(Latest Revision: Sun Apr 1 15:46:29 PDT 2007)
Notes On Chapter Twenty-Six
-- Network Address Translation
- 26.1 Introduction
- This chapter discusses how multiple computers
can share a single IP address.
- 26.2 The Requirement For Unique Addresses
- Sharing an IP address inside a LAN would not be possible
without making many radical changes to protocols.
- For example, ARP won't work on a LAN if hosts
share IP addresses.
- 26.3 Network Address Translation Technology
- The "trick" used by NAT:
- assign a private, non-routable interior network
address to a LAN (e.g. 10.0.0.0/8)
- Use a NAT gateway device between the private LAN and the public
Internet.
- Assign a (shared, public) IP address to the external
interface between the gateway and the Internet.
- The NAT device performs address translation to allow packets to
flow in both directions between the private LAN and public
Internet.
- 26.4 NAT Topology
- All packets entering or leaving the private LAN go through the
NAT device.
- Each host on the private LAN receives a unique IP address having the
private, non-routable interior network prefix.
- Hosts on the Internet are never aware of the addresses in use on the
private LAN.
- 26.5 Possible Implementations Of NAT
- NAT can be implemented in hardware or software.
- Typically high performance networks require a hardware
implementation.
- A multi-homed host may be used as the NAT device.
- There may be a separate, dedicated NAT device.
- There are devices that combine the functionality of an IP router
and a NAT device.
- 26.6 Basic Address Translation
- The Internet sees the private LAN as a single host with a
single IP address (say 128.210.24.6).
- To hosts on the private LAN, the Internet seems to be aware of the
private addresses, and the Internet seems able to route traffic to
and from the private addresses.
- If host 10.0.0.1 on the private LAN sends a packet to
host 128.211.134.4 then the NAT changes the source address of the
outgoing packet from 10.0.0.1 to 128.210.24.6 (the IP
address assigned to the NAT device).
- If a packet arrives at the NAT device from the Internet, it is
addressed to 128.210.24.6 and the NAT has to change that to the
private address of one of the hosts on the private LAN before
transferring the packet onto the private LAN.
- When doing address translation, the NAT must also alter the
checksum.
- 26.7 Translation Table
- 26.8 NAPT and TCP Splicing
- Typically the translation process includes
port translation.
- As shown in figure 26.4, hosts 10.0.0.1 and
10.0.0.2 on the private LAN, both using source port 30000, might
both send out requests to a web server.
- When the requests go through the NAT device
(with external IP address 128.10.19.20), it might replace the 10.0.0.1:30000 source address and
source port combination with 128.10.19.20:40001, and the
10.0.0.2:30000 combination with 128.10.19.20:40002.
- Even if the two requests were sent to the same web server, after
forwarding, on the Internet they will appear to
have come from different sources -- two different ports on
host 128.10.19.20.
- The web server will send replies to both sources. When the replies
reach the NAT device, it will know to translate the destination
address 128.10.19.20:40001 to 10.0.0.1:30000, and the destination address
128.10.19.20:40002 to 10.0.0.2:30000.
- The NAT device maintains tables to aid the translation process.
- 26.9 Other Variants: Twice NAT and CAT
- As described thus far, the scheme does not accommodate servers that
might reside inside the private network. A request from the
Internet would ordinarily just be addressed to port 80 at the host
IP address. How can the NAT device know which host and port to
forward to on the private interior network?
- There are schemes that can "get around" this problem. They require
communication between the NAT device and a server on the exterior
Internet.
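The translation described in 26.6 (rewrite the source address and repair the IP header checksum), the port-translating table of 26.8 (two private hosts on port 30000 mapped to 40001 and 40002 on 128.10.19.20), and the 26.9 problem (an unsolicited request to port 80 matches no table entry) can all be seen in one small simulation. This is an added example, not code from the textbook or the notes; the `Napt` class, the `Packet` record and the sequential port allocator starting at 40001 are assumptions made for illustration, and a real NAT also keys its table on protocol and destination and expires entries.

```python
"""Toy NAPT (port-translating NAT) with IPv4 header checksum repair.

Added illustration for sections 26.6, 26.8 and 26.9; not code from the
textbook. Addresses and ports are the ones used in the notes; the Napt
class, Packet record and sequential port allocation are assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The transport-level 4-tuple the NAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Translation table as in 26.8: one public address, many private hosts."""

    def __init__(self, public_ip: str, first_port: int = 40001) -> None:
        self.public_ip = public_ip
        self.next_port = first_port   # assumption: ports handed out sequentially
        self.outbound = {}            # (private ip, private port) -> public port
        self.inbound = {}             # public port -> (private ip, private port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to public_ip:allocated_port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:          # first packet of a flow: add an entry
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt: Packet):
        """Internet -> LAN: map the public port back; unknown ports are dropped.

        Returning None is the 26.9 problem: a fresh request to port 80 has no
        table entry, so the NAT cannot tell which interior host should get it.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None
        return replace(pkt, dst_ip=key[0], dst_port=key[1])


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src_ip: str, dst_ip: str, total_length: int,
                      proto: int = 6, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]


def header_checksum_ok(header: bytes) -> bool:
    """Receiver's check: summing a valid header, checksum field included, gives 0."""
    return ipv4_header_checksum(header) == 0


def rewrite_source(header: bytes, new_src: str) -> bytes:
    """What the NAT does in 26.6: swap the source address, then fix the checksum.

    Only the IP header checksum is repaired here; TCP and UDP checksums cover a
    pseudo-header containing both addresses, so a real NAT updates those too.
    """
    patched = (header[:10] + b"\x00\x00"                       # zero checksum field
               + ipaddress.IPv4Address(new_src).packed + header[16:])
    return patched[:10] + struct.pack("!H", ipv4_header_checksum(patched)) + patched[12:]


if __name__ == "__main__":
    nat = Napt("128.10.19.20")
    for host in ("10.0.0.1", "10.0.0.2"):
        out = nat.translate_outbound(Packet(host, 30000, "128.211.134.4", 80))
        print(f"{host}:30000 -> {out.src_ip}:{out.src_port}")
    reply = nat.translate_inbound(Packet("128.211.134.4", 80, "128.10.19.20", 40002))
    print("reply to 40002 delivered to", reply.dst_ip, reply.dst_port)
    print("unsolicited port 80 request:", nat.translate_inbound(
        Packet("128.211.134.4", 5555, "128.10.19.20", 80)))
    hdr = build_ipv4_header("10.0.0.1", "128.211.134.4", 40)
    fixed = rewrite_source(hdr, "128.210.24.6")
    print("checksum valid after rewrite:", header_checksum_ok(fixed))
```

Running the module prints the two 26.8 mappings, the reverse translation of a reply, `None` for the unsolicited request, and `True` for the rewritten header; replacing the source address without calling `rewrite_source` makes `header_checksum_ok` return `False`, which is why the notes say the NAT must alter the checksum.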
- 26.10 NAT Software And Systems For Use At Home
- Home networks often use NAT with a DSL or Cable Modem connection.
- Software Sharing based on NAT/NAPT:
- Linux Masquerade
- Windows Internet Connection Sharing (ICS)
- Hardware Sharing based on NAT/NAPT:
- Linksys Corporation "Routers"
- 26.11 Summary