NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate
1/8/2002 NAT Presentation2 NAT: Is it Necessary? n Scenario: One High Speed Dial Up, Multiple Devices How to Share ? –Solution: Gateway, but it requires that each device should have a unique IP address.. n IP addresses may become an endangered species very soon..
1/8/2002 NAT Presentation3 NAT:The Solution n NAT: –Instead of requiring that each device behind the gateway have a globally unique IP address, then, we can allocate private addresses to such devices and the gateway can then translate private IP addresses in all traffic that passes through the connection.
1/8/2002 NAT Presentation4 NAT: Scenario II n Network Security: –Denial of Service –Trojan Horse Attacks n NAT drops all unsolicited inbound traffic, which minimizes threats of this kind.
1/8/2002 NAT Presentation5 NAT:What is It? n NAT: NAT exists primarily to allow machine on a local network to share a single internet connection by replacing the source address of each outgoing message with the address assigned to the shared connection.
1/8/2002 NAT Presentation6 NAT: Components
1/8/2002 NAT Presentation7 NAT: Requires n To function NAT requires to: –Maintain a mapping between the original addressing information and the replaced addressing information. –Update the checksums to reflect the modifications made.
1/8/2002 NAT Presentation8 NAT: NAT Gateway n The main component is the NAT Gateway. A basic NAT Gateway has two interfaces. One interface to public network and the other interface to private network. n A more advanced NAT gateway may have multiple interface i.e corporate network.
1/8/2002 NAT Presentation9 NAT: Mapping Table
1/8/2002 NAT Presentation10 NAT:Operation n Traffic generated by client is received on the private interface. Gateway looks into the packet header, extracts the header in to and creates an entry in the mapping table. When the reply comes back, NAT looks up in the mapping table and directs the packet to the private client.
1/8/2002 NAT Presentation11 NAT: Application I n Address Port Translation: –Modification of source address and source ports (out going packets). –Modification of destination address and ports (Incoming packets).
1/8/2002 NAT Presentation12 NAT: Application II n Address Mapping: –A pool of private addresses is to be mapped to a smaller pool of public addresses. –Mapping from private to public addresses are established until no more addresses are available. –At this point, NAT may switch over to translation of port information.
1/8/2002 NAT Presentation13 NAT: Application III n Static Mapping: –To achieve security, the most important feature is that no unsolicited traffic may pass through NAT. But this feature prevents from hosting any service behind NAT. –Static mapping allows a static entry to be made in the mapping table which allows for unsolicited incoming traffic, only for that entry.
1/8/2002 NAT Presentation14 NAT: Constraints I n Limited Port Numbers. n Using IP addresses in Payload: –When the server on the public domain reads the address of the client in payload it doesn’t recognize the private address. n Using Port number in payload: –This may cause a failure because some time the port requested by a client is not available and so NAT is forced to assign some other port number.
1/8/2002 NAT Presentation15 NAT:Constraints II n Specifying port or range of ports: –The server side should not be programmed to expect traffic from a specific port because the client may not be able to get the specific port. n Assuming that IP address will remain same during conversation: –Mobile clients behind NAT
1/8/2002 NAT Presentation16 NAT: Constraint III n Assuming that Application can receive unsolicited Inbound connections: –Offering of any services behind NAT will fail. –Primary control session to a port is followed one or more secondary connection to different ports, which will fail.
1/8/2002 NAT Presentation17 NAT: Design Principles I n IP address and port information shouldn’t be embedded in the payload. n Use fully qualified domain names and/or user names where possible. Let DNS do the work. n Traffic shouldn’t be required to originate from a specific port number.
1/8/2002 NAT Presentation18 NAT: Design Principles II n Unsolicited inbound connections should be avoided. n Encrypted protocols should avoid the checksum cover the IP header, because NAT cannot decrypt and change the IP header information by default.
1/8/2002 NAT Presentation19 NAT: Application Level Gateway (ALG) n When a protocol is unable to pass cleanly through a NAT, the use of an Application Level Gateway (ALG) may still permit operation of the protocol.