What is NAT? NAT setup

Network Address Translation (NAT) is a method of remapping one IP address space into another by modifying the network address information in the IP (Internet Protocol) headers of packets while they are in transit through a routing device. It was originally used to redirect traffic on IP networks without renumbering every host. It has since become a popular and important tool for conserving global address space in the face of IPv4 address exhaustion.


What is NAT?

The original use of network address translation is to map each address in one address space to a corresponding address in another. This is necessary, for example, when an Internet service provider has changed and the user cannot publicly announce a new route to the network. In the face of the foreseeable global depletion of IPv4 address space, NAT has been used increasingly since the late 1990s in combination with IP masquerading (a technique that hides an entire address space behind a single address). The mechanism is implemented in a routing device that uses stateful translation tables to map the "hidden" addresses to a single public IP address and rewrites outgoing packets so that they appear to originate from the routing device. In the reverse direction, responses are mapped back to the originating private IP address using the rules stored in the translation tables. Those table entries are cleared after a short period unless new traffic refreshes their state. This is the basic mechanism of NAT.

This method allows communication through the router only for connections that originate inside the masqueraded network, because it is the outbound connection that creates the translation table entry. For example, a web browser inside such a network can view a website outside it, but a browser outside the network cannot open a resource hosted inside it. Most NAT devices today, however, allow the network administrator to configure permanent translation table entries. This feature is often called static NAT or port forwarding, and it allows traffic originating in the "external" network to reach designated hosts on the masqueraded network.


Because of the popularity of this method for conserving IPv4 address space, the term NAT (defined above) has become almost synonymous with IP masquerading.

Because network address translation modifies the address information in IP packets, it has serious consequences for the quality of Internet connectivity and requires close attention to the details of its implementation.

NAT implementations differ in their specific behaviour in various addressing cases and in their effect on network traffic.

Basic NAT

The simplest type of Network Address Translation (NAT) provides one-to-one IP address translation; RFC 2663 refers to it as Basic NAT. In this type, only the IP addresses and the IP header checksum are changed. Basic NAT can be used to interconnect two IP networks that have incompatible addressing.
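As an added illustration of Basic NAT (this is example code written for this page, not code from the original article), the block below rewrites only the source or destination address of an IPv4 header and recomputes the RFC 791 header checksum, leaving every other byte untouched. The addresses in the static mapping table are hypothetical (RFC 1918 on the inside, RFC 5737 documentation addresses on the outside), and the header is a constructed sample.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    all 16-bit words. Over a header whose checksum field is already valid the
    result is 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 17, payload_len: int = 0) -> bytes:
    """Constructed sample: a minimal 20-byte IPv4 header with no options."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto,
        0,                                   # checksum field is zero while computing
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def rewrite_address(header: bytes, new_addr: str, field: str) -> bytes:
    """Return a copy of `header` with the source ("src") or destination ("dst")
    address replaced and the header checksum recomputed; nothing else changes."""
    if ipv4_checksum(header) != 0:
        raise ValueError("refusing to translate a header with a bad checksum")
    offset = {"src": 12, "dst": 16}[field]
    hdr = bytearray(header)
    hdr[offset:offset + 4] = ipaddress.IPv4Address(new_addr).packed
    struct.pack_into("!H", hdr, 10, 0)       # zero the old checksum before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


# Static one-to-one mapping table (hypothetical addresses for this example).
STATIC_MAP = {"10.0.0.5": "203.0.113.5", "10.0.0.6": "203.0.113.6"}
REVERSE_MAP = {pub: priv for priv, pub in STATIC_MAP.items()}


def basic_nat_outbound(header: bytes) -> bytes:
    """Private -> public direction: translate the source address."""
    src = str(ipaddress.IPv4Address(header[12:16]))
    return rewrite_address(header, STATIC_MAP[src], "src")


def basic_nat_inbound(header: bytes) -> bytes:
    """Public -> private direction: translate the destination address back."""
    dst = str(ipaddress.IPv4Address(header[16:20]))
    return rewrite_address(header, REVERSE_MAP[dst], "dst")


if __name__ == "__main__":
    out = basic_nat_outbound(build_ipv4_header("10.0.0.5", "198.51.100.9"))
    print(out.hex(), "checksum valid:", ipv4_checksum(out) == 0)
```

The block stays at the IP layer to match the description above. A real translator must also adjust the TCP or UDP checksum, because the transport checksum covers a pseudo-header that includes the IP addresses; that is the reason even Basic NAT has to look past the IP header in practice.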


What is NAT in a one-to-many connection?

Most variations of NAT can map multiple private hosts to a single publicly designated IP address. In a typical configuration, the local network uses one of the designated "private" IP subnets (RFC 1918), and the router on that network has a private address in that space.

The router also connects to the Internet using a "public" address assigned by the provider. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from a private address to the public one. The router keeps basic data about each active connection (in particular, the destination address and port). When a reply returns, it uses the connection data stored during the outbound phase to determine the private address on the internal network to which the reply should be forwarded.

One advantage of this functionality is that it is a practical response to the impending exhaustion of IPv4 address space: even large networks can be connected to the Internet through a single public IP address.


Every IP datagram carries two IP addresses: a source and a destination. Typically, packets going from the private network to the public network have their source address rewritten, while packets returning from the public network to the private network have their destination address rewritten. More complex configurations are also possible.

Features

Configuring NAT has some subtleties. To avoid ambiguity when translating returned packets, further modifications are required. The vast majority of Internet traffic uses TCP and UDP, and their port numbers are rewritten so that the combination of IP address and port number on the return path maps back to a unique internal host.

Protocols not based on TCP or UDP require other translation methods. The Internet Control Message Protocol (ICMP), as a rule, relates the data it carries to an existing connection, which means it must be mapped using the same IP address and port number as that connection.

What to consider?

A router configured for NAT breaks "end-to-end" connectivity, so such routers cannot participate in some Internet protocols. Services that require TCP connections to be initiated from the external network, or that use stateless protocols, may be unavailable. Unless the NAT router makes a specific effort to support such protocols, inbound packets cannot reach their destination. Some protocols can accommodate one instance of NAT between the participating hosts ("passive mode" FTP, for example), sometimes with the help of an application layer gateway, but the connection fails when both systems are separated from the Internet by NAT. Network address translation also complicates tunnelling protocols such as IPsec, because it changes values in the headers that are covered by integrity checks.


The underlying problem

End-to-end connectivity has been a core principle of the Internet since its inception, and the current state of the network shows that NAT violates this principle. Specialists have serious concerns about the widespread use of network address translation in IPv6, and the question of how to eliminate it effectively is being raised.

Because the tables that hold translation state in NAT routers are short-lived, internal network devices lose their IP connectivity, usually within a very short time, unless they keep sending traffic to refresh the entry. Anyone asking what NAT in a router means should keep this in mind: the traffic needed to keep an entry alive dramatically reduces the runtime of compact battery-powered devices.

Scalability

In addition, when NAT tracks only ports, they can be exhausted quickly by internal applications that open several simultaneous connections (for example, HTTP requests for web pages with many embedded objects). This can be mitigated by tracking the destination IP address in addition to the port, so that one local port can be shared across a large number of remote hosts.

Some difficulties

Because all internal addresses are masked behind one public address, external hosts cannot initiate a connection to a specific internal host without special configuration on the firewall (forwarding connections on a specific port). Applications such as IP telephony, video conferencing and similar services must use NAT traversal methods to function properly.


Reverse Address and Port Translation (RAPT) allows a host whose real IP address changes from time to time to remain reachable as a server through the fixed IP address of a home network. In principle, this should allow server configurations to keep their connections. Although it is not an ideal solution to the problem, it can be another useful tool in the network administrator's arsenal when working out how to configure NAT on a router.

Port Address Translation (PAT)

Cisco's RAPT implementation is Port Address Translation (PAT), which maps multiple private IP addresses to a single public one. Multiple addresses can be mapped to one address because each is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish the translations. These port numbers are 16-bit integers, so the total number of internal addresses that can theoretically be translated to one external address is 65536; in practice, the number of ports that a single IP address can be assigned is about 4000. As a rule, PAT tries to preserve the original source port. If it is already in use, Port Address Translation assigns the first available port number starting from the beginning of the appropriate group: 0-511, 512-1023 or 1024-65535. When no more ports are available and more than one external IP address is configured, PAT moves on to the next address and tries to allocate the source port there. This process continues until the available addresses run out.
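To make the one-to-many mechanism concrete, here is an added example (written for this page; it is not Cisco's code and not code from the original article) of a NAPT/PAT translation table as described in the sections above: outbound packets get the source port preserved where possible, otherwise the first free port in the same group (0-511, 512-1023, 1024-65535), then the next external address; replies are matched against stored state; inbound packets with no matching state are dropped; entries expire unless traffic refreshes them; and an optional destination-tracking mode shows the port-exhaustion mitigation mentioned under Scalability. The `Napt` class, the `Packet` model and all addresses are constructed assumptions for the example, not a description of any particular vendor's behaviour beyond what the text states.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the fields NAT needs: the addresses and ports of a TCP/UDP packet."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Entry:
    internal: tuple   # (private ip, private port)
    remote: tuple     # (remote ip, remote port)
    external: tuple   # (public ip, translated port)
    expires: float    # entry is dropped once this time passes without traffic


PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port: int) -> tuple:
    """The group PAT searches for a free port when the original one is taken."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port out of range: {port}")


class Napt:
    def __init__(self, external_ips, ttl: float = 30.0, track_destination: bool = False):
        self.external_ips = list(external_ips)
        self.ttl = ttl                          # idle lifetime of a table entry (assumed)
        self.track_destination = track_destination
        self.by_internal = {}                   # (src_ip, src_port, dst_ip, dst_port) -> Entry
        self.by_external = {}                   # external key -> Entry

    def _ext_key(self, ext_ip, ext_port, remote):
        # With destination tracking the same external port may be reused for
        # different remote endpoints, which mitigates port exhaustion.
        return (ext_ip, ext_port, remote) if self.track_destination else (ext_ip, ext_port)

    def _expire(self, now):
        for key, e in list(self.by_internal.items()):
            if e.expires <= now:
                del self.by_internal[key]
                del self.by_external[self._ext_key(*e.external, e.remote)]

    def _allocate(self, src_port, remote):
        for ext_ip in self.external_ips:
            if self._ext_key(ext_ip, src_port, remote) not in self.by_external:
                return ext_ip, src_port         # preserve the original source port
            lo, hi = port_group(src_port)
            for p in range(lo, hi + 1):         # else first free port in the same group
                if self._ext_key(ext_ip, p, remote) not in self.by_external:
                    return ext_ip, p
        raise RuntimeError("no free external ports")  # exhausted on every external address

    def translate_outbound(self, pkt: Packet, now=None) -> Packet:
        now = time.monotonic() if now is None else now
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        remote = (pkt.dst_ip, pkt.dst_port)
        e = self.by_internal.get(key)
        if e is None:
            ext = self._allocate(pkt.src_port, remote)
            e = Entry((pkt.src_ip, pkt.src_port), remote, ext, now + self.ttl)
            self.by_internal[key] = e
            self.by_external[self._ext_key(*ext, remote)] = e
        e.expires = now + self.ttl              # any traffic refreshes the entry
        return Packet(e.external[0], e.external[1], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet, now=None):
        """Return the packet rewritten to the internal host, or None to drop it."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        remote = (pkt.src_ip, pkt.src_port)
        e = self.by_external.get(self._ext_key(pkt.dst_ip, pkt.dst_port, remote))
        if e is None or e.remote != remote:
            return None                         # no matching state: unsolicited, dropped
        e.expires = now + self.ttl
        return Packet(pkt.src_ip, pkt.src_port, e.internal[0], e.internal[1])


if __name__ == "__main__":
    nat = Napt(["203.0.113.1"])
    out = nat.translate_outbound(Packet("10.0.0.5", 40000, "198.51.100.9", 80), now=0)
    print("outbound:", out)
    print("reply:", nat.translate_inbound(Packet("198.51.100.9", 80, out.src_ip, out.src_port), now=1))
    print("unsolicited:", nat.translate_inbound(Packet("192.0.2.7", 5555, out.src_ip, out.src_port), now=1))
```

The inbound check compares the sender against the remote endpoint recorded at connection time, so a packet from some other host aimed at an open external port is dropped rather than forwarded; that is the filtering behaviour the text relies on when it says external hosts cannot reach an internal host without explicit forwarding.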

Mapping of Address and Port (MAP) is a Cisco proposal that combines address-plus-port translation with tunnelling of IPv4 packets over a provider's internal IPv6 network. In effect, it is an unofficial alternative to Carrier-Grade NAT and DS-Lite that supports IP address and port translation (and therefore NAT configuration). This avoids the problems of establishing and maintaining connections and also provides a transition mechanism for deploying IPv6.


Translation Methods

There are several ways to implement network address and port translation. In some application protocols that carry IP address information, an application running on a host inside the masqueraded network needs to determine the external NAT address (the one seen at the other end of the connection), and often must also learn and classify the type of mapping in use. This is usually done because it is desirable to set up a direct communication channel (either to avoid relaying data through a server, or to improve performance) between two clients that are both behind separate NATs.

For this purpose, a special protocol, RFC 3489 (Simple Traversal of UDP through NATs), was developed in 2003. It is now obsolete, because its methods proved insufficient for correctly assessing the behaviour of many devices. New methods were standardized in RFC 5389 in October 2008; that specification is today called Session Traversal Utilities for NAT.

Create two-way communication

Each TCP and UDP packet carries a source IP address and source port number, as well as a destination IP address and destination port number.

For public services such as a mail server, the port number is important: for example, port 80 reaches the web server software and port 25 reaches the SMTP mail server. The IP address of the public server is also significant, much like a postal address or phone number. Both of these parameters must be reliably known to every host that intends to establish a connection.

Private IP addresses are meaningful only on the local network where they are used, and the same is true of host ports. Ports are unique communication endpoints on a host, so NAT maintains connectivity through a combination of port mapping and IP address mapping.

PAT (Port Address Translation) resolves the conflicts that arise when two different hosts use the same source port number to establish distinct connections at the same time.

Source: https://habr.com/ru/post/K8834/
