Network Address Translation
Table of Contents
- Basic of NAT
- NAT and the Transport Layer
- NAT Non-Routable Address Space and the Limits of IPv4
- IPv4 Address Exhaustion
Basic of NAT
Unlike protocols like DNS and DHCP, network address translation or NAT, is a technique instead of a defined standard. This means that some of what we'll discuss in this lesson might be more high level than some of our other topics. Different operating systems and different network hardware vendors have implemented the details of NAT in different ways, but the concepts of what it accomplishes are pretty constant. Network address translation does pretty much what it sounds like, it takes one IP address and translates it into another. There are lots of reasons why you would want to do this. They range from security safeguards to preserving the limited amounts of available IPv4 space.We'll discuss the implications of NAT and the IPv4 address space later in this lesson. But for now, let's just focus on how NAT itself works and how it can provide additional security measures to a network. At its most basic level,
NAT(Network Address Translation) is a technology that allows a gateway, usually a router or firewall, to rewrite the source IP of an outgoing IP datagram while retaining the original IP in order to rewrite it into the response.
To explain this better, let's look at a simple NAT example. Let's say we have two networks. Network A consists of the 10.1.1.0/24 address space and network B consists of the 192.168.1.0/24 address space. Sitting between these networks is a router that has an interface on network A with an IP of 10.1.1.1 and an interface on network B of 192.168.1.1. Now, let's put two computers on these networks. Computer 1 is on network A and has an IP of 10.1.1.100. And computer 2 is on network B and has an IP of 192.168.1.100. Computer 1 wants to communicate with a web server on computer 2. So it crafts the appropriate packet at all layers and sends this to its primary gateway, the router sitting between the two networks. So far, this is a lot like many of our earlier examples, but in this instance, the router is configured to perform NAT for any outbound packets. Normally, a router will inspect the contents of an IP datagram, decrement the TTL by 1, re-calculate the checksum, and forward the rest of the data at the network layer without touching it. But with NAT, the router will also rewrite the source IP address, which in this instance, becomes the router's IP on network B or 192.168.1.1. When the datagram gets to computer 2, it'll look like it originated from the router, not from computer 1.
Now, computer 2 crafts its response and sends it back to the router. The router, knowing that this traffic is actually intended for computer 1, rewrites the destination IP field before forwarding it along. What NAT is doing in this example, is hiding the IP of computer 1 from computer 2. This is known as IP masquerading. IP masquerading is an important security concept. The most basic concept at play here is that no one can establish a connection to your computer if they don't know what IP address it has. By using NAT in the way we've just described, we could actually have hundreds of computers on network A, all of their IPs being translated by the router to its own. To the outside world, the entire address space of network A is protected and invisible. This is known as one-to-many NAT, and you'll see it in use on lots of LANs today.
NAT and the Transport Layer
NAT at the network layer is pretty easy to follow. One IP address is translated to another by a device usually a router. But at the transport layer things get a little bit more complicated and several additional techniques come into play to make sure everything works properly. With one to many NAT, we've talked about how hundreds even thousands of computers can all have their outbound traffic translated via NAT to a single IP. This is pretty easy to understand when the traffic is outbound, but a little more complicated once return traffic is involved. We now have potentially hundreds of responses all directed at the same IP and the router at this IP needs to figure out which responses go to which computer. The simplest way to do this, is through port preservation.
Port preservation is a technique where the source port chosen by a client, is the same port used by the router.
Remember that outbound connections choose a source port at random, from the ephemeral ports or the ports in the range 49,152 through 65, 535. In the simplest setup, a router setup to NAT outbound traffic, will just keep track of what this source port is, and use that to direct traffic back to the right computer. Let's imagine a device with an IP of 10.1.1.100. It wants to establish an outbound connection and the networking stack of the operating system chooses port 51,300 for this connection. Once this outbound connection gets to the router, it performs network address translation and places its own IP in the source address field of the IP datagram, but it leaves the source port in the TCP datagram the same and stores this data internally in a table.
Now, when traffic returns to the router and port 51,300, it knows that this traffic needs to be forwarded back to the IP 10.1.1.100.
Even with how large the set of ephemeral ports is, it's still possible for two different computers on a network to both choose the same source port around the same time. When this happens, the router normally selects an unused port at random to use instead.
Another important concept about NAT and the transport layer, is port forwarding.
Port forwarding is a technique where a specific destination ports can be configured to always be delivered to specific nodes.
This technique allows for complete IP masquerading, while still having services that can respond to incoming traffic. Let's use our network 10.1.1.0 \24 again to demonstrate this. Let's say there's a web server configured with an IP of 10.1.1.5. With port forwarding, no one would even have to know this IP. Prospective web clients would only have to know about the external IP of the router. Let's say it's 192.168.1.1. Any traffic directed at port 80 on 192.168.1.1, would get automatically forwarded to 10.1.1.5. Response traffic would have the source IP rewritten to look like the external IP of the router.
