Charles M. Kozierok The TCP-IP Guide

Подождите немного. Документ загружается.

Key Concept: IP Network Address Translation (IP NAT or NAT) is a technique that

allows an organization to set up a network using private addresses, while still being

able to communicate on the public Internet. A NAT-capable router translates private

to public addresses and vice-versa as needed. This allows a small number of public IP

addresses to be shared amongst a large number of devices, and provides other benefits as

well (but also has some drawback).

Advantages of NAT

NAT is one of those technologies that has a long list of both advantages and disadvan-

tages. This means it can be extremely useful in a variety of scenarios, but also problematic

in others. The main advantages are:

☯ Public IP Address Sharing: A large number of hosts can share a small number of

public IP addresses. This saves money and also conserves IP address space.

☯ Easier Expansion: Since local network devices are privately addressed and a public

IP address isn't needed for each one, it is easy to add new clients to the local network.

☯ Greater Local Control: Administrators get all the benefits of control that come with a

private network, but can still connect to the Internet.

☯ Greater Flexibility In ISP Service: Changing the organization's Internet Service

Provider (ISP) is easier because only the public addresses change. It isn't necessary

to renumber all the client machines on the network.

☯ Increased Security: The NAT translation represents a level of indirection. Thus, it

automatically creates a type of firewall between the organization's network and the

public Internet. It is more difficult for any client devices to be accessed directly by

someone malicious because the clients don't have publicly-known IP addresses.

☯ (Mostly) Transparent: NAT implementation is mostly transparent, because the

changes take place in one or perhaps a few routers. The dozens or hundreds of hosts

themselves don't need to be changed.

Disadvantages of NAT

The above are all good reasons to use NAT, but there are drawbacks to the technique as

well. Some of these take away part of the benefit in certain items in the list above:

☯ Complexity: NAT represents one more complexity in setting up and managing the

network. It also makes troubleshooting more confusing due to address substitutions.

☯ Problems Due to Lack of Public Addresses: Certain functions won't work properly

due to lack of a “real” IP address in the client host machines.

☯ Compatibility Problems With Certain Applications: I said above that NAT was only

mostly transparent. There are in fact compatibility issues with certain applications that

arise because NAT “tinkers” with the IP header fields in datagrams but not in the appli-

cation data. This means tools like FTP, which pass IP addresses and port numbers in

commands, must be specially handled, and some applications may not work.

☯ Problems With Security Protocols: Protocols like IPSec are designed to detect

modifications to headers and commonly balk at the changes that NAT makes, since

they cannot differentiate those changes from malicious datagram “hacking”. It is still

possible to combine NAT and IPSec, but this becomes more complicated.

☯ Poor Support for Client Access: The lack of a public IP address for each client is a

double-edged sword; it protects against hackers trying to access a host but also

makes it difficult for legitimate access to clients on the local network. “Peer-to-peer”

applications are harder to set up, and something like an organizational web site

(accessed from the Internet as a whole) usually needs to be set up without NAT.

☯ Performance Reduction: Each time a datagram transitions between the private

network and the Internet, an address translation is required. In addition, other work

must be done as well, such as recalculating header checksums. Each individual trans-

lation takes little effort but when you add it up, you are giving up some performance.

Many organizations feel that the advantages outweigh the disadvantages, especially if they

do use the Internet in primarily a client/server fashion, as most do. For this reason NAT has

become quite popular. One should always bear in mind, however, that the main problem

that led to NAT is lack of address space. IPv6 fixes this problem, while NAT merely finds a

clever “workaround” for it. For this reason, many people consider NAT a “kludge”. Once

IPv6 is deployed, it will no longer be needed, and some folks don't like it even for IPv4. On

the other hand, some feel its other benefits make it worthy of consideration even in IPv6.

