Tim Kaddoura
Introduction
The human population is growing exponentially, the global digital divide is
slowly but surely narrowing, and the internet is predicted to remain among the
most popular technologies of the future. What does this mean for network service
providers? Are they obliged to adopt IPv6 quickly, even though migrating to a
whole new network infrastructure takes years? Network Address Translation is the
ideal interim solution.
In this report, I will discuss the reasons why NAT is a viable solution for the
extension of the IP address format, its security benefits in current networks, and
its advantages/disadvantages to current systems software, such as SNMP.
CS158B
Page 1 of 7
3/25/2005
Project Report
This then requires the checksums of both the IP header and the TCP header to
be recalculated so that integrity checks still pass. These operations occur on a
router or switch between the local and global network.
NAT is a broad term simply because it comes in many different flavors:
Static NAT, Dynamic NAT, Overloading, and Overlapping. Each translates
addresses differently depending on the scenario.
The first diagram depicts the generic NAT translation from private hosts to
public hosts and vice versa [4]. And the second diagram shows an Overloading
I have described, with the help of two diagrams, what a NAT router does to
connect a host machine to the outside world. We shall now see, technically, how
this is done inside the router.
NAT Operation
While NAT in some cases, as mentioned above, translates one private
address to one public address, the challenging and most widely used aspect of
NAT is multiplexing: in other words, exploiting a one-to-many relationship by
sending packets from many private hosts on the network to public hosts on the
internet through a single registered IP address.
The header of every incoming or outgoing packet is used to locate client
computers. It carries a source address, a source port, a destination address,
and a destination port. These four fields are crucial to defining an entire
TCP/IP connection between two host machines. The address fields identify the
hosts at the two ends of the connection, and the port fields ensure that each
connection is acknowledged separately.
Suppose a remote computer contacts a gateway behind which four different
hosts share the same IP address: how will the gateway know which of the four
computers the traffic is meant for? NAT changes the fields of the packet header
to make this possible. The changes are made to the source address and source
port fields of every outgoing packet. To keep track of the changes that must
later be undone, the NAT gateway maintains a port mapping table that relates a
local host's private IP address, real source port, and translated source port to
the destination address and port.
Incoming packets from remote computers are then checked by the NAT gateway
against the stored lookup table. The destination address is the same for all
replies (the gateway's single public address), but the destination port carries
the port the NAT gateway assigned to the outgoing packet. Using the table, that
port is mapped back to the local host's real address and source port, and the
packet is forwarded to the correct machine.
NAT Security
Internet security has become an integral part of network solutions.
Nowadays, a network product is no longer judged solely by its networking
capabilities, but by its security strengths as well. NAT gateways automatically
provide built-in firewall protection because of the way in which they map local
computers. In other words, because NAT uses a mapping table that stores
complete connection information, no incoming message is passed to a local host
unless the packet header has been screened and the values it contains match
those in the table.
This is effective when a small business wants to avoid being a target of
malicious content. The only way for a local machine to receive packets
containing malicious content is for it to first send a packet of any sort to
Trudy, revealing the source port assigned to it by the NAT gateway. The chances
of this happening are very small compared to being exposed to unknown or random
attacks.
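The port-mapping table from the NAT Operation section and the screening of unsolicited inbound packets from the NAT Security section, as an added Python example that is not part of the report. The addresses, the port range and the class and function names are constructed for illustration.

```python
# Added example, not from the report: a minimal NAPT ("Overloading") gateway
# that keeps the port-mapping table described above. All addresses, the port
# range and the class/function names are constructed for illustration.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NaptGateway:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound index: (local ip, local port, remote ip, remote port) -> translated port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # inbound index: (translated port, remote ip, remote port) -> (local ip, local port)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address/port of a packet leaving the private network."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_table.get(key)
        if port is None:                       # first packet of this connection
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # A real gateway would also recompute the IP and TCP checksums here.
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; None means the packet is dropped."""
        local = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or local is None:
            return None                        # no matching connection: unsolicited
        return replace(pkt, dst_ip=local[0], dst_port=local[1])

def demo():
    """Constructed traffic: two local hosts reuse source port 1025 toward one server."""
    gw = NaptGateway("203.0.113.5")
    a = gw.outbound(Packet("192.168.0.10", 1025, "198.51.100.7", 80))
    b = gw.outbound(Packet("192.168.0.11", 1025, "198.51.100.7", 80))
    reply_a = gw.inbound(Packet("198.51.100.7", 80, "203.0.113.5", a.src_port))
    # Right public port, but from a host no local machine ever contacted
    unsolicited = gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", a.src_port))
    return a, b, reply_a, unsolicited
```

Only a packet whose remote address, remote port and translated port all match a table entry is forwarded inward; everything else is dropped, which is the firewall effect the text describes.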
Conclusion
While we have just observed a disadvantage of using NAT, it is important
to note that CNAT is not needed with other NAT gateways that use one-to-one
mappings (i.e. Static or Overlapping). The advantages of using NAT switches
outnumber the disadvantages.
Without having to wait for a major overhaul of the IP addressing
infrastructure, Network Address Translation offers secure, shared access to the
internet at an excellent cost. NAT is clearly going to become the de facto
standard for shared internet access.
References
[1] http://www.faqs.org/rfcs/rfc1918.html (Address Allocation for Private Internets)
[2] http://www.faqs.org/rfcs/rfc1631.html (The IP Network Address Translator)
[3] http://www.faqs.org/rfcs/rfc1287.html (Towards the Future Internet Architecture)
[4] http://www.cisco.com/en/US...94831.shtml (How NAT Works)
[5] http://www.networkcomputing.com...ws1.html (Learning to Live with NAT)