Network Address Translation (NAT)

If you have a router or share an internet connection across multiple computers in your home or at work then chances are you’re using NAT (also known as IP Masquerading). But what is it, why is it needed and how does it work?

This article begins with a very basic introduction of IP addresses and ports, moves on to the basics of NAT and finally concludes with some additional food for though. It is by no means an in-depth guide on the subject (entire textbooks have been written about it) and should be used as a starting point only. A little bit of knowledge on network internals can help you understand the configuration changes you need to make to your router/firewall for certain peer-to-peer applications and where to start looking when things don’t work.

IP Addresses: An IP (Internet Protocol) address is a 32 bit (or 4 bytes) integer value often written in dot form notation, e.g 211.13.57.189. As the word ‘address’ implies, this number uniquely identifies a device (PC, server, PDA, console, router…) on a network. Routers know where to send data by looking at an IP address and forwarding a packet (data chunk) in the right direction until it eventually finds its way home, much like how the post office delivers an envelope to your house address.

Much like your home address is always the same until you move, an IP address is usually leased to devices for a particular amount of time (from hours to years). Most of the time these lease agreements are done using something called DHCP (Dynamic Host Configuration Protocol). DHCP is used by most ISPs (Internet Service Providers) to assign you an IP address every time you connect to the internet from their pool of free addresses. You receive this IP on an initial time lease (usually 24 hours) which may then be extended or revoked as needed. Every time you connect you get assigned an IP address from their pool which may or may not be the same as before, depending on what’s available at the time.

Note: as long as you have an active connection to the DHCP server, whenever your IP address reaches the expiry deadline the lease is re-negotiated and extended. This means that you may get to keep the same IP for months. If however, the lease on your IP is about to expire but your connection to the DHCP server is lost, then an extension cannot be re-negotiated, meaning your IP is released in the free pool. You may have noticed this when you turn your modem off for a few days and return.

Public IPs: IP addresses may be classified into two main categories: public and private. Public IPs are the ones used to interconnect devices across different networks (such as over the internet as described above). This works because in theory a public IP is only assigned to one device in the whole world at any one time, so when a router sees a packet intended for a particular IP there’s no confusion as to its intended destination (as opposed to what would happen if multiple devices where using the same IP).

As such, major companies, universities, government facilities and ISPs usually buy or lease a large range of these public addresses and are then free to assign them as they see fit. This means that the individual companies or ISPs are responsible for making sure no two devices use the same public IP from their address pool within their network. If duplication does happen, then the ISP is likely to have major problems with establishing and maintaining reliable connections (note that some cheap ISPs may try and assign shared IP addresses by performing NAT on their customers themselves).

Private IPs: Given the amount of computers in the world that need internet access, and due to poorly allocated address pools (companies that got in early bought very large chunks while others are stuck with relatively few addresses) assigning unique IPs to every device is not always feasible. The solution to this problem was to designate certain IP ranges as private. These are 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, 192.168.0.0 to 192.168.255.255 and 169.254.0.0 to 169.254.255.255) Addresses falling within these ranges are not governed by anyone and maybe be used freely by anyone, anywhere at any time.

Home networks and companies which don’t have a public IP range (this would be the majority) may use private IP addresses from one of those ranges to interconnect their computers and establish a LAN (Local Area Network). All computers in the LAN that have a private IP may communicate freely with each other. However, these computers cannot directly connect to the internet (or any other network outside the private IP range) since private IPs are not unique and routers would not be able to distinguish traffic between all the devices using the same IP.

Update: Another solution to the public IP shortage as more and more internet enabled devices emerge is the invent of IPv6. An IPv6 address is6 bytes long, as opposed to 4 thus greatly increasing the total address space (private IPs will still remain though as they facilitate private networks and intranets).

Port Numbers: The final critical element that makes NAT possible is ports. IP addresses uniquely identify the device a particular data packet is destined for but that’s not enough. One device usually runs multiple programs that need to access the internet (web browser, chat client, streaming media, games…). In order for all these applications to coexist harmoniously, a mechanism to separate all these data streams is required (otherwise a program would receive data intended for other applications and would not know what to do with it). Each program or process is thus assigned a different number between 1 and 65535 (16bit) called a port number. Think of this as a name addressing a particular person within a household such that your mail can be distinguished from your dad’s mail simply by looking at the envelope (likewise the OS TCP/IP stack would look at the TCP/UDP header to extract the port number and identify the intended recipient application).