Note: A “kludge” (or “kluge”) is something that is used to address a problem in an

inelegant way, like hammering a nail using the side of an adjustable wrench. (I

would never do such a thing, of course not…)

IP NAT Address Terminology

As its name clearly indicates, IP Network Address Translation is all about the translation of

IP addresses. When datagrams pass between the private network of an organization and

the public Internet, one or more of the addresses in these datagrams are changed by the

NAT router. This translation means that every transaction in a NAT environment involves

not just a source address and a destination address, but potentially multiple addresses for

each of the source and destination.

In order to make more clear the explanation of how NAT operates, several special designa-

tions have been developed to refer to the different types of addresses that can be found in

an IP datagram when NAT is used. Unfortunately, the terminology used for addressing in

NAT can be confusing, because it's hard to visualize what the differences are between the

(often similar-sounding) names. However, without knowing what these addresses mean a

proper understanding of NAT operation is impossible, so we need to start by explaining

them.

NAT Address Terms Based on Device Location (Inside/Outside)

The first way that addresses are differentiated is based on where in the network the device

is that the address refers to:

☯ Inside Address: Any device on the organization's private network that is using NAT is

said to be on the inside network. Thus, any address that refers to a device on the local

network in any form is called an inside address.

☯ Outside Address: The public internet—that is, everything outside the local network—

is considered the outside network. Any address that refers to a public Internet device

is an outside address.

Key Concept: In NAT, the terms inside and outside are used to identify the location

of devices. Inside addresses refer to devices on the organization’s private network;

outside addresses refer to devices on the public Internet.

NAT Address Terms Based on Datagram Location (Local/Global)

An inside device always has an inside address; an outside device always has an outside

address. However, there are two different ways of addressing either an inside or an outside

device, depending on in which part of the network the address appears in a datagram:

☯ Local Address: This term describes an address that appears in a datagram on the

inside network, whether it refers to an inside or outside address.

☯ Global Address: This term describes an address that appears in a datagram on the

outside network, again whether it refers to an inside or outside address.

Key Concept: In NAT, the terms local and global are used to indicate in what

network a particular address appears. Local addresses are used on the organi-

zation’s private network (whether to refer to an inside device or an outside device);

global addresses are used on the public Internet (again, whether referring to an inside or

outside device).

Combining Inside/Outside and Local/Global Address Designations

This is a bit confusing, so I will try to explain further. The NAT translating router has the job

of interfacing the inside network to the outside network (the Internet). Inside devices need

to be able to talk to outside devices and vice-versa, but inside devices can only use

addressing consistent with the local network addressing scheme. Similarly, outside devices

cannot use local addressing. Thus, both inside and outside devices can be referred to with

local or global address versions. This yields four different specific address types:

1. Inside Local Address: An address of a device on the local network, expressed using

its normal local device representation. So for example, if we had a client on a network

using the 10.0.0.0 private address block, and assigned it address 10.0.0.207, this

would be its inside local address.

2. Inside Global Address: This is a global, publicly-routable IP address used to

represent an inside device to the outside world. In a NAT configuration, inside global

addresses are those “real” IP addresses assigned to an organization for use by the

NAT router.

Let's say that device 10.0.0.207 wants to send an HTTP request to an Internet server

located at address 204.51.16.12. It forms the datagram using 10.0.0.207 as the source

address. However, if this datagram is sent out to the Internet as is, the server cannot reply

back because 10.0.0.207 is not a publicly-routable IP address. So the NAT router will

translate 10.0.0.207 in the datagram into one of the organization's registered IP addresses,

say it's 194.54.21.10. This is the inside global address that corresponds to 10.0.0.207. It will

be used as the destination when the server sends its HTTP response. Note that in some

situations the inside local address and outside local address may be the same.

3. Outside Global Address: An address of an external (public Internet) device as it is

referred to on the global Internet. This is basically a regular, publicly-registered

address of a device on the Internet. In the example above, 204.51.16.12 is an outside

global address of a public server.

4. Outside Local Address: An address of an external device as it is referred to by

devices on the local network. In some situations, this may be identical to the outside

global address of that outside device.

