Network Address Translation

“Network Address Translation”
The following reading report is on the article “Network Address Translation”
written by Steve Steinke on April 4, 2003 and published in the April issue of Network
Magazine.
The article discusses how Network Address Translation operates and the
advantages and disadvantages of its use. NAT was developed as a short-term solution to
the limited address space of IPv4. In order to reduce the number of IPv4 addresses being
used, certain blocks of addresses were designated as reusable. The reusable blocks of
addresses are 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and
192.168.0.0 through 192.168.255.255. These address blocks are referred to as RFC 1918
addresses. These blocks of addresses are private addresses and cannot be registered to
users. NAT enables individuals to create several separate private address realms rather
than having a single address realm for the entire Internet. NAT devices filter packets
with private addresses in the source and destination fields from the Internet. A NAT
router maps internal private addresses to a unique public IP address for outbound
communications. Using NAPT (Network Address Port Translation), each public IP
address can be mapped to thousands of private IP addresses. There are 2^16, or 65,536,
ports for TCP and UDP, and the NAT router can map each private address to a particular
port on the public-facing IP address.
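As an added illustration of the NAPT mapping described above (example code written for this report, not from the article), the following simulates a translator that assigns each outbound private flow its own port on one public IP, rewrites replies back to the private host, and drops inbound traffic with no mapping. All addresses and port numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 blocks named in the article.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Many private hosts share one public IP; each flow gets its own public port."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port      # next unused port on the public side
        self.out = {}    # (private ip, private port) -> public port
        self.back = {}   # public port -> (private ip, private port)

    def outbound(self, pkt: Packet):
        # Only packets leaving the private realm for the Internet are translated;
        # a packet addressed to another private address is not sent out at all.
        if not is_private(pkt.src_ip) or is_private(pkt.dst_ip):
            return None
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:            # first packet of this flow: allocate a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = port
            self.back[port] = key
        return Packet(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        # A reply to a known public port is rewritten to the private host; anything
        # else has no mapping and is dropped (the filtering effect noted above).
        key = self.back.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])
```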
NAT succeeds at reducing the number of IPv4 addresses that are used and it also
simplifies the architecture of internal networks. However, there are some disadvantages
to using NATs. One of the disadvantages of NATs is that some applications store the
destination IP address in the packet payload (FTP, for example). Some NAPT devices can
compensate for some of these types of applications, but there is not a generic solution for
all applications that operate in this manner. The biggest disadvantage of NATs is that
they cannot operate effectively with IPSec. IPSec encrypts traffic between two endpoints
and authenticates those endpoints. In Authentication Header mode, IPSec verifies the IP
header fields, including the destination IP address. If a NAT device has changed the
destination IP address, the packet will be dropped by IPSec in Authentication Header
mode.
A group at the IETF is working on defining NAT Traversal (NAT-T). If two
endpoints support NAT-T, the protocol will allow the endpoints to determine whether the IP
address has changed along the path. NAT-T will solve some of the problems of IPSec,
but it will not solve the problem for applications that include the IP address in their
payload.
Based on this article, I feel that the biggest issue with NATs is their inability to
operate with IPSec; however, since it appears that this problem will be resolved in the
near future, I feel that NATs are a good interim solution until IPv6 is widely accepted.