An Internet packet-forwarding technique which is, depending on your point of view, either a grotesque perversion of the way the Internet was supposed to work, or an elegant hack for both extending the IP address space and gaining useful functionality in the face of someone else's restrictive routing or address-allocation policies.

Network Address Translation, or NAT, is performed in a gateway or router or some device which has two different network connections, to two different subnets, one of them on the "real" Internet and one of them on a private subnet. This device has, as far as the "real" Internet is concerned, one publicly-addressable IP address. It then allows any number of machines on the private subnet behind it to share that single IP address.

The machines on the private subnet behind the NAT-forwarding router are, by definition, not on the public Internet. They will typically all have addresses in one of the private-use ranges. Their only connection to the Internet is through the NAT-forwarding router; all of them are configured with the NAT-forwarding router as the gateway to which they forward all their packets.

The NAT-forwarding router is therefore in the position to play the following game, which is what Network Address Translation is. When a machine on the private subnet attempts to contact some machine on the real internet, the NAT-forwarding router notices this, and makes the same attempt to contact that public machine, listing its own public IP address as the machine making the contact. Then, when responses come back from that public machine, the NAT-forwarding router rewrites the headers and forwards the packets back to the real originating machine on the private subnet behind it.

An example will of course make this much clearer. Suppose that the NAT-forwarding router has as its public IP address 200.1.2.3. Suppose that machine "beeblebrox" on the private subnet has the (private) address 192.168.0.10. Suppose that a user on beeblebrox attempts to visit http://slashdot.org, at 64.28.67.150.

beeblebrox will construct packets with a source address of 192.168.0.10 and a destination address of 64.28.67.150. But it doesn't have a route to 64.28.67.150, so it sends the packets to its gateway, the NAT-forwarding router, instead.

The NAT-forwarding router has been configured to do NAT for all 192.168.xxx.yyy addresses on the private subnet behind it. So when the packet comes through for slashdot from beeblebrox, the router rewrites the source address as 200.1.2.3, and forwards the modified packet to slashdot, and makes a note to itself that it's done this.

With luck, packets eventually arrive back from slashdot, with source IP addresses of 64.28.67.150 and destination IP addresses of 200.1.2.3. The router receives these, but recognizes that they're really destined for beeblebrox. So it rewrites the destination addresses to 192.168.0.10, and forwards the packets to the private subnet, where beeblebrox receives them. Voila!

(There are some nuances here with respect to TCP and UDP port numbers which I've glossed over, and also with respect to the way in which protocols other than TCP, e.g. ICMP, can work across NAT in the absence of port numbers.)

The nice thing about NAT is that it's almost completely transparent. In the example above, neither beeblebrox nor slashdot care (or have any way of knowing) that any translation is being done. They just sit there and work, as if they're on the same internet with each other, after all.

One obvious use for Network Address Translation is a home LAN, where you've got several machines all trying to share a single connection, whether it be DSL, cable, or some other technology, out to the Internet. Your ISP probably gives you only a single IP address. But if you've connected your home LAN to your Internet connection using a router that can do NAT, it's just as if all the machines in your house are on the net. (Naturally, since they're sharing the same, relatively narrow pipe, anybody who tries to hog it with a large data transfer will noticeably degrade throughput for the rest.)

Perhaps best of all, nobody can really tell you're doing this. If your ISP is greedy, and says you can connect but a single machine to the net at a time, and that you have to buy two services if you want to connect two machines, you can (rightly) say that the one machine you're connecting to the net with your one public IP address is your router, and what your router does with the packets it sends to and receives from the Internet is your business, not your ISP's. In fact, it's not just home consumers who play this game with ISP's -- I've heard tell that it's not uncommon for a workgroup in a large company with a repressive or incompetent IT department to set up a NAT-forwarding router rather than put up with the IT department's foot-dragging policies for allocating new IP addresses (whether external or internal).

Lots of devices can do NAT. Besides routers (large and small) I've also seen it done in Apple's AirPort base station, and in multiport Palm-to-Ethernet cradles. Not too surprisingly, a Linux machine can (using "ipchains") do NAT and other forms of IP masquerading.

(Disclaimer: there probably is a way for an ISP to detect -- or at least suspect -- that you're using NAT to share a connection and an IP address. I don't know how cranky ISP's tend to get about this. But don't blame me if one catches you doing it and tries to repress you, despite my claim above that "nobody can tell you're doing this" or "the one machine you're connecting to the net is your router".)

Various forms of NAT

NAT, which is defined in RFC 1631, can be used for 3 main reasons. For each one of those reasons, NAT can be used in one of its various forms. These include:

Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.

 _____________
/             \ _                                                      _________
| 192.168.0.1 |  \_                             155.207.113.80        /         \
\_____________/    \_                          ---------------->      |         |
                      \_                                              |         |
                        \_                                            | PUBLIC  |
 _____________            \-> ____________                            |         |
/             \              /            \     155.207.113.69        | NETWORK |
| 192.168.0.2 | --------->  |    ROUTER    |   ---------------->      |         |
\_____________/             |              |                          |         |
                        _/-> \____________/                           |         |
 _____________        _/                        155.207.113.51        |         |
/             \     _/                         ---------------->      \_________/
| 192.168.0.3 |   _/
\_____________/ _/

In static NAT, the computer with the IP address of 192.168.0.2 will always translate to 155.207.113.69.


Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses. In dynamic NAT, the router/NAT device/whatever maintains a pool of routable IPs, from which it assigns IPs to the hosts of the internal LAN that need to communicate with the public network.

 _____________
/             \ _                                                      _________
| 192.168.0.7 |  \_                             155.207.113.18        /         \
\_____________/    \_                          ---------------->      |         |
                      \_                                              |         |
                        \_                                            | PUBLIC  |
 _____________            \-> ____________                            |         |
/             \              /            \     155.207.113.25        | NETWORK |
| 192.168.0.3 | --------->  |    ROUTER    |   ---------------->      |         |
\_____________/             |              |                          |         |
                        _/-> \____________/                           |         |
 _____________        _/                        155.207.113.101       |         |
/             \     _/                         ---------------->      \_________/
| 192.168.0.5 |   _/
\_____________/ _/

In the case of dynamic NAT, the first station that wants to communicate with the public network is assigned by the router the first available IP address from the address pool. Here is the pool, for example:

  • 155.207.113.18 , assigned to 192.168.0.7
  • 155.207.113.25 , assigned to 192.168.0.3
  • 155.207.113.101, assigned to 192.168.0.5
  • 155.207.113.107, available
  • 155.207.113.31 , available

Dynamic NAT can be very useful in case you have a large local LAN (say 30 stations), but your ISP has given you only 5 IP addresses.
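As an added illustration (not part of this writeup), here is the pool above modelled in Python, including what happens when the pool runs dry and when a station's address is handed back; the stations beyond the first three in the table are constructed.

```python
class DynamicNat:
    """Dynamic NAT: each inside host that talks to the public network borrows
    one whole public address from the pool until that address is released."""

    def __init__(self, pool):
        self.free = list(pool)       # addresses still available, in pool order
        self.lease = {}              # inside address -> public address in use

    def translate_out(self, inside_ip):
        """Return the public address to write as the source, or None if the
        pool is exhausted (the router has nothing to translate the host to)."""
        public = self.lease.get(inside_ip)
        if public is None:
            if not self.free:
                return None
            public = self.free.pop(0)          # first available address
            self.lease[inside_ip] = public
        return public

    def translate_in(self, public_ip):
        """Find the inside host that currently owns a public address."""
        for inside_ip, leased in self.lease.items():
            if leased == public_ip:
                return inside_ip
        return None                            # nobody owns it: drop

    def release(self, inside_ip):
        """Give the address back when the host stops talking (a real router
        does this when the translation entry times out)."""
        public = self.lease.pop(inside_ip, None)
        if public is not None:
            self.free.append(public)

def demo():
    # The five-address pool from the table above.
    pool = ["155.207.113.18", "155.207.113.25", "155.207.113.101",
            "155.207.113.107", "155.207.113.31"]
    nat = DynamicNat(pool)
    first = [nat.translate_out(h) for h in ("192.168.0.7", "192.168.0.3", "192.168.0.5")]
    for h in ("192.168.0.9", "192.168.0.11"):  # constructed: two more hosts drain the pool
        nat.translate_out(h)
    sixth = nat.translate_out("192.168.0.12")  # None: no public address left
    nat.release("192.168.0.7")                 # .18 goes back to the pool
    recovered = nat.translate_out("192.168.0.12")
    return first, sixth, recovered
```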

Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.


 _____________
/             \ _                                                      _________
| 192.168.0.7 |  \_                           155.207.113.100:1001    /         \
\_____________/    \_                          ---------------->      |         |
                      \_                                              |         |
                        \_                                            | PUBLIC  |
 _____________            \-> ____________                            |         |
/             \              /            \   155.207.113.100:1002    | NETWORK |
| 192.168.0.3 | --------->  |    ROUTER    |   ---------------->      |         |
\_____________/             |              |                          |         |
                        _/-> \____________/                           |         |
 _____________        _/                      155.207.113.100:1003    |         |
/             \     _/                         ---------------->      \_________/
| 192.168.0.5 |   _/
\_____________/ _/

As we can see, in overloading, each computer on the private network is translated to the same IP address (155.207.113.100) but with a different port number assignment.
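As an added example (not part of this writeup), here is a small Python model of the overloading in the diagram above, which also fills in the port-number detail the beeblebrox walkthrough earlier glosses over: the router hands out public ports sequentially from 1001 as in the diagram, and, as an assumption of this model rather than something every device does, only lets an inbound packet through when it matches a flow an inside host already opened and comes from the peer that host contacted. The inside source port 40000 and the address 198.51.100.9 are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatRouter:
    """Overloading / PAT: every inside host is rewritten to one public IP; flows
    are told apart by the public source port the router hands out."""
    def __init__(self, public_ip, first_port=1001):
        self.public_ip = public_ip
        self.next_port = first_port   # handed out sequentially, as in the diagram
        self.by_flow = {}   # (inside ip, inside port, peer ip, peer port) -> public port
        self.by_port = {}   # public port -> that same inside flow

    def translate_out(self, pkt):
        """Inside -> public: rewrite the source and remember the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:                  # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Public -> inside: undo the rewrite, or None (drop) if no state matches."""
        flow = self.by_port.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if flow is None:
            return None                   # nobody inside opened this: unsolicited
        inside_ip, inside_port, peer_ip, peer_port = flow
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None                   # assumption: reply must come from the peer contacted
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

def demo():
    """The three hosts of the diagram all fetch a page from 64.28.67.150 (slashdot above)."""
    router = PatRouter("155.207.113.100")
    peer = ("64.28.67.150", 80)
    hosts = ["192.168.0.7", "192.168.0.3", "192.168.0.5"]
    out = [router.translate_out(Packet(h, 40000, *peer)) for h in hosts]
    reply = router.translate_in(Packet(*peer, router.public_ip, 1002))   # back to 192.168.0.3
    stray = router.translate_in(Packet("198.51.100.9", 443, router.public_ip, 2000))  # dropped
    return out, reply, stray
```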

How to share a single internet connection using PAT

One can use NAT overloading (PAT) when one has a single connection to the internet to share with a LAN. Say, for example, that I have a DSL router and a computer lab consisting of 20 PCs running various OSs (Windows, Linux, OpenBSD, Mac OS, etc). When the router connects, my ISP assigns to its interface an IP address, say 155.207.113.100. My router also has a 100Mbps ethernet interface which connects to the lab's ethernet switch. All the PCs in the lab are also connected to the switch, and the router effectively shares the internet connection with all the PCs. We just have to activate NAT overloading inside the router configuration and, in addition, tell every PC in our lab to use the ethernet interface IP address of the router (say 192.168.0.100) as its gateway, et voila!

There is also NAT overlapping. When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. But that's a rather rare case.

Bibliography: http://www.cisco.com
