Network Address Translation

Just ask any economist: When a commodity is in short supply, several things happen. The price goes up, rationing begins, and people start scrambling for substitutes. Globally unique Internet addresses, usually called Internet Protocol (IP) addresses, are no exception.

The Internet Engineering Task Force has been aware of the impending depletion of the current address space, called IPv4, for almost a decade. Although the forthcoming IPv6 is still seen as the long-term solution for continued Internet growth, other short-term fixes have been institutionalized in the past several years.

RFC 1631, "The IP Network Address Translator," published in 1994, describes one such fix. In the early days of the Internet, people were urged to apply for globally unique network addresses regardless of whether they ever intended to connect to the global Internet. The idea was to avoid problems when a formerly private network was eventually hooked up to the public Internet.

As the Internet continued to grow exponentially, however, assigning perfectly good network addresses to private networks came to be seen as a waste of valuable virtual real estate. Under the Network Address Translation (NAT) standard, certain IP addresses are set aside for reuse by private networks. As specified in RFC 1597, "Address Allocation for Private Internets," anyone can use addresses in the following ranges: 10.0.0.0 to 10.255.255.255; 172.16.0.0 to 172.31.255.255; and 192.168.0.0 to 192.168.255.255. By convention, routers aren't supposed to forward any packets to these addresses on the Internet.

The simplest NAT device has two network connections: one on the Internet and one on the private network. Hosts within the private network, using their private IP addresses (sometimes also called Network 10 addresses, from the 10.0.0.0 address set aside for private use) connect to the Internet by sending packets directly to the NAT device. Unlike normal routers, which merely read the source and destination addresses on each packet before forwarding them to their destinations, NAT devices actually modify the packet headers, changing the private network source address into its own Internet address.

NAT Drawbacks

In using NAT, hosts on the Internet appear to be communicating directly with the NAT device rather than with the actual host inside the private network. Inbound packets are sent to the NAT device's IP address, and the device changes the destination packet header from its own Internet address to the private network address of the true destination host.

The result is that, in theory, a single globally unique IP address can front for hundreds, thousands or even millions of privately addressed hosts. In practice, however, there are drawbacks. For one thing, many Internet protocols and applications depend on the network being truly end-to-end, with packets forwarded entirely unmodified from the source to the destination. The IP security architecture, for example, can't work across a NAT device because the original headers, with the original IP source addresses, are digitally signed. Change the source address, and the digital signature is no longer valid.
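The following added example (not from the original article) models the end-to-end conflict described above: an AH-style integrity tag is computed over header fields that include the source address, and the same tag no longer verifies once a NAT device rewrites that address. The key, addresses and payload are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed key shared by the two IPsec-style endpoints (demo value only).
SHARED_KEY = b"constructed-demo-key"


def integrity_tag(src: str, dst: str, payload: bytes) -> bytes:
    """HMAC over the immutable header fields plus payload, as AH covers them."""
    covered = f"{src}|{dst}|".encode() + payload
    return hmac.new(SHARED_KEY, covered, hashlib.sha256).digest()


def build_packet(src: str, dst: str, payload: bytes) -> dict:
    """The sender signs the packet while it still carries the private source address."""
    return {"src": src, "dst": dst, "payload": payload,
            "tag": integrity_tag(src, dst, payload)}


def nat_rewrite_source(packet: dict, public_ip: str) -> dict:
    """What a NAT device does on the way out: replace the private source address."""
    rewritten = dict(packet)
    rewritten["src"] = public_ip
    return rewritten


def verify(packet: dict) -> bool:
    """The receiver recomputes the tag over the header it actually received."""
    expected = integrity_tag(packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["tag"])


def demo() -> tuple:
    """Returns (verifies_before_nat, verifies_after_nat)."""
    original = build_packet("10.25.1.7", "203.0.113.10", b"constructed payload")
    translated = nat_rewrite_source(original, "126.22.99.144")
    return verify(original), verify(translated)
```

The tag fails after translation not because it was tampered with maliciously, but because the NAT device legitimately changed a field the signature covers.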

NAT raises administrative challenges as well. Although NAT is a nice solution for an organization, branch or even a department that can't get enough globally unique Internet addresses, it becomes a huge problem when reorganizations, mergers or acquisitions require the consolidation of two or more private networks. Even when organizational charts are stable, NAT systems can inadvertently be nested, causing routing nightmares.

Beyond the Device

While hosts inside a private network usually connect easily with servers on the outside, hosts on the Internet can't always easily connect to servers within the network. As far as external hosts are concerned, they're communicating directly with a single host -- the NAT device itself. The private network is effectively invisible to the outside world, which thinks all traffic from that network is actually traffic originating and terminating at the NAT device.

Network Address Port Translation (NAPT) helps alleviate this problem by translating not just the IP address but also the transport layer port. Thus, an inbound packet addressed to Port 80 (usually used for HTTP packets) on the NAPT device could be translated and passed along to the private network's Web server. Without port translation, the NAT device has no way of knowing which host in the private network to pass such packets to.

NAT is often positioned as a security solution. After all, the private network seems to be hidden from view. However, if an attacker can gain control of the NAT device, the entire network is vulnerable. NAT shouldn't be considered a replacement for a firewall, though simple devices implementing NAT can be useful for protecting small office and home office networks.

Although NAT fans proclaim it as the long-term solution to the IPv4 address shortage, it remains a short-term fix. Ignoring architectural and deployment problems, the IPv4 address space itself is still finite and would soon be overwhelmed if all networks were hidden behind NAT devices.

The NAT-enabled router in this diagram has an IP address of 10.25.1.1 for the inside network and an address of 126.22.99.144 for the outside network. Anytime a host on the inside network (10.25.1.x) makes a request to the Internet, the NAT device will translate the 10.25.1.x to 126.22.99.144. The internal machine can directly access any host on the external network, while from the outside, it appears that all outbound traffic is originating from the router’s single IP address.
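The following added example (not from the original article) simulates the NAPT behaviour described in the last two sections using the diagram's addresses: outbound packets from 10.25.1.x are rewritten to 126.22.99.144 with a per-connection public port, replies are mapped back through that table, unsolicited inbound packets with no mapping are dropped, and an administrator-configured forward for port 80 reaches an inside Web server. The inside host addresses, ports and the 10.25.1.80 Web server are constructed values.

```python
from dataclasses import dataclass

PUBLIC_IP = "126.22.99.144"      # outside address from the article's diagram
WEB_SERVER = ("10.25.1.80", 80)  # constructed inside Web server reached via port forwarding


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Minimal NAPT device: one public address, dynamic per-connection port mappings."""

    def __init__(self, public_ip, static_forwards=None, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # public port -> (priv_ip, priv_port)
        # Static forwards are the administrator's explicit "inbound port -> inside host" rules.
        for pub_port, inside in (static_forwards or {}).items():
            self.inbound[pub_port] = inside

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source to the public address and a chosen public port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:           # first packet of this connection
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Map a packet for the public address back inside; None means no mapping (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get(pkt.dst_port)
        if inside is None:                     # nothing to tell us which inside host to use
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])
```

Without the static forward, the port 80 request would be dropped exactly like the unsolicited packet, which is the "hosts on the Internet can't always easily connect to servers within the network" problem in practice.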

This story, "Network Address Translation" was originally published by Computerworld.
