Network Address Translation (NAT)


Don McGregor, Research Associate, MOVES Institute, mcgredo@nps.edu

Network Address Translation
In the original “classic” internet, IPs were all publicly addressable. You could contact any host from any other host.
IPs have become a somewhat rare commodity now, so people are trying to conserve them. One way to do this is via NAT.
The idea is to use a single “classic” IP on the internet-facing side of a network, and “private” IPs on the other side.

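[Figure: NAT router. The home router sits between the internet and the home network, with public IP 205.155.65.17 on the internet side and private IP 192.168.1.1 on the home side; a laptop on the home network has private IP 192.168.1.2.]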

NAT
Your home router, when it boots, usually receives a public IP from your ISP on its internet-facing side. This IP can be addressed by the internet.
On your home network side, it usually assigns itself an IP of 192.168.1.1. This is a “private IP” that is not usable on the big internet.
Your router runs DHCP itself, and hands out private IPs to anything on your home network (but not the public-facing network!).
So a laptop on your home network might get assigned an IP of 192.168.1.2.
Everything in your home network has a unique IP and everything is happy.

Private IPs
The IETF has assigned certain blocks of IPs to be “private IPs”. They are:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
These IPs can only be used within a private network. If any packets have a destination address from the above blocks, they are simply discarded on the big internet. You can still use them on your private network, though.

Example
Send a packet from your laptop in your home network to a desktop in your home network: OK. Source and destination IPs of 192.168.1.x are fine on your private network.
Send a packet with a source or destination IP of 192.168.1.x to www.apple.com: not OK! The packet must traverse the big internet, and there are millions of hosts with an IP of 192.168.1.2 in private networks. We wouldn’t know where to send the response, which is determined by the source IP!
As a result, routers on the public internet discard packets using private IPs.

Getting Out
So how can we allow our laptop to contact Amazon from inside our private network? This is done via Network Address Translation.
A TCP/IP packet has a source and destination IP address.
[Figure: packet layout. Src IP 192.168.1.2 | Dest IP 209.191.122.70 | …Other stuff | Payload]

NAT
When the packet is received by your home router, it makes a change: the source IP is changed from 192.168.1.2 to the public IP assigned to the home router, 205.155.65.17.
This IP is unique in the internet; no other host anywhere in the world should have it.
When a response is received, the home router does a switch again: the destination IP is changed from the public IP to 192.168.1.2.

NAT
The NAT router maintains a table that maps each private network socket connection, so multiple hosts inside the private network can use the same NAT host.

Configuration (Home)
Usually you just point your web browser at 192.168.1.1. There’s a web-based configuration tool there. Log on (probably with the password and username in the documentation) and configure.

Port Forwarding
Notice that a host external to the NAT can’t talk to a host internal to the NAT. There’s no way to know which internal host the traffic should go to unless an internal host first establishes a connection out and creates an entry in the NAT table.
This is a big problem for games and simulations exchanging state information.
One way around this is “port forwarding”. The NAT box is pre-configured so that traffic from outside to the router is automatically forwarded to a specific host and port.

Port Forwarding (LinkSys)
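
The NAT table and port-forwarding behaviour described in the slides above, as an added example that is not part of the original presentation. It assumes the router also rewrites source ports so that two hosts can share one public IP, and that replies are accepted only from the peer that was contacted (real home routers vary); the class and method names, the port numbers, 192.168.1.3 and 198.51.100.9 are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Toy port-translating NAT (hypothetical class, not a real router API)."""
    public_ip: str = "205.155.65.17"               # router's public IP from the slides
    next_port: int = 40000                         # constructed start of the public port pool
    out_map: dict = field(default_factory=dict)    # (priv ip, priv port, peer ip, peer port) -> public port
    in_map: dict = field(default_factory=dict)     # public port -> same 4-tuple
    forwards: dict = field(default_factory=dict)   # public port -> (priv ip, priv port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:                # first packet out creates the table entry
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite the destination of a packet sent to the public IP; None means dropped."""
        entry = self.in_map.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):    # reply from the peer we contacted
            return (src_ip, src_port, entry[0], entry[1])
        if dst_port in self.forwards:                    # pre-configured port-forwarding rule
            return (src_ip, src_port, *self.forwards[dst_port])
        return None                                      # unsolicited: no entry, discard

    def add_forward(self, public_port, priv_ip, priv_port):
        self.forwards[public_port] = (priv_ip, priv_port)  # one internal host:port, any sender


def demo():
    nat = NatRouter()
    server = ("209.191.122.70", 80)                      # destination IP from the slides
    a = nat.outbound("192.168.1.2", 51000, *server)      # the laptop
    b = nat.outbound("192.168.1.3", 51000, *server)      # constructed second host, same source port
    reply_a = nat.inbound(*server, a[1])
    reply_b = nat.inbound(*server, b[1])
    probe = nat.inbound("198.51.100.9", 4444, 8080)      # constructed outsider, before any rule
    nat.add_forward(8080, "192.168.1.2", 8080)
    forwarded = nat.inbound("198.51.100.9", 4444, 8080)  # same packet after the rule exists
    return a, b, reply_a, reply_b, probe, forwarded


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The forwarding rule matches on the public port alone, so once it exists any outside sender reaches 192.168.1.2:8080; that is the exposure to look for when reviewing a router's forwarding list.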

Why?
Suppose you’re running a network in a secure facility that is completely cut off from the internet. There is no need for routable IPs, and in fact you don’t want routable IPs.
It saves public IPs. A company can have only a few public IPs but hundreds or thousands of hosts with private IPs. The internet is running out of public IPs.
It can be more secure; an outsider can’t directly establish a connection to a private host.
It allows clients to contact outside servers.

Why Not?
Sometimes you want to have others connect to you (peer-to-peer): Voice over IP, games and virtual environments, etc.
There are some techniques for allowing this (“NAT Punch-through” or “NAT traversal”), but they’re pretty complex and, because home routers vary so much, are difficult to standardize.
See RFC 5128 for details on NAT traversal.
See also “port forwarding”.