Many Filecoin hardware vendors are currently promoting NAT traversal as a selling point. This article offers some basic background on NAT, in the hope that readers will keep their eyes open and not be taken in by overly mythologised marketing.

1. The origin of the IPv4 protocol and NAT

Today, countless Internet users are enjoying what the network offers. They browse news, search for information, download software, make new friends, share information, and can even meet all of their daily needs without leaving home. Enterprises use the Internet to publish information, deliver information and orders, provide technical support, and get their daily office work done. Yet while the Internet brings convenience to hundreds of millions of users, it faces a fundamental problem: the IPv4 protocol, the foundation on which this omnipresent Internet is built, can no longer supply new network addresses.

On February 3, 2011, the day of the Chinese New Year, IANA announced that the last five blocks of the IPv4 address space had been allocated to the five regional Internet registries. On April 15, 2011, APNIC, the registry for the Asia-Pacific region, announced that apart from a few reserved addresses, the IPv4 addresses of the region were essentially exhausted. Overnight, IPv4 addresses became an endangered resource whose value soared, and the large Internet companies spent huge sums buying up the remaining free addresses.

In fact, the shortage of IPv4 addresses is not a new problem. As early as 20 years ago, Internet pioneers were already confronting the exhaustion of the IPv4 address space. This raises the question of what technology managed to postpone the crisis for 20 years. To find the answer, let us first briefly review the IPv4 protocol. IPv4 is short for Internet Protocol Version 4. It defines an internetwork that connects heterogeneous networks and assigns an IP address to every node on the Internet.
If we compare the Internet to a postal system, an IP address plays the role of a complete postal address including city, street and house number. IPv4 expresses an address as a 32-bit integer, so the address space holds 2^32 addresses, roughly 4.3 billion. Measured against the number of devices that could be connected to the Internet when IP was introduced, such a space looked enormous and hard to use up in any short time. The facts, however, far exceeded expectations: computer networks grew rapidly over the following decades and the number of network terminals exploded. Worse still, for the convenience of routing and management, the 4.3 billion addresses were divided by prefix length into Class A, B, C and D networks plus reserved addresses. A Class A network address has 127 segments, each containing about 16.78 million host addresses; a Class B network address has 16,384 segments, each containing 65,536 host addresses.

Figure 1 IPv4 network address division

IANA allocated Class A network addresses to very large enterprises and organisations, one segment at a time, and Class B network addresses to medium-sized enterprises and educational institutions, likewise one segment at a time. This allocation strategy wasted IP addresses on a large scale: many of the allocated addresses were never actually used, and the addresses were consumed very quickly. In the early 1990s network experts realised that if this lavish spending continued, IPv4 addresses would soon be exhausted. People therefore began to consider alternatives to IPv4 and took a series of measures to slow down the consumption of IPv4 addresses. It is against this background that the protagonist of this article makes its debut: Network Address Translation, NAT. NAT is a remarkable technology; its remarkable feature is that its appearance all but brought IPv4 back from the dead.
In the nearly 20 years since IPv4 was judged to be near the end of its historical mission, people almost forgot that the IPv4 address space was about to run out. In an era of rapid technological development, 20 years is a long time, and all the more so because after NAT appeared the number of network terminals kept rising rapidly and the demand for IP addresses grew dramatically. This shows the success of NAT and its far-reaching impact. NAT has profoundly changed the IP network model, and its presence can be felt everywhere in the network. According to a recent research report, 70% of P2P users are located behind a NAT gateway. Because P2P mainly runs on end users' personal computers, this figure means that most PCs reach the Internet through a NAT gateway. If mobile terminals such as smartphones connected via 2G and 3G are included, the share of users behind NAT gateways is far higher still. Yet when we trace its origin we find a curious fact: NAT is a technology of great significance, but the author of the first NAT RFC merely collected and summarised techniques that were already in wide use.

2. NAT working model and characteristics

2.1 NAT Conceptual Model

NAT is a very accurate name: Network Address Translation, that is, replacing the address information in the IP packet header. NAT is usually deployed at the network exit of an organisation, and provides public network reachability and upper-layer protocol connectivity by replacing internal network IP addresses with the exit IP address. So what is an internal network IP address? RFC 1918 specifies three reserved address ranges: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255 and 192.168.0.0-192.168.255.255. These three ranges lie in the Class A, B and C address spaces respectively.
They are not allocated to any specific user and are reserved by IANA as private addresses. These addresses may be used inside any organisation or enterprise. The difference from other Internet addresses is that they can only be used internally and cannot serve as globally routable addresses; in other words, outside the administrative scope of the organisation these addresses are meaningless, whether as source or destination. A closed organisation whose network is not connected to the Internet can use these addresses without applying to IANA, and its internal routing management and message delivery are no different from those of any other network.

A network that needs Internet access but uses private addresses internally must deploy a NAT gateway at the organisation's egress. When a message leaves the private network and enters the Internet, its source IP is replaced with a public address, usually the interface address of the egress device. When the external access request reaches its target, it appears to have been initiated by the organisation's egress device, so the requested server can send its response back over the Internet to the egress gateway. The egress gateway then replaces the destination address with the address of the originating private-network host and sends the message back inside. In this way a request and response between a private-network host and a public-network server is completed without either end of the communication noticing. Under this model, a large number of intranet hosts no longer need public IP addresses.

Figure 2 Schematic diagram of the NAT translation process

Although the real process is considerably more complicated, the description above captures several key features of how NAT handles messages:

1. The network is divided into two parts, the private network and the public network. The NAT gateway sits at the routing exit from the private network to the public network, and traffic in both directions must pass through it.
2. Network access can only be initiated from the private-network side; the public network cannot actively access a private-network host.
3. The NAT gateway performs two address conversions, or translations, one in each direction: it replaces the source information in the outbound direction and the destination information in the inbound direction.
4. The existence of the NAT gateway is transparent to both communicating parties.
5. To perform two-way translation, the NAT gateway must maintain an association table that stores session information.

As we learn more about NAT, readers will find that these characteristics are distinct but not absolute. The second characteristic breaks the equal standing that all nodes have in the IP architecture, which is a major drawback of NAT and has caused many problems for peer-to-peer communication; of course, corresponding means of overcoming this problem have also emerged. The fourth point is what NAT strives for, but in many cases NAT does not achieve it, because besides the IP header, upper-layer protocols often carry IP address information inside their payload. We will return to this later.

2.2 One-to-one NAT

If each internal host occupies exactly one public IP, the arrangement is called the one-to-one model. In this case there is no need to translate the upper-layer protocol, because one public IP corresponds to one internal host. Obviously this does little to save public IPs; it is mainly used to meet special networking requirements, for example when users want to hide the real IP of an internal host, or to allow communication between two networks whose IP address ranges overlap.
2.3 One-to-many NAT

The most typical NAT scenario is the one shown in Figure 2: an organisation deploys a NAT gateway at its egress, and all access to the public network is represented by a single host. This is the so-called one-to-many model, in which the egress device occupies only one public IP address assigned by the Internet service provider. Faced with a large number of hosts in the private network, if NAT merely replaced the IP address a problem would arise: when several internal hosts access the same server, the returned information is not sufficient to tell which internal host a response should be forwarded to. The NAT device therefore has to distinguish sessions using transport-layer or other upper-layer information, and may need to translate the upper-layer protocol identifier, such as the TCP or UDP port number. The NAT gateway can then map different internal connections to different transport-layer ports of the same public IP, multiplexing and demultiplexing that public IP. This method is also called port translation, PAT, NAPT or IP masquerading, but since it is the most typical mode of operation it is more often simply called NAT.

2.4 Classification by NAT port mapping method

Within the one-to-many model, port translation can be further divided according to how the mapping works. For convenience, an IP and port are written (nAddr:nPort) below, where n denotes the role of the host or NAT gateway.

Figure 3 Classification by port translation mapping method

Full Cone NAT

Once the internal host's address-port pair (iAddr:iPort) has been mapped by the NAT gateway to (eAddr:ePort), all subsequent messages from (iAddr:iPort) are translated to (eAddr:ePort), and any message that any external host sends to (eAddr:ePort) is translated and delivered to (iAddr:iPort).
Restricted Cone NAT

Once (iAddr:iPort) has been mapped to (eAddr:ePort), all subsequent messages from (iAddr:iPort) are translated to (eAddr:ePort); however, messages sent to (eAddr:ePort) by an external host hAddr, from any of its ports, are forwarded to (iAddr:iPort) only if (iAddr:iPort) has previously sent data to hAddr.

Port Restricted Cone NAT

Once (iAddr:iPort) has been mapped to (eAddr:ePort), all subsequent messages from (iAddr:iPort) are translated to (eAddr:ePort); however, a message sent from (hAddr:hPort) to (eAddr:ePort) is forwarded to (iAddr:iPort) only if (iAddr:iPort) has previously sent data to that specific external address-port pair (hAddr:hPort).

Symmetric NAT

The NAT gateway treats messages with the same internal address-port pair and the same external address-port pair as one connection, and creates a public address-port mapping on the gateway for that connection. Only a response sent by the external host from that same address-port pair is translated back. If the internal host uses the same address-port pair to contact a different external host (or port), the NAT gateway establishes a new mapping.

In practice the introduction of these terms is the source of a good deal of confusion. Many real NAT devices mix these translation methods rather than using just one, so the terms are suitable for describing one mode of operation, not a device. For example, many NAT devices use symmetric NAT for connections initiated from inside while also supporting static port mappings, and the latter can be regarded as full cone NAT. In some cases a single public address and port of a NAT device is mapped to several internal servers at the same time to share load.
For example, a site that offers web servers to the outside world may have hundreds or thousands of servers providing HTTP, yet appear to the outside as one or a few IP addresses.

3. NAT limitations and solutions

3.1 IP end-to-end service model

An important contribution of the IP protocol is that it treats all hosts as equals. In theory every site with an IP address has the same ability, at the protocol level, to obtain and to provide services, and there is no difference between one IP address and another. The server and client that people are familiar with are role distinctions at the application-protocol layer; at the network and transport layers there is no difference between them. A host with an IP address can be both a client and a server, and in most cases it is both. End-to-end equality may seem ordinary, but its significance is not: many earlier network technologies limited the capabilities of the terminal. It is this openness of IP that lets the TCP/IP protocol family provide rich functionality and a broad platform for applications. Because any IP host can act as a server, communication can be designed far more flexibly. UNIX/Linux systems make full use of this, letting any host run its own HTTP, SMTP, POP3, DNS, DHCP and other services. Many applications also combine the client and server roles to do their work. In VoIP, for example, when a user agent registers its IP address and port with the registration server, it is acting as a client; when a call arrives and the call-processing server sends a call request to the user agent, the user agent is actually working in server mode. Once the voice media channel is established, voice data flows in both directions, with the sending end in client mode and the receiving end in server mode.
In P2P applications, a user's host is both a downloading client and a provider of data to other clients: a hybrid client/server model. Upper-layer applications can be designed this way because the IP protocol stack defines such capabilities. Imagine instead that the capabilities IP provides were unequal, so that each communication session could only be initiated in one direction; communication would be greatly constrained. Careful readers will have noticed that one of the NAT features introduced earlier is exactly such a limitation. Yes, this is the drawback of NAT: it destroys IP's end-to-end communication capability.

3.2 Disadvantages of NAT

NAT does not solve the IPv4 address shortage without side effects; in fact, it brings many problems.

First, NAT shortens the lifetime of IP sessions. Because an association table entry is created on the NAT device when a session is established, the NAT gateway ages entries out during periods of session silence. Any NAT gateway must do this: IP and port resources are limited while the demand for communication is huge, so resources must be reclaimed when sessions end. TCP sessions are usually closed through an explicit negotiation that a NAT gateway can track, but there are always exceptions, so it must still rely on its own timers to reclaim resources. For UDP-based protocols it is hard to tell when communication has ended, so NAT gateways rely mainly on timeouts to reclaim external ports. Reclaiming by timer brings a problem: if an application needs to keep a connection alive longer than the NAT gateway's setting allows, the communication is interrupted unexpectedly. Once the gateway has reclaimed the translation entry, newly arriving data finds no translation information and a new connection has to be established.
When that new data is sent from the public side towards the private side, it cannot trigger the creation of a new mapping, and there is no way to notify the host on the private side to re-establish the connection; the communication is interrupted and cannot recover on its own. Even when new data is sent from the private side to the public side, the public host cannot relate it to the earlier communication, because the rebuilt session entry usually uses a different public IP and port, and the user perceives a broken connection. It is difficult for a NAT gateway to choose an idle-connection timeout that neither leaks resources continuously nor interrupts most connections by accident. Now that NAT is ubiquitous, many application protocol designers have taken this into account and generally provide a connection keep-alive mechanism: when no data has been sent for a while, the application actively sends a keep-alive message that NAT can observe but that carries no actual data. Its main purpose is to reset the NAT session timer.

Secondly, NAT multiplexes the connections of many internal hosts onto one IP, which defeats every mechanism that relies on IP addresses to track hosts. For example, network-management applications based on traffic analysis cannot relate end users to specific traffic behaviour. Log analysis based on user behaviour also becomes difficult, because one IP is shared by many users; if a user behaves maliciously, it is hard to locate the host that initiated the connection. Even where a NAT gateway offers some connection-tracking mechanism, joining the translation records back to the original connections is hard.
IP-based user authorisation is no longer reliable, because possessing an IP no longer means being one user or one host. A server cannot simply assume that accesses from the same IP come from the same host, nor associate them with one another. Some servers limit connections and accept only a limited number of simultaneous accesses from one IP (sometimes just one), which leads to service contention and queuing among different users. Sometimes a server does this for DoS protection: a single user should not normally open a large number of connections, and excessive use of service resources is treated as high-risk behaviour. But where NAT is present, this cannot simply be judged by the connection count. In short, because NAT hides one end of the communication, it makes simple things complicated.

Let us look more closely at how NAT damages the IP end-to-end model. NAT changes the communication address by modifying information in the IP header, but this translation can only operate per session. When an application needs to maintain several bidirectional connections, this becomes very troublesome: NAT cannot understand the association between the sessions and cannot ensure that the translation obeys the rules the application requires. When the NAT gateway has several public IP addresses, a group of related sessions may be assigned different public addresses, which servers usually cannot accept. More seriously, when a public-side host wants to actively send data to the private side, the NAT gateway has no association table entry with which to translate the connection, and the packet cannot reach the private-side host. Such reverse-direction connections are always either stipulated by the application protocol or negotiated in the initial session.
However, because NAT works at the network and transport layers, it cannot understand application-layer protocol behaviour and knows nothing about this information. NAT hopes to be transparent to both communicating parties, but in these cases that is a luxury.

Figure 4 NAT's destruction of the end-to-end communication model

In addition, NAT works by modifying information in the IP packet header, which obstructs some security protocols. Because NAT alters the IP address, the transport-layer port number and the checksum, an authentication protocol whose purpose is to guarantee that exactly this information does not change in transit stops working altogether. Tunnel protocols also run into extra problems in the presence of NAT, because tunnel protocols usually use the outer address to identify the tunnel endpoint, and a tunnel crossing a NAT has an IP multiplexing relationship that the far end must handle carefully. ICMP is a network control protocol whose job is to carry error and control messages between two hosts; because the IP correspondence has been remapped, ICMP must also be multiplexed and demultiplexed, and in many cases demultiplexing fails because the ICMP payload does not carry enough information. IP fragmentation works as follows: when the size of an IP message to be sent, at the source or along the path, exceeds the maximum size the path can actually carry, the IP layer splits the message into several fragments, which are reassembled at the receiver to restore the original message. Because of fragmentation, the transport-layer information is present only in the first fragment.
It is difficult for NAT to match the subsequent fragments against the association table, so special handling is required.

3.3 NAT Traversal Technology

The disadvantages of NAT have been explained above. To solve the problems that IP end-to-end applications run into in NAT environments, network protocol designers have created a range of weapons. Unfortunately, each of the methods described here has flaws and requires additional processing on the internal host, in the application, or on the NAT gateway.

Application Layer Gateway

The Application Layer Gateway (ALG) is the most common remedy for NAT's ignorance of application-layer protocols. It has been widely adopted by NAT equipment manufacturers and has become an essential function of NAT devices. Because NAT is unaware of application protocols, a protocol-analysis function must be written for each application protocol so that the NAT gateway can understand and support that protocol. ALG and NAT work together: when the NAT gateway detects a new connection request, it has to decide whether the request belongs to a known application type, usually by the connection's transport-layer port. When it recognises a known application, it calls the corresponding function to inspect the message content in depth. Whenever an IP address or port in any form is found, that information is translated in step with the header, and an additional translation table entry is created for the new connection it announces. Thus when the message reaches the destination host on the public side, the address and port carried in the application-layer protocol are those provided by the NAT gateway.
Once the public-side host starts sending data or opening a connection to that port, the NAT gateway can translate according to the association table and forward the data to the private-side host. Many application-layer protocols are not limited to one initial connection (usually a signalling or control channel) plus one data connection; one initial connection may correspond to many subsequent connections, and for some more special protocols a group of related connections is produced in a single negotiation. For example, RTP/RTCP stipulates that once an RTP channel is established it occupies two consecutive ports, one for data and the other for control messages, so the ALG must allocate consecutive ports for the application.

ALG can successfully meet the NAT traversal needs of most protocols, but the approach also has serious limitations. Because the number of application protocols is very large and constantly evolving, the ALG functions added to a device are developed for specific versions of specific protocols. Protocol innovation and evolution force NAT equipment manufacturers to track the latest standards for these protocols while remaining compatible with the old ones. Although open platforms such as Linux allow new ALG features to be loaded dynamically, the management cost is still very high, and network maintenance staff cannot always know which applications users need. It is therefore infeasible to develop ALG code for every application protocol and to track every new standard; ALG can only cover users' most common needs. In addition, for security reasons some application messages are encrypted at the source. Such messages cannot be analysed in the middle of the network, so ALG is powerless against them.
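As an added illustration (not code from the original article or from any vendor's product), the toy ALG below walks through the steps just described for an SDP media offer crossing a NAPT gateway: it finds the private address and RTP port the internal host advertised, allocates a consecutive public port pair for RTP and RTCP, pre-creates the translation entries, and rewrites the payload. The gateway's public address, the port pool, the SDP fragment and the choice of SDP as the carrying protocol are all assumptions made for the example.

```python
"""Toy application layer gateway (ALG) for an SDP media description
crossing a NAPT gateway. Added illustration, not the article's code.
Assumptions: the gateway's public address, the port pool and the SDP
fragment are all constructed; only the c= and m= lines are rewritten."""
import re

PUBLIC_IP = "203.0.113.1"   # constructed public address of the NAT gateway
PRIVATE_IP = "10.0.0.5"     # constructed RFC 1918 address of the internal host

# Constructed minimal SDP offer as the internal host would send it: the c=
# line advertises its private address and the m= line its RTP port; RTCP
# implicitly uses the next port (49171), the consecutive-port case.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "s=-",
    "c=IN IP4 10.0.0.5",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "",
])


class PortPairAllocator:
    """Hands out consecutive (even RTP, odd RTCP) public ports from a pool."""

    def __init__(self, start=40000, end=49999):
        self.next_even = start if start % 2 == 0 else start + 1
        self.end = end

    def allocate(self):
        if self.next_even + 1 > self.end:
            raise RuntimeError("public port pool exhausted")
        pair = (self.next_even, self.next_even + 1)
        self.next_even += 2
        return pair


def sdp_alg(payload, internal_ip, allocator, nat_table):
    """Rewrite the media address in an SDP body and pre-create NAT entries.

    nat_table maps (public_ip, public_port) -> (internal_ip, internal_port);
    the gateway later forwards inbound RTP/RTCP purely from these entries
    without inspecting the payload again.  Returns the rewritten body."""
    out = []
    for line in payload.split("\r\n"):
        if line == "c=IN IP4 " + internal_ip:
            # Connection line: the peer must send media to the gateway, not to 10.x
            line = "c=IN IP4 " + PUBLIC_IP
        m = re.match(r"^m=(\w+) (\d+)( .*)$", line)
        if m:
            media, iport, rest = m.group(1), int(m.group(2)), m.group(3)
            rtp_pub, rtcp_pub = allocator.allocate()
            # Two entries per media line: RTP on the even port, RTCP on the odd one
            nat_table[(PUBLIC_IP, rtp_pub)] = (internal_ip, iport)
            nat_table[(PUBLIC_IP, rtcp_pub)] = (internal_ip, iport + 1)
            line = f"m={media} {rtp_pub}{rest}"
        out.append(line)
    # Note: the rewritten body is longer than the original (a longer address),
    # so a real ALG must also fix the length fields of whatever carries it.
    return "\r\n".join(out)


def inbound_lookup(nat_table, public_port):
    """What the gateway does when media arrives at a pre-created public port."""
    return nat_table.get((PUBLIC_IP, public_port))


if __name__ == "__main__":
    table = {}
    print(sdp_alg(SAMPLE_SDP, PRIVATE_IP, PortPairAllocator(), table))
    print(table)
```

Because the rewritten address is longer than the private one, a real ALG must also correct the Content-Length of the carrying SIP message and, over TCP, adjust sequence and acknowledgement numbers for the size change.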
Probe technologies STUN and TURN

So-called probe technology detects whether a NAT gateway is present by installing a probe component on every entity taking part in the communication, and applies a different traversal method for each NAT model. A STUN server is deployed on the public network to receive probe requests from the communicating entities. The server records the source address and port of the request and places them in the response it returns. The client can tell whether there is a NAT gateway by comparing the address and port in the response with the address and port it chose locally. If a NAT gateway is present, the client uses the same local address and port to send a request to another IP address of the server and repeats the probe, then compares the two responses to determine the NAT's mode of operation. From the one-to-many models described earlier, we know that in every model other than symmetric NAT the gateway's mapping of an internal host address and port is relatively fixed, so traversal is relatively easy to achieve. Symmetric NAT creates a mapping per connection, so the translated public address-port pair is unpredictable. In that case TURN can be combined with STUN to provide the traversal service: an address-port pair is provided on the public server, and all data received at that address-port pair is relayed to the intranet host over the connection set up by the probe. The address-port pair allocated by TURN is sent to the internal host in the STUN response, and the host puts that information into the signalling that sets up the connection so as to inform the other party. Probe technology is a universal method: it does not require functions to be developed for each application protocol on the NAT device.
Compared with the ALG approach it has a certain generality. However, the TURN relay becomes a communication bottleneck, and adding the probe function to the client means every application must add code to support it.

Middleware Technology

This is another attempt to solve NAT traversal with a universal method. The difference from the previous approach is that the NAT gateway participates in the solution; the difference from ALG is that the client takes part in maintaining the gateway's public mapping information. The NAT gateway then only needs to understand the client's request and allocate translation table entries as asked, and does not have to analyse the client's application-layer data itself. UPnP is one such method. UPnP stands for Universal Plug and Play; it is a general communication protocol between network terminals and gateways, with the ability to publish information and to manage and control devices. Its gateway mapping request can dynamically add mapping table entries for a client. NAT then no longer needs to understand the information carried by the application layer and only translates the IP address and port. The client directly carries the publicly mapped IP address and port in the control messages or signalling it sends to the public side, and the receiving end can set up a data connection from that information. When the NAT gateway receives data or a connection request, it translates the address and port according to the entries created through UPnP, regardless of content, and forwards the data to the intranet. This solution requires the gateway, the internal host and the application all to support UPnP, and the network must allow UPnP signalling to be exchanged directly between the internal host and the NAT gateway.
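To tie the four mapping behaviours of section 2.4 to the STUN probe described under "Probe technologies STUN and TURN", here is an added example (not code from the original article) that models a NAPT gateway in each of the four modes, including the idle-timeout aging of section 3.2, and then runs the classic STUN classification sequence against it. It goes one step beyond the text by also separating the three cone types with the RFC 3489 test II/III replies; every address, port and timeout is a constructed assumption.

```python
"""Toy NAPT gateway implementing the four port-mapping behaviours of
section 2.4 (full cone, restricted cone, port-restricted cone, symmetric)
with idle-timeout aging, plus the STUN-style probe of section 3.3 run
against it.  Added illustration, not code from the article; every address,
port and timeout below is constructed."""

FULL_CONE = "full cone"
RESTRICTED = "restricted cone"
PORT_RESTRICTED = "port restricted cone"
SYMMETRIC = "symmetric"


class NatGateway:
    def __init__(self, mode, public_ip="203.0.113.1", first_port=40000,
                 idle_timeout=30):
        self.mode = mode
        self.public_ip = public_ip
        self.next_port = first_port
        self.idle_timeout = idle_timeout  # seconds of silence before aging out
        self.mappings = {}   # key -> [ePort, last_outbound_time, (iAddr, iPort)]
        self.permits = {}    # ePort -> set of (hAddr, hPort) the inside has talked to

    def _key(self, iaddr, iport, haddr, hport):
        # Cone NATs reuse one mapping per internal socket; a symmetric NAT
        # creates a fresh mapping for every distinct external destination.
        if self.mode == SYMMETRIC:
            return (iaddr, iport, haddr, hport)
        return (iaddr, iport)

    def _expire(self, now):
        # Aging (3.2): mappings idle longer than the timeout are reclaimed.
        # This model refreshes the timer on outbound traffic only.
        for key in [k for k, e in self.mappings.items()
                    if now - e[1] > self.idle_timeout]:
            self.permits.pop(self.mappings.pop(key)[0], None)

    def outbound(self, iaddr, iport, haddr, hport, now=0):
        """Translate a packet leaving the private network; returns (eAddr, ePort)."""
        self._expire(now)
        key = self._key(iaddr, iport, haddr, hport)
        if key not in self.mappings:
            self.mappings[key] = [self.next_port, now, (iaddr, iport)]
            self.next_port += 1
        entry = self.mappings[key]
        entry[1] = now
        self.permits.setdefault(entry[0], set()).add((haddr, hport))
        return self.public_ip, entry[0]

    def inbound(self, haddr, hport, eport, now=0):
        """Filter and translate a packet arriving at (eAddr:ePort).

        Returns the internal (iAddr, iPort), or None when the gateway drops it."""
        self._expire(now)
        for port, _, internal in self.mappings.values():
            if port != eport:
                continue
            allowed = self.permits[eport]
            if self.mode == FULL_CONE:
                return internal                    # any external host may send in
            if self.mode == RESTRICTED:
                if any(h == haddr for h, _ in allowed):
                    return internal                # same host, any of its ports
                return None
            if (haddr, hport) in allowed:          # port restricted and symmetric
                return internal
            return None
        return None                                # no mapping: unsolicited, dropped


def stun_probe(nat, iaddr, iport, server_ip1="198.51.100.10",
               server_ip2="198.51.100.11", port=3478, now=0):
    """Classic STUN classification (the RFC 3489 test I/II/III sequence),
    simulated against the toy gateway; nat=None models a host with no NAT."""
    # Test I: the server reflects the source address and port it saw.
    mapped1 = nat.outbound(iaddr, iport, server_ip1, port, now) if nat else (iaddr, iport)
    if mapped1 == (iaddr, iport):
        return "no NAT"
    # Test II: the server answers from a different IP and a different port.
    if nat.inbound(server_ip2, port + 1, mapped1[1], now) is not None:
        return FULL_CONE
    # Test I again towards the server's second IP; a changed mapping means symmetric.
    mapped2 = nat.outbound(iaddr, iport, server_ip2, port, now)
    if mapped2 != mapped1:
        return SYMMETRIC
    # Test III: the server answers from the same IP but a different port.
    if nat.inbound(server_ip1, port + 1, mapped1[1], now) is not None:
        return RESTRICTED
    return PORT_RESTRICTED


if __name__ == "__main__":
    for mode in (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(mode, "->", stun_probe(NatGateway(mode), "10.0.0.5", 5000))
```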
Relay Agent Technology

Strictly speaking this is not a NAT traversal technology but a NAT bypass technology. Put simply, an application server is placed next to the NAT gateway, with its own network connections to both the internal network and the external public network. When a client's application generates a network request, the request is sent to this application proxy server, which parses the client's request according to the proxy protocol, initiates a new request from its public-network side, relays the content of the client's request to the external network, and relays the reply back in the other direction. This technique is very similar to ALG: relay proxy services must be deployed for each application type, and the intermediate server must understand these requests.

Protocol-specific self-traversal technology

The most complex and most reliable of all the methods is for a protocol to solve its own problem. For example, IKE and IPsec were designed with NAT traversal in mind. Because these protocols encrypt themselves and can detect message modification, none of the general methods can help them. Since the NAT gateways found in practice are almost all NAPT, any message carried by a transport-layer protocol can pass through NAT smoothly. The solution adopted by IKE and IPsec is therefore to add another layer of UDP encapsulation around the message, so that the inner message is no longer affected. IKE also specifically added a means of checking whether a NAT gateway is present and a way for IKE to bypass it.

4. Application and implementation of NAT

4.1 Application of NAT

NAT is used throughout the contemporary Internet, from home gateways to enterprise WAN exits and even operators' service network exits. In fact, NAT can be seen everywhere around users.
ADSL modems and SOHO routers for ordinary home broadband access have NAT built in, and Windows XP supports network connection sharing, so a user connecting to the public network may pass through multiple layers of NAT without knowing it. Many enterprises also use NAT for Internet access to save on IP address costs, but their needs are more complex than those of home users.

NAT multi-instance application

In a virtual private network, multi-instance routing means that multiple logical topologies are carried on one physical topology, with network terminals assigned to mutually isolated logical topologies that have no routing paths between them. However, when accessing the Internet or certain key server resources, there is a need to share resources between the isolated networks. The multi-instance implementation of NAT is a way to cross these logical topologies and map the network addresses of one space into another.

High-reliability NAT networking

Improving network reliability is a widespread demand, and as the key path from the private network to the public network, NAT naturally needs high reliability too. When a device has multiple public-network interfaces, deploying NAT on several of them provides higher bandwidth and nearby access to multiple ISPs. However, with multiple exits deployed, return traffic may arrive on an interface other than the one it left from, so the NAT solution needs sound routing planning and suitable policies to ensure that such traffic is handled correctly. When several physical devices take on the NAT function, backing up state information and sharing traffic between them is a further networking problem.

Applications that translate both source and destination addresses

In all the NAT applications introduced above, for access from the intranet to the extranet the source address is translated while the destination address remains unchanged.
When a message enters in the opposite direction, the destination address is processed. However, some special applications require the destination IP address to be replaced as well on the path from inside to outside. Usually such applications replace both the source address and the destination address at the same time, completing two address translations in one pass through the NAT gateway. When two networks that both use private IP address ranges are merged and the end users do not want to adjust their own IP address plans, but still want to open some network resources to each other, NAT's double translation can solve a problem that routing and address planning alone cannot.

Figure 5 Application that translates both source and destination addresses

4.2 NAT device implementation

As an IP-layer service feature, NAT is closely related in product implementation to features such as firewalls and session management, because NAT must determine whether a message entering the device needs NAT processing and whether it belongs to a new connection; this requires matching access control list rules and querying the session association table. To meet the NAT requirements of different application scenarios, the NAT management interface offers users a variety of configuration strategies. By specific working mode, NAT can be classified as follows.

Static one-to-one address mapping

In this working mode, NAT statically associates one private network address with one public network address. From inside to outside, a source IP matching the private IP is replaced with the public IP; in the opposite direction, a destination IP matching the public IP is replaced with the private IP. Nothing above the network layer is replaced; only the checksums are corrected.
Static many-to-many address mapping

This method is similar to the previous one, except that it maps a block of private network addresses to a block of public network addresses. The working mechanism is the same, but it reduces the configuration workload.

Dynamic port mapping

This is the most basic working method, mentioned many times above: a segment of intranet addresses is dynamically translated to one or more public IP addresses, and the transport-layer port or other upper-layer protocol information is translated as well to achieve IP multiplexing. For messages from inside to outside, the source address and port are replaced; for messages in the reverse direction, the destination address and port are replaced. When only the IP of the interface connected to the public network is used as the public address for NAT translation, the configuration is at its simplest and is also called EasyIP. When a segment of public IP addresses is used as the NAT translation addresses, an address pool must be configured, and NAT automatically selects and uses public IPs from the pool.

Dynamic address mapping (no-pat)

This is a working mechanism between static many-to-many address mapping and dynamic port mapping. When a private network host reaches the NAT gateway to access the public network, the gateway checks whether the private IP already has an associated public IP mapping. If it does, the IP is replaced directly according to the translation table, without modifying the upper-layer protocol. If there is no association entry, an IP is taken from the pool of idle public IPs and written into the association table, and subsequent address translation follows this association. When all external access initiated by this private host has been closed or has timed out, the public IP is reclaimed. This method can be understood as a group of intranet hosts competing to share a public IP address pool.
When the public IP address pool is used up, new connections cannot be established.

Static port mapping

Through static configuration, a fixed private IP address and port are associated with a public network address and port. This method is equivalent to the full cone mode introduced above, but it does not require the internal host to send a message first. It is suitable for mapping a well-known service (such as HTTP) on the NAT gateway to an internal host, and is also known as port forwarding.

Application Layer Gateway (ALG)

In every NAT product implementation, ALG is a necessary functional component. Implementations differ, however: some products can dynamically load different ALG modules, some provide switches to control ALG, and some provide no user interface for it at all. ALG parses the content of the upper-layer application protocol, modifies IP and port related information as needed, and creates and maintains additional association table entries.

NAT Translation Association Table

Whichever working method NAT uses, an address translation association table is required. Across product implementations, the storage structure of this table and the way it is consulted during IP forwarding differ greatly. The association table records the source IP, destination IP, connection protocol type, transport-layer source port and destination port, as well as the translated source IP, source port and destination port. Source and destination here refer to the access direction from the intranet to the external network. Depending on the specific NAT working method, these fields may be filled in completely or only partially. For example, if only static mapping by IP is performed, no port-related information is needed; for static port mapping, only the source-related fields are filled in, while the destination information is left empty.
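As an added example (not code from the article or from any vendor's product), the following Python model of a translation association table shows two of the working modes described above on one gateway: dynamic port mapping on a single public interface (the EasyIP case) and static port mapping (port forwarding). The public IP, the three-port pool and every address and port used are constructed sample values.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"         # constructed: the gateway's single public IP (EasyIP case)
PORT_POOL = (40000, 40001, 40002)  # constructed: tiny pool so exhaustion is observable


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Dynamic port mapping and static port mapping over one association table."""
    def __init__(self):
        self.dyn = {}     # (proto, priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.rev = {}     # (proto, public port) -> (priv_ip, priv_port, dst_ip, dst_port)
        self.static = {}  # (proto, public port) -> (priv_ip, priv_port); destination left empty
        self.free_ports = list(PORT_POOL)

    def add_static_mapping(self, proto, public_port, priv_ip, priv_port):
        """Port forwarding: unsolicited inbound traffic to public_port is admitted."""
        self.static[(proto, public_port)] = (priv_ip, priv_port)

    def outbound(self, pkt):
        """Intranet -> Internet: replace source IP/port, allocating an entry on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.dyn.get(key)
        if pub_port is None:
            if not self.free_ports:
                return None  # pool exhausted: the new connection cannot be established
            pub_port = self.free_ports.pop(0)
            self.dyn[key] = pub_port
            self.rev[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> intranet: replace destination IP/port; drop anything without an entry."""
        key = (pkt.proto, pkt.dst_port)
        if pkt.dst_ip == PUBLIC_IP and key in self.rev:
            priv_ip, priv_port, dst_ip, dst_port = self.rev[key]
            if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
                return None  # dynamic entries only admit replies from the contacted peer
        elif pkt.dst_ip == PUBLIC_IP and key in self.static:
            priv_ip, priv_port = self.static[key]
        else:
            return None  # unsolicited and not forwarded: silently dropped
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)
```

Two intranet hosts using the same private source port receive distinct public ports, a reply from any peer other than the one contacted is dropped, and only the statically mapped port accepts unsolicited inbound traffic.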
5. NAT in the post-IPv4 era

NAT is a technology launched to delay the exhaustion of IPv4 addresses, and there is no doubt that it has fulfilled its historical mission well: IPv4 has gone much further than expected. As its successor, IPv6 learned the lessons of IPv4 and was given ample address space while being optimised in every respect: secure, efficient and concise. However, IPv6 cannot replace IPv4 smoothly, and the pace of the IP upgrade has been slow. Although the layered design of network protocols is very clear, a great many application-layer protocols and Internet programs still have IPv4 address handling embedded in them, so upgrading the entire Internet to IPv6 requires the applications to be transformed first. Because NAT combined with its traversal techniques can meet the needs of most users, the arrival of the IPv6 era has been delayed again and again. With IPv4 addresses on the verge of exhaustion, no matter how economical the model, IPv4 must leave the stage of history, and people naturally assume that NAT, the super patch for IPv4, has completed its technical mission. In reality, NAT remains an indispensable technical means during the transition from IPv4 to IPv6. Because the Internet cannot complete a network-wide upgrade in a single day, the upgrade must be local and gradual. While the two protocol suites coexist, users and service resources are spread across different networks, and the need for cross-network access must be met. This is exactly what NAT is good at, address replacement, and so NAT-PT came into being. Because of the differences between IPv4 and IPv6, what NAT has to do is more complex than before, with more restrictions and details. In addition, the IETF is also formulating NAT specifications for pure IPv6 networks.
Although there is no strong demand for such applications yet, NAT still has unique uses, such as hiding internal network addresses and merging networks with overlapping address ranges. It is no exaggeration to say that it is because of NAT that the IPv4-based Internet can accommodate billions of user terminals and achieve today's glory. IPv4 has reached its end, and the dawn of IPv6 has yet to come; the Internet relies on NAT, the transition technology, more than at any other time. NAT's history once again proves that earth-shaking progress does not necessarily find a market, while patches that work around the shortcomings are not necessarily unsuccessful. As the generations change, let us approach NAT and appreciate the subtle but not profound knowledge in the IP field. To understand NAT is to understand a world of applications that it has changed by the thousand.