IP/Port Pairs: Data that needs to be sent over a network is divided up into small chunks called packets. Each one of these packets is stamped with source and destination information and launched across the internet. Routers along the way check the destination information and keep forwarding packets in the right direction until they reach their target or get lost along the way and eventually die (TTL, or Time-To-Live, setting dictates the maximum number of hops a packet can do before it is dropped).

The source address of a packet consists of the source IP address identifying the device (network interface card really) and the source port number identifying the program which generated this packet. The destination information consists of the destination IP identifying the intended recipient and the destination port identifying the target program (eg: port 80 for web-servers). These IP/Port pairs are the key to understanding NAT.

Network Address Translation: To quickly restate the problem, computers with private IPs cannot access the internet directly because the addresses are not unique and there would be routing conflicts as to where data should be delivered. Giving every device public IPs on the other hand is not feasible as there’s a limited number available and they cost money (private networks also have other advantages). So then how can you network a large number of computers together and give them all internet access without buying a public IP for each?

Let’s take a small home network for example. You have 3 computers which you want to network together to share files and access the internet but you only have one internet account and hence only one public IP. First you get a router and connect it to your internet modem. The router (just like a computer) is assigned a public IP by your ISP using DHCP (also called the WAN (Wide Area Network) IP). You then connect your three computers to your router and set up your router to assign them private IPs (again using DHCP) in the range 192.168.1.1 range. Say the three computers get IP addresses 192.168.1.1, 192.168.1.2 and 192.168.1.3 respectively. You then test this out and notice that the three computers can all access each other and, more importantly, they can all access the internet (if everything else is set up correctly) even though they have private IPs. That’s because the router is doing NAT, i.e. translating private IPs to public IPs and vice-versa.

How it works: So when a computer with a private IP sends a packet destined to a public IP outside the local network the router intercepts this packet, copies down the source IP and source port of the sender, substitutes these with it’s own public IP and some random port number that is not yet in use, takes a note of this substitution by creating a NAT entry in its NAT table, and then finally forwards this packet on to the internet. This packet is now valid since it has a public IP as the source address and any replies will come back to the NAT router. When the destination receives this packet it sends a reply to the source IP (i.e. the WAN IP of the router) and the source port (random port chosen by router). When the router receives this packet it checks its NAT table by using the port number it assigned as an ID to identify the correct NAT entry, performs a reverse substitution with the original private IP and source port and finally sends this packet directly to the waiting recipient.

Using this approach the router can set up a theoretical maximum of 65535 different NAT entries (that’s how many ports it has which it can use as IDs). So if you have 100 computers on your private network each computer can have up to 655 programs using the internet at the same time (remember, one NAT entry is needed for each source IP/ Port pair, hence one for each program).

NAT Firewall Effect: Some people claim NAT is a type of firewall. This is because it blocks unwarranted incoming traffic. Since your computers behind the NAT router have private IPs they are not directly addressable over the internet. i.e. nobody can initiate a connection to them because it’s as if they don’t exist. From the outside, only the router is visible. Anything on the inside it not. An attacker could send data to random router ports but unless there’s a NAT mapping in place the router won’t know what to do with those packets and will either drop them or forward them to a default gateway.

Port-Forwarding: This firewall side effect is all well and good but sometimes you want people to be able to connect to your computer for certain applications such as games, peer to peer, instant messaging, voice/video chat and so on. In order to do this you must set up your own NAT entry manually, often called a port-forwarding rule. To do this you usually go into your router’s interface and say something like “all packets that arrive on router port xxx should be sent to IP a.b.c.d: port yyy”. With this rule in place, when the router receives any data on port xxx it will forward it along to your computer instead of dropping it. You may also set up a general rule that says “any packet arriving on an unmapped port should be sent to IP a.b.c.d and same port”. This is often called a default gateway or a DMZ (Demilitarized Zone) and negates the firewall effect of NAT.

Other Interesting Facts: Some specific port numbers (especially in the range of 1 to 1024) are reserved for typically well known applications. For example, most web servers listen for HTTP requests on port 80, telnet servers listen for incoming requests on port 23, FTP servers use ports 20 and 21, and so on (see http://www.governmentsecurity.org/articles/CommonPorts.php for a list of commonly used port numbers).

I have not mentioned anything about TCP and UDP in this article but each protocol has its own separate port space. This means you can have a TCP program running on port 100 while having a UDP program running on the same port at the same time without any interference (65535 ports per protocol).

Most modern routers support something called UPNP, a dynamic configuration mechanism that allows applications running on your computer to automatically request the router to create a NAT entry for them without manually having to set up your own forwarding rule.

Comments

Popular posts from this blog

Wkhtmltopdf font and sizing issues

Import Google Contacts to Nokia PC Suite

Can't delete last blank page from Word