What is NAT and how does it work?

NAT is a pretty common term in the networking world. What does this acronym (Network Address Translation) mean and what is it for?

Introduction 1: How does a TCP/IP connection work?

On the Internet, hosts are identified by an IP address. This address is unique: normally it matches only one computer on the network. Every host can host services. To reach a service, a protocol and optionally a port have to be specified. For establishing connections there are mainly two protocols, TCP and UDP. On a given IP address, only one service can listen on a given port. There is a list of standard ports for classical applications, called the well-known ports. They are assigned by IANA and can be found in the /etc/services file on Unix. For example, port 80 in TCP is for HTTP, port 25 in TCP for mail, and port 53 in UDP and TCP for DNS.

In the Internet world, when we want to reach a service, the client host (the one asking) opens a connection from its IP address IPc to the port of the service (Ps) on the IP address of the server (IPs). To do so the client picks an available port on its IP address (Pc) and establishes a connection between (IPc,Pc) and (IPs,Ps). The server will answer by sending data to (IPc,Pc). As always, a drawing explains it better:




Introduction 2: IPv4 shortage

The connection just described is one in a world where we have enough IP addresses for every computer connected to the Internet. Unfortunately, when the IP protocol was designed nobody expected the Internet to take off like it did. It was decided that an IPv4 address would be stored in 32 bits. It means that there are only 2^32 (= 4 294 967 296) addresses in theory. 4 billion is huge, almost sufficient regarding the Earth's population, but in real life an Internet application with a bit of success needs more than just one server. For example, almost all websites are hosted on two different servers for resiliency purposes. Big platforms are made of dozens or dozens of thousands of servers; Facebook, for example, represents something like 30 000 servers. Moreover, to route packets (drive them to the right place) this set was subdivided into sub-networks delegated to several entities. The subdivision causes extra usage of IP addresses, since at least each host interconnecting two networks needs an IP address on both. Last, a generous allocation was made to the first Internet-connected organisations, particularly North American and European companies and the DoD. As a consequence there are not enough IPv4 addresses for everyone. An evolution of the IP protocol was defined, called IPv6, but it is not widely deployed.

NAT, what for?

A solution to deal with the IPv4 shortage was to group several hosts behind one IP address. It's what European customers know as the box from their ISP. The idea is to have a host called a router which has two network interfaces, one with a public routable IPv4 address and the other on the local network side with an address that is unique only on the local network, called a private address. A pool of IPv4 addresses defined in RFC 1918 is reserved for that usage. These addresses need to be unique only on the local network. Hosts which are only on the private network are configured to send all packets bound for the Internet to the router. The router receives the requests and then forwards them to the destination server on the Internet, translating the source address to its public address. This mechanism is called SNAT (Source NAT).

To publish a service running on a local host to the Internet, the router can translate the destination address from its own public IP address to the internal server's address. It's called DNAT (Destination NAT).


How does it work?


We saw in the introductions that a connection is made between (IPc,Pc) and (IPs,Ps). In the NAT case, the issue is that IPc is not an IP address reachable by the server. During the opening of the connection, the router creates a connection from (IPr,Pr) to (IPs,Ps) and keeps the association (IPc,Pc)↔(IPr,Pr)↔(IPs,Ps) in a table. As a result it can forward further packets using the established connection (IPr,Pr)→(IPs,Ps) and send packets received on (IPr,Pr) back to (IPc,Pc). The situation is similar for DNAT.

Note that for the server there is only a connection from (IPr,Pr).
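The translation table described above, as an added example that is not part of the original post: a small Python model of the router that rewrites an outbound packet to (IPr,Pr), records the (IPc,Pc)↔(IPr,Pr)↔(IPs,Ps) association, maps the server's reply back to (IPc,Pc), applies a DNAT rule for a published service, and drops anything it has no entry for. All addresses, ports and the starting router port 40000 are constructed sample values.

```python
# Added example (not from the original post): a minimal SNAT/DNAT table as the
# text describes it. Addresses and ports are constructed sample values.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    public_ip: str                                  # IPr, the routable address
    dnat: dict = field(default_factory=dict)        # Pr -> (internal IP, port), published services
    next_port: int = 40000                          # next free Pr handed out by SNAT
    # out_map: (IPc, Pc, IPs, Ps) -> Pr ; in_map: (Pr, IPs, Ps) -> (IPc, Pc)
    out_map: dict = field(default_factory=dict)
    in_map: dict = field(default_factory=dict)

    def outbound(self, p: Packet) -> Packet:
        """Private host -> Internet: rewrite the source to (IPr, Pr) and remember the flow."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.out_map:                 # new connection: allocate a router port
            pr = self.next_port
            self.next_port += 1
            self.out_map[key] = pr
            self.in_map[(pr, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Packet(self.public_ip, self.out_map[key], p.dst_ip, p.dst_port)

    def inbound(self, p: Packet):
        """Internet -> router: reply to a known SNAT flow, a DNAT-published service, or None (dropped)."""
        client = self.in_map.get((p.dst_port, p.src_ip, p.src_port))
        if client is not None:                      # reply on an established (IPr,Pr)->(IPs,Ps) flow
            return Packet(p.src_ip, p.src_port, client[0], client[1])
        published = self.dnat.get(p.dst_port)
        if published is not None:                   # DNAT rule: rewrite destination to the internal server
            return Packet(p.src_ip, p.src_port, published[0], published[1])
        return None                                 # unsolicited packet: no table entry, so it is dropped

def demo():
    r = NatRouter(public_ip="203.0.113.1", dnat={80: ("192.168.1.10", 8080)})
    out = r.outbound(Packet("192.168.1.20", 51515, "198.51.100.5", 80))       # client -> web server
    reply = r.inbound(Packet("198.51.100.5", 80, "203.0.113.1", out.src_port))  # server's answer
    published = r.inbound(Packet("198.51.100.7", 33333, "203.0.113.1", 80))   # hits the DNAT rule
    dropped = r.inbound(Packet("198.51.100.7", 33333, "203.0.113.1", 22))     # no entry, no rule
    return out, reply, published, dropped
```

The server in `demo()` only ever sees packets from (203.0.113.1, 40000), which is the point of the note above: the client's private address never leaves the local network.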