Local/Global Address Designations from the Perspective of Device Location

Phew, it's still confusing, isn't it? Let's try another way of looking at this. Of these four

addresses, two types are the addresses as they are known “natively” by either an inside or

outside device, while two are translated addresses:

☯ Inside Device Designations: For an inside device, the inside local address is its

“normal” or “native” address. The inside global address is a translated address used to

represent the inside device on the outside network, when necessary.

☯ Outside Device Designations: For an outside device, the outside global address is

its “normal/native” address. The outside local address is a translated address used to

represent the outside device on the inside network, when necessary.

So, what NAT does then is translate the identity of either inside or outside devices from

local representations to global representations and vice-versa. Which addresses are

changed, and how, depends on the specific type of NAT employed. For example, in tradi-

tional NAT, inside devices refer to outside devices using their proper (global) representation,

so the outside global and outside local addresses of these outside devices are the same.

Key Concept: A NAT router translates local addresses to global ones, and vice-

versa. Thus, an inside local address is translated to an inside global address (and

vice-versa) and an outside local address is translated to an outside global address

(and vice-versa).

Graphical Illustration of NAT Terminology

And after all that… it's still confusing. ☺ One of the big problems is that the words “inside”

and “local” are somewhat synonymous, as are “outside” and “global”, yet they mean

different things in NAT. And the typical paradox in trying to explain networking concepts

rears its ugly head here again: I wanted to define these addresses to make describing NAT

operation easier, but find myself wanting to use an example of NAT operation to clarify how

the addresses are used.

Even after writing this section I find these terms confusing, so I created Figure 111, which

shows this same terminology in graphical form and may be of some help. That diagram is

also used as a template for the illustrations of each of the different types of NAT in subse-

quent topics, which use the same color coding for each of the four address types for

consistency. As you read the topics that discuss NAT operation, remember to look back

here if you want to double-check the meaning of address types. Don't get discouraged if it

takes a couple of times to get the addresses straight.

IP NAT Static and Dynamic Address Mappings

NAT allows us to connect a private (inside) network to a public (outside) network such as

the Internet, by using an address translation algorithm implemented in a router that

connects the two. Each time a NAT router encounters an IP datagram that crosses the

boundary between the two networks it must translate addresses as appropriate. But how

does it know what to translate, and what to use for the translated address?

The NAT software in the router must maintain a translation table to tell it how to operate.

The translation table contains information that maps the inside local addresses of internal

devices (their regular addresses) to inside global address representations (the special

public addresses used for external communication). It may also contain mappings between

outside global addresses and outside local addresses for inbound transactions, if

appropriate.

There are two basic ways that entries can be added to the NAT translation table.

Static Mappings

When static mappings are used, a permanent, fixed relationship is defined between a

global and a local representation of the address of either an inside or an outside device. For

example, we can use a static translation if we want the internal device with an inside local

address of 10.0.0.207 to always use the inside global address of 194.54.21.10. Whenever

10.0.0.027 initiates a transaction with the Internet, the NAT router will replace that address

with 194.54.21.10.

Dynamic Mappings

With dynamic mappings, global and local address representations are generated automati-

cally by the NAT router, used as needed, and then discarded. The most common way that

this is employed is in allowing a pool of inside global addresses to be shared by a large

number of inside devices.

For example, say we were using dynamic mapping with a pool of inside global addresses

available from 194.54.21.1 through 194.54.21.20. When 10.0.0.207 sent a request to the

Internet it would not automatically have its source address replaced by 194.54.21.10. One

of the 20 addresses in the pool would be chosen by the NAT router. The router would then

Figure 111: IP Network Address Translation (NAT) Terminology

Hopefully this diagram will help you better understand the whole “inside/outside/local/global” thing. ☺

Client

10.0.0.207

Server

204.51.16.12

NAT

Router

Internet

Local Network

("Inside")

Public Internet

("Outside")

Inside Local Address Outside Local Address Inside Global Address

Outside Global Address

All Devices Inside The Local Network

Are Referenced Using An Inside Address

(Inside Local or Inside Global)

