What is NAT and why do we need it?
Network Address Translation, or NAT, is a mechanism that translates IP addresses from one address space to another. Typically, a router performs NAT between public and private IP networks; it can also translate between IPv4 and IPv6 addresses.
While NAT was originally invented to alleviate certain network management tasks, these days NAT is most commonly used to conserve IP addresses.
In short, when the Internet Protocol was being designed, engineers needed a way to identify different devices. They used 32-bit long IP addresses, or IPv4 addresses, to accomplish this. IP addresses are written as a sequence of four byte values, such as 1.2.3.4. This system allows up to $2^{32}$, or roughly 4 billion, different addresses.
However, this became a problem once the Internet was adopted into mainstream use. 32-bit long addresses can only support about 4 billion devices. These days, there are approximately 5.3 billion internet users, and many of them have multiple devices. IPv4 is no longer sufficient, so we use IPv6, which uses 128-bit addresses.
NAT helps to translate between addresses in a private network and addresses on a public network.
Since the translation is usually done between public and private networks, let’s first see what these networks are.
A private network is a network that uses private IP addresses. There are three classes, or ranges, of private IP addresses:
- 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
These addresses can only be used for local area networks (LANs) in residential, office, and enterprise environments. Since a LAN has far fewer devices than the public internet, a private range doesn't need to be nearly as large.
Public IP addresses are reachable by devices outside of a local area network, such as those on the public internet. While IPv4 was originally used for most public addresses, many devices now use IPv6 instead. IPv4, as mentioned earlier, uses 32-bit long IP addresses. IPv6 uses 128-bit long addresses written in hexadecimal, so they are longer and use both numbers and letters.
No one at bunny.net can see the future, so we can’t say for sure that we’ll never run out of IPv6 addresses, but it expands the pool of available IP addresses significantly and allows more devices to have unique addresses.
A small office or home network has a few devices that talk to each other over the private network. When these devices access the public internet, they go through a router, which acts as a network address translation device.
In the image example, we have four computers on the private network: Router, Alice, Bob and Charlie, whose IPs are 192.168.0.1, 192.168.0.2, 192.168.0.3 and 192.168.0.4 respectively. The server, bunny.net, resides on the public internet and its IP is 195.206.229.106.
Router is connected to both networks and has a public IP 1.2.3.4 and a private IP 192.168.0.1.
If the router is configured to perform network address translation, then Alice, Bob and Charlie can communicate with the computers on the public Internet, such as the server bunny.net.
In this scenario, we are able to connect four computers, Alice, Bob, Charlie, and Router, to the Internet.
How does it work and how many public IP addresses do we need? It depends on the type of NAT. Next, we’ll take a look at some common examples.
In the example above, we use a single public IP address to provide connectivity to the public Internet for multiple devices on the private network. This is called one-to-many NAT.
Here Router translates the addresses by manipulating both the IP addresses and port numbers. Another name for this translation is Port Address Network Translation (PNAT).
Consider that Alice wishes to access the web page on the public Internet at http://bunny.net. She creates an HTTP request, wraps it inside a TCP segment, and sends it as an IP packet to the public IP address of bunny.net at 195.206.229.106.
Each IP packet contains two IP addresses and two port numbers: the source and destination IP address, and the source and the destination port number.
The source IP address and the source port number identify the sender. In this case, the source IP is set to 192.168.0.2, while the TCP source port is set to some random value, let's say 9000 to be concrete.
The destination IP address denotes the IP of the recipient. In this case, it denotes the IP of the bunny.net HTTP server at 195.206.229.106. Since HTTP is used, the destination port number is set to 80.
When the packet arrives at Router, the private address needs to be translated into the public one. So Router changes the source IP address of Alice from 192.168.0.2 to Router's public IP address 1.2.3.4. Router also changes the source TCP port number to a port that is still free on its public side, since many private hosts may share the same public address. For concreteness, let's say the new source port is 10000.
This information is then written to a NAT table, like this:

| Private IP  | Private port | Public IP | Public Port |
|-------------|--------------|-----------|-------------|
| ...         | ...          | ...       | ...         |
| 192.168.0.2 | 9000         | 1.2.3.4   | 10000       |
| ...         | ...          | ...       | ...         |
The modified IP packet is then sent to the bunny.net HTTP server.
When the server receives the packet, it sends back a reply: an IP packet that carries a TCP segment that wraps an HTTP response.
In this packet, the source IP address is set to the public IP address of bunny.net, that is 195.206.229.106, and the source TCP port is set to 80. The destination IP address is Router's public IP address 1.2.3.4 and the destination TCP port is 10000, the port Router allocated for Alice's connection. Compared to the initial request, the source and the destination information are now swapped.
When the response arrives at Router, the translation needs to be reversed: Router looks up port 10000 in its NAT table, changes the destination IP address from 1.2.3.4 to Alice's private IP address 192.168.0.2, and changes the destination port from 10000 back to 9000.
Once the packet has been modified, it can be delivered to Alice.
With PNAT, multiple computers on the private network can communicate with computers on the public one.
However, computers on the private network need to initiate the connection, because a NAT table entry is only created when an outbound packet passes through Router. This approach will not work if a computer on the public network tries to initiate communication with a computer on the private network: no entry exists, so Router has no way to know which private host the packet is for.
Today, NAT is the best way to conserve IP addresses. However, it also breaks a fundamental principle of the internet: the end-to-end connectivity principle, which is the idea that every computer connected to the internet should be directly addressable and reachable.
Some protocols don't work with PNAT because they rely on end-to-end connectivity. Others, such as the IPsec Authentication Header (AH) protocol, don't work if a NAT sits between the peers, since their integrity check relies on the IP addresses staying the same.
Another less common variant is one-to-one network address translation.
The idea behind this approach is for Router to obtain multiple public IP addresses and assign them to some of the computers on the private network for their exclusive use. So, for instance, Router obtains and assigns addresses 1.2.3.4, 1.2.3.5, 1.2.3.6, and 1.2.3.7.
Now when Alice connects to the public Internet, Router swaps her private IP address for the public address 1.2.3.5.
One-to-one NAT can connect two IP networks that have incompatible addressing and doesn’t involve port numbers. However, it doesn’t conserve IP addresses and isn’t as commonly used.
However, because the NAT table is configured in advance rather than built from outbound traffic, one-to-one NAT lets devices on the public internet directly address and reach devices on the private network, something that is impossible with PNAT.
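The following is an added simulation, not code from bunny.net, of the two translation modes described above: a PNAT router that builds its table from Alice's outbound packet, reverses the mapping for the reply and drops unsolicited inbound packets, and a one-to-one router with a static table that lets inbound connections through. The Packet type, the port allocation order starting at 10000, and the packet values are constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Minimal IP+TCP header view: only the fields NAT rewrites (constructed for this example).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True if ip lies in one of the three private address ranges."""
    return any(ip_address(ip) in net for net in PRIVATE_RANGES)

class PnatRouter:
    """One-to-many NAT: one public IP, a distinct public port per inside (ip, port) flow."""
    def __init__(self, public_ip, first_port=10000):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}    # (private_ip, private_port) -> public_port
        self.reverse = {}  # public_port -> (private_ip, private_port)

    def outbound(self, pkt):
        """Rewrite source ip/port of a packet leaving the LAN; create the table entry on first use."""
        if not is_private(pkt.src_ip):
            raise ValueError("only packets from private addresses are translated")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:          # first packet of this flow: allocate a free public port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return pkt._replace(src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt):
        """Reverse the mapping for a reply; with no table entry the packet is dropped (None)."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.reverse:
            return None
        priv_ip, priv_port = self.reverse[pkt.dst_port]
        return pkt._replace(dst_ip=priv_ip, dst_port=priv_port)

class OneToOneRouter:
    """One-to-one NAT: static private->public IP table set in advance; ports are untouched."""
    def __init__(self, mapping):  # mapping = {private_ip: public_ip}
        self.out_map = dict(mapping)
        self.in_map = {pub: priv for priv, pub in mapping.items()}
        if len(self.in_map) != len(self.out_map):
            raise ValueError("each public IP may be assigned to exactly one private host")

    def outbound(self, pkt):
        pub = self.out_map.get(pkt.src_ip)
        return None if pub is None else pkt._replace(src_ip=pub)

    def inbound(self, pkt):
        """No prior outbound packet is needed: the static entry already says who owns dst_ip."""
        priv = self.in_map.get(pkt.dst_ip)
        return None if priv is None else pkt._replace(dst_ip=priv)
```

Running Alice's request and the server's reply through PnatRouter reproduces the table row above, while a second private host using source port 9000 gets its own public port, which is exactly why port translation is needed.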
IP address: A unique location on the internet represented by an alphanumeric address. The two current standards are IPv4 and IPv6.
NAT: Network Address Translation. A method of connecting IP networks with incompatible addresses.