Networking I
NAT
© Janice Regan, 2006-2013
Private networks
Recall that several blocks of addresses are reserved for local addresses
10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
172.16.0.0/12 (172.16.0.0 – 172.31.255.255)
192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
Hosts using these addresses reach the internet by means of network address translation (NAT)
IPv4 local addresses
A local network may use local addresses taken from the blocks on the previous slide
These addresses are non-routable and may be used only within the local network
To communicate with the internet one or more routable addresses are needed
Network address translation must occur on the router connecting the local network to the internet
Types of NAT implementation
Static NAT
Dynamic NAT
Overloaded NAT
(NAPT, network address port translation)
Overlapping NAT
Static NAT
Some machines on the internal network need internet access
There are several globally valid internet addresses available to the router connected to the local network
Each of the hosts that needs internet access is allocated one of the available globally valid internet addresses
All other hosts have no connectivity to the internet
Static NAT
[Diagram: private network hosts 192.168.3.1 to 192.168.3.7 behind a NAT router holding the global addresses 24.16.33.47 and 24.16.33.49; internet hosts 24.16.47.23 and 24.16.77.12]
Static NAT
Some machines on the internal network need internet access (192.168.3.3, 192.168.3.6)
There are several globally valid internet addresses available to the router connected to the local network (24.16.33.47, 24.16.33.49)
Each of the hosts that needs internet access is allocated one of the available globally valid internet addresses
192.168.3.3 ↔ 24.16.33.47
192.168.3.6 ↔ 24.16.33.49
Packet transmission through a static NAT (1)
When 192.168.3.3 sends a packet to 24.16.47.23 it is received by the NAT router
The sending host is unaware of the NAT.
The NAT replaces the local source address 192.168.3.3 with the corresponding globally valid address 24.16.33.47, recalculates the TCP or UDP checksum if the packet carries TCP or UDP, then forwards the packet toward the destination.
Packet transmission through a static NAT (2)
The destination host sees the NAT's replacement address, 24.16.33.47, as the IP of the source and sends its reply to that IP address
The NAT receives the reply
Removes the destination address (its own address) from the packet
Replaces it with the corresponding internal address, 192.168.3.3
For UDP or TCP packets recalculates the checksum
Forwards the packet to the internal source
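As an added worked example (not part of the original slides), the static NAT procedure of slides 7 to 9 in Python: the mapping 192.168.3.3 ↔ 24.16.33.47, 192.168.3.6 ↔ 24.16.33.49 is applied to a constructed IPv4/UDP packet in both directions, and both the IPv4 header checksum and the UDP checksum are recomputed, because the UDP checksum covers the IP addresses through its pseudo-header. The addresses come from the slides; the packet contents, port numbers and function names are assumptions.

```python
import socket
import struct

# Static 1-1 mapping from slide 7: internal address <-> globally valid address.
STATIC_MAP = {"192.168.3.3": "24.16.33.47", "192.168.3.6": "24.16.33.49"}
REVERSE_MAP = {g: l for l, g in STATIC_MAP.items()}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_pseudo_header(packet: bytes) -> bytes:
    """src, dst, zero, protocol 17, UDP length: the addresses NAT rewrites are inside the UDP checksum."""
    return packet[12:20] + struct.pack("!BBH", 0, 17, len(packet) - 20)

def set_checksums(packet: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the UDP checksum (assumes IHL=5, no options)."""
    ip = packet[:10] + struct.pack("!H", checksum(packet[:10] + b"\x00\x00" + packet[12:20])) + packet[12:20]
    udp = packet[20:]
    c = checksum(udp_pseudo_header(packet) + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF  # 0 means "none"
    return ip + udp[:6] + struct.pack("!H", c) + udp[8:]

def checksums_ok(packet: bytes) -> bool:
    """A receiver's check: both checksums fold to zero over the filled-in fields."""
    return checksum(packet[:20]) == 0 and checksum(udp_pseudo_header(packet) + packet[20:]) == 0

def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample IPv4 (no options) + UDP packet with valid checksums."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return set_checksums(ip + udp)

def addresses(packet: bytes):
    """(source, destination) addresses of an IPv4 packet."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def static_nat(packet: bytes, direction: str):
    """'out': internal -> internet, rewrite the source; 'in': internet -> internal, rewrite the destination.
    A packet whose address has no mapping is dropped (slide 5: other hosts have no connectivity)."""
    src, dst = addresses(packet)
    if direction == "out":
        new = STATIC_MAP.get(src)
        return None if new is None else set_checksums(packet[:12] + socket.inet_aton(new) + packet[16:])
    new = REVERSE_MAP.get(dst)
    return None if new is None else set_checksums(packet[:16] + socket.inet_aton(new) + packet[20:])
```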
Dynamic NAT
Establishes a 1-1 relationship between non-routable internal addresses and the globally valid IP addresses assigned to the NAT.
The non-routable address bound to each globally valid address may change over time as communications are initiated and completed
Dynamic NAT (2)
Similar to Static NAT except
Pool of available globally valid IP addresses
Each time an internal host begins communication with the internet, the first packet destined for the internet reaches the NAT-enabled router
The NAT-enabled router takes the next available globally valid IP address from the pool and assigns it to the internal host
When communication is complete, the address is returned to the pool
NAPT (network address port translation)
NAT overloading or NAPT
Again, the local network uses locally valid non-routable IP addresses (not globally valid)
This time the NAT allows more than one local host to use the same globally valid internet address
The NAT has one or more globally valid IP addresses
Communications with different hosts are differentiated by using different port numbers (transport layer)
This use of port numbers is not consistent with the layered design of the protocol stack: port numbers are not part of the network layer addresses, and ports are designed for end-to-end communication, not to be changed at each intermediate station
Using ports in this way also causes other problems
Overloaded NAT
[Diagram: private network hosts 192.168.3.1 to 192.168.3.7 behind a NAT router holding the global addresses 24.16.33.47 and 24.16.33.49; internet hosts 24.16.47.23 and 24.16.77.12]
Overloaded NAT Example
Source Computer   Source Port   NAT IP         NAT Port
192.168.3.1       1350          24.16.33.47    1200
192.168.3.2       1352          24.16.33.47    1201
192.168.3.3       1400          24.16.33.47    1202
192.168.3.4       1450          24.16.33.49    1200
192.168.3.5        555          24.16.33.49    1201
192.168.3.6       1666          24.16.33.47    1203
Overloaded NAT example (1)
A host on the local network, say 192.168.3.5, sends a packet from source port 555 to an external host, 24.16.47.23
The NAT enabled router receives the packet from the local host 192.168.3.5
The NAT enabled router stores the source IP and port number in its address translation table
The NAT enabled router replaces the IP and port number in the packet with those it stores in the address translation table for this connection (for this example 24.16.33.49 and 1201)
The NAT enabled router recalculates the UDP or TCP checksum (for UDP and TCP packets) before forwarding the packet to the destination
Overloaded NAT example (2)
When the destination receives the packet it will appear to have come from the NAT (24.16.33.49).
Any responses will be sent to 24.16.33.49, and thus be received by the NAT router
The NAT router will check the destination port in the response packet
By referring to the address translation table the NAT router will find the local non-routable address and port that corresponds.
The NAT router will replace the destination port and IP address with the local non-routable address and the corresponding port, recalculate the checksums as needed, and forward the packet to the original source host
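As an added example (not from the original slides), the NAPT address translation table of slides 14 to 16 as a small Python class: an outbound packet gets a binding and a NAT port, an inbound packet is looked up by NAT address and port (the slide's table reuses port 1200 on both global addresses, so the port alone cannot identify the local host), and a packet with no binding is dropped, which is the mechanism behind the server problem on slide 18. The round-robin choice of global address, the starting port 1200 and the method names are assumptions; the slides do not state an allocation policy.

```python
from collections import namedtuple

Binding = namedtuple("Binding", "local_ip local_port nat_ip nat_port")

class NAPT:
    """Address translation table for NAT overloading, as walked through on slides 14-16.
    Inbound lookups are keyed on (NAT address, NAT port): the slide's table reuses port 1200
    on both global addresses, so the port alone does not identify the local host."""

    def __init__(self, global_ips, first_port=1200):
        self.global_ips = list(global_ips)
        self.next_port = {ip: first_port for ip in self.global_ips}  # one port space per global address
        self.by_local = {}      # (local_ip, local_port) -> Binding
        self.by_nat = {}        # (nat_ip, nat_port)     -> Binding
        self.turn = 0           # assumed policy: global addresses are used round-robin

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Local host -> internet: store the source in the table and rewrite it (slide 15)."""
        b = self.by_local.get((src_ip, src_port))
        if b is None:
            nat_ip = self.global_ips[self.turn % len(self.global_ips)]
            self.turn += 1
            nat_port = self.next_port[nat_ip]
            self.next_port[nat_ip] += 1
            b = Binding(src_ip, src_port, nat_ip, nat_port)
            self.by_local[(src_ip, src_port)] = b
            self.by_nat[(nat_ip, nat_port)] = b
        return (b.nat_ip, b.nat_port, dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Internet -> local: find the binding for the destination address and port (slide 16).
        With no binding the packet cannot be delivered; this is why an unsolicited connection
        to a server behind NAPT fails (slide 18)."""
        b = self.by_nat.get((dst_ip, dst_port))
        if b is None:
            return None
        return (src_ip, src_port, b.local_ip, b.local_port)

    def release(self, src_ip, src_port):
        """Communication complete: remove the binding so the NAT port can be reused."""
        b = self.by_local.pop((src_ip, src_port), None)
        if b is not None:
            del self.by_nat[(b.nat_ip, b.nat_port)]
        return b is not None
```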
Problems with NAPT
Although NAPT is the most commonly used form of NAT, it causes some serious difficulties
The most common encryption and authentication mechanisms used in the IP layer do not function when NAPT is used. Patching these problems requires yet more serious violations of design principles (and only some can be patched)
Problems with NAPT
Although NAPT is the most commonly used form of NAT, it causes some serious difficulties
Servers that require connection to a particular port can only be run on one machine (the one that is using that port in the NAPT mapping).
Problems with NAPT
Although NAPT is the most commonly used form of NAT, it causes some serious difficulties
P2P applications require a server to run on each peer, so P2P applications break unless extraordinary measures are taken (connect directly to a machine outside the local net and route the P2P connection through that machine, which breaks security: hole punching)