- 1.1 Opinions, Products
- 1.2 Roadmap to the Book
- 1.3 Terminology
- 1.4 Notation
- 1.5 Cryptographically Protected Sessions
- 1.6 Active and Passive Attacks
- 1.7 Legal Issues
- 1.8 Some Network Basics
- 1.9 Names for Humans
- 1.10 Authentication and Authorization
- 1.11 Malware: Viruses, Worms, Trojan Horses
- 1.12 Security Gateway
- 1.13 Denial-of-Service (DoS) Attacks
- 1.14 NAT (Network Address Translation)
1.14 NAT (Network Address Translation)
NAT was designed, out of necessity, because IPv4 addresses were too small (four bytes) to give unique addresses to every node on the Internet. With NAT, a piece of the Internet (say a corporate network) can use IP addresses that are not globally unique, and, in fact, these addresses are reused in many other networks. This means that a node inside such a network cannot be contacted from outside that network. However, if the security gateway provides NAT functionality, it will have a pool of globally unique IP addresses that can be assigned as needed.
The NAT box will almost certainly not have a large enough pool of IP addresses to give a globally reachable IP address to every internal node communicating with outside nodes. So the NAT box translates the TCP or UDP port as well. A NAT implementation might therefore keep a mapping from 〈internal IP, internal port〉 to 〈external IP, external port〉. When internal node Alice sends a packet to external destination Bob, the NAT box replaces the source IP and port with the external IP and port from the NAT box’s table. Likewise, when packets arrive from Bob for Alice’s assigned external 〈IP, port〉, the NAT box replaces the destination fields in Bob’s packet with Alice’s internal IP and port before forwarding the packet on the internal network.
There is something of a security problem with this approach if the NAT box simply translates tuples of 〈IP address, port〉. Suppose Alice starts a connection to Bob, and the NAT box then creates an entry to translate Alice’s internal address and port to, for instance, the globally reachable tuple 〈IPAlice, PortAlice〉. If the NAT box will forward anything to Alice that is addressed to Alice’s temporarily assigned global address and port, then any node on the Internet could send a packet to Alice by addressing it to 〈IPAlice, PortAlice〉. Sometimes this is the desired behavior. For example, assume there is a conferencing system. Alice, George, and Carol (all behind NATs) join the conference by contacting the central server, but it is not desirable for all of the conference communication to go through the central server. If the NAT box allows anyone that knows Alice’s temporary global address to contact Alice, then the conference coordinator can tell all of the members the other members’ global addresses, and they can then communicate directly with each other.
If only the node that Alice initiated a connection to should be able to reach Alice, then the NAT box must keep a mapping from 4-tuples to 〈external IP, port〉 pairs. For example, if Alice, at internal IP=a, internal port=p, initiates a connection to external Bob, at IP address=B, port=PB, the NAT box might assign Alice, for this connection, the external address and port 〈IPA, PortA〉. The NAT table includes Bob’s address in the mapping, and only allows packets from Bob’s address and port to be forwarded to Alice. So the NAT entry would be a six-tuple 〈B, PB, IPA, PortA, a, p〉, meaning that only packets from Bob (at 〈B, PB〉) addressed to 〈IPA, PortA〉 are translated and forwarded to Alice.
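The two NAT table designs described above (translating on 〈IP, port〉 alone versus keeping the full six-tuple) can be contrasted in a small simulation. The following Python is an added example, not code from the book; the addresses, port range, and class and method names are constructed for the illustration. It builds a NAT table in each mode, lets internal node Alice open a connection to Bob, and then checks whether Bob’s reply and an unsolicited packet from a third node are forwarded to Alice.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

# Constructed: the single globally unique address in the NAT box's pool.
EXTERNAL_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Toy NAT table (hypothetical class, not a real implementation).

    endpoint_dependent=False: inbound packets are matched on the external
    port only, so any Internet node that learns <IPA, PortA> reaches Alice.
    endpoint_dependent=True: the entry is the six-tuple <B, PB, IPA, PortA, a, p>
    from the text, so only Bob's address and port are translated back.
    """

    def __init__(self, endpoint_dependent: bool) -> None:
        self.endpoint_dependent = endpoint_dependent
        self._next_port = count(40000)          # constructed external port range
        self._out: Dict[tuple, int] = {}        # outbound key -> external port
        self._in: Dict[tuple, Tuple[str, int]] = {}  # inbound key -> (a, p)

    def _out_key(self, pkt: Packet) -> tuple:
        if self.endpoint_dependent:
            # Separate mapping per <a, p, B, PB>; a new destination gets a new port.
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.src_ip, pkt.src_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an internal -> external packet."""
        key = self._out_key(pkt)
        if key not in self._out:
            ext_port = next(self._next_port)
            self._out[key] = ext_port
            if self.endpoint_dependent:
                self._in[(pkt.dst_ip, pkt.dst_port, ext_port)] = (pkt.src_ip, pkt.src_port)
            else:
                self._in[(ext_port,)] = (pkt.src_ip, pkt.src_port)
        return Packet(EXTERNAL_IP, self._out[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of an external -> internal packet, or drop it."""
        if pkt.dst_ip != EXTERNAL_IP:
            return None
        if self.endpoint_dependent:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        else:
            key = (pkt.dst_port,)
        entry = self._in.get(key)
        if entry is None:
            return None  # no matching table entry: the packet is dropped
        internal_ip, internal_port = entry
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)


def demo(endpoint_dependent: bool) -> Tuple[bool, bool]:
    """Return (Bob's reply forwarded?, stranger's packet forwarded?)."""
    nat = Nat(endpoint_dependent)
    alice_to_bob = Packet("10.0.0.5", 5000, "198.51.100.7", 443)  # constructed
    outbound = nat.translate_outbound(alice_to_bob)
    reply = Packet("198.51.100.7", 443, EXTERNAL_IP, outbound.src_port)
    stranger = Packet("192.0.2.99", 1234, EXTERNAL_IP, outbound.src_port)
    return (nat.translate_inbound(reply) is not None,
            nat.translate_inbound(stranger) is not None)


def second_destination_port(endpoint_dependent: bool) -> Tuple[int, int]:
    """External ports Alice gets for two different destinations."""
    nat = Nat(endpoint_dependent)
    p1 = nat.translate_outbound(Packet("10.0.0.5", 5000, "198.51.100.7", 443)).src_port
    p2 = nat.translate_outbound(Packet("10.0.0.5", 5000, "198.51.100.8", 443)).src_port
    return p1, p2


if __name__ == "__main__":
    print("port-only table:   ", demo(False))   # reply and stranger both forwarded
    print("six-tuple table:   ", demo(True))    # only Bob's reply forwarded
```

In the port-only mode the same 〈IPA, PortA〉 is reused for every destination Alice talks to, which is exactly what the conferencing scenario relies on; in the six-tuple mode each destination gets its own mapping and the stranger’s packet never reaches the internal network.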
Another fortuitous use of NATs is for all the devices inside a home to have the same IP address. This is useful because some ISPs (Internet Service Providers) charged for Internet connectivity per device, and the NAT box made it appear to the ISP as if there were only a single device in the house. The ISP’s answer to this threat to their pricing model was to include in the 74-page EULA (end user license agreement) that everyone has to click on (but nobody reads), an agreement by the user not to use a NAT box. Now, if an actual human read the 74-page agreement, they would most likely think “What’s a NAT box?”
1.14.1 Summary
These are the main concepts in the Internet. We will give more details about these as they come up in the book.
The Internet has evolved from the original design, and the design was never the only or best way to design a network, but the industry has made it work. An analogy is the English language. It might be overly complicated, with all the spelling and grammar exceptions, but it does the job. And each year some mysterious panel of people decides which new words should officially be added to English, and how the grammar rules should change.
The same holds for the Internet. If there is anything it can’t do, at least so far, the world has figured out how to evolve the Internet to do what is needed.