Read: Class 06 Network Address Translation - VascoLucas01/networking-reading-notes GitHub Wiki

Introduction

As we already know, every IP-capable device needs an IP address. With the proliferation of small office, home office (SOHO) subnets, this would seem to imply that whenever a SOHO wants to install a LAN to connect multiple machines, a range of addresses would need to be allocated by the ISP to cover all the SOHO's IP devices (including phones, tablets, gaming devices, IP TVs, printers and more). If the subnet grew bigger, a larger block of addresses would have to be allocated. But what if the ISP had already allocated the contiguous portions of the SOHO network's current address range? And what typical homeowner wants to know how to manage IP addresses in the first place? Fortunately, there is a simpler approach to address allocation that has found increasingly widespread use in such scenarios: Network Address Translation (NAT) [RFC 2663; RFC 3022].

How does NAT work?

[Figure: operation of a NAT-enabled home router]

The figure above shows the operation of a NAT-enabled router. The NAT-enabled router, residing in the home, has an interface that is part of the home network on the right of that figure. Addressing within the home network is exactly as we have seen above: all four interfaces in the home network have the same subnet address, 10.0.0.0/24. The address space 10.0.0.0/8 is one of the three portions of the IP address space that is reserved in [RFC 1918] for a private network or a realm with private addresses, such as the home network. A realm with private addresses refers to a network whose addresses only have meaning to devices within that network. To see why this is important, consider the fact that there are hundreds of thousands of home networks, many using the same address space, 10.0.0.0/24. Devices within a given home network can send packets to each other using 10.0.0.0/24 addressing. However, packets forwarded beyond the home network into the larger global Internet clearly cannot use these addresses, because there are hundreds of thousands of networks using this block of addresses. That is, the 10.0.0.0/24 addresses can only have meaning within the given home network.

This is where NAT comes in.

The NAT-enabled router does not look like a router to the outside world. Instead, the NAT router behaves to the outside world as a single device with a single IP address. In the figure above, all traffic leaving the home router for the larger Internet has a source IP address of 138.76.29.7, and all the traffic entering the home router must have a destination address of 138.76.29.7. In essence, the NAT-enabled router is hiding the details of the home network from the outside world.

If all the datagrams arriving at the NAT router from the WAN have the same destination IP address, then how does the router know the internal host to which it should forward a given datagram? The trick is to use a NAT translation table at the NAT router, and to include port numbers as well as IP addresses in the table entries.

Look at the figure above again. Suppose a user sitting in the home network behind host 10.0.0.1 requests a Web page on some Web server (port 80) with IP address 128.119.40.186. The host 10.0.0.1 assigns the (arbitrary) source port number 3345 and sends the datagram into the LAN. The NAT router receives the datagram, generates a new source port number 5001 for the datagram, replaces the source IP address with its WAN-side IP address 138.76.29.7, and replaces the original source port number 3345 with the new source port number 5001. When generating a new source port number, the NAT router can select any source port number that is not currently in the NAT translation table. The Web server, blissfully unaware that the arriving datagram containing the HTTP request has been manipulated by the NAT router, responds with a datagram whose destination address is the IP address of the NAT router, and whose destination port number is 5001. When this datagram arrives at the NAT router, the router indexes the NAT translation table using the destination IP address and the destination port number to obtain the appropriate IP address (10.0.0.1) and destination port number (3345) for the browser in the home network. The router then rewrites the datagram's destination address and destination port number, and forwards the datagram into the home network.
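As an added example (not code from the wiki or from the textbook), the following Python model walks the translation table through exactly the exchange described above, using the same addresses and ports; the small port pool is a hypothetical choice so that the "no free port, packet dropped" case can also be shown.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Values from the walk-through: inside host 10.0.0.1:3345, NAT WAN address 138.76.29.7,
# Web server 128.119.40.186:80 (constructed sample, not captured traffic).
WAN_IP = "138.76.29.7"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """NAT overload (PAT): many inside sockets share one WAN address, told apart by port."""

    def __init__(self, wan_ip: str, port_range: range = range(5001, 5005)):
        self.wan_ip = wan_ip
        self.port_range = port_range  # hypothetical tiny pool so exhaustion is easy to show
        # NAT translation table: WAN side (ip, port) -> LAN side (ip, port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _free_port(self) -> Optional[int]:
        """Pick any port not currently in the translation table; None if all are taken."""
        used = {port for (_, port) in self.table}
        return next((p for p in self.port_range if p not in used), None)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN: rewrite source ip/port and record the mapping; None means dropped."""
        for (wan_ip, wan_port), lan in self.table.items():
            if lan == (pkt.src_ip, pkt.src_port):      # existing mapping is reused
                return Packet(wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)
        port = self._free_port()
        if port is None:
            return None                                # no free port: packet is dropped
        self.table[(self.wan_ip, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: index the table by destination ip/port; unknown pairs are dropped."""
        lan = self.table.get((pkt.dst_ip, pkt.dst_port))
        if lan is None:
            return None                                # unsolicited inbound traffic has no entry
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1])
```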

Let's now see and understand the difference between different types of IP addresses based on the figure below.

[Figure: NAT inside/outside local and global addresses]

NAT inside and outside addresses - Inside refers to the addresses which must be translated. Outside refers to the addresses which are not in control of an organization.

Inside local address - An IP address that is assigned to a host on the inside (local) network. The address is probably not an IP address assigned by the service provider, i.e., these are private IP addresses. This is the inside host as seen from the inside network.

Inside global address - IP address that represents one or more inside local IP addresses to the outside world. This is the inside host as seen from the outside network.

Outside local address - This is the actual IP address of the destination host in the local network after translation.

Outside global address - This is the outside host as seen from the outside network. It is the IP address of the outside destination host before translation.

NAT Types

Static NAT

In this, a single unregistered (private) IP address is mapped to a legally registered (public) IP address, i.e., a one-to-one mapping between local and global addresses. This is generally used for Web hosting. It is not used for general client access in organizations, as there are many devices that need Internet access and each would require its own public IP address.

Dynamic NAT

In this type of NAT, an unregistered IP address is translated into a registered (public) IP address from a pool of public addresses. If no address in the pool is free, the packet is dropped, as only a fixed number of private IP addresses can be translated to public addresses at a time.

Port Address Translation (PAT)

This is also known as NAT overload. In this, many local (private) IP addresses can be translated to a single registered IP address. Port numbers are used to distinguish the traffic i.e., which traffic belongs to which IP address.

IPv6

In the early 1990s, the Internet Engineering Task Force began an effort to develop a successor to the IPv4 protocol. A prime motivation for this effort was the realization that the 32-bit IPv4 address space was beginning to be used up, with new subnets and IP nodes being attached to the Internet (and being allocated unique IP addresses) at a breathtaking rate. To respond to this need for a large IP address space, a new IP protocol, IPv6, was developed.

IPv6 Datagram Format

The most important changes introduced in IPv6 are evident in the datagram format:

  • Expanded addressing capabilities. IPv6 increases the size of the IP address from 32 to 128 bits. In addition to unicast and multicast addresses, IPv6 has introduced a new type of address, called an anycast address, that allows a datagram to be delivered to any one of a group of hosts.
  • A streamlined 40-byte header. The resulting 40-byte fixed-length header allows for faster processing of the IP datagram by the router.
  • Flow labeling. IPv6 has an elusive definition of a flow. RFC 2460 states that this allows "labeling of packets belonging to particular flows for which the sender requests special handling, such as a non-default quality of service or real-time service".

[Figure: IPv6 datagram format]

From the figure above:

  • Version. IPv6 carries a value of 6 in this field.
  • Traffic class. The 8-bit traffic class field, like the TOS field in IPv4, can be used to give priority to certain datagrams within a flow, or it can be used to give priority to datagrams from certain applications over datagrams from other applications.
  • Flow label. This 20-bit field is used to identify a flow of datagrams.
  • Payload length. This 16-bit value is treated as an unsigned integer giving the number of bytes in the IPv6 datagram following the fixed-length, 40-byte datagram header.
  • Next header. This field identifies the protocol to which the contents (data field) of this datagram will be delivered (for example, to TCP or UDP). The field uses the same values as the protocol field in the IPv4 header.
  • Hop limit. The contents of this field are decremented by one by each router that forwards the datagram.
  • Source and destination address. The various formats of the IPv6 128-bit address are described in RFC 4291.
  • Data. This is the payload portion of the IPv6 datagram. When the datagram reaches its destination, the payload will be removed from the IP datagram and passed on to the protocol specified in the next header field.

Besides that, we notice that several fields appearing in the IPv4 datagram are no longer present in the IPv6 datagram:

  • Fragmentation/reassembly. IPv6 does not allow for fragmentation and reassembly at intermediate routers. If an IPv6 datagram received by a router is too large to be forwarded over the outgoing link, the router simply drops the datagram and sends a "Packet Too Big" ICMP error message back to the sender. Fragmentation and reassembly is a time-consuming operation; removing this functionality from the routers and placing it squarely in the end systems considerably speeds up IP forwarding within the network.
  • Header checksum. Because the transport-layer (for example, TCP and UDP) and link-layer (for example, Ethernet) protocols in the Internet layers perform checksumming, the designers of IP probably felt that this functionality was sufficiently redundant in the network layer that it could be removed.
  • Options. An options field is no longer a part of the standard IP header. However, it has not gone away. Instead, the options field is one of the possible next headers pointed to from within the IPv6 header. That is, just as TCP or UDP protocol headers can be the next header within an IP packet, so too can an options field. The removal of the options field results in a fixed-length, 40-byte IP header.
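To make the two lists above concrete, here is an added Python example (not from the wiki or the textbook) that decodes the 40-byte fixed header field by field and then follows the Next header chain through a Hop-by-Hop Options extension header to the upper-layer protocol, showing how options live outside the fixed header. The sample packet is constructed inline, not a capture; the extension header types listed in EXT_HEADERS are assumed to share the standard (next header, header extension length) layout.

```python
import struct
from ipaddress import IPv6Address

# Extension headers that share the (next header, hdr ext len in 8-octet units) layout.
EXT_HEADERS = {0: "hop-by-hop options", 43: "routing", 44: "fragment", 60: "destination options"}
FIXED_LEN = 40  # the streamlined IPv6 header has no options and no checksum field


def build_sample() -> bytes:
    """Constructed sample (not a capture): fixed header + Hop-by-Hop Options + a bare UDP header."""
    vtf = (6 << 28) | (0x10 << 20) | 0xABCDE          # version 6, traffic class 0x10, flow label
    hop_by_hop = bytes([17, 0, 1, 4, 0, 0, 0, 0])       # next header 17 (UDP), ext len 0 -> 8 bytes, PadN
    udp = struct.pack("!HHHH", 3345, 53, 8, 0)          # src port, dst port, length, checksum
    payload = hop_by_hop + udp
    return struct.pack("!IHBB16s16s", vtf, len(payload), 0, 64,
                       IPv6Address("2001:db8::1").packed, IPv6Address("2001:db8::2").packed) + payload


def parse_ipv6(pkt: bytes) -> dict:
    """Decode the 40-byte fixed header and walk the Next header chain to the upper-layer protocol."""
    if len(pkt) < FIXED_LEN:
        raise ValueError("short packet: IPv6 fixed header is 40 bytes")
    vtf, plen, nxt, hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:FIXED_LEN])
    if vtf >> 28 != 6:
        raise ValueError("version field is not 6")
    if len(pkt) - FIXED_LEN < plen:
        raise ValueError("truncated: payload length exceeds bytes present")
    hdr = {
        "traffic_class": (vtf >> 20) & 0xFF,
        "flow_label": vtf & 0xFFFFF,
        "payload_length": plen,
        "hop_limit": hlim,
        "src": str(IPv6Address(src)),
        "dst": str(IPv6Address(dst)),
        "extension_headers": [],
    }
    off = FIXED_LEN
    while nxt in EXT_HEADERS:                           # an options header is just another next header
        if off + 2 > FIXED_LEN + plen:
            raise ValueError("extension header runs past payload")
        ext_len = (pkt[off + 1] + 1) * 8                # Hdr Ext Len excludes the first 8 octets
        hdr["extension_headers"].append((EXT_HEADERS[nxt], ext_len))
        nxt, off = pkt[off], off + ext_len
    hdr["upper_protocol"] = nxt                         # same numbering as the IPv4 protocol field
    hdr["upper_offset"] = off
    return hdr
```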

Questions

  • What is the main purpose for implementing NAT on a network?

Network Address Translation (NAT) is implemented on a network primarily to conserve IP addresses and enable devices on a private network to communicate with devices on the public internet.

NAT allows multiple devices on a private network to share a single public IP address, which is assigned to the router or gateway that connects the private network to the internet. This enables organizations to use private IP address ranges (such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) for their internal networks, which helps conserve public IP addresses.

When a device on the private network sends a request to a device on the internet, NAT translates the private IP address of the sending device to the public IP address of the router or gateway, and vice versa for incoming traffic. This allows the device on the private network to communicate with devices on the internet without exposing its private IP address to the public network.

In addition to address conservation, NAT also provides some level of security by hiding the internal IP addresses of devices on the private network from the public internet, making it harder for attackers to target specific devices.

  • At what layer of the OSI model does NAT happen?

Network Address Translation (NAT) operates at the Network layer (Layer 3) of the OSI model.

Specifically, NAT is a function that occurs on a router or gateway that connects a private network to the public internet. As data packets leave the private network and traverse the router, the router modifies the source IP address of the packets to its own public IP address.

  • What happens to packets when NAT runs out of addresses in the pool of available IPs?

When Network Address Translation (NAT) runs out of addresses in the pool of available IP addresses, it can no longer assign unique IP addresses to devices on the private network that need to communicate with the public internet.

In this scenario, the NAT device may either drop the packets or use one of several techniques to deal with the shortage of IP addresses.

  • What disadvantage does using NAT pose for routers?

Increased processing load: NAT requires the router to modify the IP addresses and port numbers in the headers of data packets as they pass through the router, which can increase the processing load on the router. This can result in slower performance and increased latency, particularly on busy networks with a large number of devices.

REFERENCES

1 - Kurose, J. F., & Ross, K. W. Computer Networking: A Top-Down Approach, 7th edition.

2 - https://www.geeksforgeeks.org/network-address-translation-nat/