Saturday, April 5, 2014

NAT overload

INTRODUCTION

NAT Overload is the most common NAT method used throughout all networks that connect to the Internet. This is because of the way it functions and the limitations it can overcome, and we'll explore all of these in the next two pages.
Whether you use a router, firewall appliance, Microsoft's Internet sharing ability or any 3rd party program that enables all your home computers to connect to the Internet via one connection, you're using NAT Overload.
This NAT mode is also know by other names, like NAPT (Network Address Port Translation), IP Masquerading and NAT with PAT (Port Address Translation). The different names logically come from the way NAT Overload works, and you'll understand this by the time we're finished with the topic.
NOTE: You should be familiar with TCP/IP & UDP communications, as well as how they use various Ports in order to identify the resources/applications they are trying to use. It's very important you understand them because NAT Overload is based on these Ports in order to identify sessions between hosts.

WHAT EXACTLY DOES NAT OVERLOAD DO ?

NAT Overload is a mix of Static & Dynamic NAT with a few enhancements thrown in (PAT- Port Address Translation) to make it work the way we need. By now you understand how both Static & Dynamic NAT work so we won't get into the details again. NAT Overload takes a Static or Dynamic IP Address that is bound to the public interface of the gateway (this could be a PC, router or firewall appliance) and allows all PCs within the private network to access the Internet.
If you find yourself wondering how this is possible with one only IP Address, you will be happy to find that the answer lies within PAT.
The diagram below shows you how a single session is handled by a NAT Overload enabled device:
nat-overload-part1-1

So we have a host on a private network, its IP Address is 192.168.0.1 and it's sending a packet to the Internet, more specifically to IP Address 200.0.0.1, which we're assuming is a server. The Port, which is 23, tells us that it's trying to telnet to 200.0.0.1, since this is the default port telnet uses.
As the original packet passes through the router, the Source IP Address field is changed by the router from 192.168.0.1 to 203.31.218.100. However, notice that the ports are not changed.
The reason the Source IP Address is changed is obvious: The router's public IP Address must be placed in the Source IP Address field of the packet so the server we're trying to telnet to knows where the request is coming from so it can then send the reply.
That takes care of making sure the packet from the server we're telneting to finds its way back to the router's public interface. From there, the router needs to know which host on the private network it must send the reply to. For this, it uses the ports and we will be looking at that closer very soon.
Some might think that this example is pretty much the way a Static NAT router would behave, and if you're thinking just that you're totally right! In order to understand how a NAT Overload enabled router is different from Static NAT, we must add at least one more host in the private network, which we'll do right now.
With two or more hosts on the private network, in Static NAT mode we would require the equivalent number of public IP Addresses, right ? One for each private host, because Static NAT maps one public IP Address to each private host.
NAT Overload overcomes this limitation by using one public IP Address for all private hosts, but utilising the thousands of ports available in order to identify each private host's session.

UNLEASHING THE TRUE POWER OF NAT OVERLOAD

To help cover all possibilities and questions that might come up from these examples, we're going to add another two private hosts in our internal network. We'll assume that:
1) The 2nd host in our private network is trying to telnet to the same server as the 1st host
2) The 3rd host in our private network is trying to telnet to a different server on the Internet
So let's see how our example network looks:
nat-overload-part1-2

Host 1 and 2 are telneting to the same server (203.31.218.100), the only difference between the two packets is their Source Port Numbers, the router uses these to keep track of which packet belongs to each host.
Let's examine what happens when Host 1's reply arrives:
nat-overload-part1-3

A packet arrives on our router's public interface and is accepted. The packet's details are examined and show that it came from IP Address 200.0.0.1 Port 23 with a destination of 203.31.218.100 Port 3000. The router remembers that Host 1 and 2 just sent a packet to this IP Address and now, in order to determine to whom this response belongs, it carefully examines its Destination Port.
It focuses on the Destination Port because in any reply, the Destination Port takes the value of the initial packet's Source Port. This means that this packet is a reply to one sent previously to IP Address 200.0.0.1 with Source Port 3000. The router refers to its NAT table and finds a matching entry for the described initial packet. It recognises that the reply is intended for Host 1 and will forward it to the host.
The server to which Host 1 and 2 of our example private network are telneting uses the same logic to distinguish between the two separate sessions.
Because this can also be a bit difficult to imagine, I've included a diagram which shows the server receiving Host 1's initial packet and then sending a reply:
nat-overload-part1-4

The example on this page is intended to show you the idea behind NAT Overload and how it works. We saw our little NAT Overload enabled router doing wonders with one single public IP Address. If we wanted to use Static or Dynamic NAT in this same example, we would definitely require 3 public IP Addresses for our 3 private hosts but thanks to NAT Overload, we only need one IP Address.