All Devices Outside The Local Network

Are Referenced Using An Outside Address

(Outside Local or Outside Global)

All Addresses Used In Datagrams

Inside The Local Network Are Local

All Addresses Used In Datagrams

Outside The Local Network Are Global

Source Inside Local

Destination Outside Local

Outbound Datagram

Source Inside Global

Destination Outside Global

Translated Datagram

Source Inside Global

Destination Inside Local

Translated Datagram

Source Outside Global

Destination Inside Global

Inbound Datagram

"Native" Address

(Inside Local)

"Native" Address

(Outside Global)

watch for replies back using that address and translate them back to 10.0.0.207. When the

session was completed, it would discard the entry to return the inside global address to the

pool.

Comparing Static and Dynamic Mappings

The trade-offs between static and dynamic NAT mappings are pretty much the same as

they always are when the choice is between “static” and “dynamic”; for example, the same

issues arises in ARP caching. Static mappings are permanent and therefore ideal for

devices that need to be always represented with the same public address on the outside

network. They may also be used to allow inbound traffic to a particular device; that is, for

transactions initiated on the public network that send to a special server on the inside

network. However, they require manual setup and maintenance, and they don't allow IP

sharing on the internal network.

Dynamic mapping is normally used for regular clients in order to facilitate public IP address

sharing, a prime goal of most NAT implementations. It is more complicated than static

mapping, but once set up is automatic.

It is possible to mix dynamic and static mapping on the same system, of course. We can

designate certain devices that are statically mapped and let the rest use dynamic mapping.

We just have to make sure that the static mappings don't overlap with the pool used for

dynamic assignment.

Incidentally, another way that dynamic mapping of global and local addressing is performed

is through domain name resolution using DNS. This is particularly common when external

devices access internal hosts using bidirectional NAT (inbound transactions). Since hosts

on the public Internet know nothing about the organization's private network, they issue a

request for the DNS name of the device they want to access. This causes a NAT translation

entry to be generated that maps the inside local public address of the host to an inside

global address for use by those outside the network. See the description of bidirectional

NAT for more details on how this works.

IP NAT Unidirectional (Traditional/Outbound) Operation

Now that we understand the motivation behind NAT and its pros and cons, and have also

covered NAT address terminology and translation table creation, it's time to get down to the

nitty gritty of how it works. There are many different flavors of NAT, and four common ones

are covered in this Guide. It makes sense to start by looking at the original variety of NAT

described in RFC 1631. This is the simplest NAT method and therefore the easiest one to

explain.

NAT was of course designed to allow hosts on a private network to share public IP

addresses in accessing an Internet. Since most hosts are clients that initiate transactions,

NAT was designed under the assumption that a client/server request/response communi-

cation would begin with a datagram sent from the inside network to the outside. For this

reason, this first type of NAT is sometimes called Unidirectional or Outbound NAT. Since it

is the oldest flavor it is also now called Traditional NAT, to differentiate it from newer

varieties.

Unidrectional NAT Example

To show how unidirectional NAT works, we will of course use an example. Explaining things

is always easier with examples, especially when it is a confusing thing like NAT. Let's use

the same numbers from the previous two topics. We'll assume the inside network has 250

hosts that use private (inside local) addresses from the 10.0.0.0/8 address range (which I

selected because it has small numbers!) These hosts use dynamic NAT sharing a pool of

20 inside global addresses from 194.54.21.1 through 194.54.21.20.

In our example, device 10.0.0.207 wants to access the World Wide Web server at public

address 204.51.16.12. Table 75 shows the four basic steps that are involved in this

(simplified) transaction. I did this in table form instead of bullet points so I could show you

explicitly what happens to the addresses in both the request datagram (in steps #1 and #2)

and the response datagram (steps #3 and #4). I have also highlighted the translated

address values for clarity, and provided Figure 112, which shows the process graphically.

