Network Address Translation (NAT)
Vicente González Ruiz
September 12, 2016
1 Introduction
- A NAT is, in general terms, a router that modifies the destination
endpoint of a packet, the source endpoint of a packet, or both.
- In either case, the translation is performed when the address spaces
to which the source and destination IP addresses belong are
incompatible, for example, as happens between public and private
networks.
2 Private networks
- RFC 1918. RFC 1918 specifies that private addresses are not to be routed
over the Internet. This sometimes sees private addresses described as
"non-routable". However, packets with private addresses can be routed
within private internetworks.
- They allow more nodes to be connected to the network than the IPv4
address space provides.
- They are implemented using NAT. Unlike public IP addresses, private IP
addresses are a reserved block of numbers that can be used by anyone.
That means two networks, or two million networks, can each use the same
private addresses. To protect the public Internet address structure, ISPs
typically configure the border routers to prevent privately addressed traffic
from being forwarded over the Internet.
- IANA has reserved a series of private IP address ranges (see
Figure 1).
- Because you cannot route private addresses over the Internet, and there are
not enough public addresses to allow organizations to provide one
to every one of their hosts, networks need a mechanism to translate
private addresses to public addresses at the edge of their network that
works in both directions. Without a translation system, private hosts
behind a router in the network of one organization cannot connect
with private hosts behind a router in other organizations over the
Internet. Network Address Translation (NAT) provides this mechanism.
Before NAT, a host with a private address could not access the Internet.
Using NAT, individual companies can address some or all of their
hosts with private addresses and use NAT to provide access to the
Internet.
3 NATing
Exercise 1: Does it make any sense to define a class C private
network? Explain.
Although they can be built, private class C networks have no
advantage and do have one disadvantage: they are 256 times smaller
than a class B network.
Example
In the following figure the host on the private network with IP 10.0.0.1 accesses a public
Web server with IP 128.119.40.186.
4 Terminology
- Inside local address - Usually not an IP address assigned by a RIR or
service provider and is most likely an RFC 1918 private address. In the
figure, the IP address 192.168.10.10 is assigned to the host PC1 on the
inside network.
- Inside global address - Valid public address that the inside host is given
when it exits the NAT router. When traffic from PC1 is destined for the
web server at 209.165.201.1, router R2 must translate the address. In this
case, IP address 209.165.200.226 is used as the inside global address for
PC1.
- Outside global address - Valid public IP address assigned to a host on
the Internet. For example, the web server is reachable at IP address
209.165.201.1.
- Outside local address - The local IP address assigned to a host on the
outside network. In most situations, this address will be identical to the
outside global address of that outside device.
PC1 ------------- NAT ------...------- Web server
192.168.10.10     209.165.200.226      209.165.201.1
5 Algorithms for creating entries in the NAT table
There are two ways of creating entries in the NAT table:
- Cone NATing: A separate entry is created for each distinct private
endpoint.
- Symmetric NATing: A separate entry is created for each
(private endpoint, public endpoint) combination.
6 Mappings
There are two types of NAT translation: dynamic and static.
Both static and dynamic NAT require that enough public addresses are available
to satisfy the total number of simultaneous user sessions.
6.1 Dynamic
Dynamic NAT uses a pool of public addresses and assigns them on a first-come,
first-served basis. When a host with a private IP address requests access to the
Internet, dynamic NAT chooses an IP address from the pool that is not already in
use by another host. This is the mapping described so far.
6.2 Static
Static NAT uses a one-to-one mapping of local and global addresses, and
these mappings remain constant. Static NAT is particularly useful for web
servers or hosts that must have a consistent address that is accessible from
the Internet. These internal hosts may be enterprise servers or networking
devices.
7 Ports
NATs assign the first available port number starting from the beginning of the
appropriate port group 0-511, 512-1023, or 1024-65535. When there are no more
ports available and there is more than one external IP address configured, NAT
overload moves to the next IP address to try to allocate the original source port
again. This process continues until it runs out of available ports and external IP
addresses.
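The port-group allocation just described, as an added example (not code from the original notes): the allocator first tries to keep the host's original source port on an external address, then the first free port counting up from the start of that port's group, and only moves to the next configured external address when the group is exhausted. The second address 209.165.200.227 is a constructed value.

```python
from typing import List, Optional, Set, Tuple

# Port groups named in the text; a translated port stays inside the group
# of the original source port (0-511, 512-1023 or 1024-65535).
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def group_of(port: int) -> Tuple[int, int]:
    """Return the (low, high) bounds of the group that contains `port`."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port number {port}")


class OverloadAllocator:
    """Chooses the (inside global IP, port) pair for a new PAT translation.

    external_ips is the ordered list of public addresses configured on the
    NAT; `used` holds the pairs currently taken by live translations.
    """

    def __init__(self, external_ips: List[str]) -> None:
        self.external_ips = list(external_ips)
        self.used: Set[Tuple[str, int]] = set()

    def allocate(self, original_port: int) -> Optional[Tuple[str, int]]:
        low, high = group_of(original_port)
        for ip in self.external_ips:
            # Preferred: keep the host's own source port on this address.
            if (ip, original_port) not in self.used:
                self.used.add((ip, original_port))
                return ip, original_port
            # Otherwise the first free port, counting up from the group start.
            for port in range(low, high + 1):
                if (ip, port) not in self.used:
                    self.used.add((ip, port))
                    return ip, port
            # Group exhausted on this address: fall through to the next one.
        return None  # every port of this group on every address is in use

    def release(self, ip: str, port: int) -> None:
        """Free a pair when its translation times out or the session ends."""
        self.used.discard((ip, port))


if __name__ == "__main__":
    nat = OverloadAllocator(["209.165.200.226", "209.165.200.227"])  # second IP constructed
    print(nat.allocate(1024), nat.allocate(1024))  # keeps 1024, then first free 1025
```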
8 Forwarding algorithms
- Full Cone NATing: Once an entry has been created in the NAT table,
any packet arriving from the public network at the public port
associated with that entry will be forwarded to the private endpoint. This
type of forwarding is equivalent to what would be obtained by redirecting
(by hand or using UPnP) the public port to the private endpoint.
- (Address) Restricted Cone NATing: Packets will be forwarded to the
private endpoint if the source IP address of the packet matches the
destination IP address of the packet that created the entry in the NAT
table. In other words, packets coming from the public host that was
referred to when the entry was created will be forwarded, regardless of
the port used on that host.
- Port Restricted Cone NATing: Same as the previous one, but only packets
that additionally come from the public port to which the private process
originally connected will be forwarded.
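An added example (not code from the original notes) that puts sections 5 and 8 together in one toy NAT table: the mapping choice (cone vs. symmetric) decides when a new entry is created, and the filtering choice (full, address-restricted, port-restricted) decides which inbound packets the entry accepts. It uses the addresses from section 4; PC1's source port 5000 and the third-party host 198.51.100.7 used in the walk-through are constructed values.

```python
from itertools import count
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


class Nat:
    """Toy NAT table. mapping: "cone" (one entry per private endpoint) or
    "symmetric" (one per private/public endpoint pair). filtering: "full",
    "address" (restricted cone) or "port" (port restricted cone)."""

    def __init__(self, public_ip: str, mapping: str, filtering: str) -> None:
        self.public_ip, self.mapping, self.filtering = public_ip, mapping, filtering
        self.table: Dict[object, int] = {}  # mapping key -> public port
        # public port -> (private endpoint, public endpoints it has sent to)
        self.entries: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = {}
        self._ports = count(1024)  # sequential public ports, for brevity

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Translate a private->public packet, creating an entry on first use."""
        key = src if self.mapping == "cone" else (src, dst)
        port = self.table.get(key)
        if port is None:
            port = next(self._ports)
            self.table[key] = port
            self.entries[port] = (src, set())
        self.entries[port][1].add(dst)  # remember whom the private host contacted
        return (self.public_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Translate a public->private packet; None means the NAT drops it."""
        if dst[0] != self.public_ip or dst[1] not in self.entries:
            return None  # no entry for this public port
        private, peers = self.entries[dst[1]]
        if self.filtering == "address" and src[0] not in {ip for ip, _ in peers}:
            return None  # restricted cone: unknown source host
        if self.filtering == "port" and src not in peers:
            return None  # port restricted: known host but unknown source port
        return src, private


# Walk-through with the section 4 addresses (port 5000 and host 198.51.100.7 constructed).
pc1, web = ("192.168.10.10", 5000), ("209.165.201.1", 80)
for filtering in ("full", "address", "port"):
    nat = Nat("209.165.200.226", "cone", filtering)
    public, _ = nat.outbound(pc1, web)
    # reply from web:80 passes all three; web:8080 only full/address; a third host only full
    print(filtering, nat.inbound(web, public), nat.inbound(("209.165.201.1", 8080), public), nat.inbound(("198.51.100.7", 80), public))
```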