Chapter 4, Section 2: Network Address Translator (NAT), Network Address Translation
Motivation: solving the shortage of IP addresses
– IPv6: existing network equipment must be redesigned, which is costly
– Virtual IP Gateway (VIP Gateway): built on top of the current IPv4, lets more hosts connect to the Internet
NAT: Network Address Translation
– local network (e.g., home network) /24; rest of Internet
– datagrams with source or destination in this network have /24 address for source, destination (as usual)
– all datagrams leaving the local network have the same single source NAT IP address: , with different source port numbers
NAT: Network Address Translation
Motivation: the local network uses just one IP address as far as the outside world is concerned:
– a range of addresses is not needed from the ISP: just one IP address for all devices
– addresses of devices in the local network can be changed without notifying the outside world
– the ISP can be changed without changing the addresses of devices in the local network
– devices inside the local net are not explicitly addressable or visible to the outside world (a security plus)
NAT: Network Address Translation
Implementation: the NAT router must:
– outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #); remote clients/servers will respond using (NAT IP address, new port #) as the destination address
– remember (in the NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
– incoming datagrams: replace (NAT IP address, new port #) in the destination fields of every incoming datagram with the corresponding (source IP address, port #) stored in the NAT table
NAT: Network Address Translation (figure: NAT translation table with columns WAN side addr, LAN side addr; entry , 5001 ↔ , 3345)
1: host sends datagram to , 80 (S: , 3345  D: , 80)
2: NAT router changes datagram source addr from , 3345 to , 5001, updates table (S: , 5001  D: , 80)
3: reply arrives, dest. address: , 5001 (S: , 80  D: , 5001)
4: NAT router changes datagram dest addr from , 5001 to , 3345 (S: , 80  D: , 3345)
NAT: Network Address Translation
– 16-bit port-number field: 60,000 simultaneous connections with a single LAN-side address!
– NAT is controversial: routers should only process up to layer 3; it violates the end-to-end argument; the possibility of NAT must be taken into account by app designers, e.g., P2P applications; the address shortage should instead be solved by IPv6
NAT traversal problem
– client wants to connect to server with address (server address is local to the LAN; the client can't use it as destination addr)
– only one externally visible NATted address:
– solution 1: statically configure the NAT to forward incoming connection requests at a given port to the server, e.g., ( , port 2500) always forwarded to port (figure: Client, NAT router)
NAT traversal problem
– solution 2: Universal Plug and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows a NATted host to: learn the public IP address ( ); enumerate existing port mappings; add/remove port mappings (with lease times), i.e., automate static NAT port map configuration (figure: NAT router, IGD)
NAT traversal problem
– solution 3: relaying (used in Skype): the NATted server establishes a connection to the relay; the external client connects to the relay; the relay bridges packets between the two connections (figure: 1. connection to relay initiated by NATted host; 2. connection to relay initiated by client; 3. relaying established)
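The translation-table behaviour on the implementation slides (outbound rewrite, table entry, inbound reverse lookup) and the static port forwarding of traversal solution 1 can be exercised with a small simulator. This is an added example, not code from the slides: the `Nat` and `Datagram` classes are my own, the addresses are constructed from the RFC 5737 documentation ranges plus a private 10.0.0.0/8 host, and the ports 3345 and 5001 follow the slide's worked example. It also shows the two edge cases the slides mention: an inbound datagram with no table entry is dropped (inside hosts are not addressable), and a NAT that runs out of WAN-side ports cannot translate a new flow.

```python
"""Toy NAT translation table (added example, not from the slides):
(source IP, port) -> (NAT IP, new port) rewriting, reverse lookup for
replies, static port forwarding, and dropping of unsolicited inbound traffic."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, wan_ip: str, first_port: int = 5001, last_port: int = 65535):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.last_port = last_port
        self.table = {}     # WAN-side port -> (LAN IP, LAN port), learned from traffic
        self.reverse = {}   # (LAN IP, LAN port) -> WAN-side port
        self.static = {}    # WAN-side port -> (LAN IP, LAN port), configured by the admin

    def add_static_mapping(self, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """Traversal solution 1: always forward this WAN port to an inside server."""
        self.static[wan_port] = (lan_ip, lan_port)

    def _allocate_port(self) -> Optional[int]:
        """Hand out the next unused WAN port; None once the port space is used up."""
        while self.next_port <= self.last_port:
            port, self.next_port = self.next_port, self.next_port + 1
            if port not in self.table and port not in self.static:
                return port
        return None

    def outbound(self, d: Datagram) -> Optional[Datagram]:
        """LAN -> Internet: rewrite source to (NAT IP, new port), remembering the pair."""
        key = (d.src_ip, d.src_port)
        wan_port = self.reverse.get(key)
        if wan_port is None:
            wan_port = self._allocate_port()
            if wan_port is None:
                return None   # port space exhausted: the new flow cannot be translated
            self.table[wan_port] = key
            self.reverse[key] = wan_port
        return Datagram(self.wan_ip, wan_port, d.dst_ip, d.dst_port)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Internet -> LAN: restore the inside destination from the table, else drop."""
        if d.dst_ip != self.wan_ip:
            return None
        target = self.table.get(d.dst_port) or self.static.get(d.dst_port)
        if target is None:
            return None   # no mapping: inside hosts are not reachable unsolicited
        lan_ip, lan_port = target
        return Datagram(d.src_ip, d.src_port, lan_ip, lan_port)


def demo():
    """Replays the slide's four steps with constructed (RFC 5737) addresses."""
    nat = Nat("203.0.113.7")                                                  # NAT WAN address
    out = nat.outbound(Datagram("10.0.0.1", 3345, "198.51.100.80", 80))      # steps 1-2
    reply = Datagram("198.51.100.80", 80, "203.0.113.7", out.src_port)        # step 3
    back = nat.inbound(reply)                                                 # step 4
    probe = Datagram("192.0.2.55", 40000, "203.0.113.7", 2500)
    dropped = nat.inbound(probe)                  # no mapping yet -> dropped
    nat.add_static_mapping(2500, "10.0.0.4", 25000)
    forwarded = nat.inbound(probe)                # static mapping -> reaches the server
    return out, back, dropped, forwarded


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The table is keyed on the inside (IP, port) pair only, exactly as the slide describes; a production NAT keys on the full 5-tuple, times entries out, and tracks TCP state, which is why real port consumption differs from the simple "one port per inside socket" count.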
NAT overview
Internal operation of the NAT gateway
Illustration of the NAT gateway's computation
How many hosts can a NAT gateway connect to the Internet? (table: number of hosts that can connect to the Internet under IPv4, and average number of hosts per person worldwide, for IPv4 class A, IPv4 class B and IPv4 class C; the values are not present on the slide)
Address Allocation for Private Internets (RFC 1597)
– IANA reserves IP address space for private LANs (three ranges; the values are not present on the slide)
Client-based: taking the NCTU Department of Computer Science as an example, the whole department is allocated the IP address space .17, .209, .214, .215, .216, .235, i.e., 1536 IP addresses in total. The servers it offers to the outside (mail server, ftp server, BBS server, proxy server, etc.) number about thirteen, so servers are far fewer than clients: roughly one percent of hosts.
The cost of promoting IPv6
– The US NGI spent 6 billion US dollars promoting IPv6 trials on university campuses.
– Taiwan's National Science Council also invested 300 million US dollars to support the US trial.
– IPv6 was expected to be commercialized in the year 2000.
* Source: Economic Daily News
Problems with IPv6
– Compatibility between IPv6 and IPv4.
– Software at every layer must be rewritten to support IPv6 (TCPv6, UDPv6, ...).
– All existing hardware such as gateways and routers must be replaced.
– The larger IP header adds overhead to data transmission.
Advantages of NAT
– Avoids wasting IP addresses
– Reduces the opportunity for hacker intrusion
– When a host actually needs to connect to the Internet, no IP address has to be reassigned
Disadvantages of deploying NAT
– Cost of purchasing the NAT
– Performance: address translation and checksum recomputation
– Stability
– Security: restricts the use of encryption and authentication
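The "checksum recomputation" performance cost listed above comes from the fact that rewriting the source address invalidates the IPv4 header checksum and, because the TCP checksum covers a pseudo-header containing the source address, the TCP checksum as well. This added example (not from the slides) builds a constructed IPv4/TCP packet with RFC 5737 documentation addresses and applies the slide's 3345 to 5001 rewrite in two ways: a full recomputation over the header bytes, and the incremental one's-complement update from RFC 1624 (HC' = ~(~HC + ~m + m')) that real NATs use so they only touch the changed words. Both must produce the same checksums, and a packet whose address was rewritten without fixing the checksum must fail verification.

```python
"""Checksum recomputation after a NAT rewrite (added example, not from the slides).
Builds a constructed IPv4+TCP packet, rewrites source IP/port, and fixes both
checksums by full recomputation and by RFC 1624 incremental update."""
import socket
import struct


def fold(total: int) -> int:
    """Reduce a sum to 16 bits with end-around carry (one's-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_sum(data: bytes) -> int:
    if len(data) % 2:
        data = bytes(data) + b"\x00"          # odd length: pad the last word
    return fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))


def checksum(data: bytes) -> int:
    return (~ones_sum(data)) & 0xFFFF


def tcp_pseudo_header(ip: bytes, tcp_len: int) -> bytes:
    # src IP, dst IP, zero, protocol 6 (TCP), TCP length
    return bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, tcp_len)


def build_ipv4_tcp(src_ip, src_port, dst_ip, dst_port, payload=b"") -> bytes:
    """Constructed packet: 20-byte IPv4 header + 20-byte TCP header + payload."""
    s, d = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, s, d)
    tcp = tcp[:16] + struct.pack("!H", checksum(tcp_pseudo_header(ip, len(tcp)) + tcp)) + tcp[18:]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def nat_rewrite_full(pkt: bytes, new_src_ip: str, new_src_port: int) -> bytes:
    """Rewrite source IP/port and recompute both checksums from scratch."""
    ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
    ip[12:16] = socket.inet_aton(new_src_ip)
    tcp[0:2] = struct.pack("!H", new_src_port)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", checksum(tcp_pseudo_header(ip, len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)


def incremental(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied to every changed 16-bit word."""
    acc = (~old_csum) & 0xFFFF
    for w in old_words:
        acc += (~w) & 0xFFFF
    for w in new_words:
        acc += w
    return (~fold(acc)) & 0xFFFF


def nat_rewrite_incremental(pkt: bytes, new_src_ip: str, new_src_port: int) -> bytes:
    """Same rewrite, but only the words that changed are fed into the checksum update."""
    ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
    old_ip_words = struct.unpack("!HH", ip[12:16])
    new_ip_words = struct.unpack("!HH", socket.inet_aton(new_src_ip))
    old_port = struct.unpack("!H", tcp[0:2])[0]
    ip_csum = struct.unpack("!H", ip[10:12])[0]
    tcp_csum = struct.unpack("!H", tcp[16:18])[0]
    # IP checksum: only the source address words change.
    ip[10:12] = struct.pack("!H", incremental(ip_csum, old_ip_words, new_ip_words))
    # TCP checksum: source address (via the pseudo-header) and source port change.
    tcp[16:18] = struct.pack("!H", incremental(tcp_csum, (*old_ip_words, old_port),
                                               (*new_ip_words, new_src_port)))
    ip[12:16] = socket.inet_aton(new_src_ip)
    tcp[0:2] = struct.pack("!H", new_src_port)
    return bytes(ip + tcp)


def checksums_ok(pkt: bytes) -> bool:
    """A correct one's-complement checksum makes the covered bytes sum to 0xFFFF."""
    ip, tcp = pkt[:20], pkt[20:]
    return ones_sum(ip) == 0xFFFF and ones_sum(tcp_pseudo_header(ip, len(tcp)) + tcp) == 0xFFFF


if __name__ == "__main__":
    pkt = build_ipv4_tcp("10.0.0.1", 3345, "198.51.100.80", 80, b"GET / HTTP/1.0\r\n")
    full = nat_rewrite_full(pkt, "203.0.113.7", 5001)
    fast = nat_rewrite_incremental(pkt, "203.0.113.7", 5001)
    print("full == incremental:", full == fast, "valid:", checksums_ok(full))
```

The incremental path reads three 16-bit words instead of the whole header plus payload, which is the saving a NAT box relies on; the full path is the reference that any incremental implementation should be checked against, since sign and carry mistakes in one's-complement arithmetic are easy to make.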