IP address conservation

  • An IPv4 address contains 4 octets
    • 8 * 4 = 32 bits
    • 2^32 = ~ 4.2 billion addresses
  • World population currently ~ 7 billion
  • We need to conserve IP addresses
  • Private IPv4 addresses are defined in RFC 1918
    • 10.0.0.0/8 : range of 10.#.#.#
    • 172.16.0.0/12 : range of 172.[16-31].#.#
    • 192.168.0.0/16 : range of 192.168.#.#
  • Private IP addresses can be reused infinitely, anywhere
  • The remaining IP addresses are known as Public IP addresses
  • NAT translates Private IP addresses into unique Public IP addresses
  • Any communication on the internet must be from a public IP to a public IP
    • Any traffic that includes a private IP will be dropped

Packet

  • Data
  • L4 header — Port
  • L3 header — IP

NAT

  • Network Address Translation
  • RFC terminology: “Basic NAT”
  • Only modifies the Layer-3 header
  • Hence modifies only the IP address
  • who can do NAT?
    • routers
    • firewalls
    • load balancers
    • servers

PAT

  • Port address translation
  • RFC Terminology: “NAPT” - Network Address Port Translation
  • Modifies both the Layer-3 and the Layer-4 header
  • Hence modifies IP address + Port
  • In home routers, this is what is referred to as “NAT”

Translation

  • Outbound Packet: Source is translated
  • Inbound Packet: Destination is translated

Static Translation

  • Explicit mapping between PRE-translation and POST-translation defined by admin
  • Example: Translate 10.6.6.61 to 72.9.4.11
  • Host → Router → Internet
    • 10.6.6.61 → 72.9.4.11
  • Internet → Router → Host
    • 72.9.4.11 → 10.6.6.61

Dynamic Translation

  • PRE-translation attributes defined by admin
  • POST-translation attributes selected by translation device
  • We cannot know ahead of time which IP will be assigned to which host
  • Example:
    • Translate anything in 10.6.6.0/24 to 72.9.4.22, 72.9.4.23, or 72.9.4.24
    • One of the 3 IPs is selected for translation for any host
  • Host → Router → Internet
    • 10.6.6.61 → 72.9.4.23 (chosen dynamically)
  • Internet → Router → Host
    • 72.9.4.23 → 10.6.6.61

Static NAT

  • Explicit mapping between an IP address and another IP address
  • It makes internal resources externally accessible
  • It is Bidirectional
  • It does not conserve any IP addresses
  • Example:
    • 10.2.2.33 → 73.8.2.33

Static PAT

  • Explicit mapping between an IP:Port and another IP:Port
  • It makes internal resource ports externally accessible
  • It is Bidirectional
  • Facilitates use of non-standard ports: an internal service on non-standard port 8080 can be translated to standard port 80 on the public IP
  • It can conserve IP addresses
    • Multiple Servers can use one Public IP Address
  • Example:
    • 10.4.4.41:8080 → 73.8.2.44:80
    • 10.4.4.42:443 → 73.8.2.44:443

Dynamic PAT

  • Device determines the actual post-translation IP Address and Port
  • The original source port is chosen (effectively randomly) by the host, as in any usual request
    • It is possible for two hosts to use the same source port in their requests
  • The translated source port is chosen by the router
    • It is guaranteed to be unique; otherwise the response flow could not be mapped back to the correct host
    • max concurrent connections = ~65000
  • Dynamic PAT is Unidirectional - traffic must be initiated from Inside
    • Dynamic PAT can be combined with Static PAT to allow Bidirectional flow
  • Allows many hosts with Private IPs to share one Public IP
    • Sometimes referred to as “Many to One” or “One to Many”
  • Greatest potential for IP Address conservation
  • Example
    • 10.6.6.0/24 — 32.8.2.66
    • Host — Internet
      • 10.6.6.61:2222 — 32.8.2.66:7777
      • 10.6.6.62:3333 — 32.8.2.66:8888
      • 10.6.6.63:3333 — 32.8.2.66:9999
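The Dynamic PAT behaviour above (two inside hosts using the same source port 3333, unique translated ports, and unsolicited inbound traffic being dropped), as an added simulation that is not part of the original notes. The public IP and host addresses are taken from the notes' example; the port pool bounds and the 203.0.113.x remote address are constructed.

```python
# Added example (not from the original notes): a minimal Dynamic PAT table.
# Inside hosts share one public IP; the translator allocates a unique
# translated source port per flow so replies map back to the right host,
# and drops inbound packets with no existing entry (Dynamic PAT is
# unidirectional: flows must be initiated from Inside).
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "32.8.2.66"   # public IP from the notes' Dynamic PAT example

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class DynamicPAT:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port          # constructed pool bounds
        self.last_port = last_port
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> translated port
        self.inbound = {}    # translated port -> (src_ip, src_port)

    def _allocate_port(self) -> int:
        # Translated ports must be unique; the pool size (~64k) caps concurrent flows.
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:           # first packet of a new flow
            port = self._allocate_port()
            self.outbound[key] = port
            self.inbound[port] = (pkt.src_ip, pkt.src_port)
        # Outbound: only the source IP:port is rewritten.
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        # Inbound: the destination port selects the table entry. No entry
        # means the packet was not solicited from Inside, so it is dropped.
        entry = self.inbound.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        src_ip, src_port = entry
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)
```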

Dynamic NAT

  • Device determines the actual post-translation IP Address
  • It is Bidirectional while the connection is active
  • Only a fixed number of concurrent active connections is possible (one per IP in the pool)
  • Not used in the industry
    • Non-deterministic IP assignments
    • Inconsistent connectivity
  • Example
    • 10.7.7.0/24 will share 54.5.4.1 through 54.5.4.3
    • Host → Internet
      • 10.7.7.71:1111 → 54.5.4.1:1111
      • 10.7.7.72:2222 → 54.5.4.2:2222
      • 10.7.7.73:3333 → 54.5.4.3:3333
      • 10.7.7.74:4444 → Not possible, no IP is available for translation

Policy NAT

  • So far, the translation decision was based on matching only the Source
  • In Policy NAT, the translation decision is based on matching both Source and Destination
  • Static NAT, Dynamic NAT, Dynamic PAT, Static PAT can then be applied
  • Example
    • If source is 10.6.6.0/24 and destination is 45.5.4.9
      • Dynamic PAT source to 32.8.2.77
    • If source is 10.6.6.0/24
      • Dynamic PAT source to 32.8.2.66
    • Host — Internet
      • 10.6.6.61:2222 — 32.8.2.77:8888
      • 10.6.6.62:3333 — 32.8.2.66:9999

Twice NAT

  • So far, translation happened only on the source
  • In Twice NAT, both the source and the destination are translated
  • Static NAT, Dynamic NAT, Dynamic PAT, Static PAT can then be applied
  • Packets are typically matched by Source and Destination
    • Hence it is also Policy NAT
  • Example
    • Change Google DNS 8.8.8.8 to Corporate DNS 32.9.1.8
    • If source is 10.6.6.0/24 and destination is 8.8.8.8
      • Dynamic PAT source to 32.8.2.55
      • Static NAT destination to 32.9.1.8
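The Policy NAT and Twice NAT rule lookups above, as an added example that is not part of the original notes: rules match on source subnet and optionally on destination, the first matching rule wins, and a rule may rewrite the source (Dynamic PAT, port allocation omitted here) and statically rewrite the destination. The rule list is constructed from the notes' examples; `Rule`, `translate` and the 203.0.113.x address are assumptions.

```python
# Added example (not from the original notes): first-match Policy NAT /
# Twice NAT rule evaluation. Only the IP rewrite is shown; the Dynamic PAT
# port allocation for the source side is omitted.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    src_net: str                         # pre-translation source subnet
    dst_ip: Optional[str] = None         # None = match any destination
    pat_src_to: Optional[str] = None     # Dynamic PAT: post-translation source IP
    static_dst_to: Optional[str] = None  # Twice NAT: static post-translation destination

    def matches(self, src: str, dst: str) -> bool:
        in_net = ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
        return in_net and (self.dst_ip is None or self.dst_ip == dst)

# Constructed policy from the notes' examples. Order matters: the specific
# (source AND destination) rules must precede the source-only catch-all.
RULES = [
    Rule("10.6.6.0/24", dst_ip="8.8.8.8", pat_src_to="32.8.2.55", static_dst_to="32.9.1.8"),
    Rule("10.6.6.0/24", dst_ip="45.5.4.9", pat_src_to="32.8.2.77"),
    Rule("10.6.6.0/24", pat_src_to="32.8.2.66"),
]

def translate(src: str, dst: str, rules=RULES) -> Optional[Tuple[str, str]]:
    """Return (translated_src, translated_dst) from the first matching rule,
    or None when no rule matches (the packet is left untranslated)."""
    for rule in rules:
        if rule.matches(src, dst):
            new_src = rule.pat_src_to or src       # source rewritten (PAT)
            new_dst = rule.static_dst_to or dst    # destination rewritten (Twice NAT)
            return new_src, new_dst
    return None
```

Reversing the rule order in the test shows how a catch-all listed first silently shadows the more specific rule, so the Google DNS redirect never fires.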

Port Forwarding

  • aka Port Mapping, Hole Punching
  • In Static NAT, all ports are allowed
  • In Static PAT, only designated ports are allowed
  • This is known as Port Forwarding

Home Router configuration?

  • Check your own home router to find the config