Do you know the NAT you use every day?

Overview

The full name of NAT is "Network Address Translation". It is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet behind a single public IP (Internet Protocol) address. As the name suggests, it is a technique that translates an internal, private network IP address into a legitimate, publicly routable IP address. NAT lets internal networks that use private addresses connect to the Internet or to other IP networks, and the process is transparent to users. When the NAT router forwards a packet from the internal network to the public network, it rewrites the private address in the IP header to a legitimate public address. NAT therefore goes some way towards solving the shortage of public network addresses.

Related concepts

  • Four types of network addresses in NAT

Inside Local: The IP address used by the device in the intranet.

Inside Global: For the external network, the IP address of the host inside the LAN.

Outside Local: The real address of the external network host.

Outside Global: As seen from the internal network, the IP address of the external network host. The real address used by the external network equipment.

Local and global are relative to the side of the NAT device an address is seen from: a local address is routable on the inside, and a global address is routable on the outside.

  • Public IP address

A public IP address is also called a global address. It is a legitimate IP address assigned by a NIC (Network Information Center) or an ISP (Internet Service Provider). To the outside it represents one or more internal local addresses, and it is globally unique and addressable.

  • Private IP address

Private IP addresses are also called internal addresses. They are unregistered addresses reserved exclusively for internal use by organizations. The Internet Assigned Numbers Authority (IANA) reserves three IP address blocks as private addresses:

Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

The three private ranges are routable in themselves, but routers on the public Internet will not forward traffic to or from them. When a company uses these private addresses internally and an internal computer communicates with the external network, the company's border router uses NAT or PAT to translate the internal private address into an external IP address; the source address seen from outside is the public IP address substituted by the border router. In a sense this also improves the security of the internal network's addresses, since they are never seen on the Internet.

Basic NAT is a method of mapping one group of IP addresses to another group of IP addresses. The mapping is performed on the IP relay device (the NAT router) and is completely transparent to users. NAPT is more complex: it maps many (though not unlimited) IP addresses, together with their TCP/UDP port numbers, onto a single IP address and port number space. Both Basic NAT and NAPT provide a way to translate internal private addresses into globally unique IP addresses usable on the public network.

  • Address pool

An address pool is a set of external addresses (globally unique public IP addresses); such a set is called an address pool. When a packet from the internal network is translated on its way to the external network, one IP address is picked from the pool as the packet's source IP address. This makes effective use of the user's external addresses and improves the ability to reach the external network.

Classification

There are three types of NAT: static NAT, dynamic address NAT (pooled NAT), and NAPT (Network Address Port Translation, also called port-level NAT).

Static NAT

Through manual configuration, connections initiated by Internet clients can be mapped to a specific private network address and port. If a computer on the Internet must be able to use servers and applications on the private network, static mapping is required.

Static NAT is one-to-one: a private IP address of the internal network is translated to a public IP address, the address pair is fixed and does not change, and the static mapping is never deleted from the NAT translation table.

Dynamic address NAT (pooled NAT)

With dynamic address NAT, when a private IP address of the internal network is translated to a public IP address, the public address chosen is not fixed: it is picked at random. Any private IP address authorized to access the Internet can be translated to any of the designated legitimate IP addresses. In other words, once you specify which internal addresses may be translated and which legitimate addresses serve as external addresses, dynamic NAT translation can take place. Dynamic NAT configures a pool of external IP addresses on the router; when an internal computer needs to communicate with the outside, an external IP is dynamically taken from the pool and the correspondence between the two is bound in the NAT table. After the communication ends, the external IP is released and can be used to translate other internal IP addresses. This is similar to a DHCP lease. Dynamic translation is suitable when the number of legitimate IP addresses provided by the ISP is somewhat smaller than the number of computers inside the network.

In dynamic NAT mode, internal host IP addresses and global IP addresses are in a many-to-one relationship. As packets enter and leave the intranet, the NAT-enabled device handles them just as it would under static NAT, except that the records in the NAT table are dynamic: if an intranet host does not communicate with the external network for a certain period, its address mapping is deleted, and the global IP address is allocated to a new IP packet, forming a new NAT table mapping record.
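The pool behaviour described above, as an added Python simulation that is not part of the original post: global addresses are bound to internal hosts on demand, an exhausted pool causes the outbound packet to be dropped, and a released address becomes available again. The pool addresses and host addresses are constructed for the example.

```python
"""Dynamic (pooled) NAT simulation (added example, not from the original post).

A small pool of global addresses is bound to internal hosts on demand and
returned to the pool when the session ends.  Addresses and pool size are
constructed for the example.
"""
from collections import deque


class DynamicNat:
    def __init__(self, pool):
        self.free = deque(pool)   # global addresses not currently bound
        self.table = {}           # inside local -> inside global
        self.reverse = {}         # inside global -> inside local

    def outbound(self, inside_local):
        """Translate the source of an outgoing packet.

        Returns the global address to use, or None when the pool is exhausted
        (a real gateway drops the packet in that case)."""
        if inside_local in self.table:
            return self.table[inside_local]
        if not self.free:
            return None
        inside_global = self.free.popleft()
        self.table[inside_local] = inside_global
        self.reverse[inside_global] = inside_local
        return inside_global

    def inbound(self, inside_global):
        """Map the destination of an incoming packet back to the internal host,
        or None if no binding exists (unsolicited traffic is dropped)."""
        return self.reverse.get(inside_global)

    def release(self, inside_local):
        """Session finished: return the global address to the pool."""
        inside_global = self.table.pop(inside_local, None)
        if inside_global is not None:
            del self.reverse[inside_global]
            self.free.append(inside_global)
        return inside_global


def demo():
    # Constructed scenario: two public addresses shared by three hosts.
    nat = DynamicNat(["203.0.113.10", "203.0.113.11"])
    first = nat.outbound("10.1.1.1")     # -> 203.0.113.10
    second = nat.outbound("10.1.1.2")    # -> 203.0.113.11
    third = nat.outbound("10.1.1.3")     # -> None, pool exhausted
    nat.release("10.1.1.1")              # host 1 finishes its session
    retry = nat.outbound("10.1.1.3")     # -> 203.0.113.10, address reused
    return first, second, third, retry


if __name__ == "__main__":
    print(demo())
```

The point to notice is the third host: with a pool smaller than the number of active hosts, dynamic NAT simply refuses the new session until an address is freed, which is why NAPT (sharing one address across many ports) is what most gateways actually use.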


NAPT (Network Address Port Translation, port-level NAT)

Network Address Port Translation (NAPT) maps internal addresses to different ports of one IP address on the external network. It can hide a small or medium-sized network behind a single legitimate IP address. Unlike dynamic address NAT, NAPT maps internal connections to a single IP address on the external network and adds to that address a port number selected by the NAT device.

NAPT is the most commonly used translation method, and it comes in two forms: SNAT and DNAT.

SNAT and DNAT are named from the perspective of the internal network: translating the source address of a packet whose source is an intranet IP is called SNAT, and translating the destination address of a packet whose destination is an intranet IP is called DNAT.

Source NAT (SNAT)

SNAT modifies the source address of a packet. Source NAT changes the source address of the first packet of a flow, and it is always done before the packet is sent out to the network. Packet masquerading is an example of SNAT.

SNAT example

The internal network has a relatively large number of hosts, but the organization has only one legitimate IP address. When an internal host (for example 10.1.1.3) sends a packet out, the NAT device must rewrite both the IP address and the TCP/UDP port number of the packet.

By rewriting the IP address and port in this way, all hosts on the internal network can reach the external network. This type of NAT suits an organization that has only one legitimate IP address, and it is also a special case of dynamic NAT. Consider the client 172.18.250.6 communicating with the Baidu server 202.108.22.5. When 172.18.250.6 sends data, its source is first translated to 219.155.6.240:1723 (a random port above 1024), and the packet is sent to the Baidu server under that identity. The Baidu server replies to 219.155.6.240:1723; the NAT gateway looks up its association table, recognizes that the packet belongs to 172.18.250.6 on its private network, and forwards it to the client.

In other words, the uniqueness of the port number is what makes it possible to map a public IP back to a private IP. PAT (NAT overload) uses the transport-layer port number to identify the host, so in theory up to about 65,000 hosts can share one public IP address.
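The translation walked through above, as an added Python simulation that is not part of the original post: an outbound packet has its source rewritten to the public address and a mapped port, and the reply is matched by that port alone to restore the private destination. The client and server addresses follow the post's scenario; the client's source port, the starting public port (1723, so the run matches the text) and the sequential port allocation are constructed assumptions for the example.

```python
"""NAPT (port address translation) simulation: added example, not from the
original post.  Values reuse the post's scenario (client 172.18.250.6, public
address 219.155.6.240, Baidu server 202.108.22.5); the starting port and the
client's source port are constructed."""


class Napt:
    """Many private (ip, port) pairs share one public IP, told apart by port."""

    def __init__(self, public_ip, start_port=1024, max_port=65535):
        self.public_ip = public_ip
        self.next_port = start_port
        self.min_port, self.max_port = start_port, max_port
        self.forward = {}   # (private ip, private port, proto) -> public port
        self.backward = {}  # public port -> (private ip, private port, proto)

    def _allocate_port(self):
        # Sequential allocation with wrap-around; a real gateway usually
        # randomises the port, but the mapping logic is the same.
        span = self.max_port - self.min_port + 1
        for _ in range(span):
            port = self.next_port
            self.next_port = self.min_port + (port + 1 - self.min_port) % span
            if port not in self.backward:
                return port
        raise RuntimeError("no free public port")

    def snat(self, pkt):
        """Outbound: rewrite src ip/port to the public ip and a mapped port."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        port = self.forward.get(key)
        if port is None:              # new flow: create the association
            port = self._allocate_port()
            self.forward[key] = port
            self.backward[port] = key
        return dict(pkt, src=self.public_ip, sport=port)

    def un_snat(self, pkt):
        """Inbound reply: look up the association by destination port and
        restore the private destination.  None means no association exists,
        so the packet is dropped rather than delivered inside."""
        entry = self.backward.get(pkt["dport"])
        if entry is None or entry[2] != pkt["proto"] or pkt["dst"] != self.public_ip:
            return None
        private_ip, private_port, _ = entry
        return dict(pkt, dst=private_ip, dport=private_port)


def demo():
    nat = Napt("219.155.6.240", start_port=1723)
    request = {"src": "172.18.250.6", "sport": 51000,
               "dst": "202.108.22.5", "dport": 80, "proto": "tcp"}
    outbound = nat.snat(request)          # src becomes 219.155.6.240:1723
    reply = {"src": "202.108.22.5", "sport": 80,
             "dst": "219.155.6.240", "dport": outbound["sport"], "proto": "tcp"}
    inbound = nat.un_snat(reply)          # dst restored to 172.18.250.6:51000
    # A packet to a port with no association never reaches the private side.
    stray = nat.un_snat(dict(reply, dport=4444))
    return outbound, inbound, stray


if __name__ == "__main__":
    print(demo())
```

Two hosts that happen to use the same private source port still get distinct public ports, because the association key is the whole (address, port, protocol) triple; and the `stray` case shows the side effect the post later discusses, that an inbound packet with no association is silently discarded.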

Destination NAT (DNAT)

DNAT modifies the destination address of a packet. Destination NAT is the opposite of SNAT: it changes the destination address of the first packet of a flow. Load balancing, port forwarding and transparent proxying, for example, are all forms of DNAT.

DNAT example

This method suits situations where some servers on the internal network must provide a service to the external network. For example, in the topology of the original figure, the intranet server group (IP addresses 10.1.1.1, 10.1.1.2, 10.1.1.3, etc.) needs to provide a web service to the external network. When the external host HostB accesses the internal network, the packets it sends have destination IP address 10.1.1.127 and destination port 80. When such a packet reaches the router connected to the internal network, the router looks up the NAT table and rewrites the destination IP address and port so that the external packets are spread evenly across the different hosts (10.1.1.1, 10.1.1.2, 10.1.1.3, etc.), which achieves load balancing.
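The load-balancing DNAT just described, as an added Python simulation that is not part of the original post: connections to the virtual address 10.1.1.127:80 are handed out round-robin over the real servers, each connection sticks to the server it was first sent to, and server replies have their source rewritten back to the virtual address. The real server and virtual addresses come from the post's topology; the client addresses and ports are constructed.

```python
"""DNAT load-balancing simulation (added example, not from the original post).

Connections arriving at the virtual address 10.1.1.127:80 from the post's
topology are spread round-robin over the real servers 10.1.1.1-10.1.1.3;
client addresses are constructed."""
from itertools import cycle


class DnatBalancer:
    def __init__(self, virtual_ip, port, real_servers):
        self.virtual_ip = virtual_ip
        self.port = port
        self.next_server = cycle(real_servers)
        self.sessions = {}   # (client ip, client port) -> chosen real server

    def inbound(self, pkt):
        """External packet: rewrite the destination to a real server.  All
        packets of one connection keep going to the same server."""
        if (pkt["dst"], pkt["dport"]) != (self.virtual_ip, self.port):
            return pkt                      # not our service, pass through
        key = (pkt["src"], pkt["sport"])
        server = self.sessions.get(key)
        if server is None:
            server = next(self.next_server)
            self.sessions[key] = server
        return dict(pkt, dst=server)

    def outbound(self, pkt):
        """Server reply: restore the virtual address so the client never sees
        the real server's private IP."""
        key = (pkt["dst"], pkt["dport"])
        server = self.sessions.get(key)
        if server is None or pkt["src"] != server or pkt["sport"] != self.port:
            return pkt
        return dict(pkt, src=self.virtual_ip)


def demo():
    lb = DnatBalancer("10.1.1.127", 80, ["10.1.1.1", "10.1.1.2", "10.1.1.3"])

    def syn(client, port):
        return {"src": client, "sport": port, "dst": "10.1.1.127", "dport": 80}

    a = lb.inbound(syn("198.51.100.7", 50001))["dst"]        # 10.1.1.1
    b = lb.inbound(syn("198.51.100.8", 50002))["dst"]        # 10.1.1.2
    c = lb.inbound(syn("198.51.100.9", 50003))["dst"]        # 10.1.1.3
    a_again = lb.inbound(syn("198.51.100.7", 50001))["dst"]  # stays on 10.1.1.1
    reply = lb.outbound({"src": "10.1.1.1", "sport": 80,
                         "dst": "198.51.100.7", "dport": 50001})
    return [a, b, c, a_again], reply["src"]


if __name__ == "__main__":
    print(demo())
```

The per-connection table is the part that matters: distributing packets rather than connections would break TCP, and the same table is what lets the reply path undo the translation.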

How NAT works

The NAT device maintains a state table that maps private (unregistered) IP addresses to legitimate IP addresses. Every packet is rewritten to the correct IP address in the NAT device and passed on to the next hop, which places some load on the processor, but for an ordinary network this load is negligible. In a router running NAT, as packets pass through, NAT can translate both the IP addresses of the packet and the port numbers of the TCP/UDP segment. A router with NAT capability must have at least one inside (internal) interface and one outside (external) interface. The inside interface connects to users on the internal network, and the outside interface generally connects to the Internet. When an IP packet leaves the internal network, NAT translates the internal source IP address (usually a private address) into a legitimate public IP address. When an IP packet enters the intranet, NAT translates the legitimate public destination IP address into the IP address of the intranet host.

The basic working principle of NAT is this: when an IP packet exchanged between a private-network host and a public-network host passes through the NAT gateway, the source IP or destination IP in the packet is translated between the private IP and the NAT public IP.

In practice, the main thing NAT does is modify the source or destination IP address in the IP packet, with the primary goal of translating the private addresses defined in RFC 1918 into public, legitimate addresses routable on the Internet. For a limited set of applications (such as DNS, FTP, etc.) it can also modify addresses carried in the IP packet payload. Because applications are complex, the set of applications NAT currently supports in this way is limited; new applications can of course be supported when necessary.

NAT address translation process

When the NAT router receives a packet sent by an internal network host, its source IP address (SA) is the "inside local address" and its destination IP address (DA) is the "outside local address". When the packet is forwarded to the external network, the source IP address (SA) is translated into an "inside global address" and the destination IP address (DA) into an "outside global address". That is, both the source IP address (SA) and the destination IP address (DA) of the packet are translated from local addresses to global addresses, as shown in the upper part of the IP address translation diagram in Figure 6-9.

When the NAT router receives a packet sent by an external network host, its source IP address (SA) is the "outside global address" and its destination IP address (DA) is the "inside global address". This is simply the source IP address (SA) and destination IP address (DA) of the packet sent from the internal network swapped. When the router forwards the packet to the local network, the source IP address (SA) is translated into an "outside local address" and the destination IP address (DA) into an "inside local address", which again is the source IP address (SA) and destination IP address (DA) of the packet sent from the internal network to the external network, swapped.

NAT basic IP address translation principle

The above is a general introduction to how NAT translates IP addresses. In actual NAT deployments it is sometimes unnecessary to replace both the source and destination IP addresses; translating only the source IP address, or only the destination IP address, achieves the desired result. Both cases are introduced below.

Internal address NAT translates the address of the internal IP part of the data packet, and external address NAT translates the address of the external IP part of the data packet (regardless of whether it is the source or destination address).

Internal address NAT translation example

In most cases, the purpose of using NAT is to enable multiple users in the internal network to use a registered IP address to access the external network, so only the internal address NAT translation needs to be configured.

This is a simple NAT translation example. The goal is the following: when the NAT router's internal interface s0 receives a packet whose source address is the inside local address 10.10.10.1 and whose destination address is the outside local address 171.16.68.1, then on forwarding to interface s1 the source address is translated from the inside local address 10.10.10.1 to the inside global address 171.16.68.5, the destination address is left unchanged, and the packet continues on its way. In this process the only thing that happens is the translation of the source IP address in the packet, from inside local to inside global, i.e. a translation between internal addresses only.

Conversely, when the NAT router's external interface s1 receives a packet from the external server whose source address is the outside local address 172.16.68.1 and whose destination address is the inside global address 172.16.68.5, the destination address is translated to the inside local address 10.10.10.1 and the packet is forwarded. In this process the only thing that happens is the translation of the destination IP address in the packet, from inside global to inside local, again a translation between internal addresses only.

External address NAT translation example

When the company's server sits on the internal network and uses a private internal IP address, then in order for external users to reach the internal server conveniently, translation between the "outside global address" and the "outside local address" is required.

This builds on the simple NAT translation example above. The goal of this example is the following: when the NAT router's external interface s1 receives a packet from an external user with outside global source address 171.16.68.1 and destination address equal to the inside local address 10.10.10.1, then on forwarding to interface s0 the source IP address of the packet becomes the outside local address 10.10.10.5 (that is, the outside global address is translated to the outside local address) and the destination IP address is left unchanged, so only the source IP address is translated. For the response packet sent by the internal user, only the destination IP address is translated (that is, from the outside local address to the outside global address), and the source IP address is left unchanged.

Application of NAT

NAT can mainly achieve the following functions: packet masquerading, load balancing, port forwarding and transparent proxy.

  • Packet masquerading: The address information in internal network packets is replaced with a uniform external address, so that internal hosts are not directly exposed to the Internet, which helps protect them. This function is also commonly used to share an Internet connection. For example, when an intranet host accesses the external network, a global address is used in place of the private address in order to hide the internal network topology.

  • Port forwarding: When a host on the internal network provides a service to the outside, it cannot be reached directly because it uses an internal private IP address. Port forwarding must therefore be configured on the gateway to forward packets for a specific service to the intranet host.

  • Load balancing: Destination address translation (DNAT) can redirect connections meant for one server to other servers chosen from a group.

  • Failover: Destination address translation (DNAT) can be used to provide highly reliable services. If a system has a critical server reached through a router, then once the router detects that the server is down it can use destination address translation to transparently move connections to a backup server, improving the reliability of the system.

  • Transparent proxy: NAT can redirect HTTP connections to the Internet to a designated HTTP proxy server that caches data and filters requests. Some Internet service providers use this technique to reduce bandwidth usage without requiring their customers to configure their browsers for a proxy.

Advantages and disadvantages of NAT technology

Advantages

  • Save legal public IP addresses

  • Provide solutions when addresses overlap

  • Avoid re-addressing when the network changes (this one is personal experience: my former internship company moved, we settled into new premises, and the network environment changed in some ways, but because of the nature of NAT our LAN addresses did not change and we kept using the original addressing scheme)

NAT's greatest contribution to us is to help us save a lot of IP resources.

IP end-to-end communication

An important contribution of the IP protocol is that it makes the world equal. In theory, every site with an IP address has the same ability, at the protocol level, to obtain and to provide services; there is no difference between one IP address and another. The familiar roles of server and client are distinguished at the application protocol layer, but at the network and transport layers there is no such distinction: a host with an IP address can be a client or a server, and in most cases it is both at once. End-to-end equality seems ordinary, but its significance is anything but. Many earlier network protocol families limited the capabilities of the terminal. It is this openness of IP that lets the TCP/IP protocol suite offer rich functionality and a broad platform on which to build applications. Because every IP host can act as a server, communication can be designed more flexibly. UNIX/Linux systems make full use of this, so that any host can run its own HTTP, SMTP, POP3, DNS, DHCP and other services. At the same time, many applications combine the client and server roles to do their job. In a VoIP application, for example, when the client registers its own IP address and port with the registration server, the host is acting as a client; when a call arrives and the call-processing server sends a call request to the client, the client is actually working in server mode. Once the voice media channel is established, voice data flows in both directions: the sending end is in client mode and the receiving end is in server mode. In P2P applications, a user's host is not only a downloading client but also serves data to other clients, a hybrid C/S model. Upper-layer applications can be designed this way precisely because the IP protocol stack provides this capability.

Imagine that the capabilities IP provides were not equal: then every communication session could be initiated in only one direction, which would greatly limit what communication could do. Attentive readers will have noticed that one characteristic of NAT introduced earlier is exactly such a restriction. That is right: this is precisely NAT's biggest drawback, it breaks the end-to-end capability of IP communication.

Disadvantages of NAT

  • First, NAT shortens the lifetime of IP sessions. Because an association table entry is created on the NAT device once a session is established, the NAT gateway ages entries out during quiet periods of the session. Any NAT gateway must do this: IP addresses and ports are finite while the demand for communication is unbounded, so resources must be reclaimed once a session ends. TCP sessions are usually closed by explicit negotiation, and the NAT gateway can track those packets, but there are always exceptions, so it must also rely on its own timers to reclaim resources. For UDP-based protocols it is hard to tell when communication has ended, so the NAT gateway relies mainly on timeouts to reclaim external ports. Reclaiming by timer creates a problem: if an application needs to keep a connection open longer than the NAT gateway's timeout, the communication is interrupted unexpectedly. Once the gateway has reclaimed the translation table entry, new data finds no translation information and a new connection has to be established. When that new data comes from the public side towards the private side, it cannot trigger the creation of a new connection and there is no way to tell the private-side host to reconnect, so the communication breaks and cannot recover on its own. Even when the new data comes from the private side towards the public side, the rebuilt session usually uses a different public IP address and port, so the public-side host cannot relate it to the earlier communication, and the user perceives the connection as dropped.

  It is hard for a NAT gateway to choose an idle-reclamation time that both prevents continuous resource loss and keeps most connections from being cut off by accident. Now that NAT is ubiquitous, the designers of many application protocols have taken this into account and generally provide a connection keep-alive mechanism: when there has been no data to send for a while, the endpoint proactively sends a keep-alive message that carries no real data but that the NAT can see, mainly in order to reset the NAT session timer.
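The aging and keep-alive interplay described above, as an added Python simulation that is not part of the original post. Two sessions share a table with an idle timeout; one application sends keep-alives, the other does not, and after the timeout the reply for the silent one finds no entry and is dropped without the private host ever being told. The 30 s timeout, the 25 s keep-alive interval and all addresses are constructed values.

```python
"""NAT session aging and keep-alive simulation (added example, not from the
original post).  Times are seconds on a simulated clock; the 30 s idle timeout
and the 25 s keep-alive interval are constructed values."""


class NatSessionTable:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.entries = {}   # public port -> [private ip, private port, last seen]

    def add(self, public_port, private_ip, private_port, now):
        self.entries[public_port] = [private_ip, private_port, now]

    def expire(self, now):
        """Aging: drop every association idle longer than the timeout.
        Returns the public ports that were reclaimed."""
        dead = [p for p, (_, _, seen) in self.entries.items()
                if now - seen > self.idle_timeout]
        for p in dead:
            del self.entries[p]
        return dead

    def outbound_seen(self, public_port, now):
        """Any packet from the private side, real data or a keep-alive that
        carries no payload, resets the session timer."""
        if public_port in self.entries:
            self.entries[public_port][2] = now
            return True
        return False

    def inbound(self, public_port, now):
        """Reply from the public side: deliver if an association still exists.
        None means the entry aged out and the packet is dropped; the private
        host is never told, which is the silent break the text describes."""
        self.expire(now)
        entry = self.entries.get(public_port)
        if entry is None:
            return None
        entry[2] = now
        return (entry[0], entry[1])


def demo():
    table = NatSessionTable(idle_timeout=30)
    table.add(40001, "10.1.1.3", 5060, now=0)   # app that sends keep-alives
    table.add(40002, "10.1.1.4", 5060, now=0)   # app that stays silent
    for t in (25, 50):                           # keep-alive every 25 s
        table.outbound_seen(40001, now=t)
    alive = table.inbound(40001, now=60)         # -> ('10.1.1.3', 5060)
    dropped = table.inbound(40002, now=60)       # -> None, aged out
    return alive, dropped


if __name__ == "__main__":
    print(demo())
```

From the gateway's side there is nothing wrong with dropping the second reply; the operational lesson is that a keep-alive interval must be shorter than the smallest NAT timeout on the path, and that a gateway's timeout policy is a tuning decision with an availability cost on one side and a resource-exhaustion cost on the other.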

  • Second, because NAT multiplexes the connections of many internal hosts onto one IP address, any mechanism that relies on IP addresses to track hosts stops working. For example, the traffic-analysis applications used in network management can no longer tie traffic to the end user responsible for it. Log analysis of user behaviour also becomes difficult, because one IP is shared by many users: if a user behaves maliciously, it is hard to locate the host that initiated the connection. Even where the NAT gateway offers some form of connection tracking, correlating that translation state with the logs is difficult. IP-based authorization is no longer reliable, because an IP address no longer corresponds to one user or one host. A server cannot simply treat accesses from the same IP as coming from the same host, and cannot correlate them. Some servers impose connection limits and accept only a limited number of concurrent connections from one IP (sometimes just one), which causes different users behind the same NAT to compete and queue for the service. Servers often do this as a defence against DoS, on the reasoning that a normal user would not open a large number of connections and that excessive use of resources is an attack; but with NAT in the path, that judgement can no longer be made simply from the number of connections.

In short, the disadvantages are as follows:

  • It undermines the equality of end-to-end communication
  • If an application must keep a connection alive longer than the NAT gateway's timeout, the communication is interrupted unexpectedly
  • There is no end-to-end IP tracking

Origin: blog.csdn.net/qq_40741808/article/details/106131504