NAT & PAT
Network Address Translation
Port Address Translation
Two common problems are tackled here:
· Internet Security - this has become the most important goal of network administrators. The first step of any security plan is to make users anonymous.
· Internet Addresses - these are limited, and have become a very valuable commodity.
NAT enhances security by changing the IP address and port of each user, so that the outside world (the Internet) sees them as someone else (much like the Government's witness protection program). Their identities are changed, and they become anonymous. PAT allows groups of users to share one common IP address, which is a Godsend to corporations, small businesses, and the Internet itself, which is running out of available IP addresses. NAT and PAT are very simple, yet extremely powerful concepts.
NAT vs PAT
NAT translates IP addresses only. PAT translates ports only, but is always used with NAT - never alone. This means you can configure a router for pure NAT, or NAT with PAT. Sounds like a movie, eh . . . The "Adventures of Nat and Pat".
NAT (1 to 1 translation) - utilizes source IP addresses and maps them to outside Internet IP addresses. This is also called Static NAT.
NAT with PAT (Many to 1 translation - overload) - utilizes source IP addresses and ports to uniquely identify user workstations by their socket. A socket is simply an IP address and a port number. This allows mapping of up to 65,536 inside "socket" addresses to 1 outside address (hence the term 'overload'). This is also called Dynamic NAT.
NAT with PAT is also given yet another name - NAPT (Network Address Port Translation) and may be used to allow many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers as well as IP addresses.
For example, suppose local private hosts 10.0.0.1 and 10.0.0.2 both send packets from source port 2000. A NAPT device might translate these to a single public IP address 207.29.194.28 but two different source ports, say 2998 and 2999. Response traffic received for port 2998 is routed to 10.0.0.1 while port 2999 traffic is routed to 10.0.0.2.
NAT (Network Address Translation)
Network Address Translation (NAT) is simply that – it takes a network address, and “translates” it to another network address. It is a simple lookup table, where each row is created by a router command with the two addresses. The user address is behind the router on the LAN interface, and the Internet address is sent out across the serial interface.
The NAT table (lookup table) in the router can be configured in two ways. So, for "n" users:
Static NAT - for security - requires n Internet IP addresses - assign unique, unregistered local IP addresses to all users, and use unique Internet addresses as well. Users can all use the same port!!!
Static NAT offers enhanced security - the actual IP address of the user is hidden. A router running NAT (RFC1631) allows the users to maintain anonymity, because their addresses are not sent out to the world. Users will typically use addresses from one of three reserved address spaces, the most famous being the "10" Class A address range.
Source Computer | Source IP Address | NAT Router's IP Address
A               | 10.0.0.1          | 215.37.32.201
B               | 10.0.0.2          | 215.37.32.202
C               | 10.0.0.3          | 215.37.32.203
Dynamic NAT (NAT & PAT) - for overloading - requires 1 outside Internet IP address - assign unique, unregistered local IP addresses to all users. Must use unique ports for each user!!!
Dynamic NAT allows overloading - multiple users access the Internet via one IP address. This is used by Microsoft ICS (Internet Connection Sharing) and by DSL routers that have several home user PCs connected. In fact, every Cable/DSL Broadband Router on the market accomplishes its job with NAT.
Source Computer | Source IP Address | Source Port | NAT Router's IP Address
A               | 10.0.0.1          | 400         | 215.37.32.201
B               | 10.0.0.2          | 50          | 215.37.32.201
C               | 10.0.0.3          | 3750        | 215.37.32.201
Unregistered IP Ranges
IANA has actually set aside specific ranges of IP addresses for use as non-routable internal network addresses. These addresses are considered unregistered (for more information check out RFC 1918: Address Allocation for Private Internets, which defines these address ranges), which means that no company or agency can claim ownership of them and use them on public computers. Routers are designed to not forward unregistered addresses. What this means is that a packet from a computer with an unregistered address could reach a registered destination computer, but the reply would be discarded by the first router it came to.
There is a range for each of the three classes of IP addresses used for networking.
· Range 1 is for Class A: 10.0.0.0 through 10.255.255.255
· Range 2 is Class B: 172.16.0.0 through 172.31.255.255
· Range 3 is Class C: 192.168.0.0 through 192.168.255.255
Although each range is in a different class, there is no requirement that you use any particular range for your internal network. It is good practice though because it greatly diminishes the chance of an IP address conflict.
The following image shows how 3 users can all communicate on the Internet with just one IP address. The router shown must be capable of performing NAT:

NAT Overloading Example
For this example, you have four users (each using non-routable internal network addresses) behind a router with NAT capability. The router has one legal IP address, 215.37.32.203, that it advertises to the Internet, but four unique ports. A remote server may communicate with multiple workstations on this LAN by also using its one IP address but four unique ports.
Source Computer | Source IP Address | Source Port | NAT Router's IP Address | NAT Router's Assigned Port
A               | 192.168.32.10     | 400         | 215.37.32.203           | 1
B               | 192.168.32.13     | 50          | 215.37.32.203           | 2
C               | 192.168.32.15     | 3750        | 215.37.32.203           | 3
D               | 192.168.32.18     | 3750        | 215.37.32.203           | 4
Here's how the overloading works. The key is an "address translation table" set up and stored by the router:
· An internal network (stub domain) has been set up with non-routable IP addresses that were not specifically allocated to that company by IANA.
· The company sets up a router with NAT enabled. The router has a unique IP address given to the company by IANA.
· A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server.
· The router receives the packet from the computer on the stub domain.
· The router saves the computer's non-routable IP address and port number to an address translation table. The router replaces the sending computer's non-routable IP address with the router's IP address. The router also replaces the sending computer's source port - it is simplest to use the row number of that entry in the address translation table. For example, the first entry is for computer A, and that computer's source port (400) is stored, along with the translated port number (1). The translation table now has a mapping of the computer's non-routable IP address and port number along with the router's IP address.
NOTE1: so now, anyone in the outside world communicating with computer A will believe that Computer A's address and port is 215.37.32.203, port 1 (the router's address, with port 1). The router receives the data, translates it to 192.168.32.10, port 400, and delivers it to Computer A via the Ethernet segment.
NOTE2: the port numbers 1, 2, 3, and 4 are reserved "well-known" port numbers (Well-Known ports are those in the range from 1 to 1023). It is unclear how they can instead be used for the purpose of address translation, but apparently it does not cause problems.
· When a packet comes back from the destination computer, the router checks the destination port on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address and destination port to the one saved in the address translation table and sends it to that computer.
· The computer receives the packet from the router and the process repeats as long as the computer is communicating with the external system.
· Since the NAT router now has the computer's source address and source port saved to the address translation table, it will continue to use that same port number for the duration of the connection. A timer is reset each time the router accesses an entry in the table. If the entry is not accessed again before the timer expires, the entry is removed from the table.
As you can see, the NAT router stores the IP address and port number of each computer in the address translation table. It then replaces the IP address with its own registered IP address and the port number corresponding to the location of the entry for that packet's source computer in the table. So any external network sees the NAT Router's IP address and the port number assigned by the router as the source computer information on each packet.
You can still have some computers on the stub domain that use dedicated IP addresses. You can create an access list of IP addresses that tells the router which computers on the network require NAT. All other IP addresses will pass through untranslated.
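The overloading walkthrough above (and the earlier NAPT example where two hosts share one public address), together with the RFC 1918 range check and the pass-through for computers that do not require NAT, as an added Python simulation written for this page, not a real router's code; NaptRouter, outbound, inbound and expire are hypothetical names, and the explicit now argument stands in for the router's clock:

```python
import ipaddress

# RFC 1918 ranges from the page: only sources inside these ranges are translated
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls in one of the three unregistered ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class NaptRouter:
    """Hypothetical overloading router: one public IP, a row-numbered translation table."""

    def __init__(self, public_ip, idle_timeout=60.0):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.table = {}      # outside port -> (inside ip, inside port, last-used time)
        self.next_port = 1   # the page uses the table row number as the outside port;
                             # real routers allocate from the ephemeral range instead

    def outbound(self, src_ip, src_port, now):
        """Translate an outgoing (src_ip, src_port); non-private sources pass untouched."""
        if not is_private(src_ip):
            return src_ip, src_port
        for ext_port, (ip, port, _) in self.table.items():
            if (ip, port) == (src_ip, src_port):     # known socket: reuse row, reset timer
                self.table[ext_port] = (ip, port, now)
                return self.public_ip, ext_port
        ext_port = self.next_port                     # new socket: append a row
        self.next_port += 1
        self.table[ext_port] = (src_ip, src_port, now)
        return self.public_ip, ext_port

    def inbound(self, dst_port, now):
        """Map a reply's destination port back to the inside socket, or None if unknown."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None          # unsolicited inbound traffic has no row: it is dropped
        ip, port, _ = entry
        self.table[dst_port] = (ip, port, now)
        return ip, port

    def expire(self, now):
        """Remove rows idle longer than idle_timeout; returns how many were dropped."""
        stale = [p for p, (_, _, last) in self.table.items()
                 if now - last > self.idle_timeout]
        for p in stale:
            del self.table[p]
        return len(stale)
```

Feeding the four workstations from the table through outbound reproduces ports 1 to 4, and an inbound packet for a port with no row returns None, which is the filtering effect the page attributes to NAT.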
The number of simultaneous translations that a router will support is determined mainly by the amount of DRAM (Dynamic Random Access Memory) it has. But since a typical entry in the address translation table only takes about 160 bytes, a router with 4 MB of DRAM could theoretically process 26,214 simultaneous translations, which is more than enough for most applications.