As you can see, this really isn’t rocket science, and it’s fairly easy to understand what is

going on as soon as you get used to the terminology and concepts. In unidirectional NAT

the source address is translated on outgoing datagrams and the destination address on

Table 75: Operation Of Unidirectional (Traditional/Outbound) NAT

Step

Description

Data-

gram

Type

Datagram

Source

Address

Datagram

Destination

Address

Inside Client Generates Request And Sends

To NAT Router: Device 10.0.0.207 generates an

HTTP request that is eventually passed down to

IP and encapsulated in an IP datagram. The

source address is itself, 10.0.0.207, and the

destination is 204.51.16.12. The datagram is sent

to the NAT-capable router that connects the

organization's internal network to the Internet.

Request

(from

inside

client to

outside

server)

10.0.0.207

(Inside Local)

204.51.16.12

(Outside Local)

NAT Router Translates Source Address and

Sends To Outside Server: The NAT router

realizes that 10.0.0.207 is an inside local address

and knows it must substitute an inside global

address in order to let the public Internet desti-

nation respond. It consults its pool of addresses

and sees the next available one is 194.54.21.11.

It changes the source address in the datagram

from 10.0.0.207 to 194.54.21.11. The destination

address is not translated in traditional NAT. In

other words, the outside local address and

outside global address are the same.

The NAT router puts the mapping from

10.0.0.207 to 194.54.21.11 into its translation

table. It sends out the modified datagram, which

is eventually routed to the server at 204.51.16.12.

194.54.21.11

(Inside Global)

204.51.16.12

(Outside Global)

Outside Server Generates Response And

Sends Back To NAT Router: The server at

204.51.16.12 generates an HTTP response. It of

course has no idea that NAT was involved; it sees

194.54.21.11 in the request sent to it, so that's

where it sends back the response. It is then

routed back to the original client's NAT router.

Response

(from

outside

server to

inside

client)

204.51.16.12

(Outside Global)

194.54.21.11

(Inside Global)

NAT Router Translates Destination Address

And Delivers Datagram To Inside Client: The

NAT router sees 194.54.21.11 in the response

that arrived from the Internet. It consults its trans-

lation table and knows this datagram is intended

for 10.0.0.207. This time the destination address

is changed but not the source. It then delivers the

datagram back to the originating client.

204.51.16.12

(Outside Local)

10.0.0.207

(Inside Local)

incoming ones. Traditional NAT only supports this sort of outbound transaction, which is

started by a device on the inside network. It cannot handle a device on the public Internet

sending a request to a private address.

Other Functions of the Router in NAT

Also note that even though I am focusing on the changes that the NAT router makes to

addresses, it also has to make other changes to the datagram. Changing any field in the IP

header means that the IP Header Checksum field will need to be recalculated. UDP and

TCP checksums need to be recalculated, and depending on the nature of the data in the

datagram, other changes may also be required. I discuss these issues in the topic on NAT

compatibility issues.

This simplified example assumes the existence of just one router between the private and

public networks. It is possible to have more than one router between these networks. If this

configuration is used, however, it is essential that they both use the same translation table.

Otherwise, if the request is processed by router R1 but the response received by router R2,

Figure 112: Operation Of Unidirectional (Traditional/Outbound) NAT

The four steps in this process can be seen by following the steps in clockwise order. Translated addresses are

shown in bold. Please refer to Table 75 for an explanation of the steps in this diagram, or to Figure 111 for an

explanation of the four address types.

Source 10.0.0.207

Destination 204.51.16.12

Request

Source

194.54.21.11

Destination 204.51.16.12

Translated Request

Source 204.51.16.12

Destination

10.0.0.207

Translated Response

Source 204.51.16.12

Destination 194.54.21.11

Response

1. Client Sends Request

Client

10.0.0.207

Server

204.51.16.12

2. NAT Router Translates

Source Address

NAT

Router

3. Server Sends Response

4. NAT Router Translates

Destination Address

Internet

Local Network

("Inside")

Public Internet

("Outside")

Inside Local Address

Outside Local Address

Inside Global Address

Outside Global Address