This technique not only allows for IP masquerading, it also simplifies how external users might interact with lots of services all run by the same organization.Let's imagine a company with both a web server and mail server, both need to be accessible to the outside world but they run on different servers with different IPs. Again, let's say the web server has an IP of 10.1.1.5, and the mail server has an IP of 10.1.1.6. With port forwarding, traffic for either of these services could be aimed at the same external IP and therefore the same DNS name, but it would get delivered to entirely different internal servers due to their different destination ports.
NAT Non-Routable Address Space and the Limits of IPv4
The IANA has been in charge of distributing IP addresses since 1988. Since that time, the internet has expanded at an incredible rate. The 4.2 billion possible IPv4 addresses have been predicted to run out for a long time and they almost have.
For some time now, the IANA has primarily been responsible with assigning address blocks to the five regional internet registries or RIRs. The five RIRs are AFRINIC, which serves the continent of Africa, ARIN which serves the United States, Canada and parts of the Caribbean. APNIC, which is responsible for most of Asia, Australia and New Zealand and Pacific Island nations. LACNIC which covers Central and South America and any parts of the Caribbean not covered by ARIN. And finally RIPE, which serves Europe, Russia and the Middle East and portions of Central Asia. These five RIRs have been responsible for assigning IP address blocks to organizations within their geographic areas and most have already run out. The IANA assigned the last unallocated slash eight network blocks to various RIRs on February 3rd, 2011. Then in April 2011, APNIC ran out of addresses. RIPE was next, in September of 2012. LACNIC ran out of addresses to assign in June 2014. And ARIN did the same in September 2015. Only AFNIC has some IPs left, but those are predicted to be depleted by 2018.
Wikipedia has a great article all about IPv4 exhaustion and the timelines involved(IPv4 Address Exhaustion). This is of course, a major crisis for the internet.IPv6 will eventually resolve these problems and we'll covered in more detail later in this course. But implementing IPv6 worldwide is going to take some time. For now, we wanted to continue to grow and we want more people and devices to connect to it but without IP addresses to assign, a workaround is needed. Spoiler alert, you already know about the major components of this workaround. NAT and non-routable address space. Remember that non-routable address space was defined in RFC1918 and consists of several different IP ranges that anyone can use. And unlimited number of networks can use non-routable address space internally because internet routers won't forward traffic to it. This means there's never any global collision of IP addresses when people use those address spaces. Non-routable address space is largely usable today because of technologies like NAT. With NAT, you can have hundreds even thousands of machines using non-routable address space.Yet, with just a single public IP, all those computers can still send traffic to and receive traffic from the internet. All you need is one single IPv4 address and via NAT, a router with that IP can represent lots and lots of computers behind it. It's not a perfect solution, but until IPv6 becomes more globally available, non-routable address space and NAT will have to do.
IPv4 Address Exhaustion
The IANA (Internet Assigned Numbers Authority) has been in charge of distributing IP addresses since 1988. Since that time, the internet has expanded at an incredible rate! The 4.2 billion possible IPv4 addresses have almost run out, as it’s long been predicted.
For some time now, the IANA has primarily been responsible for assigning address blocks to the five regional internet registries or RIRs. The five RIRs are:
AFRINIC, which serves the continent of Africa
ARIN, which serves the United States, Canada and parts of the Caribbean
APNIC, which is responsible for most of Asia, Australia and New Zealand and Pacific Island nations
LACNIC, which covers Central and South America and any parts of the Caribbean not covered by ARIN
RIPE, which serves Europe, Russia,the Middle East, and portions of Central Asia
These five RIRs have been responsible for assigning IP address blocks to organizations within their geographic areas and most have already run out. The IANA assigned the last unallocated /8 network blocks to various RIRs on February 3rd, 2011. Then on April 2011, APNIC reached its final /8 of addresses. RIPE was next, in September of 2012. LACNIC reached its final /10 in June 2014. ARIN exhausted its list of free IPv4 addresses in September 2015. Only AFRINIC has some IPs left.
Wikipedia has a great article all about IPv4 exhaustion and the timelines involved.
References:
https://www.coursera.org/learn/computer-networking/lecture/UnKO5/basics-of-nat
https://www.coursera.org/learn/computer-networking/lecture/Onnzx/nat-and-the-transport-layer
https://www.coursera.org/learn/computer-networking/lecture/R9sHu/nat-non-routable-address-space-and-the-limits-of-ipv4
https://www.coursera.org/learn/computer-networking/supplement/G55zR/supplemental-reading-foripv4-address-exhaustion