What is the NAT protocol

For our computers to reach information on the Internet, they need an address that every other host agrees on and that is globally reachable. Such an address is called a public IP address.

Besides public IP addresses there are also private IP addresses, the addresses we use on private networks such as home LANs or corporate networks. If you look at the addresses assigned by your home router, for example by logging in to the router's gateway at 192.168.1.1, you will usually see addresses of the form 192.168.1.x listed under the assigned network. These are private IP addresses.

For example, cxuan's private IP address is 192.168.1.3, and the IP address of his next-door neighbour is also 192.168.1.3. Will there be an IP conflict when they surf the Internet at the same time? Or will the neighbour be able to see what cxuan is browsing?

We don't have to worry about this, because a Network Address Translator (NAT) translates our private addresses into public IP addresses when our computers connect to the Internet. So let's take a look at this protocol and how it works.

NAT is a technology that translates the private addresses used on a local network into public IP addresses when connecting to the Internet. In fact, not only IP addresses but also TCP and UDP port numbers can be translated; strictly speaking, that variant is called NAPT. In most cases, what we call NAT really means NAPT.

Working mechanism of NAT

Let’s talk about how NAT works, as shown in the figure below.

Client A (IP 192.168.1.6) on the private network wants to send a packet to the server (IP 122.122.122.122) on the public network. When the packet passes through the NAT router, the router rewrites the private source IP 192.168.1.6 to the public IP 12.34.56.78, so the packet's source address becomes 12.34.56.78. The packet is then sent over the Internet to the destination server at 122.122.122.122.

A NAT router is simply a router with NAT software installed; a router equipped with NAT software is called a NAT router.

NAT routers can translate not only private IP addresses to public IP addresses, but also public IP addresses to private IP addresses. The translation is bidirectional.

For example, when server 122.122.122.122 sends a packet back over the Internet to the NAT router, the router rewrites the packet's destination address to 192.168.1.6 and then delivers it to client A.

This raises a question: when the server sends packets back, how does the NAT router know which private IP address the public destination address should be translated to?

As mentioned above, a NAT router is NAT software installed on a router. A NAT router is therefore itself a router device, and a router has a routing table. The routing table records source and destination addresses, and packets are routed and forwarded according to it.

(We can use netstat -nr to display the routing table.)

It is therefore natural that the NAT router also keeps an internal table recording the translated addresses, and it performs address translation according to this internal mapping.

However, in real life it is impossible for only one client to communicate on a private network. So when all the clients on a private network need NAT to access the Internet, does the NAT router allocate a public IP address for each client? If private networks around the world did this, the supply of public IP addresses would come under pressure.

To solve this problem, a translation method that uses both the IP address and the port number (NAPT) was proposed, as shown in the following figure.

The general process is the same as the NAT translation above, except that with NAPT the source addresses of the packets from clients A and B, 192.168.1.6:80 and 192.168.1.7:80, are translated to 12.34.56.78:80 and 12.34.56.78:90 respectively before being sent to the target server. During translation the NAT router generates a translation table so that each IP address and port combination is translated correctly, enabling both client A and client B to communicate with the server.

The translation table is generated automatically on the NAT router: when a TCP connection is established, the mapping is created, and when the TCP connection is torn down, the mapping is deleted.
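The NAPT behaviour described above can be made concrete with a small simulation. The following Python code is an added example, not part of the original article: it models the translation table as a dictionary keyed on the private (IP, port) pair, rewrites outbound packets to the public address 12.34.56.78, rewrites replies back, drops inbound packets that match no entry, and deletes an entry when a TCP FIN passes through. The packet layout, the external port range starting at 40000, and the "one FIN ends the mapping" simplification are assumptions of this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Public address of the NAT router, as in the text above. The external port
# range and the packet layout are assumptions of this example.
PUBLIC_IP = "12.34.56.78"
FIRST_EXTERNAL_PORT = 40000  # assumption: first external port handed out

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fin: bool = False  # TCP FIN set: the connection is being torn down


class NaptRouter:
    """Dynamic NAPT: one table entry per (private ip, private port); rewrites
    the source of outbound packets and the destination of inbound ones."""

    def __init__(self) -> None:
        # (private ip, private port) -> (public ip, public port)
        self.outbound_map: Dict[Endpoint, Endpoint] = {}
        # reverse index consulted when replies arrive from the Internet
        self.inbound_map: Dict[Endpoint, Endpoint] = {}
        self.next_port = FIRST_EXTERNAL_PORT

    def _forget(self, private: Endpoint) -> None:
        public = self.outbound_map.pop(private, None)
        if public is not None:
            self.inbound_map.pop(public, None)

    def lan_to_internet(self, pkt: Packet) -> Packet:
        """The first packet of a connection creates the mapping; later packets
        reuse it. The source (ip, port) is rewritten to the public pair."""
        private = (pkt.src_ip, pkt.src_port)
        if private not in self.outbound_map:
            public = (PUBLIC_IP, self.next_port)
            self.next_port += 1
            self.outbound_map[private] = public
            self.inbound_map[public] = private
        pub_ip, pub_port = self.outbound_map[private]
        translated = replace(pkt, src_ip=pub_ip, src_port=pub_port)
        if pkt.fin:
            self._forget(private)  # simplification: a single FIN ends the mapping
        return translated

    def internet_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Inbound packets are delivered only if a mapping exists. Anything
        unsolicited has no table entry and is dropped (returns None)."""
        public = (pkt.dst_ip, pkt.dst_port)
        private = self.inbound_map.get(public)
        if private is None:
            return None
        priv_ip, priv_port = private
        translated = replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        if pkt.fin:
            self._forget(private)
        return translated

    def restart(self) -> None:
        """Losing the in-memory table (a router reboot) orphans every
        established connection: replies no longer match any entry."""
        self.outbound_map.clear()
        self.inbound_map.clear()


if __name__ == "__main__":
    router = NaptRouter()
    # constructed traffic: clients A and B from the text, both using port 80
    out_a = router.lan_to_internet(Packet("192.168.1.6", 80, "122.122.122.122", 80))
    out_b = router.lan_to_internet(Packet("192.168.1.7", 80, "122.122.122.122", 80))
    print("A leaves as", out_a.src_ip, out_a.src_port)
    print("B leaves as", out_b.src_ip, out_b.src_port)
    reply = router.internet_to_lan(Packet("122.122.122.122", 80, PUBLIC_IP, out_b.src_port))
    print("reply for B delivered to", reply.dst_ip, reply.dst_port)
    print("unsolicited inbound:", router.internet_to_lan(Packet("203.0.113.9", 5555, PUBLIC_IP, 40999)))
```

Note that the same private host reuses its entry for as long as the connection lives, that an external host cannot reach an internal one without a pre-existing entry, and that `restart()` shows why a router reboot breaks every established TCP connection: the state lives only in the table.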

What is NAT-PT

Today's Internet is a mixture of IPv4 hosts and IPv6 hosts. IPv6 is the replacement for IPv4, and more and more hosts have upgraded to IPv6, but Rome was not built in a day, and the world's computers cannot all be upgraded in a few days. Many services are still built on IPv4, so unless IPv6 hosts can interoperate with them the benefits of using IPv6 are lost. The NAT-PT specification was developed to address this problem.

NAT-PT is a technology that converts an IPv6 header into an IPv4 header. Through NAT-PT, IPv6 hosts can communicate with IPv4 hosts and use certain IPv4 services.

Note that IPv6 can only be converted to IPv4, not the other way around.

Routers that support NAT-PT require DNS-ALG support to convert IPv4 to IPv6.

The NAT-PT mechanism defines three different types of operations:

Static NAT-PT

Static NAT-PT mode is mainly a one-to-one mapping. Nodes on the IPv6 network that need to access IPv4 networks must be configured on the NAT-PT device. Each destination IPv4 address is mapped to an IPv6 address carrying a predefined NAT-PT prefix on the NAT-PT device.

Dynamic NAT-PT

Dynamic mode also provides one-to-one mapping, but it draws from an IPv4 address pool, and the number of IPv4 addresses in the pool determines the maximum number of concurrent IPv6-to-IPv4 translations.

NAPT-PT

Network Address Port Translation with Protocol Translation mode provides a many-to-one dynamic mapping between multiple IPv6 addresses carrying the NAT-PT prefix and a single source IPv4 address.
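To make the static and dynamic modes tangible, here is an added Python example (not from the original article) covering both: the static side embeds each IPv4 destination in the low 32 bits of a /96 NAT-PT prefix, so every IPv4 server has a fixed IPv6 name; the dynamic side hands IPv6 source hosts an address from a small IPv4 pool and refuses further translations once the pool is exhausted. The prefix 2001:db8:46::/96, the pool 203.0.113.1-2, and the IPv6 host addresses are constructed documentation values, not anything from the page.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Assumption: a documentation prefix stands in for the configured NAT-PT prefix.
NATPT_PREFIX = ipaddress.IPv6Network("2001:db8:46::/96")


def ipv4_to_prefixed_ipv6(ipv4: str) -> ipaddress.IPv6Address:
    """Static NAT-PT view of an IPv4 destination: prefix + 32-bit IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(NATPT_PREFIX.network_address) | v4)


def prefixed_ipv6_to_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Reverse of the above. Returns None for addresses outside the prefix,
    i.e. destinations that are native IPv6 and need no translation."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in NATPT_PREFIX:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


class DynamicNatPt:
    """Dynamic NAT-PT: one-to-one mapping of IPv6 sources onto an IPv4 pool.
    The pool size bounds the number of concurrent translations."""

    def __init__(self, pool: Iterable[str]) -> None:
        self.free: List[ipaddress.IPv4Address] = [ipaddress.IPv4Address(a) for a in pool]
        self.active: Dict[ipaddress.IPv6Address, ipaddress.IPv4Address] = {}

    def translate_source(self, src6: str) -> Optional[ipaddress.IPv4Address]:
        """Return the IPv4 source to write into the translated header, or None
        when every pool address is already in use."""
        src = ipaddress.IPv6Address(src6)
        if src in self.active:
            return self.active[src]
        if not self.free:
            return None  # pool exhausted: the session cannot be translated
        v4 = self.free.pop(0)
        self.active[src] = v4
        return v4

    def release(self, src6: str) -> None:
        """Session ended: hand the IPv4 address back to the pool."""
        v4 = self.active.pop(ipaddress.IPv6Address(src6), None)
        if v4 is not None:
            self.free.append(v4)


if __name__ == "__main__":
    # static mode: the server 122.122.122.122 from the text seen from IPv6
    name6 = ipv4_to_prefixed_ipv6("122.122.122.122")
    print("IPv6 name of the IPv4 server:", name6)
    print("back to IPv4:", prefixed_ipv6_to_ipv4(str(name6)))
    # dynamic mode with a constructed two-address pool
    natpt = DynamicNatPt(["203.0.113.1", "203.0.113.2"])
    for host in ("2001:db8:1::a", "2001:db8:1::b", "2001:db8:1::c"):
        print(host, "->", natpt.translate_source(host))
```

The exhaustion case is the operational point: a /96 prefix gives every IPv4 destination a name for free, but the dynamic pool is a hard cap on simultaneous IPv6-to-IPv4 sessions, which is exactly the limit NAPT-PT removes by sharing one IPv4 address across many ports.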

Potential problems with NAT

So far we can conclude that the translation table is the most critical component of NAT (NAPT) in the router. Over-reliance on the translation table can cause the following problems:

  • NAT cannot establish a connection initiated from an external server to an internal server.
  • Generating translation tables has some overhead.
  • If the NAT router has to be restarted because of an exception, all TCP connections are lost.
  • Even after disaster recovery, the TCP connections remain disconnected.

So how to solve these problems?

The first is to upgrade directly to IPv6: the number of IP addresses available in an IPv6 environment is so much larger that, for now, address consumption no longer matters however you build the network. Another solution is a technique called NAT traversal.

The application of NAT

NAT provides the following functions: packet masquerading, load balancing, port forwarding, and transparent proxying.

  • Packet masquerading: the address information in packets from the intranet is rewritten to a single, unified external address, so that intranet hosts are not exposed on the Internet, which protects them. This function is also commonly used to implement shared Internet access: when an intranet host accesses the Internet, the global address replaces the private address, hiding the intranet topology.
  • Load balancing: destination address translation NAT can redirect connections destined for some servers to other, randomly selected servers.
  • Port forwarding: when an intranet host provides a service externally, it uses an internal private IP address, which the external network cannot reach. Port forwarding is therefore configured on the gateway to forward packets for specific services to the intranet host.
  • Transparent proxy: for example, if a server runs out of space, some links need to be directed to the space of another server; or a computer does not have IIS installed but its content should be accessible to users. In such cases IIS website redirection makes this easy.
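Port forwarding and NAT-based load balancing are both destination address translation on the gateway, so one small table serves both. The following Python code is an added example and not part of the original article: a rule maps a public (IP, port) to one internal backend (port forwarding) or to several (load balancing); without a rule, inbound packets to the public address are dropped, which is what keeps internal hosts unreachable by default. The backends are chosen round-robin here rather than randomly, purely so the result is deterministic; the public address 12.34.56.78 is the one from the text, and the internal backend addresses are constructed.

```python
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Iterator, Optional, Tuple

PUBLIC_IP = "12.34.56.78"  # public address of the gateway, as in the text

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DestinationNat:
    """Destination NAT on the gateway: public (ip, port) -> internal backend(s)."""

    def __init__(self) -> None:
        # public endpoint -> round-robin iterator over internal endpoints
        self.rules: Dict[Endpoint, Iterator[Endpoint]] = {}

    def forward(self, public_port: int, backends: Iterable[Endpoint]) -> None:
        """One backend = plain port forwarding; several = load balancing.
        Round-robin is an assumption of this example; the text says random."""
        targets = list(backends)
        if not targets:
            raise ValueError("a forwarding rule needs at least one backend")
        self.rules[(PUBLIC_IP, public_port)] = itertools.cycle(targets)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination to an internal host, or drop (None) when
        no rule exists so private hosts are never exposed by accident."""
        rule = self.rules.get((pkt.dst_ip, pkt.dst_port))
        if rule is None:
            return None
        ip, port = next(rule)
        return replace(pkt, dst_ip=ip, dst_port=port)


if __name__ == "__main__":
    gw = DestinationNat()
    gw.forward(443, [("192.168.1.10", 8443)])                          # port forwarding
    gw.forward(80, [("192.168.1.20", 80), ("192.168.1.21", 80)])       # load balancing
    for dport in (443, 80, 80, 22):
        out = gw.inbound(Packet("203.0.113.9", 51000, PUBLIC_IP, dport))
        print(f"to :{dport} ->", None if out is None else (out.dst_ip, out.dst_port))
```

Every forwarded port is a deliberate hole in the masquerading described in the first bullet, so the rule table is the place to review when checking what an intranet exposes.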

The meaning of using NAT

NAT (NAPT) was originally developed to address IPv4 address exhaustion. With the development of IPv6, NAT is also used in IPv6 networks to improve network security, and NAT-PT is often used for communication between IPv4 and IPv6. However, IPv4 is also a potential threat in terms of its security mechanism and a challenge in configuration and management. To solve the IP address resource problem fundamentally, IPv6 is the most fundamental way forward.


If this article helped you, I hope you will like, comment and share it!

In addition, I have compiled a networking PDF myself and now share it with you. You can get it by replying “Network” to my WeChat official account “Programmer Cxuan”!