“Network Address Translation”

The following reading report is on the article “Network Address Translation”, written by Steve Steinke on April 4, 2003 and published in the April issue of Network Magazine. The article discusses how Network Address Translation (NAT) operates and the advantages and disadvantages of its use.

NAT was developed as a short-term solution to the limited address space of IPv4. In order to reduce the number of IPv4 addresses being consumed, certain blocks of addresses were designated as reusable. The reusable blocks are 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255. These blocks are referred to as RFC 1918 addresses. They are private addresses and cannot be registered to users. NAT enables individuals to create several separate private address realms rather than having a single address realm for the entire Internet. NAT devices filter packets with private addresses in the source and destination fields from the Internet.

A NAT router maps internal private addresses to a unique public IP address for outbound communications. Using NAPT (Network Address Port Translation), each public IP address can be mapped to thousands of private IP addresses. There are 2^16, or 65,536, ports for TCP and for UDP, and the NAT router can map each private address to particular ports on the public-facing IP address.

NAT succeeds at reducing the number of IPv4 addresses that are used, and it also simplifies the architecture of internal networks. However, there are some disadvantages to using NATs. One disadvantage is that some applications store the destination IP address in the packet payload (e.g. FTP). Some NAPT devices can compensate for certain of these applications, but there is no generic solution for all applications that operate in this manner. The biggest disadvantage of NATs is that they cannot operate effectively with IPSec.
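To make the NAPT mapping and the payload problem above concrete, here is an added toy model (not code from the article or the report): a NAPT with one public address rewrites private (address, port) pairs to distinct public ports, reverses the mapping for replies, and drops unsolicited inbound traffic, while an FTP-style PORT command left in the payload still names the private address. The public and server addresses, the starting port, and the packet layout are constructed for the example.

```python
import ipaddress
import re
from collections import namedtuple

# The three RFC 1918 blocks the report lists.
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in blk for blk in PRIVATE_BLOCKS)

# Header fields a NAPT rewrites plus the payload it normally leaves untouched.
Packet = namedtuple("Packet", "src sport dst dport payload")

class Napt:
    """Toy NAPT: one public IP; each private (addr, port) gets its own public port."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}   # (private ip, private port) -> public port
        self.back = {}  # public port -> (private ip, private port)

    def outbound(self, pkt):
        if not is_rfc1918(pkt.src):
            return pkt                      # already routable, nothing to do
        key = (pkt.src, pkt.sport)
        if key not in self.out:
            if self.next_port > 65535:      # 2**16 ports is the hard ceiling
                raise RuntimeError("public port space exhausted")
            self.out[key], self.back[self.next_port] = self.next_port, key
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        """Reverse the mapping; traffic with no mapping is dropped (None)."""
        key = self.back.get(pkt.dport)
        if pkt.dst != self.public_ip or key is None:
            return None
        return Packet(pkt.src, pkt.sport, key[0], key[1], pkt.payload)

PORT_CMD = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def leaked_private_endpoint(pkt):
    """Decode an FTP PORT command (h1,h2,h3,h4,p1,p2) in the payload and return
    the (ip, port) it names if that ip is still private, i.e. NAPT did not fix it."""
    m = PORT_CMD.match(pkt.payload)
    if not m:
        return None
    ip, port = ".".join(m.groups()[:4]), int(m.group(5)) * 256 + int(m.group(6))
    return (ip, port) if is_rfc1918(ip) else None
```

After translation the header shows the public address and port, but `leaked_private_endpoint` still finds 10.0.0.5:40000 in the payload, which is exactly what a remote FTP server would try and fail to reach without an application-aware NAPT.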
IPSec encrypts traffic between two endpoints and authenticates the two endpoints. In Authentication Header mode, IPSec verifies the IP header fields, including the destination IP address. If a NAT device has changed the destination IP address, the packet will be dropped by IPSec in Authentication Header mode. A group at the IETF is working on defining NAT Traversal (NAT-T). If two endpoints support NAT-T, the protocol will allow the endpoints to determine whether the IP address has changed along the path. NAT-T will solve some of the problems with IPSec, but it will not solve the problem for applications that include the IP address in their payload.

Based on this article, I feel that the biggest issue with NATs is their inability to operate with IPSec; however, since it appears that this problem will be resolved in the near future, I feel that NATs are a good interim solution until IPv6 is widely accepted.