Excerpts on the keyword "address" from RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations
... IP Address translation arises when a network's internal
IP addresses cannot be used outside the network either because they
are invalid for use outside, or because the internal addressing ...
...
Address translation allows (in many cases, except as noted in
sections 8 and 9) hosts in a private network ...
... routing solution to end hosts trying to communicate from disparate address realms. This is achieved by modifying end node addresses en-route and maintaining state ...
... routed to the right end-node in either realm. This solution only works when the applications do not use the IP addresses as part of the protocol itself. For example, identifying endpoints using DNS names rather than addresses makes applications less dependent on the actual addresses that NAT chooses and avoids the need to also translate payload ...
...
IPsec techniques which are intended to preserve the Endpoint addresses of an IP packet will not work with NAT enroute for most ...
... ESP protect the contents of the IP headers (including the source and destination addresses) from modification. Yet, NAT's fundamental role is to alter ...
Note that only AH's integrity check actually covers the outer IP header. ESP covers the payload, but in transport mode that payload carries the TCP/UDP checksum computed over the original addresses, which the NAT cannot correct, so transport-mode ESP also fails across NAT unless a NAT traversal mechanism encapsulates it.
...
Address realm or realm
... network domain in which the network addresses are uniquely assigned to entities such that datagrams can be routed ...
...
... responsible for finding routes to entities given their network addresses. Note that this document is limited to describing NAT in IPv4 environment and does not address the use of NAT in other types of environment. (e.g. IPv6 ...
... routing a datagram between disparate address realms, by modifying address contents in the IP header to be valid in the address realm into which the datagram is routed. Section 3.2 has a detailed description of transparent routing ...
... TCP/UDP sessions are uniquely identified by the tuple of (source IP address, source TCP/UDP port, target IP address ...
... ICMP query sessions are identified by the tuple of (source IP address, ICMP query ID, target IP address). All other sessions are characterized by the tuple of (source IP address, target IP address, IP protocol).
...
... address realm with unique network addresses assigned by Internet Assigned Numbers Authority (IANA) or an equivalent address registry. This network is also referred to as ...
...
... address realm independent of external network addresses. Private network may also be referred to alternately as Local Network ...
... RFC 1918 [1] has recommendations on address space allocation for private networks. Internet Assigned Numbers Authority (IANA) has three blocks of IP address space, namely 10/8, 172.16/12, and 192.168/16 set aside for private internets. In pre-CIDR notation, the ...
...
An organization that decides to use IP addresses in the address space defined above can do so without coordination with IANA or any other Internet registry such as APNIC, RIPE and ARIN. The address space can thus be used privately by many independent organizations at the same time. However, if those independent organizations later decide ...
...
... Not all applications lend themselves easily to translation by NAT devices; especially those that include IP addresses and TCP/UDP ports ...
... agents that allow an application on a host in one address realm to connect to its counterpart running on a host in a different realm transparently. An ALG ... payload and perform whatever else is necessary to get the application running across disparate address realms.
...
... Network Address Translation is a method by which IP addresses are mapped from one address realm to another, providing transparent routing to end hosts. There are many variations of address translation that lend themselves to different applications. However, all flavors of NAT ...
... Address assignment.
b) Transparent routing through address translation. (routing here refers to forwarding packets ...
Transparent Address Assignment
... NAT binds addresses in private network with addresses in global network and vice versa to provide transparent routing for the datagrams traversing between address realms. The binding in some cases may extend to transport ...
Static Address assignment
... In the case of static address assignment, there is one-to-one address mapping for hosts between a private network address and an external network address for the lifetime of NAT operation. Static address assignment ensures that NAT does not have to administer address management with session ...
Dynamic Address assignment
... NAT. When the last session using an address binding is terminated, NAT would free the binding so that the global address could be recycled for later use. The exact nature of address assignment is specific to individual NAT implementations.
...
... A NAT router sits at the border between two address realms and translates addresses in IP headers so that when the packet leaves one realm and enters another, it can be routed properly. Because NAT devices have connections to multiple address realms, they must be careful to not improperly propagate information (e.g., via routing protocols) about networks from one address realm into another, where such an advertisement would be deemed unacceptable.
...
There are three phases to Address translation, as follows. Together
these phases result in creation, maintenance and termination of state
...
Address binding
... Address binding is the phase in which a local node IP address is associated with an external address or vice versa, for purposes of translation. Address binding is fixed with static address assignments and is dynamic at session startup time with dynamic address assignments. Once the binding between two addresses is in place, all subsequent sessions originating from or to this host ...
... start of a new session, if such an address binding didn't already exist. Once a local address is bound to an external address, all subsequent sessions originating from the same local address or directed to the same local address will use the same binding.
...
... datagram will result in the datagram forwarding from the origin address realm to the destination address realm with network addresses appropriately ...
...
Address unbinding
...
Address unbinding is the phase in which a private address is no longer associated with a global address for purposes of translation. NAT will perform address unbinding when it believes that the last session using an address binding has terminated. Refer to section 2.6 for some heuristic ways to handle session ...
... NAT to be completely transparent to end
hosts, the IP address of the IP header embedded in the payload of the
...
...
There are many variations of address translation that lend themselves to different applications. NAT flavors listed in the following sub- ...
... NAT flavors. Host-A, with address Addr-A is located in a private realm, represented by the network N-Pri. N-Pri is isolated from external ... NAT router. Host-X, with address Addr-X is located in an external realm, represented by the network N-Ext. NAT ... routing between the two realms. The interface to the external realm is assigned an address of Addr-Nx and the interface to private realm is assigned an address of Addr-Np. Further, it may be understood that addresses Addr-A and Addr-Np correspond to N-Pri network and the addresses Addr-X and Addr-Nx correspond to N-Ext network.
...
... The following is a description of the properties of realms supported by traditional NAT. IP addresses of hosts in external network are ... valid in external as well as private networks. However, the addresses of hosts in private network are unique only within the ... networks from the external realm may be advertised within the private network. The addresses used within private network must not overlap with the external addresses. Any given address must either be a private address or an external address; not both.
...
Traditional NAT is primarily used by sites using private addresses that wish to allow outbound sessions from their site.
... NAT and NAPT (Network Address Port Translation). These are discussed in the following sub-sections.
...
With Basic NAT, a block of external addresses is set aside for translating addresses of hosts in a private domain as they originate ... domain. For packets outbound from the private network, the source IP address and related fields such as IP, TCP ... header checksums are translated. For inbound packets, the destination IP address and the checksums as listed above are translated.
... NAT router in figure 2 may be configured to translate N-Pri into a block of external addresses, say Addr-i through Addr-n, selected from the external network N-Ext.
...
Network Address Port Translation (NAPT)
... NAPT allows a set of hosts to share a single external address. Note that NAPT can be combined with Basic NAT so that a pool of external addresses are used in conjunction with port translation ... private network, NAPT would translate the source IP address, source transport identifier and related fields ... ICMP query ID. For inbound packets, the destination IP address, destination transport identifier and the IP ... router in figure 2 may be configured to translate sessions originated from N-Pri into a single external address, say Addr-i.
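The following is an added example, not code from the RFC, showing what the NAPT state described above looks like in practice: the session identifiers defined earlier for TCP/UDP, ICMP queries and other protocols, the binding of a private (address, transport identifier) pair to an external identifier on the single external address, the inbound lookup that accepts only packets matching a full session tuple, and the unbinding and identifier recycling that happens when the last session on a binding ends. Addr-i is assumed to be 203.0.113.1; the hosts, ports and query IDs are constructed.

```python
# Added example, not code from the RFC: a minimal NAPT holding the
# bindings and per-session state the text describes, with the session
# identifiers of the "session" definitions above. Addr-i is assumed
# to be 203.0.113.1; the private hosts are constructed.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", "icmp", or another IP protocol name
    src: str
    dst: str
    sport: int = 0   # TCP/UDP source port, or the ICMP query ID
    dport: int = 0   # TCP/UDP destination port; unused for ICMP and others


def session_key(p: Packet) -> tuple:
    """Session identifier per protocol class, as the text defines it."""
    if p.proto in ("tcp", "udp"):
        return (p.src, p.sport, p.dst, p.dport)
    if p.proto == "icmp":
        return (p.src, p.sport, p.dst)       # sport carries the query ID
    return (p.src, p.dst, p.proto)


def reverse_key(p: Packet) -> tuple:
    """Key an inbound packet must match to belong to an outbound session."""
    if p.proto in ("tcp", "udp"):
        return (p.dst, p.dport, p.src, p.sport)
    if p.proto == "icmp":
        return (p.dst, p.sport, p.src)
    return (p.dst, p.src, p.proto)


class Napt:
    """One external address shared by private hosts via transport identifiers."""

    def __init__(self, ext_addr: str, first_port: int = 1024, last_port: int = 65535):
        self.ext_addr = ext_addr
        self.next_port, self.last_port = first_port, last_port
        self.free: List[int] = []                                # recycled ids
        self.bind: Dict[Tuple[str, str, int], int] = {}          # (proto, priv addr, priv id) -> ext id
        self.rbind: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, ext id) -> (priv addr, priv id)
        self.sessions: Dict[tuple, tuple] = {}                   # (proto, *ext-realm key) -> priv key

    def _bind(self, proto: str, addr: str, ident: int) -> int:
        key = (proto, addr, ident)
        if key not in self.bind:
            if self.free:
                ext = self.free.pop()
            elif self.next_port <= self.last_port:
                ext, self.next_port = self.next_port, self.next_port + 1
            else:
                raise RuntimeError("external transport identifiers exhausted")
            self.bind[key] = ext
            self.rbind[(proto, ext)] = (addr, ident)
        return self.bind[key]

    def outbound(self, p: Packet) -> Packet:
        """Private -> external: rewrite source address and transport identifier."""
        if p.proto not in ("tcp", "udp", "icmp"):
            # Nothing to multiplex on: such protocols need Basic NAT
            # (one external address per host), not NAPT.
            raise ValueError(f"NAPT cannot multiplex protocol {p.proto}")
        ext_id = self._bind(p.proto, p.src, p.sport)
        out = replace(p, src=self.ext_addr, sport=ext_id)
        self.sessions[(p.proto,) + session_key(out)] = session_key(p)
        return out

    def inbound(self, p: Packet) -> Optional[Packet]:
        """External -> private; None means the NAT drops the packet."""
        # TCP/UDP carry the external id in the destination port; an ICMP
        # query reply carries it in the query ID (kept in sport here).
        ext_id = p.dport if p.proto in ("tcp", "udp") else p.sport
        target = self.rbind.get((p.proto, ext_id))
        if target is None or (p.proto,) + reverse_key(p) not in self.sessions:
            return None   # no binding, or a binding but an unsolicited sender
        priv_addr, priv_id = target
        if p.proto in ("tcp", "udp"):
            return replace(p, dst=priv_addr, dport=priv_id)
        return replace(p, dst=priv_addr, sport=priv_id)

    def end_session(self, p: Packet) -> bool:
        """Tear down a session (private-realm view); unbind once none remain."""
        ext_id = self.bind.get((p.proto, p.src, p.sport))
        if ext_id is None:
            return False
        ext_key = (p.proto,) + session_key(replace(p, src=self.ext_addr, sport=ext_id))
        if self.sessions.pop(ext_key, None) is None:
            return False
        if not any(k[0] == p.proto and k[2] == ext_id for k in self.sessions):
            del self.bind[(p.proto, p.src, p.sport)]
            del self.rbind[(p.proto, ext_id)]
            self.free.append(ext_id)          # identifier recycled for later use
        return True
```

Two details matter for security here: inbound acceptance checks the whole session tuple, not just the external identifier, so an external host that guesses an in-use port still cannot reach the private host; and a freed identifier is handed to the next binding that needs one, which is exactly why the text warns that a flow study keyed only on global addresses and ports will mis-attribute traffic over time.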
...
... private network. Private network addresses are bound to globally unique addresses, statically or dynamically as connections are established in either direction. The ...
... Bi-Directional NAT to facilitate name to address mapping. Specifically, the DNS-ALG must be capable of translating private realm addresses in DNS Queries and responses into their external realm address bindings, and vice versa, as DNS packets traverse between private and external realms.
...
... NAT is a variation of NAT in that both the source and destination addresses are modified by NAT as a datagram crosses address realms. This is in contrast to Traditional-NAT and Bi-Directional NAT, where only one of the addresses (either source or destination) is translated. Note, there is no such term as 'Once- ...
...
Twice NAT is necessary when private and external realms have address collisions. The most common case where this would happen is when a site had (improperly) numbered its internal nodes using public addresses that have been assigned to another organization. Alternatively, a site may have changed from one provider to another, but chosen to keep (internally) the addresses it had been assigned by the first provider. That provider might then later reassign those addresses to someone else. The key issue in such cases is that the address of the host in the external realm may have been assigned the same address as a host within the local site. If that address were to appear in a packet, it would be forwarded to the internal node rather ...
... NAT attempts to bridge these realms by translating both source and destination address of an IP packet, as the packet transitions realms.
...
... Host-A the DNS-ALG replaces the address for Host-X with one that is properly routable in the local site (say Host ... Host-XPRIME. When the packets traverse the NAT device, the source IP address is translated (as in the case of traditional NAT) and the destination address is translated to Host-X. A similar translation is performed on return packets coming from Host ...
... private network. Likewise, the network address of hosts in private network are unique only within the private network. In other words, the address space used in private network to locate hosts ... hosts in private and public networks is unrelated to the address space used in public network to locate hosts ...
Twice NAT is typically used when address space used in a Private network overlaps with addresses used in the Public space. For example, say a private site uses the 200.200.200.0/24 address space which is officially assigned to another site in the public internet.
... work, Host_X's address is mapped to a different address for Host_A and vice versa. The twice NAT ...
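The collision case above, as an added example that is not code from the RFC: a check that the private prefix is not one of the RFC 1918 blocks and does overlap the external prefix (which is what makes Traditional NAT insufficient), the DNS-ALG that hands Host-A a locally routable alias (Host-XPRIME) for Host-X, and the Twice NAT that rewrites both addresses in each direction. The 200.200.200.0/24 prefix is from the text; the external pool 203.0.113.0/29, the alias range 10.10.0.0/16 and the host addresses 200.200.200.5 (Host-A) and 200.200.200.77 (Host-X) are assumed.

```python
# Added example, not from the RFC: the address-collision case, with the
# DNS-ALG aliasing and two-sided translation of a Twice NAT. The private
# prefix 200.200.200.0/24 is from the text; the pools and hosts are assumed.
import ipaddress
from typing import Dict, Iterator, Optional, Tuple

RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the three blocks IANA set aside (RFC 1918)."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def needs_twice_nat(private_prefix: str, external_prefix: str) -> bool:
    """An address collision between the realms means both source and
    destination must be translated; Traditional NAT is not enough."""
    return ipaddress.ip_network(private_prefix).overlaps(
        ipaddress.ip_network(external_prefix))


class TwiceNat:
    def __init__(self, ext_pool, alias_pool):
        self._ext: Iterator[str] = iter(ext_pool)      # Addr-i..Addr-n for private sources
        self._alias: Iterator[str] = iter(alias_pool)  # Host-XPRIME addresses for external targets
        self.src_bind: Dict[str, str] = {}     # private addr  -> external addr
        self.src_rbind: Dict[str, str] = {}    # external addr -> private addr
        self.dst_bind: Dict[str, str] = {}     # real external addr -> local alias
        self.dst_rbind: Dict[str, str] = {}    # local alias -> real external addr

    def dns_alg(self, answer: str) -> str:
        """Rewrite an A-record answer for Host-X into a locally routable alias."""
        if answer not in self.dst_bind:
            alias = next(self._alias)
            self.dst_bind[answer] = alias
            self.dst_rbind[alias] = answer
        return self.dst_bind[answer]

    def outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Private -> external: src to its external binding, alias dst to Host-X."""
        real_dst = self.dst_rbind.get(dst)
        if real_dst is None:
            # Not an alias: in the colliding realm such a packet would have
            # been routed to an internal node and never reached the NAT.
            return None
        if src not in self.src_bind:
            ext = next(self._ext)
            self.src_bind[src] = ext
            self.src_rbind[ext] = src
        return self.src_bind[src], real_dst

    def inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """External -> private: only for hosts the DNS-ALG has already aliased."""
        alias = self.dst_bind.get(src)
        priv = self.src_rbind.get(dst)
        if alias is None or priv is None:
            return None
        return alias, priv
```

The inbound path is deliberately closed to external hosts that never appeared in a DNS answer: without an alias there is no address the NAT could present to the private realm that would not collide, so the packet is dropped rather than forwarded with a raw external address.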
... of a realm-aware host in a private realm, which assumes realm-
specific IP address to communicate with hosts in private or external
realm.
...
... client) is a host in a private network that adopts an address in an external realm when connecting to hosts in that realm to pursue end-to-end communication ... generated by hosts on either end in such a setup would be based on addresses that are end-to-end unique in the external realm and do not require translation by an intermediary process.
... RSIP-Server may also be the same node that assigns external realm addresses to RSIP-Clients.
...
... RSA-IP) client adopts an IP address from the external address space when connecting to a host in external realm. Once an RSA ... host in private or external domain can assume the same address, until that address is released by the RSA ...
... header can be translated by NAT as normal without affecting the addresses used in the internal header. Another approach would be to set up a bi-directional ... Client and the border router straddling the two address realms. Packets to and from the client would be tunneled, but packets would be forwarded as ... network isn't filtering packets based on source addresses (which in this case would be external addresses).
...
As an example, Host-A in figure 2 above, could assume an address Addr-k from the external realm and act as RSA-IP ...
... peer nodes belong.
2. Assumes an address from external realm when communicating with hosts in that realm. Such an address may be assigned statically or obtained dynamically (through a yet-to-be-defined protocol) from a node capable of assigning addresses from external realm.
RSA-IP ...
2. Must be a router resident on both the private and external address realms.
3. Must be able to provide a mechanism to route ...
... Client tunnel, based on the destination address of the end-to-end packet and encapsulate the ...
... RSIP in that multiple private hosts use a single external address, multiplexing on transport ... layer of the outgoing packet from Host-A uses (private address Addr-A, source port T-Na) as source tuple to communicate with Host ... traffic may or may not contain translated packets depending upon the characteristics of address realms a tunnel is bridging.
...
All variations of address translations discussed in the previous section can be applicable to direct connected links as well as ... partner. Likewise, it is possible to employ twice NAT, if the partner's address space overlapped with the private network. There could be a NAT device ... backbone for communications between those locations. In such cases, it is not desirable to do address translation, both because large numbers of hosts may want to communicate across the backbone, thus requiring large address tables, and because there will be more applications that depend on configured addresses, as opposed to going to a name server. We call such a private network a backbone ...
... routers in all partitions should maintain routes to the local address spaces of all partitions. Of course, the (public) backbones do not maintain routes to any local addresses. Therefore, the border routers must tunnel (using VPNs ... encapsulate the packet in an IP header with destination address set to the global address of NAT box y that has been reserved for encapsulation. When NAT box y receives a packet with that destination address, it decapsulates the IP header and routes the packet internally. Note, there is no address translation in the process; merely transfer of private network packets over an ...
A decapsulating router that accepts any packet sent to the reserved global address would inject whatever it carries into the private network, so the tunnel must be authenticated (which is what a VPN, rather than bare encapsulation, provides) or at the very least restricted to the outer source address of the partner's border router.
...
... devices often cause difficulties: 1) when an application payload includes an IP address, and 2) when end-to-end security is needed. Note, this is not a comprehensive list.
...
... Application layer security techniques that do not make use of or depend on IP addresses will work correctly in the presence of NAT (e.g., TLS ...
... integrity check. When a NAT device
modifies an address the checksum is no longer valid with respect to
...
... checksum is no longer valid with respect to
the new address. Normally, NAT also updates the checksum, but this is
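The checksum update described above and the field translation of the Basic NAT/NAPT sections earlier, as an added example that is not code from the RFC: the source address and UDP source port of an IPv4/UDP datagram are rewritten, and both the IP header checksum (which covers the address) and the UDP checksum (which covers the address through the pseudo-header, and the port) are corrected incrementally using the RFC 1624 formula rather than recomputed, then verified against a full recomputation. The addresses, ports and payload are constructed; a zero UDP checksum, which means the sender computed none, is left untouched.

```python
# Added example, not from the RFC: rewriting the source address and port of
# an IPv4/UDP datagram the way Basic NAT/NAPT must, updating the IP header
# checksum and the UDP pseudo-header checksum incrementally (RFC 1624).
# All addresses, ports and the payload are constructed.
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum folded to 16 bits (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def incremental_update(hc: int, old: bytes, new: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), m/m' the replaced 16-bit words."""
    total = ((~hc) & 0xFFFF) \
        + ones_complement_sum(bytes(b ^ 0xFF for b in old)) \
        + ones_complement_sum(new)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample datagram with correct IP and UDP checksums."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = ip[12:20] + b"\x00\x11" + struct.pack("!H", udp_len)
    csum = checksum(pseudo + udp) or 0xFFFF      # 0 is reserved for "no checksum"
    return ip + udp[:6] + struct.pack("!H", csum) + udp[8:]


def ip_checksum_full(pkt: bytes) -> int:
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl])


def udp_checksum_full(pkt: bytes) -> int:
    ihl = (pkt[0] & 0x0F) * 4
    udp = pkt[ihl:]
    pseudo = pkt[12:20] + b"\x00\x11" + struct.pack("!H", len(udp))
    return checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF


def napt_rewrite_outbound(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """Translate source address + UDP source port; fix both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("this example handles UDP only")
    old_src, old_sport = pkt[12:16], pkt[ihl:ihl + 2]
    new_src_b = ipaddress.IPv4Address(new_src).packed
    new_sport_b = struct.pack("!H", new_sport)
    out = bytearray(pkt)
    # The IP header checksum covers only the address among the changed fields.
    ip_hc = struct.unpack("!H", pkt[10:12])[0]
    out[10:12] = struct.pack("!H", incremental_update(ip_hc, old_src, new_src_b))
    out[12:16] = new_src_b
    out[ihl:ihl + 2] = new_sport_b
    # The UDP checksum covers the pseudo-header (address) and the port. A
    # zero checksum means the sender sent none and must be left alone.
    udp_hc = struct.unpack("!H", pkt[ihl + 6:ihl + 8])[0]
    if udp_hc != 0:
        new_hc = incremental_update(udp_hc, old_src + old_sport, new_src_b + new_sport_b)
        out[ihl + 6:ihl + 8] = struct.pack("!H", new_hc or 0xFFFF)
    return bytes(out)


def verify(pkt: bytes) -> bool:
    """True when both checksums in the packet match a full recomputation."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = struct.unpack("!H", pkt[10:12])[0] == ip_checksum_full(pkt)
    udp_ok = struct.unpack("!H", pkt[ihl + 6:ihl + 8])[0] == udp_checksum_full(pkt)
    return ip_ok and udp_ok
```

The incremental form is what a NAT uses because it touches only the words it changed; the same update applies to the TCP checksum, and the fact that it cannot be applied to a checksum sitting inside an ESP-encrypted payload is the transport-mode IPsec failure discussed earlier.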
...
... IKE payload does not contain addresses and/or transport IDs specific to one realm and not the other. Given that IKE ... session it supports. The arguments to the PORT command and PASV response are an IP address and a TCP port in ASCII. An FTP ...
Applications with IP-address Content
...
Not all applications lend themselves easily to address translation by NAT devices. Especially, the applications that carry IP address (and TU port, in case of NAPT ... ALGs must be used to perform translations on packets pertaining to such applications. ALGs may optionally utilize address (and TU port) assignments made by NAT ...
... Session characteristics like session orientation,
source and destination IP addresses, session protocol, and source and
destination transport ...
... NAT increases the probability of mis-addressing. For example, the same local address may be bound to different global addresses at different times and vice versa. As a result, any traffic flow study based purely on global addresses and TU ports could be confused and might misinterpret the results.
...
... attack another machine or even sending large amounts of junk mail or
something) it is more difficult to pinpoint the source of the trouble
because the IP address of the host is hidden in a NAT router ...
... session employed PASV command to establish
data sessions. The reason being that the address and port number
specified by FTP server in the PASV response (sent as multiple
...
... sessions from external hosts into their
machines. In addition, when address assignment in NAT router is done
...
... encrypted end to end, so long as the
payload does not contain IP addresses and/or transport identifiers
...
... sessions are inherently unsafe. Responses to a datagram could come from an address different from the target address used by sender ... NAT router only in part (the destination address and UDP port number of the packet match, but the source address and port number may not). In such a case, there is a potential security ... UDP sessions using the same address binding into a single unified session could compromise the security even further. This is because the granularity of packet matching would be further limited to just the destination address of the inbound UDP packets.
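The three matching granularities contrasted above, as an added example that is not code from the RFC: one outbound UDP session is recorded as the NAT sees it on the external side, and the same inbound datagrams are tested against full-tuple matching, destination address plus port matching, and the destination-address-only matching that results from unifying sessions on a binding. The addresses, ports and the attacker's datagrams are constructed.

```python
# Added example, not from the RFC: inbound UDP acceptance under the three
# matching granularities the text describes. Addresses and ports constructed.
from typing import Iterable, Tuple

# An outbound UDP session as recorded on the external side of the NAT:
# (external addr, external port, remote addr, remote port).
Session = Tuple[str, int, str, int]

GRANULARITIES = ("full", "destination", "address")


def accept_inbound(sessions: Iterable[Session], src: str, sport: int,
                   dst: str, dport: int, granularity: str) -> bool:
    """Decide whether an inbound UDP datagram belongs to a recorded session.

    "full":        all four fields must match; the sender must be the target
                   the private host actually sent to.
    "destination": destination address and port only; any external host
                   that learns the port can inject into the session.
    "address":     sessions sharing a binding unified into one; only the
                   destination address is matched, so any port reaches it.
    """
    if granularity not in GRANULARITIES:
        raise ValueError(granularity)
    for ext_addr, ext_port, rem_addr, rem_port in sessions:
        if dst != ext_addr:
            continue
        if granularity == "address":
            return True
        if dport != ext_port:
            continue
        if granularity == "destination":
            return True
        if (src, sport) == (rem_addr, rem_port):
            return True
    return False


def exposure(sessions: Iterable[Session], datagram: Tuple[str, int, str, int]) -> dict:
    """Which policies let a given (src, sport, dst, dport) datagram through."""
    sessions = list(sessions)
    return {g: accept_inbound(sessions, *datagram, g) for g in GRANULARITIES}
```

Full-tuple matching is the safe default, but it is also the policy that drops the legitimate case the text opens with, a reply that comes from an address other than the one the datagram was sent to, so a NAT that relaxes it should do so per application through an ALG rather than globally.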
...
References
[1] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.
Carpenter, B., Crowcroft, J. and Y. Rekhter, "IPv4 Address Behavior Today", RFC 2101, February 1997.