic NAT assigns them an IP address, which is released for later reuse when the user disconnects.

Dynamic NAT suits the case where the organization has only a few global IP addresses but many internal hosts; intranet host IPs and global IPs are in a many-to-one relationship. When packets enter and leave the intranet, the NAT-enabled device handles them the same way as in static NAT, except that the entries in the NAT table are dynamic: if an intranet host does not communicate with the external network for a certain period, its address mapping is deleted, and the global IP address is handed to the next new packet, creating a new NAT table entry.

1.2.3 Network address port translation (NAPT)

Network address port translation (NAPT) maps internal addresses to different ports of a single IP address on the external network. It can hide a small or medium-sized network behind one legitimate IP address. Unlike dynamic NAT, NAPT maps each internal connection to a single IP address on the external network and adds a port number chosen by the NAT device to that address.

NAPT is the most common form of translation, and it includes two kinds: SNAT and DNAT.

(1) Source NAT (SNAT): modifies the source address of the packet. Source NAT rewrites the source address of the first packet of a connection, which always happens before the packet is sent out to the network; packet masquerading is an example of SNAT.

(2) Destination NAT (DNAT): modifies the destination address of the packet. Destination NAT is the opposite of SNAT: it rewrites the destination address of the first packet of a connection, for example for load balancing, port forwarding and transparent proxying.

[Figure: the example in the figure belongs to DNAT.]

Source NAT example: in the topology above there are many hosts on the intranet, but the organization has only one legitimate IP address. When an intranet host (10.1.1.3) sends a packet out, the packet's IP address and TCP/UDP port number need to be modified, for example:

Source IP: 10.1.1.3

Source port: 1493

is changed into

Source IP: 201.0.0.1

Source port: 1492 (note: the translated source port may also be the same as the original)

When the external host (201.0.0.11) responds to the intranet host (10.1.1.3), the response:

Destination IP: 201.0.0.1

Destination port: 1492

is changed into

Destination IP: 10.1.1.3

Destination port: 1493

In this way, by modifying IP addresses and ports, all hosts on the intranet can access the external network. This kind of NAT applies to organizations with only one legitimate IP address, and it is also a special case of dynamic NAT.

Destination NAT example: this approach applies to servers on the intranet that need to provide services to the extranet. In the topology above, the intranet server farm (IP addresses 10.1.1.1, 10.1.1.2, 10.1.1.3, etc.) needs to provide web services to the external network. When the external host B accesses the intranet, the destination IP address of the packets it sends is 10.1.1.127 and the port is 80. When a packet reaches the router connected to the intranet, the router looks up the NAT table and, by modifying the destination IP address and port, distributes the external packets evenly across the different hosts (10.1.1.1, 10.1.1.2, 10.1.1.3, etc.), so that load balancing is achieved.

2 NAT principle

2.1 Address translation

NAT basically works by converting the source or destination IP in the IP packet between the private IP and the NAT public IP when a packet exchanged between a private-network host and a public-network host passes through the NAT gateway.

As shown in the figure, the NAT gateway has two network ports: the public-network port has the allocated public IP 202.20.65.5, and the private-network port has the reserved address 192.168.1.1. Host 192.168.1.2 on the private network sends an IP packet (dst=202.20.65.4, src=192.168.1.2) to host 202.20.65.4 on the public network.

When the packet passes through the NAT gateway, the gateway translates its source IP into the gateway's public IP and forwards it to the public network; the packet (dst=202.20.65.4, src=202.20.65.5) no longer contains any private-network IP information. Because the source IP has been converted to the NAT gateway's public IP, the response packet (dst=202.20.65.5, src=202.20.65.4) emitted by the web server is sent to the NAT gateway.

At this point the NAT gateway translates the packet's destination IP into the IP of the host on the private network and forwards the packet (dst=192.168.1.2, src=202.20.65.4) into the private network. The address conversion is completely transparent to both sides of the communication. The conversion is as follows.

If the request packet sent by the intranet host were not translated by NAT, then when the web server received it, the destination address of its reply would be a private IP address, which cannot be delivered correctly on the Internet, and the connection would fail.

2.2 Connection Tracking

In the process above, when the NAT gateway receives a response packet, it must determine which host to forward it to. If the intranet has only a small number of clients, this can be specified manually with static NAT, but if the intranet has many clients, each visiting different sites, then connection tracking (conntrack) is needed, as shown in the figure:

After the NAT gateway receives a request packet from a client, it performs source address translation and saves a connection record; when it receives the response packet from the server, it looks up the tracking table, determines the forwarding target, performs destination address translation, and forwards the packet to the client.

2.3 Port translation

Take a client accessing a server as an example. When only one client accesses the server, the NAT gateway only needs to change the packet's source or destination IP for communication to work. However, if client A and client B access the web server at the same time, then when the NAT gateway receives a response packet it cannot determine which client to forward it to, as shown in the figure.

At this point the NAT gateway adds port information to the connection tracking entries to tell them apart. If the two clients use different source ports to reach the same server, adding port information to the tracking table is enough to distinguish them; if the source ports are exactly the same, then SNAT and DNAT also translate the source port, as shown in the figure.
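The following is an added example, not code from the original article, that puts sections 1.2.2, 1.2.3 (the source NAT example), 2.2 and 2.3 into one small NAPT gateway with a connection-tracking table. Assumptions that are mine rather than the article's: entries are keyed on the full (private IP, private port, remote IP, remote port) tuple; the host's own source port is kept when it is free and otherwise the lowest unused port from a pool is taken; idle entries are deleted after a timeout, as in dynamic NAT; and an inbound packet with no matching entry is dropped, which is the "one-directional" protection section 1.2.1 mentions and also the reason behind defect (3) in section 4. The addresses are the article's (gateway 201.0.0.1, server 201.0.0.11, intranet hosts 10.1.1.x, source port 1493).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the fields NAT looks at: IP header addresses and TCP/UDP ports."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptGateway:
    """Source NAT with port translation plus a connection-tracking table (assumed design)."""

    def __init__(self, public_ip: str, port_range=(1024, 65535), idle_timeout: float = 300.0):
        self.public_ip = public_ip
        self.lo, self.hi = port_range
        self.idle_timeout = idle_timeout
        # outbound: (priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: (public port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.used_ports: Set[int] = set()
        self.last_seen: Dict[Tuple[str, int, str, int], float] = {}

    def _pick_public_port(self, wanted: int) -> int:
        # Keep the host's own source port when free (the article's note in 1.2.3);
        # when another host already occupies it, allocate the lowest unused port.
        if wanted not in self.used_ports:
            return wanted
        for port in range(self.lo, self.hi + 1):
            if port not in self.used_ports:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def expire(self, now: float) -> int:
        """Dynamic-NAT behaviour: delete entries idle longer than idle_timeout."""
        stale = [k for k, t in self.last_seen.items() if now - t > self.idle_timeout]
        for key in stale:
            pub = self.outbound.pop(key)
            del self.inbound[(pub, key[2], key[3])]
            self.used_ports.discard(pub)
            del self.last_seen[key]
        return len(stale)

    def outbound_snat(self, pkt: Packet, now: float = 0.0) -> Packet:
        """Private -> public: rewrite source IP/port and record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            pub = self._pick_public_port(pkt.src_port)
            self.used_ports.add(pub)
            self.outbound[key] = pub
            self.inbound[(pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        self.last_seen[key] = now
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def inbound_dnat(self, pkt: Packet, now: float = 0.0) -> Optional[Packet]:
        """Public -> private: rewrite destination from the track table; None means dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # no mapping exists: an unsolicited packet is discarded
        priv_ip, priv_port = entry
        self.last_seen[(priv_ip, priv_port, pkt.src_ip, pkt.src_port)] = now
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Two intranet hosts using the same source port 1493 towards the same server."""
    gw = NaptGateway("201.0.0.1")
    server = ("201.0.0.11", 80)
    a = Packet("10.1.1.2", 1493, *server)
    b = Packet("10.1.1.3", 1493, *server)  # same source port as A
    out_a = gw.outbound_snat(a, now=0)     # keeps port 1493
    out_b = gw.outbound_snat(b, now=1)     # 1493 is taken, gets 1024
    reply_a = gw.inbound_dnat(Packet(server[0], server[1], "201.0.0.1", out_a.src_port), now=2)
    reply_b = gw.inbound_dnat(Packet(server[0], server[1], "201.0.0.1", out_b.src_port), now=2)
    stray = gw.inbound_dnat(Packet(server[0], server[1], "201.0.0.1", 4444), now=2)  # no entry
    expired = gw.expire(now=1000)  # both flows idle past the timeout
    return out_a, out_b, reply_a, reply_b, stray, expired


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Host B's packets leave with public port 1024 instead of 1493, which is exactly the situation the preface asks about: a remote service that insists on seeing source port 1493 from both hosts cannot be satisfied, because the gateway has only one public address to share between them.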

3 Applications

NAT can implement several functions: masquerading, load balancing, port forwarding, and transparent proxying.

Masquerading: the address information in intranet packets is replaced with uniform external address information, so intranet hosts are not directly exposed to the Internet, which protects them. The same feature is commonly used to share Internet access. For example, when an intranet host accesses the extranet, its private address is replaced with a global address, which hides the intranet topology.

Port forwarding: when an intranet host offers a service externally, it cannot be reached directly from the external network because it uses an internal private IP address. Port forwarding must therefore be configured on the gateway to forward packets for a particular service to the intranet host. For example, Xiao Wang at the company has set up a website on his server, whose IP address is 192.168.0.5, on the default port 80, and now wants users outside the LAN to be able to reach it directly. With NAT this is easy to solve: the public IP address is 210.59.120.89, and a port, say 81, is assigned to Xiao Wang; all requests to 210.59.120.89:81 are automatically redirected to 192.168.0.5:80, and the process is transparent to the user.

Load balancing: destination address translation NAT can redirect connections for a server to other randomly selected servers. See the destination NAT example in 1.2.3.

Failover: destination address translation NAT can be used to provide highly reliable services. If a system has a critical server reached through a router, then once the router detects that the server has failed, it can use destination NAT to transparently move connections to a backup server, improving system reliability.

Transparent proxy: for example, when the space on one server runs short and some links need to point to space on another server, or when a computer does not have IIS installed but its content should still be reachable, IIS website redirection can easily handle this.
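The following is an added example, not code from the original article, showing the destination NAT side: the port-forwarding rule above (210.59.120.89:81 to 192.168.0.5:80) and the load-balancing example from 1.2.3 (10.1.1.127:80 spread over 10.1.1.1, 10.1.1.2 and 10.1.1.3). Assumptions that are mine rather than the article's: one rule per public (IP, port); a pool with several backends is served round-robin rather than randomly; and a flow, once assigned a backend, stays on it so that a single TCP connection is not split across servers. A packet for a public port with no rule is dropped, which is defect (2) of section 4 seen from the gateway's side.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class DnatGateway:
    """Destination NAT: static port forwarding and round-robin load balancing (assumed design)."""

    def __init__(self) -> None:
        self.pools: Dict[Endpoint, List[Endpoint]] = {}
        self.rr: Dict[Endpoint, Iterator[Endpoint]] = {}
        # flow (client ip, client port, public ip, public port) -> chosen backend
        self.conntrack: Dict[Tuple[str, int, str, int], Endpoint] = {}
        # (backend ip, backend port, client ip, client port) -> public endpoint
        self.reverse: Dict[Tuple[str, int, str, int], Endpoint] = {}

    def add_rule(self, public: Endpoint, backends: List[Endpoint]) -> None:
        self.pools[public] = list(backends)
        self.rr[public] = itertools.cycle(backends)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: pick (or recall) the backend and rewrite the destination."""
        public = (pkt.dst_ip, pkt.dst_port)
        if public not in self.pools:
            return None  # no static mapping: the port is not reachable from outside
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.conntrack:
            backend = next(self.rr[public])
            self.conntrack[flow] = backend
            self.reverse[(backend[0], backend[1], pkt.src_ip, pkt.src_port)] = public
        b_ip, b_port = self.conntrack[flow]
        return Packet(pkt.src_ip, pkt.src_port, b_ip, b_port)

    def outbound_reply(self, pkt: Packet) -> Optional[Packet]:
        """Private -> public: the backend's reply gets the public address back as its source."""
        public = self.reverse.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if public is None:
            return None
        return Packet(public[0], public[1], pkt.dst_ip, pkt.dst_port)


def demo():
    gw = DnatGateway()
    # Port forwarding from section 3: 210.59.120.89:81 -> 192.168.0.5:80
    gw.add_rule(("210.59.120.89", 81), [("192.168.0.5", 80)])
    # Load balancing from section 1.2.3: one advertised address, three web servers
    gw.add_rule(("10.1.1.127", 80), [("10.1.1.1", 80), ("10.1.1.2", 80), ("10.1.1.3", 80)])

    fwd = gw.inbound(Packet("201.0.0.11", 50000, "210.59.120.89", 81))
    fwd_reply = gw.outbound_reply(Packet("192.168.0.5", 80, "201.0.0.11", 50000))

    # Four separate client connections to the balanced address (constructed client ports)
    chosen = [gw.inbound(Packet("201.0.0.11", 40000 + i, "10.1.1.127", 80)).dst_ip for i in range(4)]
    # The first flow, seen again, must stay on the backend it was given
    sticky = gw.inbound(Packet("201.0.0.11", 40000, "10.1.1.127", 80)).dst_ip
    # A port with no rule is not exposed
    blocked = gw.inbound(Packet("201.0.0.11", 50001, "210.59.120.89", 22))
    return fwd, fwd_reply, chosen, sticky, blocked


if __name__ == "__main__":
    for item in demo():
        print(item)
```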

4 NAT Defects

NAT seemed adequate at the very beginning, but with the growth of the network and the emergence of new applications, NAT has also exposed its shortcomings, mainly in the following areas:

(1) Embedded IP addresses or ports cannot be translated

A NAT device cannot translate IP address or port information embedded in the application data; it only translates the address information in the IP header and the port information in the TCP/UDP header. If the other party uses the address and port embedded in the received packet to communicate, the connection fails. If both sides use public IPs this causes no problem, but if the embedded address and port belong to the intranet, the connection obviously cannot be established, for the same reason as stated at the beginning. Some features of MSN Messenger pass IP and port information this way, which causes connection failures for client applications behind a NAT device.
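The following is an added example, not code from the original article, that shows the defect from the defender's side: a check that scans application payloads for private addresses that a plain NAT gateway would leave untouched, which is what an application-layer gateway would have to rewrite and what a network operator can log to explain "works from public IP, fails behind NAT" tickets. The private ranges are the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, i.e. 172.16.0.0 to 172.31.255.255, and 192.168.0.0/16); the sample payloads are constructed for this example, and the "CALLBACK" line is an invented application message, not a real protocol.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# RFC 1918 private blocks (the 172 block is a /12, i.e. 172.16.0.0 to 172.31.255.255)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A dotted quad that is not part of a longer dotted run, optionally followed by :port
ENDPOINT_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\d.])")


def find_embedded_private_endpoints(payload: str) -> List[Tuple[str, Optional[int]]]:
    """Return (ip, port-or-None) for every private address written inside the payload.

    The NAT gateway rewrites only the IP/TCP/UDP headers; anything listed here
    would still reach the peer as an unroutable intranet address.
    """
    hits: List[Tuple[str, Optional[int]]] = []
    for m in ENDPOINT_RE.finditer(payload):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like a quad but is not an address
        if any(ip in net for net in PRIVATE_NETS):
            port = int(m.group(2)) if m.group(2) else None
            hits.append((str(ip), port))
    return hits


# Constructed sample payloads (not captured traffic)
SAMPLE_PAYLOADS: Dict[str, str] = {
    # an invented application telling its peer where to connect back to
    "callback": "CALLBACK 10.1.1.3:1493\r\n",
    # SDP-style connection line, as used by signalling protocols
    "sdp": "c=IN IP4 192.168.1.2\r\nm=audio 49170 RTP/AVP 0\r\n",
    # the same message carrying a public address causes no problem
    "public": "CALLBACK 201.0.0.11:80\r\n",
    # 172.16.5.4 is private, 172.32.0.1 lies outside the /12 and is not
    "edge": "peer 172.16.5.4:2000 and 172.32.0.1:2000\r\n",
}


def demo() -> Dict[str, List[Tuple[str, Optional[int]]]]:
    return {name: find_embedded_private_endpoints(p) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```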

(2) Internal services cannot be reached from the public network

Because the intranet uses private IPs, internal services such as web services cannot be accessed directly from the public network. This can be solved with a static mapping. For example, with a static mapping between 218.70.201.185:80 and 192.168.0.88:80, a public-network user who wants to reach the internal web server first connects to 218.70.201.185:80; the NAT device passes the request to 192.168.0.88:80, 192.168.0.88 returns the response to the NAT device, and the NAT device relays it to the public user.

(3) Some applications send data from port A but receive on port B. The NAT device is unaware of this and only creates a mapping for port A; when the other side's response arrives for port B, the NAT device finds no matching mapping entry and discards the packet.

(4) Some peer-to-peer applications cannot be used behind NAT

For pure peer-to-peer applications without an intermediate server (such as video conferencing, entertainment, etc.), if both users are behind NAT devices, the two sides cannot establish a connection. Because there is no intermediate server to relay, the peer-to-peer program behind a NAT device has no mapping entry on that device, so the other side cannot initiate a connection to you. There is now a technique called peer-to-peer NAT traversal to solve this problem.

5 Conclusion

NAT undeniably plays a mitigating role while IPv4 address resources are scarce, bringing benefits such as reducing the cost of users' requests for ISP services and providing more complete load balancing. But IPv4 addresses will be depleted within a few years, and NAT cannot change the fundamental shortage of IP address space. Moreover, it poses a potential threat to the security mechanism, and it is also a challenge in configuration and management. To fundamentally solve the IP address resource problem, IPv6 is the most fundamental way. NAT is indeed a good choice during the transition from IPv4 to IPv6, and its advantages over other solutions are obvious.
