NAT/PAT Overview and Functionality Textbook

Understanding NAT/PAT

Objectives

  • Understand the need for NAT/PAT.
  • Understand how NAT/PAT works.
  • Learn about NAT/PAT operations and interactions with Layer 2 (L2), Layer 3 (L3), and Layer 4 (L4) addresses.
  • Recognize the limitations of NAT/PAT.

Network Address Translation (NAT)

  • Definition: NAT is a process that lets hosts in a private network communicate with external networks using different IP addresses; it is defined in RFC 1631 (1994) and RFC 2663 (1999).
  • Key Drivers:
    • IP Address Depletion: A shortage of available public IP addresses.
    • Scaling of Routing Tables: Challenges due to the growth of routing tables as networks expand.
  • Functionality:
    • Allows multiple internal clients to share one or more public IP addresses.
    • Reduces the need for globally unique IP addresses, facilitating the use of private IP addresses within organizations.

NAT Functionality

  • Public and Private IP Addressing:
    • NAT uses public IP addresses assigned to routing devices while allowing multiple internal devices to utilize private IP addresses.
  • Major Approaches (also termed masquerading):
    • NAT: Basic form of address translation.
    • PAT (Port Address Translation) or NAPT (Network Address Port Translation) / NAT Overloading: Allows multiple internal devices to share a single public IP by altering port numbers.
  • Types of address translation:
    • DNAT: Destination Network Address Translation (changing the destination IP address).
    • SNAT: Source Network Address Translation (changing the source IP address, often used in port forwarding).
    • Dynamic & Static NAT: Refers to whether translations are fixed in advance (static) or assigned as needed from a pool of addresses (dynamic).

NAT Terminology

  • Inside Local Address: An RFC 1918 private address assigned to a host on the inside network.
  • Inside Global Address: A public address assigned to a host on an internal network as it exits the router.
  • Outside Global Address: A reachable IP address assigned to a host on the Internet.
  • Outside Local Address: A local address allocated to a host on an external network. (Not covered extensively in this course.)

How Does NAT Work?

  • Example Packet:
    • A router (R2) receives packets from an inside host destined for an external network. For example:
      Source IP 192.168.10.10 (inside local) becomes 209.165.200.226 (inside global) as the packet exits; for the returning packets the router translates the destination 209.165.200.226 back to 192.168.10.10.

NAT Operations

  • One-to-One Mapping: Each internal host is translated to one external address, so the number of simultaneous users is limited by the number of external NAT addresses available.
  • Considerations of Limitations: With only one external IP address configured, only one internal host can be translated at a time, which constrains network accessibility.

Port Address Translation (PAT)

  • Functionality: Similar to NAT, but many internal hosts can share one external address because the router differentiates their flows by port number, turning the mapping into one-to-many (one external address, many internal hosts).
  • Example: Internal endpoints such as 192.168.10.10:1555 connect through a single external address; the router keeps the different internal users apart by assigning them distinct external ports (e.g., 1555, 1331).

Port Forwarding

  • Description: Typically performed at the destination network’s gateway, translating one destination port to another, sometimes altering the destination IP.
  • Considerations: Can introduce processing overhead on the router handling the translation.
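The PAT translation table and the port-forwarding entry described above, as an added Python simulation that is not part of the original text: one inside-global address is shared by inside hosts, a host keeps its own source port when it is free and is otherwise given the next unused pool port, return traffic is mapped back by reverse lookup on the destination port, inbound packets with no table entry are dropped, and a static forward (DNAT) delivers unsolicited traffic to an internal server. Mappings are keyed only on the inside-local IP:port (endpoint-independent), a simplification; all addresses and ports used with it are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """L3/L4 header fields that NAT/PAT rewrites (constructed sample type)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]  # (IP address, L4 port)


class Napt:
    """Simplified PAT/NAPT device with one inside-global address (simulation only)."""

    def __init__(self, global_ip: str, pool_start: int = 1024):
        self.global_ip = global_ip
        self.next_port = pool_start  # next candidate when a host's own port collides
        self.outbound: Dict[Endpoint, int] = {}  # inside local -> inside global port
        self.inbound: Dict[int, Endpoint] = {}   # inside global port -> inside local

    def add_port_forward(self, global_port: int, inside: Endpoint) -> None:
        """Static DNAT entry: unsolicited traffic to global_port is sent to `inside`."""
        self.inbound[global_port] = inside

    def _pick_port(self, wanted: int) -> int:
        # Keep the host's own source port when free; otherwise take the next unused pool port.
        if wanted not in self.inbound:
            return wanted
        while self.next_port in self.inbound:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite source IP/port and record the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self._pick_port(pkt.src_port)
            self.inbound[self.outbound[key]] = key
        return Packet(self.global_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: reverse lookup on destination port; no entry means drop."""
        inside = self.inbound.get(pkt.dst_port) if pkt.dst_ip == self.global_ip else None
        return None if inside is None else Packet(pkt.src_ip, pkt.src_port, *inside)
```

Constructing `Napt("209.165.200.226", pool_start=1331)` and sending packets from 192.168.10.10:1555 and 192.168.10.11:1555 yields translated ports 1555 and 1331, reproducing the ports in the text's example.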

Drawbacks of NAT

  • Increased Complexity: Makes the network architecture more complex.
  • Overhead in Management: Managing NAT devices can incur additional overhead in monitoring and configuration.
  • Breaks End-to-End Connectivity: Alters the essential communication model of IP, potentially complicating the functionality of some applications.
  • Issues with Tunneling Protocols: Rewriting addresses alters fields covered by checksums, which can lead to checksum violations when multiple addresses are changed.
  • Internal Services Requirement: Any service running internally that must be reachable from outside requires a port forward to communicate properly.

Important Considerations

  • Security Protocol Misconceptions: NAT should not be considered a security measure; a firewall should be used alongside NAT to secure the network.
  • Mitigation: Techniques like STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment), and TURN (Traversal Using Relay NAT) can help alleviate some challenges associated with NAT.