NAT: NETWORK ADDRESS TRANSLATION
SURINDER KAUR 2012CS13
02-10-2012


A report on NAT


1 Introduction

It is a well known fact that computers communicate with each other using their IP addresses over the internet. An IP address is a 32-bit address (in the IPv4 scheme) that uniquely identifies a computer on the network of computers, i.e. the internet. It is evident that only 2^32 unique addresses are possible with a 32-bit scheme. However, the available addresses are even fewer for various reasons, such as some of them being reserved for special purposes like multicasting and broadcasting.

Looking at the immense use of networking, and thereby the exponential growth in the number of computers requiring a unique IP address, it seems that very soon the addresses available in the IPv4 scheme will be out of stock, and then no new IP addresses can be provided. Is it really going to happen? Certainly not. The solution proposed to this problem is to use 64-bit IP addresses, known as IPv6. In this scheme all IP addresses will be 64-bit. Hence the address space will grow from 2^32 to 2^64; it is definitely a huge space and hopefully sufficient for a long time.

However, to implement the IPv6 scheme across the internet it is required to convert all current IPv4 addresses into corresponding IPv6 addresses. This is not an easy task, since it requires the entire networking structure to be converted from 32-bit to 64-bit: all the routing table entries, the security algorithms, etc. need to be changed, which definitely requires a lot of time and care. So for the meantime two major solutions were proposed:

CIDR: CIDR stands for Classless Inter-Domain Routing. In this, the conventional classful IP addressing is converted into classless addressing. In this scheme the IP address is divided into a netid, i.e. the id of the network, and a host id, i.e. the id of the individual machine in the network, using the slash notation: the number after the slash gives the number of bits in the netid and the remaining bits are the host id.

172.31.100.29/23 implies that the 23 bits from the MSB are the netid and the remaining 9 bits are the host id.

Hence in this case the netid is 172.31.100 and the host id is 29.

NAT: A new technology was introduced to prevent the exhaustion of IP addresses. This technology is termed NAT, i.e. Network Address Translation. NAT is a standard that allows a LAN to group its systems such that they use one set of IP addresses for communicating with external networks, called public IP addresses, and another set of IP addresses for communication within the network, called private IP addresses.

2 NAT: Brief description

The gist of NAT in one line is that NAT maps private IPs to public IPs. It maps the IP address-port pair in the packet to another IP address-port pair. There are three address ranges reserved for private IPs:

• 10.0.0.0/8

• 172.16.0.0/16 to 172.31.0.0/16

• 192.168.0.0/24 to 192.168.255.0/24
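The CIDR split described in Section 1 and a membership check against the three private ranges listed above, as an added example that is not part of the report. It uses plain bit arithmetic; the netid is reported as the network address, and the ranges are written out exactly as the report enumerates them.

```python
# Added example (not from the report): CIDR split and private-range check with bit arithmetic.

def ip_to_int(addr: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def split_cidr(cidr: str) -> tuple[str, int]:
    """Return (network address, host id) for 'a.b.c.d/n': the first n bits from the MSB
    are the netid, the remaining 32 - n bits are the host id."""
    addr, prefix = cidr.split("/")
    n = int(prefix)
    if not 0 <= n <= 32:
        raise ValueError(f"bad prefix length: {n}")
    host_bits = 32 - n
    value = ip_to_int(addr)
    netmask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    return int_to_ip(value & netmask), value & ~netmask & 0xFFFFFFFF

# The three reserved ranges exactly as the report lists them, expanded into CIDR blocks.
PRIVATE_RANGES = (["10.0.0.0/8"]
                  + [f"172.{b}.0.0/16" for b in range(16, 32)]
                  + [f"192.168.{c}.0/24" for c in range(256)])

def in_block(addr: str, cidr: str) -> bool:
    """True if addr shares the netid of the given CIDR block."""
    network, _ = split_cidr(cidr)
    prefix = cidr.split("/")[1]
    candidate, _ = split_cidr(f"{addr}/{prefix}")
    return candidate == network

def is_private(addr: str) -> bool:
    """True if addr falls in any of the reserved private ranges."""
    return any(in_block(addr, block) for block in PRIVATE_RANGES)

if __name__ == "__main__":
    print(split_cidr("172.31.100.29/23"))   # ('172.31.100.0', 29)
    for a in ("10.1.2.3", "172.31.100.29", "172.32.0.1", "192.168.255.7", "8.8.8.8"):
        print(a, is_private(a))
```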

NAT is implemented in any of the devices that sit at the edge, i.e. at the boundary between the LAN and the rest of the internet, such as routers and firewalls. NAT can use one of the following mapping techniques:

Static: In this there is a one-to-one correspondence between the private IP address and the public IP address. A private IP address always maps to the same public IP.

Dynamic: In this there is a one-to-many mapping between the private and the public IP addresses. A private IP address can be mapped to any one of the available public IP addresses.

Overloading: In this there is a many-to-one correspondence between the private and public IP addresses. Many private IP addresses can be mapped to a single public IP address, each with a different port. Hence this scheme is also known as port address translation or port-level multiplexed NAT.

Overlapping: The solution to this dilemma (the inside network's address space overlapping with that of a network it needs to reach) is to use a more sophisticated form of NAT. The other versions we have seen so far always translate either the source address or the destination address as a datagram passes from the inside network to the outside network or vice versa. To cope with overlapping addresses, we must translate both the source address and the destination address on each transition from the inside to the outside or the other direction. This technique is called Overlapping NAT in reference to the problem it solves, or Twice NAT due to how it solves it. (Incidentally, despite the latter name, regular NAT is not called Once NAT.)

Twice NAT functions by creating a set of mappings not only for the private network the NAT router serves, but also for the overlapping network (or networks) that conflict with the inside network's address space. In order for this to function, Twice NAT relies on the use of the TCP/IP Domain Name System (DNS), just like bidirectional NAT. This lets the inside network send requests to the overlapping network in a way that can be uniquely identified. Otherwise, the router cannot tell which overlapping network our inside network is trying to contact.

2.1 NAT Table

It is the table maintained by the NAT server. It contains an entry for each node behind the NAT: the private IP address of the node and its corresponding public address. The NAT table is refreshed periodically.

2.2 Working of NAT

The working of NAT can be summarized in the following points:

• When two systems within the LAN want to communicate, they communicate using their private IP addresses; in this case no private-to-public mapping is required.

• When a system within the LAN wants to communicate with a system that is outside the LAN, the packet reaches the router that implements NAT. The NAT server first verifies that the packet is an inside-to-outside packet and that it satisfies the criteria specified for translation. If so, it checks its NAT table; if the table has an entry corresponding to the private IP address, it maps the private IP to the corresponding public IP address and then forwards the packet to the destination with the source IP set to the public IP.

• When the response from an external network reaches the LAN's NAT router, the destination IP of the corresponding packet is one of the public IPs of the LAN. The NAT router then checks the translation table for that IP and maps it to the corresponding private IP.


• However, it is not possible to make an outside-to-inside connection that is initiated by some outside system.

3 NAT TRAVERSAL

3.1 The NAT TRAVERSAL PROBLEM

A system outside a LAN cannot initiate a connection to any system inside the LAN that is using NAT. This problem is termed the NAT traversal problem. The reason is that the NAT is unable to perform the reverse mapping on its own: it can map a private IP to a public IP, and map the public IP back to the private IP in the response, but it cannot map a public IP to a private IP for queries initiated from outside.

3.2 Traversal approaches

To overcome the NAT traversal problem, various NAT traversal approaches have been proposed. Most of them make use of a third party server for the outside-to-inside connection. However, some other approaches have also been proposed; the most promising one is autonomous NAT traversal.

Using a third party server for connection reversal: The way to obtain an outside-to-inside connection through the NAT is to use a third party server. It is the most popular approach for the above said purpose. The third party servers are located outside the LAN that sits behind the NAT.

When a client outside the NAT wants to establish a connection with the server behind the NAT, the process proceeds as follows:

• The client requests the third party server to help establish a connection with the server.

• Then the third party server notifies the server that the client wants to establish the connection.

• The server then initiates the connection with the client.

This approach is termed the connection reversal approach because the third party server turns the client-initiated communication into server-initiated communication. However, it requires that the server always maintain a connection to the third party server.


The major drawbacks of the third party server approach are:

• It requires a third party to be involved.

• It is a complex approach.

• An attacker can easily attack the system by analyzing the traffic.

The major third party server protocols are:

TURN: TURN stands for Traversal Using Relays around NAT. It is a protocol that facilitates outside-to-inside connections through the NAT. However, it does not allow the system behind the NAT to act as a server, but only to connect to a single system outside the NAT, i.e. TURN allows a connection to be established between one system inside the NAT and one system outside the NAT, but not with multiple systems.

In this way it is as secure as the NAT, but it turns the tables so that the connection through the NAT can be established from outside to inside.

Interactive Connectivity Establishment: It is used for the same purpose. It uses STUN, TURN and other similar protocols as tools. ICE resides within the system outside the NAT, i.e. the client. Using the various tools the client gets a list of candidate addresses. ICE performs a connectivity test on each of them and uses the best address.

The major advantage of this protocol is that it always finds a path if one exists, and the path it uses is the best one.

However, the drawback is that it requires several iterations.

Relaying: When both peers are behind NAT, the relaying method is used. A third party server is used and the peers communicate via this server. The method works as follows:

• Both peers have either a TCP or a UDP connection with the server.

• The peer that wants to initiate communication with another peer transmits its message to the server.

• Since the server has a connection with the other peer, the server then relays this message to it.


• When the other peer responds to the initiating peer, it cannot communicate directly. So it transmits the message to the server involved, and the server in turn relays the message back to the peer.

This approach is considered the most reliable approach. But it requires a lot of network bandwidth and consumes server processing power. Also the communication latency increases. Hence it is the least efficient approach.

Autonomous Traversal

In this approach no third party server is involved. In this way it reduces complexity and decreases the chances of attack.

The basic assumption of this approach is that the outside system knows the public IP address(es) of the NAT router behind which the intended system resides. This is possible due to a previous exchange between the outside system and the inside system. The outside system can be termed the client and the inside system the server. The steps involved in autonomous NAT traversal can be described as follows:

Communicate the public IP of the client to the server: The server periodically sends a message to a known IP address. It may use an ICMP ECHO REQUEST message to an unallocated IP address, i.e. one for which no entry exists in the routing table. Since the server sent the request to an unallocated IP, the NAT router will not be able to route it and will respond with a message like ICMP DESTINATION UNREACHABLE. The server simply ignores such messages. As a result of this request, the NAT router will enable routing of replies to it. The client will fake such a reply: actually the client transmits a TTL EXPIRED message to the NAT router. The server listens for such fake ICMP replies and when it receives one it initiates a connection to the sender's address specified in the fake message. In this manner the server gets the public IP of the client. If the client listens on a pre-agreed port, the port number can be sent as part of the payload of the ICMP ECHO RESPONSE message.

Server connects to the client: Now the server has the public IP of the client, so it can initiate the communication with the client. The communication proceeds in the same way as with normal NAT.

A problem arises in the autonomous approach when the client is also behind a NAT. The NAT disallows the client from sending the fake ICMP response. There is a theoretical solution to this problem, but the solution does not work practically. Hence the major drawback of the autonomous approach is that it fails for NAT-to-NAT communication.

4 NAT Punching or Hole Punching

The NAT traversal techniques are also called NAT punching or hole punching techniques. They are termed so because these techniques create a hole in the NAT system to enable outside-to-inside connections. Hole punching techniques are classified on the basis of the messages involved in creating a hole in the system. The major approaches are as follows:

UDP Hole Punching: For hole punching this technique uses UDP messages, i.e. User Datagram messages. In this method the server behind the NAT needs to maintain a connection with the third party server permanently. The method can be described as follows:

• Since there is a permanent UDP connection between the server and the third party server, the NAT table has an entry corresponding to the third party server.

• The client requests the third party server to help it establish a connection with the server behind the NAT.

• The third party server replies to the client with the private and the public IP of the server behind the NAT. At the same time the third party server also notifies the server behind the NAT that a client wants to establish a connection. The notification message contains the IP address of the client.

• Now both the client and the server behind the NAT know the IP of each other, so the server behind the NAT can start the UDP session with the client.
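A toy overloading NAT that replays the inside-to-outside mapping and reverse lookup of Section 2.2, the traversal problem of Section 3.1 (an unsolicited outside packet finds no table entry and is dropped) and the UDP hole punching steps just listed, as an added example that is not part of the report. All endpoints are constructed, and the NAT is assumed to map and filter independently of the outside endpoint, which is what the report's description implies.

```python
# Added example (not from the report). Assumes endpoint-independent mapping and filtering:
# once a private (ip, port) has a public port, any outside host may send to that port.
import itertools
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port) of the sender
    dst: tuple      # (ip, port) of the receiver
    payload: str

class OverloadingNat:
    """Many private (ip, port) pairs share one public IP, each behind its own public port."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.free_ports = itertools.count(first_port)
        self.table = {}     # private (ip, port) -> public port
        self.reverse = {}   # public port -> private (ip, port)

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Create or reuse the table entry, then rewrite the source to the public address."""
        port = self.table.get(pkt.src)
        if port is None:
            port = next(self.free_ports)
            self.table[pkt.src], self.reverse[port] = port, pkt.src
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def outside_to_inside(self, pkt: Packet):
        """Map the public port back to the private endpoint; no entry means the packet is dropped."""
        inside = self.reverse.get(pkt.dst[1])
        return None if inside is None else Packet(pkt.src, inside, pkt.payload)

def udp_hole_punch(nat: OverloadingNat, server: tuple, rendezvous: tuple, client: tuple):
    """Return (unsolicited delivery, punched delivery): the first is None because the NAT
    has no entry for the client's direct attempt, the second is the client's reply as the
    inside server receives it once the hole exists."""
    unsolicited = nat.outside_to_inside(Packet(client, (nat.public_ip, 5000), "direct attempt"))
    # Step 1: the server's permanent UDP session to the third party server creates an entry.
    keepalive = nat.inside_to_outside(Packet(server, rendezvous, "keepalive"))
    server_public = keepalive.src          # the address the third party server observes
    # Steps 2-3 happen out of band: the client learns server_public, the server learns client.
    # Step 4: the server starts the session; the same entry is reused, so the public port
    # handed to the client is the one the NAT maps back to the private server.
    nat.inside_to_outside(Packet(server, client, "punch"))
    reply = nat.outside_to_inside(Packet(client, server_public, "reply"))
    return unsolicited, reply
```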


TCP Hole Punching: Hole punching in a TCP session is far more complicated than in a UDP session, since TCP involves a secure, reliable end-to-end connection and also involves many more mechanisms like sequencing and synchronization of packets. Hence while applying NAT punching these issues must be addressed properly, which in turn increases the complexity of NAT punching to a great extent. The process of TCP hole punching is as follows:

• There is a permanent TCP connection between the server and the third party server. Hence the NAT table has the corresponding entry.

• The client requests the third party server to help it establish a TCP connection with the server behind the NAT.

• The third party server then replies to the client with the private IP and the public IP of the server behind the NAT. At the same time the third party server notifies the server behind the NAT that a client with this IP address wants to establish a TCP connection with it.

• Now the server sends a SYN packet to the client, and it also listens for any incoming connection attempts from the client.

• The server waits for the SYN-ACK response to the SYN packet it already sent. If it receives it, it sends another ACK packet to acknowledge the SYN-ACK.

• Thus the three-way handshake completes, and the client and the server start TCP communication.

5 Conclusion

NAT is required for the whole IPv4-to-IPv6 transition period, and it is working efficiently. There are various NAT traversal approaches, but none of them is standardized; hence some problems also arise. It is also a matter of debate whether NAT traversal or hole punching is a threat to network security. However, the hole punching techniques used are classified on the basis of the type of network, type of connection, etc., and all of these show satisfactory performance.
