Why is NAT used for mapping?

Network address translation is a critical technology, as the Internet becomes ever more widely used, with more devices becoming connected, and the availability of IP addresses is becoming a serious problem.

From: Embedded Software (Second Edition), 2012

Network Security

Ido Dubrawsky, in Eleventh Hour Security+, 2010

Network Address Translation

Network Address Translation (NAT) was developed because of the explosive growth of the Internet and the increase in home and business networks—the number of available IP addresses was simply not enough. A computer must have an IP address in order to communicate with other computers on the Internet. NAT allows a single device, such as a router, to act as an agent between the Internet and the local network. This device or router provides a pool of addresses to be used by your local network. Only a single, unique IP address is required to represent this entire group of computers. Common types of NAT include:

Static NAT—Used by businesses to connect Web servers to the Internet.

Dynamic NAT—Larger businesses use this type of NAT because it can operate with a pool of public addresses.

Port Address Translation (PAT)—Most home networks using Digital Subscriber Line (DSL) or cable modems use this type of NAT.

NAT has several benefits, one of which is its ability to hide the IP addresses and network design of the internal network. Hiding the internal network from the Internet reduces the risk of intruders gleaning information about the network and exploiting that information to gain access. NAT enables internal clients to use nonroutable IP addresses, such as the private IP addresses defined in RFC 1918, while still enabling them to access Internet resources. The three IP address ranges reserved by RFC 1918 are:

10.0.0.0-10.255.255.255 (10/8 prefix)

172.16.0.0-172.31.255.255 (172.16/12 prefix)

192.168.0.0-192.168.255.255 (192.168/16 prefix)

URL: https://www.sciencedirect.com/science/article/pii/B9781597494274000058

VoIP Security

Xinyuan Wang, Ruishan Zhang, in Advances in Computers, 2011

8.6 NAT Traversal

NAT is a technique that automatically maps an internal, private IP address and port number to an external, public IP address and port number. Specifically, when a host in a private network wants to access the public Internet, it initiates the connection to the destination on the public Internet. When the NAT sees the outgoing packet with a private source IP address, it automatically replaces the private source IP address with the public IP address and changes the source port number. The NAT creates a mapping between the pair 〈PrivateSrcIP, PrivateSrcPort〉 and the pair 〈PublicSrcIP, PublicSrcPort〉 so that it knows how to translate the destination IP address and destination port number of the returning traffic. NAT allows multiple hosts in a private network to share one public IP address, and it protects the hosts behind the NAT by blocking unsolicited incoming traffic. Since most homes have only one public IP address, most residential VoIP phones are behind NAT. Because the NAT mapping is set up by traffic initiated from the private network toward the public Internet, any unsolicited incoming traffic from the Internet is blocked for lack of a translation mapping.

On the other hand, VoIP needs to support unsolicited incoming calls. For performance reasons, many VoIP service providers use separate servers for VoIP signaling and for the voice stream. This means that the incoming voice stream comes from a different IP address than the signaling traffic. In these cases, the NAT has no translation mapping for the incoming traffic and thus does not know how to translate the destination IP address and port number.

In addition, NAT makes it hard to enforce end-to-end integrity and, specifically, to validate or authenticate the location of the VoIP phone. When the VoIP phone is behind NAT, it knows only its private IP address unless it uses some protocol to learn its public IP address. This means the VoIP phone has to use its private IP address in any authentication scheme that includes the phone's source IP address. Because of NAT, the party communicating with the VoIP phone sees only the public IP address. Therefore, the other party cannot use the VoIP phone's private IP address for authentication. This opens the door to various attacks on VoIP such as registration hijacking, call hijacking, and MITM attacks.

A number of NAT traversal solutions (e.g., UPnP [32], STUN [33], TURN [34], ICE [35]) have been proposed to help VoIP phones discover the NAT's public IP address. However, they are not widely supported by existing VoIP phones. In addition, NAT traversal does not automatically solve the problem of unsolicited incoming calls. To allow unsolicited incoming VoIP traffic, the NAT has to be SIP aware. Like a SIP-aware firewall, a SIP-aware NAT may introduce new security vulnerabilities—allowing a remote attacker to penetrate the NAT and attack the devices behind it.

URL: https://www.sciencedirect.com/science/article/pii/B978012385514500001X

Basics of IP Networks

Arun Handa, in System Engineering For IMS Networks, 2009

3.6 NAT/Firewall Traversal — Session Border Control

Network Address Translation (NAT) has been an effective technique for insulating a private internal IP network and mapping its addresses to a single external IP address. This function is normally implemented on an edge device and is usually combined with a firewall function. This method of enabling private networks while giving them access to public internetworks helps conserve the pool of IP addresses, which is quite limited. NAT performs the address translation by using a distinct external port number for each connection. The 16-bit port address space extends the IP addressing capability, giving roughly 65K potential assignments for a single IP address. We see this in Figure 3.6. Consider a typical internal Class C network 192.168.1.x. D1 is an IP device that needs to make a session request to an external network entity E. Since E is not directly accessible to D1, the request goes to its internal firewall 192.168.1.1. The NAT function translates this request for the external entity, mapping it to its external IP address 72.16.1.69 and a port 40001 from its pool.

Figure 3.6. Network Address Translation.

NAT seems easy and quite effective at solving our address limitation, so what is the problem? If we recollect from Figure 3.1, the focus of NAT has been the network layer of the stack. The application layers of the protocols pose a challenge. Most application protocols exchange address-related information about the source or the destination, especially to enable the return response. The problem is that an internal or external address carried in such a message will be unknown to the device on the other side of the firewall. The solution requires being able to open application layer packets and perform a similar translation there. This function is performed by an application level gateway (ALG).

The best-known ALG today is the session border controller (SBC). The SBC is an edge network device that was designed to solve the NAT traversal problem for SIP in Voice over Internet Protocol (VoIP) networks. The SBC has to open the SIP packets and perform address translation.

It was believed that with IPv6, unlimited IP addresses would become available, the NAT traversal problem would go away, and so would the need for SBCs. Given the advantages of secure private networks and the acceptance of IPv4 as an interim solution for IMS, NAT traversal is still a challenge and SBCs continue to be a viable solution.

URL: https://www.sciencedirect.com/science/article/pii/B9780750683883000034

Security and Privacy Architecture

James D. McCabe, in Network Analysis, Architecture, and Design (3), 2007

9.5.4 Network Perimeter Security

For network perimeter security, or protecting the external interfaces between your network and external networks, we consider the use of address translation mechanisms and firewalls.

Network address translation, or NAT, is the mapping of IP addresses from one realm to another. Typically this is between public and private IP address space. Private IP address space is the set of IETF-defined private address spaces (RFC 1918):

Class A 10.x.x.x 10/8 prefix

Class B 172.16.x.x 172.16/12 prefix

Class C 192.168.x.x 192.168/16 prefix

NAT is used to create bindings between addresses, such as one-to-one address binding (static NAT); one-to-many address binding (dynamic NAT); and address and port bindings (network address port translation, or NAPT).

While NAT was developed to address the issues of address space exhaustion, it was quickly adopted as a mechanism to enhance security at external interfaces. Routes to private IP address spaces are not propagated within the Internet; therefore, the use of private IP addresses hides the internal addressing structure of a network from the outside.

The security architecture should consider a combination of static and dynamic NAT and NAPT, based on the devices that are being protected. For example, static NAT is often used for bindings to multiple-user devices such as servers or high-end computing devices, while dynamic NAT is used with generic computing devices.

Firewalls are combinations of one or more security mechanisms, implemented in network devices (routers) placed at strategic locations within a network. Firewalls can be filtering gateways, application proxies with filtering gateways, or devices running specialized “firewall” software.

URL: https://www.sciencedirect.com/science/article/pii/B9780123704801500104

Networking

Colin Walls, in Embedded Software (Second Edition), 2012

8.6 NAT Explained

Network address translation is a critical technology, as the Internet becomes ever more widely used, with more devices becoming connected, and the availability of IP addresses is becoming a serious problem. NAT is essentially a “kluge” that deals with the issue extremely well in some situations. Longer term, the next generation of IP protocol, IPv6, is likely to be the solution—this is described in “IPv6—The Next Generation Internet Protocol,” earlier in this chapter. This article introduces NAT and is based upon an Accelerated Technology white paper written by Glen Johnson and Tammy Leino.

The IP Network Address Translator (NAT) protocol is a router protocol that allows nodes on a private network to transparently communicate with nodes on an external network and vice versa. Nodes on a private network have not been assigned a globally unique IP address; therefore, communication with the external network would otherwise be impossible. This transparent communication is accomplished by modifying the IP and protocol-specific headers of packets flowing to and from the private network. NAT solves three common problems with growing networks: shortage of globally unique IP addresses, firewall-like protection for the private network, and flexibility of network administration.

8.6.1 NAT Explained

There are a variety of flavors of NAT. Basic NAT maps an IP address on the private network to a globally unique IP address. Basic NAT performs translation on only the IP address and requires the NAT router to have a pool of globally unique IP addresses, which can be mapped. Basic NAT also limits the number of nodes on the private network that can communicate with the external network to the number of globally unique IP addresses that are available. This means that in order for five nodes on the private network to communicate with the external network at the same time, there must be five globally unique IP addresses available for translation. While these five addresses are in use, no other nodes on the private network can communicate with the external network.

NAPT (Network Address Port Translator) solves some of the problems with basic NAT and does a much better job of solving the problem of a shortage of globally unique IP addresses by allowing all nodes on a private network to communicate with the external network by sharing a single globally unique external IP address. This is advantageous for homes and businesses with limited globally unique IP addresses, because all users can access the external network simultaneously. NAPT accomplishes this by replacing, within the protocol headers, the IP address and TCP/UDP port number of the private node with the globally unique external IP address and TCP/UDP port number. In other words, NAPT performs translation on the UDP/TCP port numbers as well as on the IP address. With NAPT, the theoretical limit is up to 64,000 simultaneous sessions (address/port combinations) at a time. NAPT is also known as IP masquerading.

Bidirectional NAT enables connections to be initiated from hosts on the external network as well as the private network. Specific ports on the NAT router are mapped to services on a private node or server via a portmap service (see the section “The Portmap Service” later in this article). The NAT router relays all matching requests from the external network to the specific private server. This enables servers on the private network to be accessible to nodes on the external network. For example, an FTP client on the external network could establish a connection with an FTP server on the private network. Without bidirectional NAT support, all connections have to be initiated from nodes on the private network.

Since all connections must be initiated from the private network or registered with the portmap service, NAT provides firewall-like protection for the private network. An intruder would have to first gain access to the NAT router to infiltrate the private network. Also, the size and topology of the private network are hidden behind the NAT router. Note that NAT does not necessarily preclude the need for a real firewall.

No modifications need to be made to the NAT router when a new node is added or existing nodes are removed or reconfigured. This provides for flexibility of network administration.

The theory of operation for NAT is illustrated in Figure 8.6.

Figure 8.6. NAT theory of operation

The private network 192.168.16.x is hidden from the external network behind a NAT router. The NAT router has one external interface (201.100.67.1) used to communicate with the external network and to protect the anonymity of the private nodes. The NAT router has one private interface (192.168.16.1) used to communicate with the private network.

When a private node sends a packet to the external network, the NAT router intercepts the packet and replaces all instances of the private source IP address (192.168.16.xxx) and TCP/UDP source port with the external IP address (201.100.67.1) and an assigned external TCP/UDP source port. NAT assigns the port number. No user intervention or configuration is necessary for private nodes to initiate communication with external nodes. However, if a server on the private network needs to service clients located on the external network, then the server’s port must be registered with NAT via the portmap service.

When an external node responds to a private node or initiates an acceptable connection with a private node, the NAT router intercepts the packet and replaces all instances of the external destination IP address (201.100.67.1) and assigned external destination TCP/UDP port with the private IP address (192.168.16.xxx) and destination TCP/UDP port.

The Portmap Service

As mentioned previously, NAT may be bidirectional. This means that servers can be supported on the private network. NAT achieves this via a portmap service, which is used to register services (servers) on the private network as accessible to the external network.

Multiple nodes on the private network may be registered on the same port using the same protocol. For example, multiple nodes may be registered as FTP servers. As requests for connections come in through the NAT router from the external network, NAT will forward these requests in a round-robin manner to the respective servers on the private network. This is done to distribute the work evenly across multiple servers.

Note that since the external network sees the NAT router as the one and only final destination, there is no way to specify to which of the multiple private servers the packet may have been intended. For example, if a certain file is stored on one of three private servers, and an external user FTPs to retrieve that file, it is not guaranteed that the request will be sent to the proper server. If multiple servers of the same type are to be used effectively on the private network they must be mirrored.
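
The portmap behaviour described above (registration of private servers, round-robin hand-out of new inbound connections, and the consequence that an external client cannot choose which of several mirrored servers it reaches) as an added Python example. This is illustrative code written for this page, not the Accelerated Technology or Nucleus NAT implementation; the host addresses are constructed, and the per-connection table that keeps later packets of one connection on the same server is an assumption about how a sensible implementation would behave.

```python
class PortMap:
    """Toy portmap service for bidirectional NAT: private servers register an
    external (protocol, port); each new inbound connection to that port is
    handed to the next server in round-robin order, and later packets of the
    same connection stay on the server that first received it."""

    def __init__(self):
        self.servers = {}      # (proto, ext_port) -> [(private_ip, private_port), ...]
        self.next_index = {}   # (proto, ext_port) -> index of the next server to use
        self.connections = {}  # (proto, remote_ip, remote_port, ext_port) -> server

    def register(self, proto, ext_port, private_ip, private_port):
        """Register a private server as reachable on ext_port of the NAT router."""
        self.servers.setdefault((proto, ext_port), []).append((private_ip, private_port))
        self.next_index.setdefault((proto, ext_port), 0)

    def route_inbound(self, proto, remote_ip, remote_port, ext_port):
        """Return the (private_ip, private_port) that receives this inbound packet,
        or None when nothing is registered on ext_port (the packet is dropped)."""
        conn = (proto, remote_ip, remote_port, ext_port)
        if conn in self.connections:
            return self.connections[conn]  # existing connection: same server as before
        pool = self.servers.get((proto, ext_port))
        if not pool:
            return None
        i = self.next_index[(proto, ext_port)]
        self.next_index[(proto, ext_port)] = (i + 1) % len(pool)
        self.connections[conn] = pool[i]
        return pool[i]


def demo_portmap():
    pm = PortMap()
    # Three private FTP servers registered on the same external port (constructed addresses).
    for host in ("192.168.16.10", "192.168.16.11", "192.168.16.12"):
        pm.register("tcp", 21, host, 21)
    # Four external clients open FTP control connections in turn; the fourth
    # wraps around to the first server, so no client can pick a server itself.
    first_packets = [pm.route_inbound("tcp", "203.0.113.%d" % n, 50000 + n, 21) for n in range(4)]
    # A second packet of the first client's connection stays on its server.
    same_connection = pm.route_inbound("tcp", "203.0.113.0", 50000, 21)
    # Nothing is registered on port 22, so that packet is dropped.
    dropped = pm.route_inbound("tcp", "203.0.113.0", 50001, 22)
    return first_packets, same_connection, dropped
```

The returned list shows why the text insists on mirroring: three consecutive connections land on three different servers, and the only way to make that harmless is for every server to hold the same content.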

8.6.2 RFC Support

The requirements for a NAT router are outlined in RFC 1631 and clarified in RFC 2663. Since the implementation of a NAT router is so closely related to the private network it is hiding, the RFCs are more informational overviews than stringent requirements documents.

8.6.3 Protocol Support

NAT may support a wide variety of networking protocols. Note that support in this case means that NAT can forward data sent by these protocols from the private network to the external network. Any networking protocol can be executed on the NAT router itself. For example, if a TFTP client is not listed as supported by a particular NAT implementation, this means that NAT does not support a TFTP client on the private network communicating with a TFTP server on the external network. However, a TFTP client could execute on the NAT router. This TFTP client could communicate with TFTP servers on both the private and the external network. Examples of protocols that are likely to be supported include IP, TCP, UDP, DNS, ICMP, HTTP client-server, Telnet client-server, TFTP client-server, and FTP client-server.

8.6.4 Application Level Gateways

An Application Level Gateway (ALG) is an extension to NAT, which modifies the payload of a packet aside from the IP and/or protocol headers. Note that only those applications that embed IP addresses and/or port numbers within the application payload require an ALG.

Commonly implemented ALGs are:

ICMP: Provides functionality for ICMP error codes.

FTP: Provides functionality for FTP PORT and PASV commands.

8.6.5 The Private Network Address Assignment

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private Internets:

10.0.0.0–10.255.255.255

172.16.0.0–172.31.255.255

192.168.0.0–192.168.255.255

An organization that decides to use IP addresses in this address space can do so without coordination with any Internet registry. This address space information is taken from RFC 1918.

URL: https://www.sciencedirect.com/science/article/pii/B9780124158221000088

Connecting to the outer world

Fabrizio Granelli, in Computing in Communication Networks, 2020

24.2.2 Using NAT service

In many intranets today, Network Address Translation is used both to let multiple devices share the same public IP address and to improve security. Typically, this is also a service offered by virtualization environments such as VirtualBox or VMware, which provide a local NAT service to the VMs. Therefore it is useful to connect the emulation virtual machine to the Internet using the already available NAT service.

Indeed, NAT connectivity can be enabled with the Mininet primitive addNAT(), as demonstrated in the following example. Here a tree topology with one switch is built and given Internet connectivity:

URL: https://www.sciencedirect.com/science/article/pii/B9780128204887000402

Home Networks

Walter Ciciora, ... Michael Adams, in Modern Cable Television Technology (Second Edition), 2004

25.6.2 Network Address Port Translation (NAPT)

Network address port translation (NAPT), a special type of NAT, is commonly used in the residential gateway to allow a single public address to be shared by several hosts (PCs or other network devices). Figure 25.3 illustrates a typical arrangement where an RG performs NAPT. The RG has to route an incoming packet to only one of the three PCs, the one from which the original request came. To do this, the RG must maintain the state of each IP flow and multiplex packets at the transport layer.

As explained in Chapter 5, the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) maintain endpoint identifiers at the transport layer called ports. The RG creates a table of port translations (shown in Figure 25.5) so that each IP flow is identified by a unique source port number assigned to it. As the packet is routed from the PC to the WAN, the original source port number is replaced. Figure 25.4 illustrates an example where PC (B) sends an HTTP request to an application server. The original packet has a source port number of 80, which is translated to a source port number of 1025 by the RG. As the packet is routed, the RG dynamically creates an entry in the address and port translation table in the RG (see Figure 25.5, second row).

Figure 25.5. Address and port translation table.

When the packet reaches the application server at the far end of the connection, it takes the source port number and places it in the destination port number field in the response packet. When the RG receives the response packet, the destination port number (1025) identifies the PC that made the request. The original port number (80) is restored before it is relayed to the PC so that it remains unaware of the port number substitution. Thus, multiple PCs and other network devices can use the same application behind a single WAN address without confusion.
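
The address and port translation table described here, in Wang and Zhang's NAT traversal section (mapping creation on outbound traffic, dropping of unsolicited inbound traffic and of media arriving from an address other than the one contacted) and in Walls' theory-of-operation description above, as one added Python example. It is illustrative code written for this page, not code from any of the books; the private LAN, gateway address and server addresses are constructed, the starting public port 40001 is an arbitrary choice, and the rule that an inbound packet must come from the remote host the private node contacted is the address-dependent filtering behaviour of RFC 4787, assumed here because it is the behaviour the VoIP passage describes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addresses (not from any real deployment).
PUBLIC_IP = "201.100.67.1"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls in one of the three RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class Napt:
    """Toy NAPT gateway. Outbound packets from RFC 1918 sources create a row in
    the translation table; inbound packets are forwarded only when a row exists
    for the destination port and the sender is the host that was contacted."""

    def __init__(self, public_ip, first_port=40001):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_private = {}  # (proto, private_ip, private_port) -> assigned public port
        self.by_public = {}   # (proto, public_port) -> (private_ip, private_port, remote_ip)

    def outbound(self, pkt):
        """Translate a packet leaving the private network (creates the mapping)."""
        if not is_rfc1918(pkt.src_ip):
            return pkt  # not a private source: forwarded untranslated
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.by_private:
            self.by_private[key] = self.next_port
            self.by_public[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
            self.next_port += 1
        return Packet(self.public_ip, self.by_private[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Translate a packet arriving on the public interface; None means dropped."""
        row = self.by_public.get((pkt.proto, pkt.dst_port))
        if row is None:
            return None  # no mapping at all: unsolicited traffic is dropped
        private_ip, private_port, remote_ip = row
        if pkt.src_ip != remote_ip:
            return None  # mapping exists, but for a different remote host
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)

    def table(self):
        """The translation table as rows, in the style of Figure 25.5."""
        return [(ip, port, self.public_ip, pub_port, proto)
                for (proto, ip, port), pub_port in self.by_private.items()]


def demo_napt():
    nat = Napt(PUBLIC_IP)
    # A PC behind the gateway opens an HTTP request to a server.
    out = nat.outbound(Packet("192.168.16.20", 1025, "198.51.100.7", 80, "tcp"))
    # The server replies to the public address and the assigned port: delivered.
    reply = nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, out.src_port, "tcp"))
    # A different server sends to the same assigned port (the VoIP media server
    # that is not the signalling server): no matching row, dropped.
    stray = nat.inbound(Packet("198.51.100.8", 5004, PUBLIC_IP, out.src_port, "tcp"))
    # An unsolicited packet to a port with no row at all: dropped.
    unsolicited = nat.inbound(Packet("203.0.113.9", 5060, PUBLIC_IP, 5060, "udp"))
    return out, reply, stray, unsolicited
```

Running demo_napt() shows the three outcomes side by side: the reply is rewritten back to 192.168.16.20:1025, while both the stray media packet and the unsolicited packet come back as None, which is the "blocked for lack of a translation mapping" case of the VoIP passage.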

Most of the time, network address port translation does not affect the applications at the endpoints of the network. Nevertheless, it is important to understand that NAPT violates an important Internet principle, called end-to-end network transparency. For example, File Transfer Protocol (FTP) uses multiple ports for a single transaction — one for control and others for data transfer. To support FTP, an application-level gateway (ALG) must be built that associates the multiple port numbers used by FTP and translates FTP-specific fields in the control messages so that they refer to the translated port numbers. The NAPT function in the residential gateway generally incorporates application-level gateways for all common protocols that need this type of special attention. The longer-term problem is that new Internet protocols are being developed all the time, and new application-level gateways may have to be built to support some of them.
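
The FTP application-level gateway described in this paragraph (and listed among the common ALGs in Walls' section and Handa's ALG discussion above) as an added Python example: it opens the control-channel payload, rewrites the address and port inside a PORT command to the gateway's public address and a freshly assigned port, and records where the server's data connection to that port must be delivered. This is illustrative code written for this page, not a residential gateway's implementation; the gateway address and client addresses are constructed, and the check that the PORT command names the host that sent it is a defensive assumption so the ALG opens a mapping only for the client that asked.

```python
import re

# RFC 959 PORT syntax: four address bytes and two port bytes, comma separated.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Encode (ip, port) back into the comma-separated PORT syntax."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class FtpAlg:
    """Toy FTP ALG sitting on the NAPT gateway. It rewrites the address inside an
    outbound PORT command and pre-creates the inbound mapping the server's data
    connection will need, which plain NAPT could never do from headers alone."""

    def __init__(self, public_ip, first_port=40001):
        self.public_ip = public_ip
        self.next_port = first_port
        self.expected = {}  # public data port -> (private_ip, private_port)

    def rewrite_control(self, private_src_ip, line):
        """Return (line_to_send, public_port). Non-PORT lines pass unchanged;
        a PORT command naming an address other than the sender is refused."""
        parsed = parse_port(line)
        if parsed is None:
            return line, None
        ip, port = parsed
        if ip != private_src_ip:
            return None, None  # open a hole back only to the host that asked
        public_port = self.next_port
        self.next_port += 1
        self.expected[public_port] = (ip, port)
        return format_port(self.public_ip, public_port), public_port

    def inbound_data(self, dst_port):
        """Where the server's data connection to dst_port is delivered; None = dropped.
        The mapping is single-use, so it disappears once the connection arrives."""
        return self.expected.pop(dst_port, None)


def demo_ftp_alg():
    alg = FtpAlg("201.100.67.1")  # constructed gateway address
    plain = alg.rewrite_control("192.168.16.5", "USER anonymous\r\n")
    rewritten = alg.rewrite_control("192.168.16.5", "PORT 192,168,16,5,4,1\r\n")
    refused = alg.rewrite_control("192.168.16.5", "PORT 192,168,16,9,4,1\r\n")
    delivered = alg.inbound_data(rewritten[1])
    unknown = alg.inbound_data(40002)
    return plain, rewritten, refused, delivered, unknown
```

In the demo the client's "PORT 192,168,16,5,4,1" (192.168.16.5, port 4*256+1 = 1025) leaves the gateway as "PORT 201,100,67,1,156,65" (public address, port 156*256+65 = 40001), and the server's later connection to port 40001 is delivered to 192.168.16.5:1025. The refused case shows the downside the text alludes to: an ALG that trusted any address in the payload would be opening inbound holes on behalf of arbitrary hosts.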

URL: https://www.sciencedirect.com/science/article/pii/B9781558608283500278

Addressing and Routing Architecture

James D. McCabe, in Network Analysis, Architecture, and Design (3), 2007

6.5 Addressing Strategies

During the requirements analysis process, it is important to gather information about device growth expectations, so that you can avoid having to change addressing schemes and reconfigure device addresses during the life cycle of the network.

When applying subnetting, variable-length subnetting, classful addressing, supernetting, private addressing and NAT, and dynamic addressing, we want to make sure that our network addresses and masks will scale to the sizes of the areas they will be assigned to. We also want to establish the degrees of hierarchy in the network. To scale the network addressing, we will use the numbers of

Functional areas within the network

Workgroups within each functional area

Subnets within each workgroup

Total numbers of subnets (current and future) in the organization

Total numbers of devices (current and future) within each subnet

By establishing the scaling and hierarchies for our network, we are applying addressing not only systemwide, but also across functional areas, workgroups, and subnets. The intent here is to look at addressing from many perspectives, so that we do not lose the detail of any particular area, nor fail to see the overall addressing picture. While each of the addressing strategies could be applied to any area of the network, there are areas where each strategy is more appropriate. Figure 6.20 shows where each strategy applies.

Figure 6.20. Applying Various Addressing Strategies

At the bottom of the hierarchy, where devices and subnets are addressed, variable-length subnetting can provide the flexibility needed to map addresses to a variety of network/device sizes. In the middle of the hierarchy, where there are functional areas and workgroups, subnetting is often sufficient. At the top end of the hierarchy, where the entire network resides (along with most external interfaces), using the natural mask for the network address or applying subnetting is usually appropriate.

The hierarchies of variable-length subnetting, both internal and external to the network, are shown in Figure 6.21.

Figure 6.21. An Example for Variable-Length Subnetting

In this figure, a hub router connects a number of workgroup routers to an ISP. This hub router can interconnect up to ten networks but is currently connected to only five. Each workgroup router should be configured to support four networks, each network having 10 to 20 devices attached to it. We have been assigned the CIDR block 192.92.240.0/20, which we are expected to summarize to the ISP router.

We can break this network into addressing areas, based on the numbers of functional areas, workgroups, networks, and devices. This will help us to choose address mask sizes that are appropriate for the scale of our network.

In this example there are three distinct areas to address. First, the workgroups have four networks with 10 to 20 devices per network. For this area, we could assign from the CIDR block a Class C per workgroup, subnetted with a mask of 255.255.255.224 (or /27), which will support up to six subnets with up to 30 devices per subnet. The next area is where the workgroup routers connect to the hub router. If addresses need to be assigned (if the routers do not support unnumbered links), we could subnet a single Class C from the CIDR block with a mask of 255.255.255.252 (or /30), supporting 63 subnets with two devices per subnet.

Since these connections are point-to-point between each workgroup router and the hub router, we only need to address two devices per connection. The third area is the connection between the hub router and the ISP router. Here we will provide the summary advertisement 192.92.240.0/20.

The result is shown in Figure 6.22.

Figure 6.22. An Example with Variable-Length Subnetting Applied
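
The variable-length subnetting plan worked through above, as an added Python example using the standard library ipaddress module (illustrative code written for this page, not McCabe's). It carves the assigned block 192.92.240.0/20 into the three areas of the text: one Class C per workgroup subnetted /27, a further Class C cut into /30 point-to-point links to the hub router, and the /20 itself as the summary advertised to the ISP, then checks that every assigned subnet really lies inside that summary. The choice of which Class C blocks go to which area is an assumption. Note that the module counts every subnet, including the all-zeros and all-ones subnets that older subnetting practice set aside, so it reports 8 /27 subnets and 64 /30 links per Class C rather than the text's figures of six and 63.

```python
import ipaddress

CIDR_BLOCK = ipaddress.ip_network("192.92.240.0/20")  # the block assigned in the text
WORKGROUPS = 5              # workgroup routers currently attached to the hub router
NETWORKS_PER_WORKGROUP = 4  # networks each workgroup router must support


def plan_addressing(block=CIDR_BLOCK, workgroups=WORKGROUPS, per_workgroup=NETWORKS_PER_WORKGROUP):
    """Carve the CIDR block into workgroup Class Cs (subnetted /27), one Class C
    of /30 router links, and the summary route. Raises if the block is too small."""
    class_cs = list(block.subnets(new_prefix=24))  # a /20 holds 16 Class C blocks
    if len(class_cs) < workgroups + 1:
        raise ValueError("block too small for %d workgroups plus a link network" % workgroups)
    plan = {"summary": str(block), "workgroups": []}
    for wg_net in class_cs[:workgroups]:  # assumption: first Class Cs go to workgroups
        subnets = list(wg_net.subnets(new_prefix=27))
        plan["workgroups"].append({
            "class_c": str(wg_net),
            "subnets": [str(s) for s in subnets[:per_workgroup]],
            "spare_subnets": len(subnets) - per_workgroup,
            "hosts_per_subnet": subnets[0].num_addresses - 2,  # less network and broadcast
        })
    link_net = class_cs[workgroups]  # next Class C becomes the point-to-point link pool
    links = list(link_net.subnets(new_prefix=30))
    plan["link_class_c"] = str(link_net)
    plan["links"] = [str(l) for l in links[:workgroups]]  # one /30 per workgroup router
    plan["links_available"] = len(links)
    plan["hosts_per_link"] = links[0].num_addresses - 2
    plan["unused_class_cs"] = len(class_cs) - workgroups - 1
    return plan


def summarised_by(plan):
    """True if every assigned subnet lies inside the advertised summary, i.e. the
    single /20 route given to the ISP really covers the whole internal plan."""
    summary = ipaddress.ip_network(plan["summary"])
    assigned = [ipaddress.ip_network(s) for wg in plan["workgroups"] for s in wg["subnets"]]
    assigned += [ipaddress.ip_network(l) for l in plan["links"]]
    return all(net.subnet_of(summary) for net in assigned)
```

The ValueError branch is the point of gathering growth expectations up front: asking for more workgroups than the block can hold fails at planning time, rather than after devices have been addressed.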

URL: https://www.sciencedirect.com/science/article/pii/B9780123704801500074

Hypervisors, Virtualization, and Networking

Bhanu Prakash Reddy Tholeti, in Handbook of Fiber Optic Data Communication (Fourth Edition), 2013

16.4.1.3 Networking with NAT

NAT networking is set up by creating a private LAN for the domU VMs. Traffic from the VMs is then forwarded to the outside network via NAT; dom0 automatically performs all the NAT required.

The scenario is as follows:

domUs are in a private network 10.0.0.0/8.

domU machines must NAT via dom0 to reach the other LAN (168.192.0.0/24). Their traffic appears to come from dom0 (9.122.0.3).

domU machines can be directly accessed from the other LAN (168.192.0.0/24), provided that a route is added at the default gateway of that LAN.

This approach has the advantage that the domU machines are hidden from, and protected against, the other LAN.

16.4.1.3.1 Routing

Routing creates a point-to-point link between dom0 and each domU. Routes to each domU are added to dom0’s routing table, so domU must have a known (static) IP.

When xend starts up, it runs the network-route script, which enables IP forwarding within dom0.

When a domU starts up, xend running within dom0 invokes the vif-route script, which copies the IP address from eth0 to vif#.0, brings up vif#.0, and adds a host static route for the domU's IP address (specified in the domU config file) pointing at interface vif#.

16.4.1.3.2 VLAN config

Multiple tagged VLANs can be supported by configuring 802.1Q VLAN support into dom0. A local interface in dom0 is needed for each desired VLAN, although it need not have an IP address in dom0. A bridge can be set up for each VLAN, and guests can then connect to the appropriate bridge.

16.4.1.3.3 Open vSwitch [9]

Open vSwitch has been the default network backend since XenServer 6.0.0 and XCP 1.5, replacing bridge networking. The Xen bridges discussed above can be replaced with the virtual switch.

Open vSwitch is a multilayer software switch well suited to function as a virtual switch in VM environments. In addition to exposing standard control and visibility interfaces to the virtual networking layer, it was designed to support distribution across multiple physical servers. Open vSwitch supports multiple Linux-based virtualization technologies including Xen/XenServer, KVM, and VirtualBox.

Some of the features that Open vSwitch supports are as follows:

Standard 802.1Q VLAN model with trunk and access ports

NIC bonding with or without LACP on upstream switch

QoS configuration plus policing

GRE, GRE over IPSEC, and CAPWAP tunneling

802.1ag connectivity fault management

Compatibility layer for Linux bridging code

High-performance forwarding using a Linux kernel module

The core vSwitch functions are the same as those discussed for the VMware vSwitch.

URL: https://www.sciencedirect.com/science/article/pii/B9780124016736000167

Data Networks

James Sinopoli, in Smart Building Systems for Architects, Owners and Builders, 2010

Layer 4

While Layer 4 switches are not well defined, they do have some traits in common with the other layers. One is the capability to perform network address translation (NAT). Typically NAT is used to allow multiple users or devices to access the Internet using one public IP address. Years ago this type of translation was a tool to deal with the unavailability of IPv4 addresses. More recently it is used to hide an internal network structure by making it appear that all network traffic originates from the Layer 4 switch rather than from the devices on the internal network.

Because NAT involves translating IP addresses, more processing is required, and the model of end-to-end connectivity across the Internet is somewhat blemished. Layer 4 switches may also do load balancing. With this feature, switch resource utilization and traffic throughput are optimized. An example is a server farm where the network switch may direct traffic across several servers to balance the load. The switch uses policies or filters to identify and manage application-specific traffic.

URL: https://www.sciencedirect.com/science/article/pii/B9781856176538000119

What is NAT and do I need it?

Network Address Translation, or NAT, is used by a firewall, router, or computer that sits between an internal network and the rest of the world. The primary purpose of NAT is to take any number of devices on your local network and allow them to use a single, unique IP address on the Internet.

What is a NAT mapping table?

The NAT table is exactly what it sounds like: a table of network address translations, where each row in the table is basically a mapping from one private address to one public address.