netmanais.2013.09.03.nat overview (en)


  • 7/25/2019 Netmanais.2013.09.03.NAT Overview (en)


    NETMANIAS TECH-BLOG Please visit www.netmanias.com to view more posts

    Network Address Translation (NAT) Overview

    (RFC 3022/2663)

    September 3, 2013 | By Andrew Johnson and Chris Yoo ([email protected])

    Today, NATs are employed by Korean telecom operators in almost all of their access networks except for

    wired access networks (FTTH, Ethernet, DSL, etc.).

    - 3G/LTE network: Large Scale NAT (LSN) installed beyond the GGSN/P-GW in the 3G/LTE core network. Also called "Carrier Grade NAT (CGN)".

    - Wi-Fi Hotspot network: NAT implemented in the Wi-Fi Hotspot

    - Residential network: NAT implemented in subscribers' APs provided by (leased from) telecom operators, or in APs purchased from open markets (e.g. D-Link's DIR)

    All users, including 3G/LTE users, Wi-Fi Hotspot users and home AP users, are assigned a private IP

    address. Then later when they access the Internet, this address is converted into a public IP

    address through a NAT.

    Using a NAT allows telecom operators to:

    (1) save public IP addresses because the NAT converts the private IP addresses assigned to multiple

    devices into a public address. This allows the devices to use only one public IP address instead of their

    private IP addresses when accessing the Internet.

    (2) prevent any external attack on mobile devices or mobile networks by introducing LSNs on the 3G/LTE

    network. Enterprises can also protect their internal network from external intrusion/attack by making

    their addresses private (similar to using firewalls).

    Below, NAT-related terms defined in RFC 3022 (Traditional NAT) and RFC 2663 (IP NAT Terminology and Considerations) will be explained.

    Terminology

    1. TU Ports

    Both TCP and UDP headers have Source and Destination Port fields, and these ports are collectively called "TU Ports", or "Transport Identifiers". When a device (client) communicates with a server using TCP or UDP, a value from 0 to 1,023 (well-known ports defined by IANA) or from 1,024 to 49,191 (registered ports defined by IANA) is generally used as the TU Destination Port, as set in RFC 1700. For example, HTTP's TCP Destination Port is 80. For the TU Source Port, however, each OS uses a value randomly selected from a range defined by that OS (approximately 30,000 ~ 60,000). This type of port is called an "ephemeral port" (see http://en.wikipedia.org/wiki/Ephemeral_port for more information).


    2. Public/Global/External Network

    Refers to a network which has globally unique IP addresses assigned by the Internet Assigned Numbers

    Authority (IANA). Therefore, this type of network can route (communicate) across telecom operators' networks around the world. It is commonly called a "public IP network".

    3. Private/Local Network

    Refers to a network which has IP addresses that are not assigned by IANA. This type of network cannot

    route through the Internet. It is commonly called a "private IP network".

    IANA defines the following three IP blocks for this purpose:

    10/8, 172.16/12, 192.168/16

    4. Session

    A session is defined as the set of traffic that is managed as a unit for translation. Each TCP/UDP session is

    identified by the values of a source IP address, source TU port, destination IP address and destination TU

    port.

    5. Application Level Gateway (ALG)

    Some applications have IP address and/or TU port information in their payload (application-specific data

    that follows TCP/UDP headers). For this reason, some NAT devices have Application Level Gateways

    (ALGs), which feature an agent that can translate the IP address and/or TU port information stored in

    payloads (Application awareness inside the NAT). In general, these NATs come with a list of applications

    supported (e.g. FTP, SIP, RTSP, etc.). Since it is practically impossible for a NAT to support ALGs for all

    the applications that are being released every day in the market, not many NATs seem to support ALGs.

    What is NAT?

    Network Address Translation (NAT) is the process of converting a private IP address into a public IP

    address, and vice versa, to allow a device on a private network to communicate with a public network

    (Internet).

    Traditional NAT would allow hosts within a private network to transparently access hosts in the external network, in most cases. In a traditional NAT, sessions are uni-directional, outbound from the private network. Sessions in the opposite direction may be allowed on an exceptional basis using static address maps for pre-selected hosts. (RFC 3022)

    Traditionally, NAT devices are used to connect an isolated address realm with private unregistered addresses to an external realm with globally unique registered addresses. (RFC 2663)


    Types of NAT

    There are two types of NAT defined in RFC 3022/2663: Basic NAT and Network Address Port Translation (NAPT). Both are collectively called "Traditional NAT", although NAPT, aimed at saving IPv4 addresses, is the most common type of NAT these days. So, when we say NAT, we refer to NAPT in most cases. NAPT-type operation is now supported by all APs.

    Basic Network Address Translation, or Basic NAT, is a method by which IP addresses are mapped from one group to another, transparent to end users. Network Address Port Translation, or NAPT, is a method by which many network addresses and their TCP/UDP (Transmission Control Protocol/User Datagram Protocol) ports are translated into a single network address and its TCP/UDP ports.

    Together, these two operations, referred to as traditional NAT, provide a mechanism to connect a realm

    with private addresses to an external realm with globally unique registered addresses. (RFC 3022)

    Basic NAT

    Definition and Purpose

    Basic NAT is employed in enterprise networks for security purposes (like a firewall). It provides a one-to-one translation of IP addresses. This means that as many public IP addresses as there are devices with a private IP address are needed to access the Internet.

    Nodes on private network could be enabled to communicate with external network by

    dynamically mapping the set of private addresses to a set of globally valid network addresses. (RFC

    3022)

    Translation Rule

    1:1 translation (1 = Public IP, 1 = Private IP)

    Mapping

    - Outbound Traffic: Translating a Private Source IP Address to a Public Source IP Address

    - Inbound Traffic: Translating a Public Destination IP Address to a Private Destination IP Address

    Packet Modification

    Following packet information is replaced during translation:

    - Outbound Traffic: Source IP Address, IP Header Checksum

    - Inbound Traffic: Destination IP Address, IP Header Checksum
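    An added example (not code from the Netmanias post) of the outbound Basic NAT packet modification listed above: the Source IP Address 10.1.1.1 is rewritten to 5.5.5.1 and the IP Header Checksum is recomputed, both from scratch and with the RFC 1624 incremental method a NAT would use. The identification, flags and TTL fields of the header are constructed sample values.

```python
import struct
import ipaddress

def ones_complement_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 IP Header Checksum: complement of the sum with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF

def header_is_intact(header: bytes) -> bool:
    """Receiver-side check: summing every word, checksum included, must give 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header carrying TCP (id, flags, TTL are sample values)."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                         64, 6, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]

def basic_nat_outbound(header: bytes, public_src: str) -> bytes:
    """Basic NAT outbound modification: rewrite Source IP Address, recompute checksum."""
    rewritten = header[:12] + ipaddress.IPv4Address(public_src).packed + header[16:]
    return rewritten[:10] + struct.pack("!H", ipv4_checksum(rewritten)) + rewritten[12:]

def incremental_checksum(old_checksum: int, old_words, new_words) -> int:
    """RFC 1624 update HC' = ~(~HC + ~m + m'): a NAT only needs the words it
    rewrote (here the two 16-bit halves of the source address), not the whole header."""
    total = (~old_checksum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

if __name__ == "__main__":
    inside = build_ipv4_header("10.1.1.1", "1.1.1.1", 20)   # client -> Server 1
    outside = basic_nat_outbound(inside, "5.5.5.1")          # after the NAT
    print(inside[10:12].hex(), outside[10:12].hex(), header_is_intact(outside))
```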


    Three Translation Phases in a Session

    1. Address Binding

    A Basic NAT binds a Public IP Address to the Private IP Address of each device that sends outbound traffic (1:1 mapping), and generates a session entry in the NAT binding table.

    2. Address Lookup and Translation

    - Later, when the NAT receives an outbound packet (from a user device to the NAT), it translates the Private Source IP Address of the packet to a Public Source IP Address by referring to the binding table, and delivers it on to the Internet.

    Figure: Basic NAT operation. Client 1 (10.1.1.1), Client 2 (10.1.1.2) and Client 99 (10.1.1.99) on the Private/Local Network reach Server 1 (1.1.1.1, port 80) and Server 2 (2.2.2.2, port 8080) on the Public/Global/External Network through the NAT; the External Address Range is 5.5.5.1 ~ 5.5.5.99. Outbound, only the Source IP is translated (e.g. {10.1.1.1, 5000} -> {5.5.5.1, 5000}); inbound, only the Destination IP is translated back ({5.5.5.1, 5000} -> {10.1.1.1, 5000}). A binding entry is created at the first outbound packet of each client (a, b, c).

    Basic NAT: NAT Binding Table

    NAT Inside IP | NAT Outside IP | Binding Lifetime
    10.1.1.1      | 5.5.5.1        | 120s
    10.1.1.2      | 5.5.5.2        | 120s
    10.1.1.99     | 5.5.5.99       | 120s

    - When it receives an inbound traffic packet (from the Internet to NAT), it translates the Public

    Destination IP Address of the packet to the IP address of the user device, i.e. a Private Destination IP

    Address, by referring to the binding table, and delivers it on to the user device.

    3. Address Unbinding

    If there is no incoming packet that corresponds to a session entry generated, the NAT deletes the entry from the NAT binding table.

    Deployment Example

    Enterprise Network

    Network Address Port Translation (NAPT)

    Definition and Purpose

    NAPT is employed for saving public IP addresses. It provides a many-to-one translation of IP addresses. That means one public IP address is used when multiple user devices with a private IP address access the Internet.

    Nodes on the private network could be allowed simultaneous access to the external network,

    using the single registered IP address with the aid of NAPT. (RFC 3022)

    Translation Rule

    1:N translation (1 = Public IP, N = Private IP)

    Mapping

    - Outbound Traffic: Translating {Private Source IP Address, Local TU Source Port} tuple to {Public

    Source IP Address, Registered TU Source Port} tuple

    - Inbound Traffic: Translating {Public Destination IP Address, Registered TU Destination Port} tuple to

    {Private Destination IP Address, Local TU Destination Port}

    Packet Modification

    Following packet information is replaced during translation:

    - Outbound Traffic: Source IP Address, IP Header Checksum, TU Source Port, TCP/UDP Header

    Checksum

    - Inbound Traffic: Destination IP Address, IP Header Checksum, TU Destination Port, TCP/UDP Header

    Checksum


    Three Translation Phases in a Session

    1. Address Binding

    When a device with a Private IP Address sends outbound traffic, a NAPT binds a Public IP Address and TU Source Port to the Private IP Address and TU Source Port of the device (1:N mapping). Then the NAPT generates a session entry for the traffic in the NAT binding table.

    2. Address Lookup and Translation

    - Later when the NAPT receives an outbound traffic packet (from a user device to NAT), it translates

    the Private Source IP Address and Local TU Source Port of the packet into a Public Source IP

    Address and Registered TU Source Port by referring to the binding table, and delivers it on to the

    Internet (Registered ports refer to the ones assigned by a NAT. A Local TU Source Port is also called an "Internal Port", and a Registered TU Source Port is called an "External Port".)

    Figure: NAPT operation. The same clients (10.1.1.1, 10.1.1.2, 10.1.1.99) and servers (1.1.1.1 port 80, 2.2.2.2 port 8080) as in the Basic NAT figure, but the NAPT has a single External Address, 5.5.5.1, and translates the {IP, TU port} tuple in both directions (e.g. outbound {10.1.1.1, 5000} -> {5.5.5.1, 1000}; inbound {5.5.5.1, 1000} -> {10.1.1.1, 5000}). A binding entry is created at the first outbound packet of each session (a, b, c, d).

    NAPT: NAT Binding Table

    NAT Inside IP | NAT Inside Port | NAT Outside IP | NAT Outside Port | Binding Lifetime
    10.1.1.1      | 5000            | 5.5.5.1        | 1000             | 120s
    10.1.1.1      | 5001            | 5.5.5.1        | 1001             | 120s
    10.1.1.2      | 5003            | 5.5.5.1        | 1002             | 120s
    10.1.1.99     | 6000            | 5.5.5.1        | 1003             | 120s

    - When it receives an inbound traffic packet (from the Internet to the NAT), it translates the Public Destination IP Address and Registered TU Destination Port of the packet to the IP address and port values of the user device, i.e. a Private Destination IP Address and Local TU Destination Port, by referring to the binding table, and delivers it on to the user device.

    3. Address Unbinding

    If there is no incoming packet that corresponds to a session entry generated, the NAPT deletes the

    entry from the NAT binding table.
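    The three NAPT phases above as an added, runnable example (not code from the Netmanias post): a binding table keyed by {Private IP, Local TU Port}, registered ports handed out from 1000 in order as in the figure, an inbound lookup that drops packets with no binding, and unbinding after the 120s lifetime. Time is passed in as a parameter rather than read from a clock so the behaviour is reproducible.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, TU port)

@dataclass
class Binding:
    inside: Endpoint    # {Private IP Address, Local TU Port}
    outside: Endpoint   # {Public IP Address, Registered TU Port}
    last_seen: float    # refreshed by every packet that matches the entry

class Napt:
    """Binding table for the three phases: bind on outbound traffic, look up and
    translate in both directions, unbind once an entry has been idle for `lifetime`."""

    def __init__(self, external_ip: str, first_port: int = 1000, lifetime: float = 120.0):
        self.external_ip = external_ip
        self.next_port = first_port      # registered ports assigned in order, as in the figure
        self.lifetime = lifetime
        self.by_inside: Dict[Endpoint, Binding] = {}
        self.by_outside: Dict[Endpoint, Binding] = {}

    def outbound(self, src: Endpoint, now: float) -> Endpoint:
        """Phases 1 and 2: create the binding on first sight, then return the
        {Public Source IP, Registered TU Source Port} tuple written into the packet."""
        self.expire(now)
        b = self.by_inside.get(src)
        if b is None:
            b = Binding(src, (self.external_ip, self.next_port), now)
            self.next_port += 1
            self.by_inside[src] = b
            self.by_outside[b.outside] = b
        b.last_seen = now
        return b.outside

    def inbound(self, dst: Endpoint, now: float) -> Optional[Endpoint]:
        """Phase 2, inbound: map {Public Destination IP, Registered TU Destination Port}
        back to the inside tuple. None means no binding exists and the packet is dropped,
        which is what keeps unsolicited Internet traffic away from the private hosts."""
        self.expire(now)
        b = self.by_outside.get(dst)
        if b is None:
            return None
        b.last_seen = now
        return b.inside

    def expire(self, now: float) -> None:
        """Phase 3: delete entries that saw no matching packet for `lifetime` seconds."""
        stale = [b for b in self.by_inside.values() if now - b.last_seen >= self.lifetime]
        for b in stale:
            del self.by_inside[b.inside]
            del self.by_outside[b.outside]

    def table(self):
        """Current entries as (inside, outside) pairs, the layout of the post's table."""
        return sorted((b.inside, b.outside) for b in self.by_inside.values())
```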

    Deployment Example

    Wi-Fi Hotspot, SOHO, Home and 3G/LTE LSN


    About NMC Consulting Group (www.netmanias.com)

    NMC Consulting Group is an advanced and professional network consulting company, specializing in IP network areas (e.g., FTTH, Metro Ethernet and IP/MPLS), service areas (e.g., IPTV, IMS and CDN), and wireless network areas (e.g., Mobile WiMAX, LTE and Wi-Fi) since 2002.

    Copyright 2002-2013 NMC Consulting Group. All rights reserved.

    Figure: Netmanias Research and Consulting Scope (1999 to 2013).

    Visit http://www.netmanias.com to view and download more technical documents.