Network address translation |
In computer networking, the process of network address translation (NAT, also known as network masquerading or IP-masquerading) involves re-writing the source and/or destination IP addresses of Internet Protocol packets as they pass through a Router or firewall (networking). Most systems using NAT do so in order to enable multiple node (networking)s on a private network to access the Internet using a single public IP address. According to specifications, routers should not act in this way, but many network administrators find NAT a convenient technique and use it widely. Nonetheless, NAT can introduce complications in communication between hosts.
=Overview=
NAT first became popular as a way to deal with the IPv4 address exhaustion and to avoid the difficulty of reserving IP addresses. Use of NAT has proven particularly popular in countries other than the United States, which (for historical reasons) have fewer address-blocks allocated per capita. It has become a standard feature in Routers for home and small-office Internet connections, where the price of extra IP addresses would often outweigh the benefits.
In a typical configuration, a local network uses one of the designated private network subnets (such as 192.168.x.x or 10.x.x.x), and a router on that network has a private address (such as 192.168.0.1) in that address space. The router is also connected to the Internet with a single public address (known as overloaded NAT) or multiple public addresses assigned by an internet service provider. As traffic passes from the local network to the Internet, the source address on the packets are translated on the fly from the private addresses to the public address(es). The router tracks basic data about each active connection (particularly the destination address and port). When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine where on the internal network to forward the reply; the Transmission Control Protocol or User Datagram Protocol client port numbers are used to demultiplex the packets in the case of overloaded NAT, or IP address and port number when multiple public addresses are available, on packet return. To a system on the Internet, the router itself appears to be the source/destination for this traffic.
==Drawbacks==
Hosts behind a NAT-enabled router do not have true end-to-end connectivity and cannot participate in some Internet protocols. Services that require the initiation of Transmission Control Protocol connections from the outside network, or stateless protocols such as those using User Datagram Protocol, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts ( passive mode file transfer protocol, for example) sometimes with the assistance of an Application Layer Gateway (see below), but fail when both systems are separated from the internet by NAT. It also complicates security protocols such as IPsec.
End-to-end connectivity has been a core principle of the Internet, supported, for example, by the Internet Architecture Board. Some people thus regard NAT as a detriment to the Public Internet. Some internet service providers only provide their customers with local IP addresses, and they must access services external to the ISP s network through NAT, and a discussion has arisen as to whether such companies can properly be said to provide Internet service.
==Benefits==
In addition to the convenience and cost of NAT, the lack of full bidirectional connectivity can be regarded in some situations as a feature , rather than a limitation . To the extent that NAT depends on a machine on the local network to initiate any connection to hosts on the other side of the router, it prevents malicious activity initiated by outside hosts from reaching those local hosts. This can enhance the reliability of local systems by stopping computer worms, and enhance privacy by discouraging scans. Many NAT-enabled firewall (networking)s use this as the core of the protection they provide.
=Basic NAT vs port number translation=
Two kinds of network address translation exist. The type often popularly called simply NAT (also sometimes named Network Address Port Translation or NAPT ) refers to network address translation involving the mapping of port numbers, allowing multiple machines to share a single IP address. The other, technically simpler, form - also called NAT or basic NAT or static NAT - involves only address translation, not port mapping. This requires an external IP address for each simultaneous connection. Broadband routers often use this feature, sometimes labelled DMZ host , to allow a designated computer to accept all external connections even when the router itself uses the only available external IP address.
NAT with port-translation comes in two sub-types: source address translation (source NAT), which re-writes the IP address of the computer which initiated the connection; and its counterpart, destination address translation (destination NAT). In practice, both are usually used together in coordination for two-way communication.
==Applications affected by NAT==
Some higher-layer protocols (such as File Transfer Protocol, Quake, and Session Initiation Protocol) send Network layer information inside IP datagram payloads. FTP in FTP#Active_and_passive_mode, for example, uses separate ports for control traffic (commands) and for data traffic (file transfers). When requesting a file transfer, the host making the request also specifies the port on which it would like to receive the data. However, if the host making the request lies behind a simple NAT firewall, the mapping of the port number makes the information received by the peer invalid.
An Application Layer Gateway (telecommunications) (ALG) can fix this problem. An ALG software module running on a NAT firewall device updates any payload data made invalid by address translation. ALGs obviously need to understand the higher-layer protocol that they need to fix, and so each protocol with this problem requires a separate ALG.
Most traditional client-server protocols (ftp being the main exception), however, do not send layer 3 contact information and therefore do not require an ALG.
Another possible solution to this problem is to use a technique like STUN. However, this requires the high level protocol be UDP-based and designed with these techniques in mind. It also does not work with symmetric NATs. Yet another possibility is UPnP but this requires the cooperation of the NAT device.
=Different types of NAT=
*Full cone NAT *Restricted cone NAT *Port restricted cone NAT *Symmetric NAT (aka Bi-directional NAT)
Refer to external links, for further information.
=Other examples of use=
*load balancing: Destination NAT can redirect connections pointed at some server to randomly selected servers. *failover: Destination NAT can be used to set up a service requiring high availability. If a system involves a critical server accessed through a router, and if the router detects that that server has gone down, it could use destination NAT to transparently re-route a connection to arrive on a backup server. *Transparent proxying: NAT can redirect HTTP connections targeted at the Internet to a special HTTP proxy server which can cache content and filter requests. Some internet service providers use this technique to reduce bandwidth usage without requiring their clients to configure their web browser for proxy support.
=Related topics=
=External links=
*[http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html NAT in Windows 2003: Setup and Configuration] – This article will describe how to set up and configure NAT in Windows 2003 *[http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html Anatomy – Volume 7, Issue 3, September 2004] *[http://computer.howstuffworks.com/nat.htm/printable HowStuffWorks: How Network Address Translation Works by Jeff Tyson]|
|