A brief analysis of the application of NAT technology in cloud gateway


Labs Guide

With the growth of network applications and home devices, IPv4 address exhaustion is becoming more and more serious. Although IPv6 can fundamentally solve the shortage of IPv4 address space, many network devices and applications are still based on IPv4. Therefore, until IPv6 is widely deployed, transition technologies (such as CIDR and private network addresses) remain the main way to address the problem.

Part 01: Introduction to NAT Technology

NAT (Network Address Translation) is the process of converting an IP address in the IP datagram header into another IP address. In practice, NAT is mainly used to let private networks access the public network. Representing a large number of private IP addresses with a small number of public IP addresses helps slow the exhaustion of the available IP address space.

(I) Types of NAT

Depending on whether the source address or the destination address of a message is translated, NAT is divided into source NAT, destination NAT and bidirectional NAT. The three types are introduced below.

1. Source NAT

Source NAT translates only the source address of a message and is mainly used where private network users access the public network. When a private network host accesses the Internet, its messages reach the NAT device, which translates the private IPv4 address into a public IPv4 address through source NAT, so that the private network user can access the Internet normally.

2. Destination NAT

Destination NAT translates only the destination address and destination port number of a message and is mainly used where public network users access services in the private network. When a message from a public network host reaches the NAT device, the device translates the public IPv4 address into a private IPv4 address through destination NAT, so that public network users can reach the private network service through a public address.

3. Bidirectional NAT

Bidirectional NAT translates both the source and the destination information of a message. It is not a separate function but a combination of source NAT and destination NAT: for the same flow passing through the device, both the source and the destination address are translated. It is mainly used where external network users and private network users access internal servers at the same time.

(II) Special protocols supported by NAT

NAT not only implements general address translation but also provides a complete ALG (Application Layer Gateway) mechanism, which supports special application protocols without any modification to the NAT platform and scales well. The payload of these protocols carries address or port information that may also need to be translated. The supported special protocols include: FTP (File Transfer Protocol), PPTP (Point-to-Point Tunneling Protocol), ICMP (Internet Control Message Protocol), DNS (Domain Name System), ILS (Internet Locator Service), RTSP (Real Time Streaming Protocol), H.323, SIP (Session Initiation Protocol), NetMeeting 3.01, NBT (NetBIOS over TCP/IP, a network basic input and output system based on TCP/IP), etc.
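The payload rewrite an FTP ALG performs, as an added example that is not code from the article or any NAT product: the PORT command carries the client's private address and port as six decimal bytes, which header-only NAT would leave untranslated. All addresses and ports are constructed.

```python
"""Added example: FTP ALG rewrite of the PORT command payload (constructed data)."""
import re
from typing import Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2  ->  address h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(cmd: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from an FTP PORT command, or None if it is malformed."""
    m = PORT_RE.match(cmd)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None                     # every field must fit in one byte
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def build_port(ip: str, port: int) -> bytes:
    """Encode ip:port back into PORT command syntax."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


def alg_rewrite(cmd: bytes, private_ip: str, nat_ip: str, nat_port: int):
    """Rewrite a PORT command sent from private_ip so the server connects to nat_ip:nat_port.

    Returns (new_command, seq_delta, data_mapping). seq_delta is the change in
    payload length that the NAT must add to later TCP sequence numbers on this
    control connection; data_mapping is the inbound mapping the NAT must create
    in advance so the server's data connection to nat_ip:nat_port reaches the client.
    """
    parsed = parse_port(cmd)
    if parsed is None or parsed[0] != private_ip:
        return cmd, 0, None             # not a PORT command for this client: forward unchanged
    client_port = parsed[1]
    new_cmd = build_port(nat_ip, nat_port)
    mapping = ((nat_ip, nat_port), (private_ip, client_port))
    return new_cmd, len(new_cmd) - len(cmd), mapping
```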

(III) NAT log

A NAT log is system information generated by a NAT device when it performs a translation. Each record includes the source IP address, source port, destination IP address, destination port, translated source IP address, translated source port and the operation performed by the user. It records only intranet users' access to the external network, not external users' access to intranet servers. When intranet users reach the external network through a NAT device, multiple users share one external address, so the address alone cannot identify which user made a connection. The log function tracks and records intranet users' external access in real time and thus strengthens the security of the network.

Part 02: Application of NAT Technology in Cloud Gateway

China Mobile is currently promoting the research, development and deployment of cloud gateways. One solution deploys the cloud gateway as a network element behind the BRAS on the mobile cloud.

As shown in Figure 1, the network architecture uses VXLAN tunnels to carry and terminate user messages. Each white box gateway (ONU) creates a VXLAN tunnel to the cloud gateway and is assigned a unique VNI identifier. The terminal's message is encapsulated in the VXLAN tunnel at the white box gateway (ONU) and forwarded to the cloud gateway, which decapsulates it to obtain the inner original message and processes it according to its type. The cloud gateway architecture moves most of the control plane functions and value-added services of the traditional home gateway to the cloud gateway system behind the BRAS for unified processing.

In simple terms, the user Internet access process in the cloud gateway scenario is:

1. The white box gateway initiates PPPoE dial-up and obtains an IP address that can access the Internet from the BRAS;

2. Using the IP obtained through PPPoE dial-up as the local IP and the pre-assigned VNI value, the white box gateway creates a VXLAN tunnel to the cloud gateway;

3. The user terminal (such as a mobile phone or PC) initiates a DHCP request, which is encapsulated by the white box gateway and forwarded to the cloud gateway over the VXLAN tunnel. The cloud gateway decapsulates the VXLAN message and passes the original message transparently to the cloud gateway control plane, where the DHCP server assigns an intranet address to the terminal.

4. The terminal user accesses the Internet normally (including DNS), and the message reaches the cloud gateway, which determines whether the value-added service has been subscribed based on the policy:

(4.1) For non-value-added service users, use public network IP for NAT and perform public network offloading and forwarding;

(4.2) For users of value-added services, the messages are sent to the service server for subsequent processing based on the specific services ordered, such as discarding, accelerating or re-injecting the messages.

The cloud gateway uses NAT in two main scenarios:

  • The cloud gateway directs traffic to the business server. The cloud gateway performs source NAT based on the user's VXLAN ID (VNI), converting the source IP and source port to source IP and source port identifiable by the business server.
  • The cloud gateway offloads to the public network. The cloud gateway performs source NAT based on the public IP of the offload network port, converting the source IP and source port to the public IP and port.
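A minimal model of the two source NAT scenarios above, together with the NAT log described in Part 01, as an added example that is not code from the article or from the cloud gateway itself: translations are keyed by VNI so that two homes reusing the same private address stay distinguishable, and every created mapping produces a log record that maps the shared translated address back to a user. Class and field names, addresses and the port allocation policy are assumptions.

```python
"""Added example: VNI-keyed source NAT (port-translating) with a NAT log. Constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Translation:
    vni: int          # VXLAN tunnel of the home gateway the terminal sits behind
    src_ip: str       # private address of the terminal
    src_port: int
    proto: str
    nat_ip: str       # translated address: public IP of the offload port, or server-facing IP
    nat_port: int


class SourceNat:
    """Maps (VNI, private ip, port, proto) to (nat_ip, nat_port) and back."""

    def __init__(self, nat_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.nat_ip = nat_ip
        self.next_port = first_port   # sequential here for determinism; real devices randomise
        self.last_port = last_port
        self.outbound: Dict[Tuple[int, str, int, str], Translation] = {}
        self.inbound: Dict[Tuple[int, str], Translation] = {}
        self.log: List[str] = []      # the NAT log: one record per created mapping

    def translate_out(self, vni: int, src_ip: str, src_port: int, proto: str) -> Translation:
        """Outbound message from a terminal: reuse its mapping or allocate a new one."""
        key = (vni, src_ip, src_port, proto)
        t = self.outbound.get(key)
        if t is None:
            if self.next_port > self.last_port:
                raise RuntimeError("NAT port pool exhausted")
            t = Translation(vni, src_ip, src_port, proto, self.nat_ip, self.next_port)
            self.next_port += 1
            self.outbound[key] = t
            self.inbound[(t.nat_port, proto)] = t
            # Without this record the shared nat_ip cannot be traced back to a user.
            self.log.append(
                f"NAT_CREATE vni={vni} {proto} {src_ip}:{src_port} -> {self.nat_ip}:{t.nat_port}"
            )
        return t

    def translate_in(self, nat_port: int, proto: str) -> Optional[Translation]:
        """Return message addressed to nat_ip:nat_port: find the terminal it belongs to."""
        return self.inbound.get((nat_port, proto))
```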

Part 03: Summary

The NAT function can be deployed on network hardware such as routers, firewalls and core layer 3 switches, or on software proxy servers. When NAT is deployed on network hardware it processes traffic quickly and offers higher security, which suits large and medium-sized enterprises; when deployed on software proxy servers it is cheaper but translates more slowly, which suits small enterprises. At present, China Mobile Smart Home Operation Center has completed the in-house development of cloud gateways based on NAT technology and has completed pilot deployments in many provinces, forming a complete end-to-end solution.
