Let's talk about NAT protocol

Hey everyone, this is cxuan. Today we are going to talk about what the NAT protocol is.

What is NAT protocol?

If our computer wants to access information on the Internet, it needs an address, and this address is recognized by everyone (other hosts) and is public. This address is also called a public IP address.

In contrast, in addition to public IP addresses, there are also private IP addresses. Private IP addresses are the addresses we use in private networks, such as local area networks or internal company networks. I don't know if you have ever observed the IP addresses assigned by your router. When you log in to the router's gateway 192.168.1.1, you will generally see some IP addresses under the assigned network, all of which are 192.168.1.x. This type of address is a private IP address.

So now there is a problem. For example, if cxuan's private IP address is 192.168.1.3, and the IP address of cxuanxi next door is also 192.168.1.3, then when they are surfing the Internet at the same time, won't there be an IP conflict? Or will the content cxuan browses be delivered to cxuanxi?

There is no need to worry about this problem, because we have a very reliable helper: NAT (Network Address Translator). When our computer is connected to the Internet, NAT converts our private address into a public IP address on the Internet. Let's learn about this protocol and its working mechanism.

We can now give a definition of the NAT protocol: NAT is a technology that converts the private addresses used in local networks into public IP addresses when connecting to the Internet. In fact, it is not only the IP address that is converted, but also the TCP and UDP port numbers; in that case the technology is called NAPT (Network Address Port Translation). Usually, what we call NAT actually refers to NAPT.

How NAT works

Next, let's talk about the specific working mechanism of NAT, as shown in the following figure.

Client A (IP 192.168.1.6) in the private network wants to send a data packet to the server (IP 122.122.122.122) in the public network. When the data packet passes through the NAT router, its private IP 192.168.1.6 is converted to the public IP 12.34.56.78. Then the source address of the data packet becomes 12.34.56.78, and it is sent to the target server with IP 122.122.122.122 via the Internet.

A NAT router is actually equivalent to NAT software installed on a router. A router equipped with NAT software is called a NAT router.

NAT routers can not only convert private IPs to public IPs, but also convert public IPs to private IPs. This conversion is bidirectional.

Taking the above picture as an example, it means that the server 122.122.122.122 sends a data packet, which is sent to the NAT router via the Internet. The NAT router converts it into a data packet with a destination address of 192.168.1.6, and then sends it to client A.

Here is a question. In this case the server is the one sending the data packet. How does the NAT router convert the packet's public destination address into a private IP address?

As we mentioned in the quote above, a NAT router is actually NAT software installed on a router, so a NAT router itself is a router device, and a router has a routing table that records some source and destination address items, and data packets are routed and forwarded based on these items.

(We can use netstat -nr to display routing table information)

Similarly, there is a table inside the NAT router that records the converted addresses, and this is what makes the reverse conversion possible. When the NAT router performs address conversion, it processes each packet according to the mapping relationships in this table.

The above is just the case where a single client performs NAT conversion. In real life, however, it is never only one client communicating in our private network. So when all clients in the private network need to access the Internet and perform NAT conversion, will the NAT router allocate a public IP address for each client? If private networks around the world were converted in this way, the supply of public IP addresses would inevitably be under great pressure.

To address this situation, a method of using both IP address and port number translation (NAPT) is proposed, as shown in the following figure.

The general process is the same as the NAT conversion mode above. The difference is that with NAPT the source addresses of client A's and client B's data packets, 192.168.1.6:80 and 192.168.1.7:80, are converted to 12.34.56.78:80 and 12.34.56.78:90 respectively, and then sent to the target server. During the conversion process, the NAT router generates a translation table that maps each combination of address and port correctly, so that client A and client B can both communicate with the server.

The translation table is generated automatically on the NAT router. When TCP starts to establish a connection, the corresponding mapping is created; when the connection is closed, the corresponding mapping is deleted.
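To make the translation table concrete, here is an added simulation of a NAPT router (example code written for this article, not part of the original post or of any router's software). It uses the addresses from the figures above; the port allocation rule (keep the client's own source port if it is free, otherwise take the next unused one) and the table layout are simplifying assumptions. It shows the mapping being created on the first outbound packet, consulted in reverse for the server's reply, deleted when the connection closes, and, for a packet that matches no entry, the router having nothing to translate to.

```python
from dataclasses import dataclass

# Addresses from the article's NAPT example: two private clients, the NAT
# router's public address, and the server on the Internet.
PRIVATE_A = "192.168.1.6"
PRIVATE_B = "192.168.1.7"
PUBLIC_IP = "12.34.56.78"
SERVER_IP = "122.122.122.122"


@dataclass(frozen=True)
class Packet:
    """Only the header fields NAPT looks at: source and destination IP:port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptRouter:
    """Simplified NAPT: one translation table, consulted in both directions."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.used_ports = set()
        # private (ip, port) + remote (ip, port)  ->  public port
        self.outbound = {}
        # public port + remote (ip, port)  ->  private (ip, port)
        self.inbound = {}

    def _allocate_port(self, preferred):
        # Assumed rule: keep the client's own source port when it is free (as in
        # the article, where client A keeps :80); otherwise take the next unused one.
        port = preferred
        while port in self.used_ports:
            port += 1
        self.used_ports.add(port)
        return port

    def translate_outbound(self, pkt):
        """Private -> public: rewrite the source address, creating a mapping if needed."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = self._allocate_port(pkt.src_port)
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Public -> private: rewrite the destination from the table; None means drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            # No private client opened this conversation, so there is no entry
            # to translate it with; the router can only drop the packet.
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def connection_closed(self, pkt):
        """Remove the mapping once the private host's connection is torn down."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.pop(key, None)
        if port is not None:
            del self.inbound[(port, pkt.dst_ip, pkt.dst_port)]
            self.used_ports.discard(port)


if __name__ == "__main__":
    router = NaptRouter(PUBLIC_IP)
    a_out = router.translate_outbound(Packet(PRIVATE_A, 80, SERVER_IP, 80))
    b_out = router.translate_outbound(Packet(PRIVATE_B, 80, SERVER_IP, 80))
    print("A leaves as", a_out)
    print("B leaves as", b_out)
    reply = router.translate_inbound(Packet(SERVER_IP, 80, PUBLIC_IP, b_out.src_port))
    print("server reply to B arrives as", reply)
    print("unsolicited inbound:", router.translate_inbound(Packet(SERVER_IP, 80, PUBLIC_IP, 5000)))
```

Both clients leave the router with the same public IP and differ only in the public port, which is exactly the information the router needs to deliver the server's replies to the right private host. The entry keyed by the remote address as well as the public port means a packet from any other sender, or to any port with no entry, has no translation target.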

What is NAT-PT

The current situation on the Internet is that IPv4 hosts and IPv6 hosts coexist. As the successor to IPv4, IPv6 is being adopted by more and more hosts. However, Rome was not built in a day, and it is unrealistic to expect every computer in the world to shut down for an upgrade on a given day. In addition, many services are based on the IPv4 protocol; if an upgrade to IPv6 broke compatibility with them, there would be no advantage in using IPv6. Therefore, to solve this problem, the NAT-PT specification was created.

NAT-PT is a technology that converts IPv6 headers into IPv4 headers. Through NAT-PT, IPv6 hosts can communicate with IPv4 hosts, and some IPv4 services can also be used by IPv6 hosts.

Note that IPv6 can only be converted to IPv4, not vice versa. So how do we achieve two-way communication?

Routers that support NAT-PT need the support of DNS-ALG to implement the conversion from IPv4 to IPv6.

The NAT-PT mechanism defines the following three different types of operations:

Static NAT-PT

Static NAT-PT mode is mainly one-to-one mapping. The IPv4 network that the node in the IPv6 network wants to access must be set in the NAT-PT device. Each destination IPv4 address is mapped to an IPv6 address with a predefined NAT-PT prefix in the NAT-PT device.

Dynamic NAT-PT

Dynamic mode also provides one-to-one mapping, but this dynamic mode has an IPv4 address pool. The number of IPv4 addresses in the pool determines the maximum number of concurrent IPv6 to IPv4 conversions.

NAPT-PT

Network Address Port Translation - Protocol Translation mode provides a many-to-one dynamic mapping between multiple IPv6 addresses carrying the NAT-PT prefix and a single source IPv4 address.
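The static and dynamic modes above can be illustrated with a short added example (written for this article; it is not code from the original post or from any NAT-PT implementation). The prefix 2001:db8:6464::/96 is an assumed value from the IPv6 documentation range, and the IPv4 pool addresses are constructed. The static part maps an IPv4 address to and from an IPv6 address formed from the prefix; the dynamic part shows the pool size capping the number of concurrent IPv6-to-IPv4 translations, as the text states.

```python
import ipaddress

# Assumed NAT-PT prefix for the example (2001:db8::/32 is reserved for
# documentation, so this is a constructed value, not one from the article).
NAT_PT_PREFIX = ipaddress.IPv6Network("2001:db8:6464::/96")


def ipv4_to_prefixed_ipv6(ipv4, prefix=NAT_PT_PREFIX):
    """Static NAT-PT view: place the 32-bit IPv4 address in the low 32 bits of the prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("a /96 prefix is needed to leave exactly 32 bits for IPv4")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def prefixed_ipv6_to_ipv4(ipv6, prefix=NAT_PT_PREFIX):
    """Reverse direction: recover the IPv4 address, or None if the address is outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


class DynamicNatPtPool:
    """Dynamic NAT-PT: each active IPv6 host borrows one IPv4 address from a finite pool."""

    def __init__(self, pool):
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.active = {}  # IPv6 source address -> IPv4 address it currently holds

    def translate(self, ipv6_src):
        """Return the IPv4 address for this IPv6 host, or None when the pool is exhausted."""
        src = ipaddress.IPv6Address(ipv6_src)
        if src in self.active:
            return self.active[src]
        if not self.free:
            return None
        self.active[src] = self.free.pop(0)
        return self.active[src]

    def release(self, ipv6_src):
        """Hand the IPv4 address back to the pool when the host's session ends."""
        addr = self.active.pop(ipaddress.IPv6Address(ipv6_src), None)
        if addr is not None:
            self.free.append(addr)


if __name__ == "__main__":
    mapped = ipv4_to_prefixed_ipv6("122.122.122.122")
    print("122.122.122.122 ->", mapped, "->", prefixed_ipv6_to_ipv4(mapped))
    # Constructed pool of two public IPv4 addresses (TEST-NET-3 range).
    pool = DynamicNatPtPool(["203.0.113.10", "203.0.113.11"])
    for host in ("2001:db8:1::a", "2001:db8:1::b", "2001:db8:1::c"):
        print(host, "->", pool.translate(host))
```

The third IPv6 host gets no translation until one of the first two releases its address, which is the concurrency limit the text describes for dynamic mode.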

Potential Problems with NAT

So far, we can see that the most critical part of NAT (NAPT) is the translation table in the router. Relying on the translation table causes the following problems:

  • NAT cannot establish a connection from the outside to the internal server.
  • There is some overhead in generating the translation table.
  • Once the NAT router encounters an abnormal situation and needs to be restarted, all TCP connections will be lost.
  • Even with disaster recovery, the TCP connection will still be disconnected.

So how to solve these problems?

The first is to upgrade directly to IPv6, because in an IPv6 environment the number of available IP addresses is so greatly expanded that address exhaustion is no longer a concern however the network is built. Another solution is a technology called NAT traversal.

Application of NAT

NAT can mainly realize the following functions: packet masquerading, load balancing, port forwarding and transparent proxying.

  • Packet masquerading: The address information in intranet data packets is rewritten to a single external address, so that intranet hosts are not directly exposed to the Internet, which protects them. This function is also often used to provide shared Internet access. For example, when an intranet host accesses the external network, its private address is replaced by the global address in order to hide the intranet topology.
  • Load balancing: Destination address translation NAT can redirect some server connections to other randomly selected servers.
  • Port forwarding: When an intranet host provides services to the outside world, it uses an internal private IP address and cannot be directly accessed from the outside world. Therefore, port forwarding is required on the gateway to forward data packets of specific services to the intranet host.
  • Transparent proxy: For example, if the server you set up does not have enough space, you need to point some links to space on another server; or if the IIS service is not installed on a computer but you want Internet users to access the content on that computer, then IIS's Web site redirection can easily solve the problem.
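The port forwarding and load balancing entries above are both destination address translation on the gateway, and this added example (written for this article, not code from the original post or from any gateway product) shows them as one rule table: a public port with a single private target is a port forward, and a public port with several candidates is load balanced across them, with each external connection pinned to the backend it was first sent to so replies stay consistent. The public address is the article's 12.34.56.78; the intranet server addresses and the external client address are constructed.

```python
import random
from dataclasses import dataclass

PUBLIC_IP = "12.34.56.78"  # the NAT router's public address from the article


@dataclass(frozen=True)
class Packet:
    """Header fields the gateway rewrites: source and destination IP:port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DnatGateway:
    """Destination NAT: forwards public ports to intranet hosts, one or many per port."""

    def __init__(self, public_ip, rules, rng=None):
        # rules: public port -> list of (private ip, private port) targets.
        # One target is plain port forwarding; several targets give load balancing.
        self.public_ip = public_ip
        self.rules = rules
        self.rng = rng or random.Random()
        self.sessions = {}  # (ext ip, ext port, public port) -> (priv ip, priv port)
        self.reverse = {}   # (priv ip, priv port, ext ip, ext port) -> public port

    def inbound(self, pkt):
        """Rewrite a packet arriving from the Internet; None means no rule, dropped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.rules:
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key not in self.sessions:
            # New external connection: pick a backend (random choice for the
            # balanced case, the only entry for a port forward) and remember it.
            target = self.rng.choice(self.rules[pkt.dst_port])
            self.sessions[key] = target
            self.reverse[(target[0], target[1], pkt.src_ip, pkt.src_port)] = pkt.dst_port
        priv_ip, priv_port = self.sessions[key]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def outbound_reply(self, pkt):
        """Rewrite the intranet server's reply so it appears to come from the public address."""
        pub_port = self.reverse.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if pub_port is None:
            return None
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)


# Constructed rule table: port 8080 is balanced across two intranet web
# servers, port 2222 is forwarded to a single intranet SSH host.
RULES = {
    8080: [("192.168.1.6", 80), ("192.168.1.7", 80)],
    2222: [("192.168.1.9", 22)],
}

if __name__ == "__main__":
    gw = DnatGateway(PUBLIC_IP, RULES)
    client = ("198.51.100.5", 40000)  # constructed external client (TEST-NET-2)
    first = gw.inbound(Packet(client[0], client[1], PUBLIC_IP, 8080))
    print("balanced to", first)
    print("same connection again ->", gw.inbound(Packet(client[0], client[1], PUBLIC_IP, 8080)))
    print("reply leaves as", gw.outbound_reply(Packet(first.dst_ip, first.dst_port, client[0], client[1])))
    print("no rule for 3389 ->", gw.inbound(Packet(client[0], 40001, PUBLIC_IP, 3389)))
```

Note that an inbound packet for a port with no rule gets no translation at all, which is the same limitation listed under the potential problems: without an entry, whether static or created by an earlier outbound packet, the gateway has nowhere to send it.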

The significance of using NAT

NAT (NAPT) is actually a technology developed to solve the problem of IPv4 address exhaustion. However, with the development of IPv6, NAT is also used in IPv6 to improve network security, and NAT-PT is often used for communication between IPv4 and IPv6. At the same time, IPv4 still poses potential threats in terms of its security mechanisms and is a challenge in configuration and management. If you want to fundamentally solve the problem of IP address resources, IPv6 is the most fundamental way.