HOW NAT TRANSLATIONS TAKE PLACE

When covering Dynamic and Static NAT, we saw that it was either the Source or Destination IP Address that had to be modified by the NAT device. No matter which mode was used, the Source and Destination ports were never altered in any way.
NAT Overload on the other hand will use a single public IP Address for the routing process and change, in most cases, the Source or Destination port depending on whether it's an incoming or outgoing packet.
In the next diagram we have two computers that have each sent a packet out to the Internet and are expecting a reply. We take a look at how the router deals with these packets individually and where the information required to identify the expected replies is stored:
nat-overload-part2-1
You've got to agree that that's a very simple setup. To make life easy, I haven't included any additional information about the generated packets because we'll deal with them individually.
nat-overload-part2-2
So it's time to take a look at how the router deals with this first packet which belongs to Workstation 1:
nat-overload-part2-3
The packet Workstation 1 generated arrives at the router's private interface which has IP Address 192.168.0.1. The router accepts the packet and processes it. Once inside the router, the packet's Source IP Address, Destination IP Address, Source Port and Destination Port are examined and the router decides that this is a valid packet so it should be forwarded to the Internet.
NAT is now about to take place (check NAT Table in the above diagram). The router will replace the Source IP Address (192.168.0.5) with its Public IP Address (200.0.0.1) and keep the rest of the information intact.
Note that in most cases, the Source Port is not changed unless it has already been used by a previous packet from the private network but, since this is the first outgoing packet, this cannot be the case.
Here's how the packet looked once it exited the router's public interface:
nat-overload-part2-4
Time to check our second packet that will traverse the router, which is generated by Workstation 2 (the router has not yet received the reply to Workstation 1's packet).
We're going to assume that Workstation 2 uses the same Source Port (2400) as Workstation 1's packet, so you can see how the router will react:
nat-overload-part2-5
This packet is a very good example to show you how great NAT Overload is because the router will need to 'do' something to make sure it's able to successfully receive the reply.
Let's look at what happens within the router as the packet arrives at its private interface:
nat-overload-part2-6
As you can see, our second packet arrives at the router's private interface. It enters the router and since the packet is valid (it's not corrupt and contains a valid Destination IP Address in its IP Header) it's routed to the public interface and NAT is performed while a new entry is added into the router's NAT Table.
Looking at the NAT entries, you will notice that both first and second packets have the same Source Port, which is 2400. Since the router already used port 2400 as a Source Port for the first packet's NAT Translation and hasn't yet received a reply, it cannot use it again for the second packet. If it did use it, when a reply for any of the two packets came back the router wouldn't be able to distinguish whose it was.
For this reason, the router assigns a new Source Port for the second packet (14500), ensuring that the reply will get to the internal host for which it is intended:
nat-overload-part2-7

Usually most NAT Overload enabled devices will assign Source Ports in the range of 1025 to 65500.
Keep in mind that when one host sends a packet to another, the Source Port it used in the packet will be substituted for the Destination Port in the reply packet.
For example, Host A sends a packet to Host B and this packet has a Source Port of 200, then when Host B replies to Host A its packet will have a Destination Port of 200. This way, Host A knows this is a reply to the initial packet it sent.
This is why it's important for the router to keep close track of Source Ports on outgoing packets and Destination Ports in all incoming packets.
FINAL NOTES
NAT Overload will work perfectly no matter which type of IP Address assignment you have. Whether it's Dynamic IP or Static, via dial up or a permanent connection, it makes no difference to the NAT device. You can now see how this particular NAT mode has helped preserve real (public) IP Addresses, because no matter how many internal hosts any private network has, it only requires one real IP Address in order to allow all internal hosts to access the Internet.
Now you have a good idea why NAT is such a popular topic, simply cause it's made such a big difference ion how networks connect to the Internet.


No comments:

Post a Comment