When our company releases application systems or websites to the outside world, or when users go online for work, we run into the problem of insufficient public IP addresses: the IPv4 space is only 2 to the power of 32, roughly 4.2 billion addresses, and that cannot give every user a public IP. NAT emerged to make up for this shortage, and at the same time it indirectly hides the enterprise intranet and protects the internal network. What exactly is the principle behind NAT? We briefly introduce it below.

1. NAT Technology

1. NAT: The full name is "Network Address Translation". It is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet with one public IP (Internet Protocol) address. As the name suggests, it is a technology that translates internal private network IP addresses into legal public IP addresses, as shown in the figure below. NAT can therefore, to a certain extent, effectively solve the problem of insufficient public network addresses.

2. Private IP address: also called an internal address. It is a non-registered address used exclusively within a company or organization. The Internet Assigned Numbers Authority (IANA) has reserved three blocks of IP addresses as private IP addresses:
10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
172.16.0.0 to 172.16.255.255 (172.16.0.0/16 segment)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16 segment)
These three private address blocks can be planned and used freely within our company.

3. Public IP address: also called a global address; a legal IP address registered with and assigned by the network operator. To the outside world it represents one or more internal local addresses, and it is globally reachable.

4. Address pool: an address pool is a set of external addresses (globally unique IP addresses). When a packet from the internal network passes through address translation on its way to the external network, one IP address is selected from the pool as the packet's source IP address. This makes effective use of the user's external addresses and improves the ability to reach the external network. Put simply, the address pool is a group of public IP addresses, such as 65.34.23.0/26.

5. Classification of NAT: there are three types of NAT: static NAT, pooled NAT, and port-level NAT.

2. Introduction to NAT

1. NAT source translation and source port NAT: When an internal address accesses the Internet, the Internet cannot send packets back to the private IP, so the communication cannot complete. NAT is the technical means of converting the internal address into the public IP of a company, organization or household for external communication, as shown in the following figure. Take a simple home network as an example (please forgive the ugly picture). The picture shows:
Intranet: 192.168.1.0/24
Gateway: 192.168.1.1
External network: after the PPPoE login verification passes, the assigned address is 214.86.234.58; the address of a certain Internet website server is 219.86.24.45.

Source NAT: when an internal terminal host accesses the 219.86.24.45 server,
Source address: 192.168.1.100, source port random
Destination address: 219.86.234.45, destination port 80
After receiving the access request from 192.168.1.100, the server sends a reply packet to the source address, but it cannot find a route to the private network and therefore cannot deliver the reply.
Source NAT works like this: when the packet reaches the gateway, the source address is replaced with the WAN port address and the router records an entry in its session table. The packet becomes source 214.86.234.58 with a random source port, destination 219.86.24.45, destination port 80. When the server receives this packet and replies, the reply carries source 219.86.24.45, source port 80, destination 214.86.234.58, and destination port equal to the earlier random port, and it is sent back across the Internet. When the WAN port receives the reply, the router checks the session table:
192.168.1.100 ----> 214.86.24.45 <--------> 214.86.234.58 -----> 219.86.24.45
According to this correspondence, the packet returned by the server is forwarded to 192.168.1.100, so the intranet machine can communicate with the outside world.

But there is a problem here. There are many machines in the intranet; what happens if several of them access the same website? This is where PNAT, port translation, comes in: it distinguishes the access sessions of the intranet machines by port, as shown in the following figure. The NAT session table dynamically records the mapping between the intranet address and the external IP (the entry is cleared when the session times out), and the return packet from the Internet service is delivered to the right intranet machine according to its port. Through such a session table, the different ports of a single public IP solve the Internet access problem for hundreds of people in an enterprise. A question arises: what if there are so many people that all 65535 ports are used up and some of them cannot access the Internet? In practice this rarely happens. If it does, use 2 public IPs for source port translation; if that is not enough, use 3 or 4, until it is enough. Generally 2-3 are definitely sufficient.
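As an added example (my own code, not from the article), here is a small Python model of the source NAT / PNAT session table described above: a gateway with a pool of public IPs allocates one public ip:port per intranet socket, spills over to the next public IP when one IP's ports are exhausted, delivers a return packet only when a session entry matches, and clears entries on timeout. The addresses are the article's; the class, method names and port range are assumptions, and the private-address check uses IANA's RFC 1918 blocks, whose middle block is 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), which contains the /16 quoted above.

```python
import ipaddress

# RFC 1918 private blocks as IANA defines them (the middle block is the /12
# 172.16.0.0-172.31.255.255, which contains the /16 quoted in the article).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

class PatGateway:
    """Source NAT with port translation (PNAT) over a pool of public IPs.
    A packet is (src_ip, src_port, dst_ip, dst_port); a None result means dropped."""
    def __init__(self, pool, ports=range(1024, 65536), timeout=300):
        self.pool, self.ports, self.timeout = list(pool), ports, timeout
        self.by_private = {}  # (src_ip, src_port) -> (pub_ip, pub_port)
        self.by_public = {}   # (pub_ip, pub_port) -> (src_ip, src_port)
        self.expiry = {}      # (pub_ip, pub_port) -> time at which the entry is cleared
    def expire(self, now):
        # Clear session entries whose idle timer has run out.
        for key in [k for k, t in self.expiry.items() if t <= now]:
            del self.by_private[self.by_public.pop(key)]
            del self.expiry[key]
    def _allocate(self):
        # First free port on the first pool IP; spill over to the next IP when one is exhausted.
        for pub_ip in self.pool:
            for pub_port in self.ports:
                if (pub_ip, pub_port) not in self.by_public:
                    return pub_ip, pub_port
        raise RuntimeError("every port on every public IP is in use")
    def translate_out(self, pkt, now):
        # LAN -> WAN: rewrite the source to a public ip:port and record the session.
        self.expire(now)
        src_ip, src_port, dst_ip, dst_port = pkt
        if not is_private(src_ip):
            return pkt                       # not an intranet source: forward untouched
        pub = self.by_private.get((src_ip, src_port))
        if pub is None:
            pub = self._allocate()
            self.by_private[(src_ip, src_port)] = pub
            self.by_public[pub] = (src_ip, src_port)
        self.expiry[pub] = now + self.timeout  # (re)start the session timer
        return (pub[0], pub[1], dst_ip, dst_port)
    def translate_in(self, pkt, now):
        # WAN -> LAN: deliver a reply only when a session entry matches, otherwise drop it.
        self.expire(now)
        src_ip, src_port, pub_ip, pub_port = pkt
        private = self.by_public.get((pub_ip, pub_port))
        if private is None:
            return None                      # unsolicited packet: the intranet stays hidden
        self.expiry[(pub_ip, pub_port)] = now + self.timeout
        return (src_ip, src_port, private[0], private[1])
```

The two-port range used in the test below is only there to make the spill-over to a second public IP visible; a real gateway would use the full ephemeral range.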
For static NAT, source translation is not the point, because a one-to-one mapping cannot solve Internet access for the internal terminals; it is mainly used for destination mapping or destination port mapping. Below we briefly describe destination NAT and destination port NAT.

2. NAT destination translation and destination port NAT: Destination NAT is better suited to companies or enterprises that provide services to the outside. Static NAT can map the multiple services a company provides, offering intranet services to Internet users through destination mapping; if there are not many IP addresses, ports can be used to distinguish the services. When Internet users access the public IP service we provide, we convert the public IP into the IP of the intranet server that actually provides the service. This is destination NAT, which is of course divided into destination NAT and destination port NAT. For example:
124.17.26.252:50005 ------Access-------> public IP 36.78.12.3:80
We convert public IP 36.78.12.3:80 to intranet IP 192.168.20.100:80, so the IP that actually provides the service is that of the intranet machine.

Why use destination port NAT instead of destination NAT?
Reason 1: Reduce the attack surface; hide and protect the intranet. The security of opening 10 ports is different from that of opening 100. If you do plain destination NAT, then the IP address 36.78.12.3 is effectively the server address 192.168.20.100, and I won't tell you how many unpatched vulnerabilities your server's operating system has, haha!
Reason 2: Improve the utilization of external IPs. For example, if you make the destination NAT mapping 36.78.12.3 ---------------> 192.168.10.100, then when an Internet user visits 36.78.12.3 it is equivalent to visiting the intranet server 192.168.10.100. Moreover, the operating system has so many vulnerabilities.
Once someone scans it, many ports are exposed, and then the system version, middleware version, database version and so on are detected. Of course, some people may say you can do access control on the firewall, but that increases the workload and the burden on the firewall. Therefore, destination port NAT is a safe and simple method that saves trouble and worry. Moreover, when the operator allocates few IP addresses and your intranet publishes many services to the outside, you can use the unused ports of a single public IP to map the services that do not yet have a mapping, as shown below. And so on. However, for the sake of service security, it is recommended to separate services as much as possible, because the failure of one service may affect the others, so spreading services out is the better approach.

3. Bidirectional NAT
The schematic diagram is as follows:
Client 1: A 202.1.1.2 --------------------> B server 1.1.1.1
Converted to: C 172.16.1.100 ---------------> D server 172.16.1.2
This two-way conversion replaces both the source IP and the destination IP.
Source 202.1.1.2 -------------Access---------> Destination 1.1.1.1
Converted to
Source 172.16.1.100 -------Access---------> Destination 172.16.1.2
On the surface A accesses B, but in fact C accesses D. The service provider hides the internal network and only exposes 1.1.1.1 to the outside. Some people may ask why we need to convert the source address when we could just do destination NAT. I think it may be because the internal network has high confidentiality requirements, or because the internal application service does not allow arbitrary access but only allows 172.16.1.100 (the converted source address) to reach it. (This feels a bit like a VPN, jumping from the outside into the intranet to access the internal server.)
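An added example (my code, not the article's) that models the static rules from the destination port NAT section and the bidirectional NAT section above: a rule table that publishes 36.78.12.3:80 as 192.168.20.100:80, a constructed second service on port 8080, and a bidirectional rule that turns 202.1.1.2 -> 1.1.1.1 into 172.16.1.100 -> 172.16.1.2. A session record lets the reply path restore the public address, and published_ports shows the attack-surface difference between a port rule and a whole-IP rule. The class and method names are assumptions.

```python
class StaticNat:
    """Static destination NAT / destination port NAT with an optional source rewrite
    (bidirectional NAT). Packets are (src_ip, src_port, dst_ip, dst_port); None = dropped."""

    def __init__(self):
        self.rules = {}     # (public_ip, public_port|None) -> (server_ip, server_port|None, new_src|None)
        self.sessions = {}  # (server_ip, server_port, seen_client_ip, client_port) -> (public_ip, public_port, real_client_ip)

    def add_rule(self, public_ip, public_port, server_ip, server_port, new_src_ip=None):
        # public_port=None publishes every port of public_ip (plain destination NAT);
        # new_src_ip makes the rule bidirectional, hiding the real client from the server.
        self.rules[(public_ip, public_port)] = (server_ip, server_port, new_src_ip)

    def published_ports(self, public_ip):
        # Attack-surface check: which ports of this public IP reach the intranet at all.
        ports = [p for (ip, p) in self.rules if ip == public_ip]
        return "all" if None in ports else sorted(ports)

    def inbound(self, pkt):
        # Internet -> intranet: rewrite the destination, and the source too for bidirectional rules.
        src_ip, src_port, dst_ip, dst_port = pkt
        rule = self.rules.get((dst_ip, dst_port)) or self.rules.get((dst_ip, None))
        if rule is None:
            return None                              # unpublished port or IP: dropped
        server_ip, server_port, new_src_ip = rule
        new = (new_src_ip or src_ip, src_port, server_ip, server_port or dst_port)
        # Remember how to undo the rewrite when the server replies.
        self.sessions[(new[2], new[3], new[0], new[1])] = (dst_ip, dst_port, src_ip)
        return new

    def outbound(self, pkt):
        # Intranet -> Internet reply: restore the public ip:port as source and the real client as destination.
        sess = self.sessions.get(pkt)
        if sess is None:
            return None                              # no matching session: dropped
        public_ip, public_port, client_ip = sess
        return (public_ip, public_port, client_ip, pkt[3])
```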
4. Summary: It is undeniable that NAT has played a role in relieving the shortage of IPv4 address resources, and it has brought many benefits by reducing the cost for users of applying for ISP services and by providing relatively complete load balancing functions. However, IPv4 addresses will be exhausted within the next few years, and NAT cannot change the fundamental lack of IP address space. NAT also carries potential threats in its security mechanisms and is a challenge in configuration and management. To fundamentally solve the problem of IP address resources, IPv6 is the most fundamental way. During the transition from IPv4 to IPv6, NAT is indeed a good choice, and its advantages over other solutions are obvious.