
10/31/12

Network address translation - Wikipedia, the free encyclopedia

Network address translation
From Wikipedia, the free encyclopedia

In computer networking, network address translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device.

The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type of NAT as basic NAT. It is often also referred to as one-to-one NAT. In this type of NAT only the IP addresses, IP header checksum and any higher-level checksums that include the IP address need to be changed. The rest of the packet can be left untouched (at least for basic TCP/UDP functionality, some higher-level protocols may need further translation). Basic NATs can be used when there is a requirement to interconnect two IP networks with incompatible addressing.

However, it is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher-level information such as TCP/UDP ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back. RFC 2663 uses the term NAPT (network address and port translation) for this type of NAT. Other names include PAT (port address translation), IP masquerading, NAT Overload and many-to-one NAT. Since this is the most common type of NAT it is often referred to simply as NAT.

As described, the method enables communication through the router only when the conversation originates in the masqueraded network, since this establishes the translation tables. For example, a web browser in the masqueraded network can browse a website outside, but a web browser outside could not browse a website in the masqueraded network. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as "static NAT" or port forwarding and allows traffic originating in the "outside" network to reach designated hosts in the masqueraded network.
In the mid-1990s NAT became a popular tool for alleviating the consequences of IPv4 address exhaustion.[1] It has become a common, indispensable feature in routers for home and small-office Internet connections. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address.

Network address translation has serious drawbacks on the quality of Internet connectivity and requires careful attention to the details of its implementation. In particular, all types of NAT break the originally envisioned model of IP end-to-end connectivity across the Internet, and NAPT makes it difficult for systems behind a NAT to accept incoming communications. As a result, NAT traversal methods have been devised to alleviate the issues encountered.


Contents
1 One-to-many NATs
  1.1 Methods of Port translation
  1.2 Type of NAT and NAT Traversal
2 Implementation
  2.1 Establishing Two-Way Communication
  2.2 An Analogy
  2.3 Translation of the Endpoint
  2.4 Visibility of Operation
3 NAT and TCP/UDP
4 Destination network address translation (DNAT)
5 SNAT
  5.1 Secure network address translation
6 Dynamic network address translation
7 Applications affected by NAT
8 Advantages of PAT
9 Drawbacks
10 Specifications
11 Examples of NAT software
12 See also
13 References
14 External links

One-to-many NATs
The majority of NATs map multiple private hosts to one publicly exposed IP address. In a typical configuration, a local network uses one of the designated "private" IP address subnets (RFC 1918). A router on that network has a private address in that address space. The router is also connected to the Internet with a "public" address assigned by an Internet service provider. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from a private address to the public address. The router tracks basic data about each active connection (particularly the destination address and port). When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine the private address on the internal network to which to forward the reply.

All Internet packets have a source IP address and a destination IP address. Typically packets passing from the private network to the public network will have their source address modified, while packets passing from the public network back to the private network will have their destination address modified. More complex configurations are also possible.

To avoid ambiguity in how to translate returned packets, further modifications to the packets are required. The vast bulk of Internet traffic is TCP and UDP packets, and for these protocols the port numbers are changed so that the combination of IP and port information on the returned packet can be unambiguously mapped to the corresponding private address and port information. Protocols not based on TCP or UDP require other translation techniques. ICMP packets typically relate to an existing connection and need to be mapped using the same IP and port mappings as that connection.

Methods of Port translation
There are several ways of implementing network address and port translation. In some application protocols that use IP address information, the application running on a node in the masqueraded network needs to determine the external address of the NAT, i.e., the address that its communication peers detect, and, furthermore, often needs to examine and categorize the type of mapping in use. Usually this is done because it is desired to set up a direct communications path (either to save the cost of taking the data via a server or to improve performance) between two clients both of which are behind separate NATs. For this purpose, the Simple traversal of UDP over NATs (STUN) protocol was developed (RFC 3489, March 2003). It classified NAT implementations as full-cone NAT, (address) restricted-cone NAT, port-restricted cone NAT or symmetric NAT and proposed a methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods have proven faulty and inadequate to correctly assess many devices. New methods have been standardized in RFC 5389 (October 2008) and the STUN acronym now represents the new title of the specification: Session Traversal Utilities for NAT.

Full-cone NAT, also known as one-to-one NAT
Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort will be sent through eAddr:ePort.
Any external host can send packets to iAddr:iPort by sending packets to eAddr:ePort.


(Address)-restricted-cone NAT
Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort will be sent through eAddr:ePort.
An external host (hAddr:any) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:any. "Any" means the port number doesn't matter.

Port-restricted cone NAT
Like an address-restricted cone NAT, but the restriction includes port numbers.
Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort will be sent through eAddr:ePort.
An external host (hAddr:hPort) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:hPort.


Symmetric NAT
Each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port; if the same internal host sends a packet, even with the same source address and port, but to a different destination, a different mapping is used.
Only an external host that receives a packet from an internal host can send a packet back.

This terminology has been the source of much confusion, as it has proven inadequate at describing real-life NAT behavior.[2] Many NAT implementations combine these types, and it is therefore better to refer to specific individual NAT behaviors instead of using the Cone/Symmetric terminology. Especially, most NAT translators combine symmetric NAT for outgoing connections with static port mapping, where incoming packets to the external address and port are redirected to a specific internal address and port. Some products can redirect packets to several internal hosts, e.g. to divide the load between a few servers. However, this introduces problems with more sophisticated communications that have many interconnected packets, and thus is rarely used.
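The four classic STUN (RFC 3489) types above differ in two independent rules: how an inside endpoint is mapped to an external port, and which outside hosts are allowed to send to that port. The following model, added here as an example and not taken from the article or from any real NAT product, encodes both rules for each type and runs the same four checks a STUN-style probe would run: can the contacted peer reply, can the same host reply from a different port, can a never-contacted host get through, and does talking to a second peer reuse the same external port. The NatBox class, its method names and all addresses (RFC 1918 and RFC 5737 documentation ranges) are constructed for the illustration; a real NAT works on packet headers, this model works on (address, port) tuples.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

FULL_CONE = "full cone"
ADDRESS_RESTRICTED = "address restricted cone"
PORT_RESTRICTED = "port restricted cone"
SYMMETRIC = "symmetric"


@dataclass
class NatBox:
    """Toy NAT with one external address; models the mapping and filtering rules only."""
    external_ip: str
    nat_type: str
    next_port: int = 40000
    # mapping key -> external endpoint; the key is iAddr:iPort for the cone types and
    # (iAddr:iPort, destination) for symmetric NAT, which maps per destination
    mappings: Dict[tuple, Endpoint] = field(default_factory=dict)
    reverse: Dict[Endpoint, tuple] = field(default_factory=dict)  # eAddr:ePort -> key
    contacted: Dict[Endpoint, Set[Endpoint]] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate a packet leaving the inside; returns the eAddr:ePort used."""
        key = (src, dst) if self.nat_type == SYMMETRIC else src
        ext = self.mappings.get(key)
        if ext is None:
            ext = (self.external_ip, self.next_port)
            self.next_port += 1
            self.mappings[key] = ext
            self.reverse[ext] = key
        self.contacted.setdefault(src, set()).add(dst)
        return ext

    def inbound(self, src: Endpoint, dst_ext: Endpoint) -> Optional[Endpoint]:
        """Apply the filtering rule to a packet from external src aimed at eAddr:ePort.
        Returns the internal endpoint it is delivered to, or None if it is dropped."""
        key = self.reverse.get(dst_ext)
        if key is None:
            return None  # no mapping for that external port: dropped
        if self.nat_type == SYMMETRIC:
            internal, peer = key
            return internal if src == peer else None  # only the mapped destination may reply
        internal = key
        seen = self.contacted.get(internal, set())
        if self.nat_type == FULL_CONE:
            return internal
        if self.nat_type == ADDRESS_RESTRICTED:
            return internal if any(host == src[0] for host, _ in seen) else None
        return internal if src in seen else None  # port restricted: exact host:port match


def probe(nat_type: str) -> Tuple[bool, bool, bool, bool]:
    """Run the same four checks a STUN-style test would make against one NAT type."""
    nat = NatBox("203.0.113.1", nat_type)  # constructed addresses (RFC 1918 / RFC 5737)
    inside = ("192.168.1.10", 5000)
    peer_a = ("198.51.100.1", 3478)
    peer_b = ("198.51.100.2", 3478)
    ext = nat.outbound(inside, peer_a)                                 # inside talks to A first
    from_a = nat.inbound(peer_a, ext) == inside                        # reply from A itself
    from_a_other_port = nat.inbound((peer_a[0], 9999), ext) == inside  # same host, other port
    from_b = nat.inbound(peer_b, ext) == inside                        # host never contacted
    same_mapping = nat.outbound(inside, peer_b) == ext                 # does B reuse ePort?
    return from_a, from_a_other_port, from_b, same_mapping


if __name__ == "__main__":
    for kind in (FULL_CONE, ADDRESS_RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(f"{kind:26s} reply/other-port/unknown-host/same-mapping: {probe(kind)}")
```

Reading the four result tuples side by side shows why the terminology confuses: full-cone, address-restricted and port-restricted NATs all return the same external port for the second peer and differ only in the inbound filter, while symmetric NAT differs in the mapping itself, which is what defeats port prediction for hole punching.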

Type of NAT and NAT Traversal
The NAT traversal problem arises when two peers behind distinct NATs try to communicate. One way to solve this problem is to use port forwarding; another way is to use various NAT traversal techniques. The most popular technique for TCP NAT traversal is TCP hole punching, which requires the NAT to follow the port preservation design for TCP, as explained below.

Many NAT implementations follow the port preservation design especially for TCP, which is to say that they use the same values as internal and external port numbers. NAT port preservation for outgoing TCP connections is especially important for TCP NAT traversal, because programs usually bind distinct TCP sockets to ephemeral ports for distinct TCP connections, rendering NAT port prediction impossible for TCP.

On the other hand, for UDP, NATs do not need to have port preservation because applications usually reuse the same UDP socket to send packets to distinct hosts, making port prediction straightforward, as it is the same source port for each packet.


Furthermore, port preservation in NAT for TCP allows P2P protocols to offer less complexity and less latency because there is no need to use a third party to discover the NAT port since the application already knows the NAT port.[3]

However, if two internal hosts attempt to communicate with the same external host using the same port number, the external port number used by the second host will be chosen at random. Such a NAT will sometimes be perceived as an (address) restricted cone NAT and at other times as a symmetric NAT.

Recent studies have shown that roughly 70% of clients in P2P networks employ some form of NAT.[4]

Implementation
Establishing Two-Way Communication
Every TCP and UDP packet contains both a source IP address and source port number as well as a destination IP address and destination port number. The port address/IP address pair forms a socket. In particular, the source port and source IP address form the source socket.

For publicly accessible services such as web servers and mail servers the port number is important. For example, port 80 connects to the web server software and port 25 to a mail server's SMTP daemon. The IP address of a public server is also important, similar in global uniqueness to a postal address or telephone number. Both IP address and port must be correctly known by all hosts wishing to successfully communicate.

Private IP addresses as described in RFC 1918 are significant only on private networks where they are used, which is also true for host ports. Ports are unique endpoints of communication on a host, so a connection through the NAT device is maintained by the combined mapping of port and IP address.

PAT (Port Address Translation) resolves conflicts that would arise through two different hosts using the same source port number to establish unique connections at the same time.

An Analogy
A NAT device is similar to a phone system at an office that has one public telephone number and multiple extensions. Outbound phone calls made from the office all appear to come from the same telephone number. However, an incoming call that does not specify an extension cannot be transferred to an individual inside the office. In this scenario, the office is a private LAN, the main phone number is the public IP address, and the individual extensions are unique port numbers.[5]

Translation of the Endpoint

With NAT, all communication sent to external hosts actually contains the external IP address and port information of the NAT device instead of internal host IPs or port numbers.

When a computer on the private (internal) network sends a packet to the external network, the NAT device replaces the internal IP address in the source field of the packet header (sender's address) with the external IP address of the NAT device. PAT may then assign the connection a port number from a pool of available ports, inserting this port number in the source port field (much like the post office box number), and forwards the packet to the external network. The NAT device then makes an entry in a translation table containing the internal IP address, original source port, and the translated source port. Subsequent packets from the same connection are translated to the same port number.

The computer receiving a packet that has undergone NAT establishes a connection to the port and IP address specified in the altered packet, oblivious to the fact that the supplied address is being translated (analogous to using a post office box number).

A packet coming from the external network is mapped to a corresponding internal IP address and port number from the translation table, replacing the external IP address and port number in the incoming packet header (similar to the translation from post office box number to street address). The packet is then forwarded over the inside network. Otherwise, if the destination port number of the incoming packet is not found in the translation table, the packet is dropped or rejected because the PAT device doesn't know where to send it.

NAT will only translate IP addresses and ports of its internal hosts, hiding the true endpoint of an internal host on a private network.

Visibility of Operation
NAT operation is typically transparent to both the internal and external hosts.

Typically the internal host is aware of the true IP address and TCP or UDP port of the external host. Typically the NAT device may function as the default gateway for the internal host. However, the external host is only aware of the public IP address for the NAT device and the particular port being used to communicate on behalf of a specific internal host.

NAT and TCP/UDP
"Pure NAT", operating on IP alone, may or may not correctly parse protocols that are totally concerned with IP information, such as ICMP, depending on whether the payload is interpreted by a host on the "inside" or "outside" of translation. As soon as the protocol stack is traversed, even with such basic protocols as TCP and UDP, the protocols will break unless NAT takes action beyond the network layer.

IP packets have a checksum in each packet header, which provides error detection only for the header. IP datagrams may become fragmented and it is necessary for a NAT to reassemble these fragments to allow correct recalculation of higher-level checksums and correct tracking of which packets belong to which connection.

The major transport layer protocols, TCP and UDP, have a checksum that covers all the data they carry, as well as the TCP/UDP header, plus a "pseudo-header" that contains the source and destination IP addresses of the packet carrying the TCP/UDP header. For an originating NAT to pass TCP or UDP successfully, it must recompute the TCP/UDP header checksum based on the translated IP addresses, not the original ones, and put that checksum into the TCP/UDP header of the first packet of the fragmented set of packets. The receiving NAT must recompute the IP checksum on every packet it passes to the destination host, and also recognize and recompute the TCP/UDP header using the retranslated addresses and pseudo-header. This is not a completely solved problem. One solution is for the receiving NAT to reassemble the entire segment and then recompute a checksum calculated across all packets.

The originating host may perform Maximum transmission unit (MTU) path discovery to determine the packet size that can be transmitted without fragmentation, and then set the don't fragment (DF) bit in the appropriate packet header field.
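The pseudo-header is the reason a NAT that rewrites only the IP header breaks UDP and TCP: the transport checksum was computed over the old source address, so the receiver's verification fails even though the IP header checksum is fine. The example below, added here and not part of the article, builds an IPv4/UDP datagram from constructed bytes, verifies both checksums the way a receiving host would, and then applies two rewrites: a NAPT rewrite that changes the source address and port and recomputes both checksums, and a "pure NAT" rewrite that fixes only the IP header. The function names and the addresses (RFC 1918 inside, RFC 5737 documentation ranges outside) are assumptions of the example; the checksum arithmetic is the standard RFC 1071 one's-complement sum.

```python
import socket
import struct
from typing import Tuple

UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over `data` (zero-padded to an even length)."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) carrying UDP, with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """The IPv4 pseudo-header the UDP checksum covers: both addresses, protocol, length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, UDP, udp_len)


def udp_checksum(src: str, dst: str, udp: bytes) -> int:
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]  # the checksum field itself counts as zero
    csum = ones_complement_sum(pseudo_header(src, dst, len(udp)) + zeroed)
    return csum or 0xFFFF                     # UDP transmits a computed zero as 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP datagram as the inside host would emit it."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    return ipv4_header(src, dst, len(udp)) + udp


def verify(packet: bytes) -> Tuple[bool, bool]:
    """(IP header checksum valid, UDP checksum valid) as the receiving host sees it."""
    ip, udp = packet[:20], packet[20:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    ip_ok = ones_complement_sum(ip) == 0
    udp_ok = ones_complement_sum(pseudo_header(src, dst, len(udp)) + udp) == 0
    return ip_ok, udp_ok


def napt_rewrite_source(packet: bytes, new_ip: str, new_port: int) -> bytes:
    """Outbound NAPT: new source address and port, then both checksums recomputed."""
    ip, udp = bytearray(packet[:20]), bytearray(packet[20:])
    dst = socket.inet_ntoa(ip[16:20])
    ip[12:16] = socket.inet_aton(new_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    udp[0:2] = struct.pack("!H", new_port)
    udp[6:8] = struct.pack("!H", udp_checksum(new_ip, dst, bytes(udp)))
    return bytes(ip) + bytes(udp)


def ip_only_rewrite_source(packet: bytes, new_ip: str) -> bytes:
    """'Pure NAT': fixes the IP header only and leaves the transport checksum stale."""
    ip, udp = bytearray(packet[:20]), packet[20:]
    ip[12:16] = socket.inet_aton(new_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    return bytes(ip) + udp
```

Run `verify` on the output of each rewrite: the NAPT version passes both checks, the IP-only version passes the IP header check and fails the UDP check, which is the breakage the text attributes to the pseudo-header. The example works on a single unfragmented datagram; with fragmentation only the first fragment carries the UDP header, which is why the text has the NAT reassemble before recomputing.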

Destination network address translation (DNAT)
DNAT is a technique for transparently changing the destination IP address of an en-route packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet.

DNAT is commonly used to publish a service located in a private network on a publicly accessible IP address. This use of DNAT is also called port forwarding, or DMZ when used on an entire server, which becomes exposed to the WAN, becoming analogous to an undefended military demilitarised zone (DMZ).

SNAT
The meaning of the term SNAT varies by vendor. Many vendors have proprietary definitions for SNAT. A common expansion is source NAT, the counterpart of destination NAT (DNAT). Microsoft uses the acronym for Secure NAT, in regard to the ISA Server. For Cisco Systems, SNAT means stateful NAT. For Watchguard Systems, SNAT means static NAT.

Microsoft's Secure network address translation (SNAT) is part of Microsoft's Internet Security and Acceleration Server and is an extension to the NAT driver built into Microsoft Windows Server. It provides connection tracking and filtering for the additional network connections needed for the FTP, ICMP, H.323, and PPTP protocols as well as the ability to configure a transparent HTTP proxy.

Secure network address translation

In computer networking, the process of network address translation done in a secure way involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall.

Dynamic network address translation
Dynamic NAT, just like static NAT, is not common in smaller networks but is found within larger corporations with complex networks. The way dynamic NAT differs from static NAT is that where static NAT provides a one-to-one internal-to-public static IP address mapping, dynamic NAT doesn't make the mapping to the public IP address static and usually uses a group of available public IP addresses.

Applications affected by NAT
Some Application Layer protocols (such as FTP and SIP) send explicit network addresses within their application data. FTP in active mode, for example, uses separate connections for control traffic (commands) and for data traffic (file contents). When requesting a file transfer, the host making the request identifies the corresponding data connection by its network layer and transport layer addresses. If the host making the request lies behind a simple NAT firewall, the translation of the IP address and/or TCP port number makes the information received by the server invalid. The Session Initiation Protocol (SIP) controls many Voice over IP (VoIP) calls, and suffers the same problem. SIP and SDP may use multiple ports to set up a connection and transmit voice streams via RTP. IP addresses and port numbers are encoded in the payload data and must be known prior to the traversal of NATs. Without special techniques, such as STUN, NAT behavior is unpredictable and communications may fail.

Application layer gateway (ALG) software or hardware may correct these problems. An ALG software module running on a NAT firewall device updates any payload data made invalid by address translation. ALGs obviously need to understand the higher-layer protocol that they need to fix, and so each protocol with this problem requires a separate ALG. For example, on many Linux systems, there are kernel modules called connection trackers which serve to implement ALGs. However, an ALG does not work if the control channel is encrypted (e.g. FTPS).

Another possible solution to this problem is to use NAT traversal techniques using protocols such as STUN or ICE, or proprietary approaches in a session border controller. NAT traversal is possible in both TCP- and UDP-based applications, but the UDP-based technique is simpler, more widely understood, and more compatible with legacy NATs.[citation needed] In either case, the high-level protocol must be designed with NAT traversal in mind, and it does not work reliably across symmetric NATs or other poorly behaved legacy NATs.

Other possibilities are UPnP (Universal Plug and Play) or NAT-PMP (NAT Port Mapping Protocol), but these require the cooperation of the NAT device.
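Active-mode FTP is the textbook case of an address carried in the payload: the client sends `PORT h1,h2,h3,h4,p1,p2` on the control channel, naming the private address and port it is listening on, and the server then opens the data connection to that endpoint. The model below, added here as an example and not the article's code nor any Linux conntrack helper, does the two things an FTP ALG has to do: rewrite the PORT line so the server sees the NAT's external endpoint, and pre-open a one-shot inbound mapping so the server's data connection is forwarded to the client's real socket. It only rewrites a PORT line that names the sender's own address, so a client cannot use the ALG to open a mapping toward some other inside host. The FtpAlg class, the port counter and the addresses are constructed; a real ALG must also adjust TCP sequence numbers when the rewritten line changes length, which this model leaves out.

```python
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_command(line: str) -> Optional[Endpoint]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if it is not a valid PORT line."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port_command(ep: Endpoint) -> str:
    ip, port = ep
    return "PORT " + ip.replace(".", ",") + f",{port // 256},{port % 256}\r\n"


class FtpAlg:
    """ALG for active-mode FTP: rewrites PORT and pre-opens the matching inbound mapping."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        # eAddr:ePort the server will connect to -> iAddr:iPort of the client's data socket
        self.expected: Dict[Endpoint, Endpoint] = {}

    def outbound_control(self, line: str, sender_ip: str) -> str:
        """Called for each line the inside client sends on the control channel."""
        advertised = parse_port_command(line)
        if advertised is None:
            return line                       # not a PORT command: pass through unchanged
        if advertised[0] != sender_ip:
            return line                       # not the sender's own address: open no mapping
        ext = (self.external_ip, self.next_port)
        self.next_port += 1
        self.expected[ext] = advertised       # server will connect here; forward it inside
        return format_port_command(ext)

    def inbound_data(self, dst_ext: Endpoint) -> Optional[Endpoint]:
        """The server's data connection arrives at eAddr:ePort; one-shot lookup of the target."""
        return self.expected.pop(dst_ext, None)


def demo() -> Tuple[str, Optional[Endpoint], Optional[Endpoint]]:
    alg = FtpAlg("203.0.113.1")                        # constructed NAT external address
    line = "PORT 192,168,1,10,19,137\r\n"              # client listens on 192.168.1.10:5001
    rewritten = alg.outbound_control(line, "192.168.1.10")
    first = alg.inbound_data(("203.0.113.1", 40000))   # server connects to the rewritten endpoint
    second = alg.inbound_data(("203.0.113.1", 40000))  # mapping already consumed: dropped
    return rewritten, first, second
```

The same pattern (parse the payload, substitute the external endpoint, create the expected inbound mapping) is what SIP/SDP ALGs do for the RTP ports they find in an INVITE; the parser and the lifetime of the mapping are protocol-specific, which is the reason the text gives for needing one ALG per protocol.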
Most traditional client-server protocols (FTP being the main exception), however, do not send layer 3 contact information and therefore do not require any special treatment by NATs. In fact, avoiding NAT complications is practically a requirement when designing new higher-layer protocols today (e.g. the use of SFTP instead of FTP).

NATs can also cause problems where IPsec encryption is applied and in cases where multiple devices such as SIP phones are located behind a NAT. Phones which encrypt their signaling with IPsec encapsulate the port information within an encrypted packet, meaning that NA(P)T devices cannot access and translate the port. In these cases the NA(P)T devices revert to simple NAT operation. This means that all traffic returning to the NAT will be mapped onto one client, causing service to more than one client "behind" the NAT to fail. There are a couple of solutions to this problem: one is to use TLS, which operates at level 4 in the OSI Reference Model and therefore does not mask the port number; another is to encapsulate the IPsec within UDP, the latter being the solution chosen by TISPAN to achieve secure NAT traversal.

The DNS protocol vulnerability announced by Dan Kaminsky on July 8, 2008 is indirectly affected by NAT port mapping. To avoid DNS server cache poisoning, it is highly desirable to not translate UDP source port numbers of outgoing DNS requests from a DNS server which is behind a firewall which implements NAT. The recommended workaround for the DNS vulnerability is to make all caching DNS servers use randomized UDP source ports. If the NAT function de-randomizes the UDP source ports, the DNS server will be made vulnerable.
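Whether a NAT de-randomizes a resolver's source ports is something an operator can measure rather than assume: capture the same DNS queries on the inside and outside interfaces and compare the source ports. The function below, added here as an example and not from the article, takes (inside port, outside port) pairs and reports two things: how often the NAT preserved the resolver's own port, and how often the outside port is exactly the previous one plus one, the signature of a NAT that hands out ports from a counter. The three sample sets are constructed to look like a port-preserving NAT, a counter-allocating NAT and a NAT that rewrites ports to values of its own that are still unpredictable; the function and sample names are this example's own.

```python
from typing import Dict, List, Tuple

PortPair = Tuple[int, int]  # (source port seen inside the NAT, source port seen outside)


def port_randomization_report(pairs: List[PortPair]) -> Dict[str, object]:
    """Compare DNS query source ports captured on both sides of a NAT.

    preserved_fraction:  how often the NAT kept the resolver's own (random) port.
    sequential_fraction: how often the outside port is the previous outside port plus 1,
                         which is what a counter-based allocator produces.
    """
    if len(pairs) < 2:
        raise ValueError("need at least two query samples")
    preserved = sum(1 for inside, outside in pairs if inside == outside) / len(pairs)
    outside_ports = [outside for _, outside in pairs]
    steps = list(zip(outside_ports, outside_ports[1:]))
    sequential = sum(1 for a, b in steps if b - a == 1) / len(steps)
    if sequential > 0.5:
        verdict = "derandomized"       # resolver's entropy collapsed by the NAT
    elif preserved == 1.0:
        verdict = "preserved"          # NAT left the randomized ports alone
    else:
        verdict = "rewritten-random"   # ports changed, but not in a predictable pattern
    return {"preserved_fraction": preserved, "sequential_fraction": sequential,
            "verdict": verdict}


# Constructed samples: the ports a resolver picked at random for eight outgoing queries.
INSIDE_PORTS = [53211, 40087, 61932, 32998, 49120, 57741, 35502, 44219]


def sample_preserving_nat() -> List[PortPair]:
    return [(p, p) for p in INSIDE_PORTS]                      # NAT keeps the resolver's port


def sample_counter_nat() -> List[PortPair]:
    return [(p, 1024 + i) for i, p in enumerate(INSIDE_PORTS)]  # NAT allocates 1024, 1025, ...


def sample_random_rewrite_nat() -> List[PortPair]:
    outside = [41233, 59874, 33410, 50021, 62007, 38876, 45590, 55312]  # constructed
    return list(zip(INSIDE_PORTS, outside))


if __name__ == "__main__":
    for name, sample in (("preserving", sample_preserving_nat()),
                         ("counter", sample_counter_nat()),
                         ("random rewrite", sample_random_rewrite_nat())):
        print(f"{name:15s} {port_randomization_report(sample)}")
```

Only the "derandomized" verdict is the problem the text describes; a NAT that rewrites ports with its own unpredictable allocator keeps the resolver's protection, which is why the sequential check, not the preserved check, decides.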

Advantages of PAT
In addition to the advantages provided by NAT:
PAT (Port Address Translation) allows many internal hosts to share a single external IP address.
Users who do not require support for inbound connections do not consume public IP addresses.

Drawbacks
The primary purpose of IP-masquerading NAT is that it has been a practical solution to the impending exhaustion of IPv4 address space. Even large networks can be connected to the Internet with as little as a single IP address. The more common arrangement is having machines that require end-to-end connectivity supplied with a routable IP address, while having machines that do not provide services to outside users behind NAT with only a few IP addresses used to enable Internet access; however, this brings some problems, outlined below.

Some[6] have also called this exact feature a major drawback, since it delays the need for the implementation of IPv6:

"[...] it is possible that its [NAT's] widespread use will significantly delay the need to deploy IPv6. [...] It is probably safe to say that networks would be better off without NAT [...]"

Hosts behind NAT-enabled routers do not have end-to-end connectivity and cannot participate in some Internet protocols. Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts ("passive mode" FTP, for example), sometimes with the assistance of an application-level gateway (see below), but fail when both systems are separated from the Internet by NAT. Use of NAT also complicates tunneling protocols such as IPsec because NAT modifies values in the headers which interfere with the integrity checks done by IPsec and other tunneling protocols.

End-to-end connectivity has been a core principle of the Internet, supported for example by the Internet Architecture Board. Current Internet architectural documents observe that NAT is a violation of the End-to-End Principle, but that NAT does have a valid role in careful design.[7] There is considerably more concern with the use of IPv6 NAT, and many IPv6 architects believe IPv6 was intended to remove the need for NAT.[8]

Because of the short-lived nature of the stateful translation tables in NAT routers, devices on the internal network lose IP connectivity typically within a very short period of time unless they implement NAT keep-alive mechanisms by frequently accessing outside hosts. This dramatically shortens the power reserves on battery-operated hand-held devices and has thwarted more widespread deployment of such IP-native Internet-enabled devices.[citation needed]

Some Internet service providers (ISPs), especially in India, Russia, parts of Asia and other "developing" regions provide their customers only with "local" IP addresses, due to a limited number of external IP addresses allocated to those entities[citation needed]. Thus, these customers must access services external to the ISP's network through NAT. As a result, the customers cannot achieve true end-to-end connectivity, in violation of the core principles of the Internet as laid out by the Internet Architecture Board[citation needed].
Scalability
An implementation that only tracks ports can be quickly depleted by internal applications that use multiple simultaneous connections (such as an HTTP request for a web page with many embedded objects). This problem can be mitigated by tracking the destination IP address in addition to the port (thus sharing a single local port with many remote hosts), at the expense of implementation complexity and CPU/memory resources of the translation device.

Firewall complexity
Because the internal addresses are all disguised behind one publicly accessible address, it is impossible for external hosts to initiate a connection to a particular internal host without special configuration on the firewall to forward connections to a particular port. Applications such as VOIP, video conferencing, and other peer-to-peer applications must use NAT traversal techniques to function.

Specifications
IEEE[9] Reverse Address and Port Translation (RAPT, or RAT) allows a host whose real IP address is changing from time to time to remain reachable as a server via a fixed home IP address. In principle, this should allow setting up servers on DHCP-run networks. While not a perfect mobility solution, RAPT together with upcoming protocols like DHCP-DDNS may end up becoming another useful tool in the network admin's arsenal.

IETF[10] RAPT (IP Reachability Using Twice Network Address and Port Translation). The RAT device maps an IP datagram to its associated CN and MN by using three additional fields: the IP protocol type number and the transport layer source and destination connection identifiers (e.g. TCP port number or ICMP echo request/reply ID field).

The Cisco RAPT implementation is PAT (Port Address Translation) or NAT overloading, and maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. The port number is encoded in 16 bits. The total number of internal addresses that can be translated to one external address could theoretically be as high as 65,536 per IP address. Realistically, the number of ports that can be assigned to a single IP address is around 4000. PAT will attempt to preserve the original source port. If this source port is already used, PAT will assign the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023, or 1024-65535. When there are no more ports available and there is more than one external IP address configured, PAT moves to the next IP address to try to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses.

Mapping of Address and Port is a Cisco proposal which combines A+P port address translation with tunneling of the IPv4 packets over an ISP provider's internal IPv6 network. In effect, it is an (almost) stateless alternative to Carrier Grade NAT and DS-Lite that pushes the IPv4 address/port translation function (and therefore the maintenance of NAT state) entirely into the existing customer premises equipment NAT implementation, thus avoiding the NAT444 and statefulness problems of Carrier Grade NAT, and also provides a transition mechanism for the deployment of native IPv6 at the same time with very little added complexity.
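The port allocation policy described for Cisco PAT above (keep the original source port if it is free, otherwise take the first free port in the same group 0-511, 512-1023 or 1024-65535, and move to the next external address once a group is exhausted) is a concrete instance of the translation-table mechanics from the "Translation of the Endpoint" section. The model below, added here as an example and not Cisco's implementation nor code from the article, implements that policy and the table lookups around it: outbound packets reuse their entry, returning packets are mapped back through the reverse table, and a packet for an external port with no entry gets None, i.e. is dropped. The PatTranslator class, its method names and the addresses are constructed; the demo fills the 0-511 group with 512 hosts that all use source port 53 so that the overflow to the second external address can be seen.

```python
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]  # the three groups named in the text


def port_group(port: int) -> Tuple[int, int]:
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port {port} out of range")


class PatTranslator:
    """PAT with source-port preservation, same-group fallback and external-address overflow."""

    def __init__(self, external_ips: List[str]):
        self.external_ips = external_ips
        self.table: Dict[Endpoint, Endpoint] = {}    # iAddr:iPort -> eAddr:ePort
        self.reverse: Dict[Endpoint, Endpoint] = {}  # eAddr:ePort -> iAddr:iPort

    def _allocate(self, src_port: int) -> Optional[Endpoint]:
        lo, hi = port_group(src_port)
        for ext_ip in self.external_ips:             # walk the external addresses in order
            if (ext_ip, src_port) not in self.reverse:
                return ext_ip, src_port              # 1. preserve the original source port
            for port in range(lo, hi + 1):           # 2. else first free port in the same group
                if (ext_ip, port) not in self.reverse:
                    return ext_ip, port
            # 3. group exhausted on this address: try the next external address
        return None                                  # nothing left anywhere: packet is dropped

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Translate an inside source; later packets of the same connection reuse the entry."""
        ext = self.table.get(src)
        if ext is None:
            ext = self._allocate(src[1])
            if ext is None:
                return None
            self.table[src] = ext
            self.reverse[ext] = src
        return ext

    def inbound(self, dst_ext: Endpoint) -> Optional[Endpoint]:
        """Map a returning packet back inside; None means no table entry, so it is dropped."""
        return self.reverse.get(dst_ext)


def demo() -> dict:
    nat = PatTranslator(["203.0.113.1", "203.0.113.2"])   # constructed external addresses
    preserved = nat.outbound(("10.0.0.1", 5000))          # 5000 free -> kept
    collided = nat.outbound(("10.0.0.2", 5000))           # 5000 taken -> first free in 1024-65535
    for n in range(1, 513):                               # 512 hosts, all with source port 53,
        nat.outbound((f"10.1.{n // 256}.{n % 256}", 53))  # fill group 0-511 on the first address
    overflowed = nat.outbound(("10.2.0.1", 53))           # group full -> second address, port 53
    return {
        "preserved": preserved,
        "collided": collided,
        "overflowed": overflowed,
        "returning": nat.inbound(collided),               # reply to ePort 1024 -> 10.0.0.2:5000
        "unknown": nat.inbound(("203.0.113.1", 60000)),   # no entry -> None (dropped)
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10s} {value}")
```

The linear scan of a port group is fine for a model; a real translator keeps a free list or bitmap per group, and also ages entries out, which is the "short-lived translation table" behaviour the Drawbacks section describes and which this model does not include.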
3COM U.S. Patent 6,055,236 (http://www.google.com/patents?vid=6055236) (Method and system for locating network services with distributed network address translation). Methods and system for locating network services with distributed network address translation. Digital certificates are created that allow an external network device on an external network, such as the Internet, to request a service from an internal network device on an internal distributed network address translation network, such as a stub local area network. The digital certificates include information obtained with a Port Allocation Protocol used for distributed network address translation. The digital certificates are published on the internal network so they are accessible to external network devices. An external network device retrieves a digital certificate, extracts appropriate information, and sends a service request packet to an internal network device on an internal distributed network address translation network. The external network device is able to locate and request a service from an internal network device. An external network device can also request a security service, such as an Internet Protocol security ("IPsec") service, from an internal network device. The external network device and the internal network device can establish a security service (e.g., Internet Key Exchange protocol service). The internal network device and external network device can then establish a Security Association using Security Parameter Indexes ("SPI") obtained using a distributed network address translation protocol. External network devices can request services, and security services, on internal network devices on an internal distributed network address translation network that were previously unknown and unavailable to the external network devices.

Examples of NAT software
Internet Connection Sharing (ICS): Windows NAT+DHCP since W98SE
WinGate: like ICS plus lots of control
iptables: the Linux packet filter and NAT (interface for NetFilter)
IPFilter: Solaris, NetBSD, FreeBSD, xMach.
PF (firewall): The OpenBSD Packet Filter.
Netfilter: Linux packet filter framework

See also
AYIYA (IPv6 over IPv4 UDP, thus working IPv6 tunneling over most NATs)
Carrier-grade NAT
Firewall
Gateway
Internet Gateway Device (IGD) Protocol: UPnP NAT-traversal method
Middlebox
Internet Protocol version 4
NAT-PT
Port forwarding
Port triggering
Private IP address
Proxy server
Routing
Subnet
Port
Teredo tunneling: NAT traversal using IPv6

References
1. ^ www.tcpipguide.com/free/t_IPNetworkAddressTranslationNATProtocol.htm (http://www.tcpipguide.com/free/t_IPNetworkAddressTranslationNATProtocol.htm)
2. ^ François Audet and Cullen Jennings (January 2007) (text). RFC 4787 Network Address Translation (NAT) Behavioral Requirements for Unicast UDP (http://www.ietf.org/rfc/rfc4787.txt). IETF. http://www.ietf.org/rfc/rfc4787.txt. Retrieved 2007-08-29.
3. ^ "Characterization and Measurement of TCP Traversal through NATs and Firewalls" (http://nutss.gforge.cis.cornell.edu/pub/imc05tcpnat/). December 2006. http://nutss.gforge.cis.cornell.edu/pub/imc05tcpnat/.
4. ^ "Illuminating the shadows: Opportunistic network and web measurement" (http://illuminati.coralcdn.org/stats/). December 2006. http://illuminati.coralcdn.org/stats/.
5. ^ "The Audio over IP Instant Expert Guide" (http://www.tieline.com/Downloads/AudiooverIPInstantExpertGuidev1.pdf). Tieline. January 2010. http://www.tieline.com/Downloads/AudiooverIPInstantExpertGuidev1.pdf. Retrieved 2011-08-19.
6. ^ Larry L. Peterson and Bruce S. Davie, Computer Networks: A Systems Approach, Morgan Kaufmann, 2003, pp. 328-330, ISBN 1-55860-832-X
7. ^ R. Bush and D. Meyer, RFC 3439, Some Internet Architectural Guidelines and Philosophy (http://www.ietf.org/rfc/rfc3439.txt), December 2002
8. ^ G. Van de Velde et al., RFC 4864, Local Network Protection for IPv6 (http://tools.ietf.org/rfc/rfc4864.txt), May 2007
9. ^ http://ieeexplore.ieee.org/iel4/6056/16183/00749275.pdf
10. ^ http://www3.ietf.org/proceedings/99nov/ID/draftietfnatrnat00.txt

External links
NAT-Traversal Test and results (http://nattest.net.in.tum.de)
Characterization of different TCP NATs (http://nutss.net/pub/imc05tcpnat/) Paper discussing the different types of NAT
Anatomy: A Look Inside Network Address Translators, Volume 7, Issue 3, September 2004 (http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_73/anatomy.html)
Jeff Tyson, HowStuffWorks: How Network Address Translation Works (http://computer.howstuffworks.com/nat.htm/printable)
NAT traversal techniques in multimedia Networks (http://www.newportnetworks.com/whitepapers/nattraversal1.html) White Paper from Newport Networks
NAT traversal for IP Communications (http://www.voiptraversal.com/EyeballAnyfirewallWhitePaper.pdf) White Paper from Eyeball Networks
Peer-to-Peer Communication Across Network Address Translators (http://www.brynosaurus.com/pub/net/p2pnat/) (PDF) (http://www.brynosaurus.com/pub/net/p2pnat.pdf) NAT traversal techniques for UDP and TCP
http://www.zdnetasia.com/insight/network/0,39044847,39050002,00.htm
RFCs
RFC 1631 (Status: Obsolete) The IP Network Address Translator (NAT)
RFC 1918 Address Allocation for Private Internets
RFC 3022 (Status: Informational) Traditional IP Network Address Translator (Traditional NAT)
RFC 4008 (Status: Standards Track) Definitions of Managed Objects for Network Address Translators (NAT)
RFC 5128 (Status: Informational) State of Peer-to-Peer (P2P) Communications across Network Address Translators (NATs)
RFC 4966 (Status: Informational) Reasons to Move the Network Address Translator - Protocol Translator (NAT-PT) to Historic Status
Speak Freely End of Life Announcement (http://www.fourmilab.ch/speakfree/unix/) John Walker's discussion of why he stopped developing a famous program for free Internet communication, part of which is directly related to NAT
natd (http://www.freebsd.org/doc/en_US.ISO88591/books/handbook/networknatd.html)
SNAT, DNAT and OCS 2007 R2 (http://www.cainetworks.com/support/training/snatdnatocs.html) discussing the SNAT in Microsoft OCS 2007 R2
Alternative Taxonomy (Part of the documentation for the IBM iSeries)
Static NAT (http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzajw/rzajwstatic.htm)
Dynamic NAT (http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzajw/rzajwdynamic.htm)
Masquerade NAT (http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzajw/rzajwaddmasq.htm)
Network Address Translation NAT (http://blog.ipexpert.com/2009/09/07/networkaddresstranslationnat/)
Cisco Systems
Document ID 6450: How NAT Works (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml)
Document ID 26704: Network Address Translation (NAT) FAQ (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml)
White Paper: Cisco IOS Network Address Translation Overview (http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html)
Cisco IOS NAT Commands, Cisco IOS commands (http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/cs/csprtd/csprtd11/csnat.htm)
Animation: Cisco NAT sample (http://www.cisco.com/image/gif/paws/6450/nat.swf)

Retrieved from "http://en.wikipedia.org/w/index.php?title=Network_address_translation&oldid=518178584"
Categories: Network address translation | Internet architecture
This page was last modified on 16 October 2012 at 20:02.
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of Use for details.
Wikipedia is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.
