Network Address Translation (NAT traditional)



  Translated directly from the foreign-language original at Http://91mail.51.net; for discussion and exchange only. 

  Foreword 

  This document describes the address translation extended from the RFC 1631 NAT, covering both network address translation and TCP/UDP port translation.    In addition, it corrects the checksum adjustment algorithm of RFC 1631 and discusses NAT operation and its limitations in detail. 

  Abstract: 

  Basic Network Address Translation (Basic NAT) is a method by which IP addresses are mapped from one group to another, transparently to end users.    Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP (Transmission Control Protocol / User Datagram Protocol) ports are translated into a single network address and its TCP/UDP ports.    Together, these two operations, referred to as traditional NAT, provide a mechanism to connect a realm with private addresses to an external realm with globally unique, registered addresses. 

  1. Introduction 

  The need for IP address translation arises when a network's internal IP addresses cannot be used outside the network, either for privacy reasons or because they are not valid outside the network.    The network topology outside a local domain can change in many ways: customers may change providers, company backbones may be reorganized, or providers may merge or split.    Whenever the external topology changes over time, the addresses assigned to nodes within the local domain must also change to reflect the external changes.    Changes of this kind can be hidden from users within the domain by centralizing them in a single address translation router. 

  Basic address translation would (in many cases, except as discussed in [NAT-TERM] and section 6 of this document) allow hosts in a private network to transparently access the external network, and optionally allow selected local hosts to be reached from outside.    Organizations whose network is set up predominantly for internal use, with only an occasional need for external access, are good candidates for this scheme. 

  Many Small Office, Home Office (SOHO) users and telecommuting employees have multiple network nodes in their office running TCP/UDP applications, but are given only a single IP address by their service provider for the router that connects them to remote networks. 

  This growing community of remote access users would benefit from NAPT, which allows multiple nodes in a local network to access remote networks simultaneously using the single IP address assigned to their router. 

  There are limitations to this translation method.    It is mandatory that all requests and responses belonging to a session be routed through the same NAT router.    One way to ensure this is to run NAT on a border router that is unique to a stub domain, so that every IP packet either originates from or is destined to that domain.    There are other ways to ensure this rule with multiple NAT devices.    For example, a single private domain could have two distinct exit points to different providers, and a session from a local host could traverse whichever NAT device has the best path to the external host.    When one NAT router fails, the other could take over routing for all connections.    There is a caveat with this approach: re-routed flows may fail at the moment of switch-over to the new NAT router.    A solution is to let NAT routers that share the same configuration exchange state information, so that each is a fail-safe backup for the other. 

  NAT is application independent and is often accompanied by Application Level Gateways (ALGs) that inspect the payload and translate it where necessary.    The FTP ALG is the most commonly used ALG function in NAT devices.    Applications must not encrypt the payload that an ALG needs to examine, because that would defeat the ALG unless the ALG holds the payload decryption key. 

  This method has the disadvantage of eliminating the end-to-end significance of IP addresses, and of adding state to the network to compensate for it.    In short, IP network layer security based on end-to-end assurance (IPsec) cannot be applied to end hosts when a NAT device sits on the path.    The advantage of this method, however, is that it requires no changes to hosts or routers. 

  Definitions of the terms used in this document, such as "address realm," "transparent routing," "TU port," "ALG" and others, can be found in [NAT-TERM]. 

  2. Traditional NAT Overview: 

  The address translation described in this document is "traditional NAT."    Other flavors of NAT are not described here.    In most cases, traditional NAT allows hosts within a private network to transparently access hosts in the external network.    With traditional NAT, sessions are unidirectional, outbound from the private network to the WAN.    Sessions in the opposite direction may be allowed on an exceptional basis using static address maps for pre-selected hosts.    Basic NAT and NAPT are the two variations of traditional NAT: translation in Basic NAT is limited to IP addresses alone, whereas translation in NAPT is extended to include the IP address and a transport identifier (such as the TCP/UDP port or the ICMP query ID). 

  2.1 Basic NAT overview: 

  Basic NAT operates as follows.    A block of global IP addresses is set aside for the stub domain to communicate with the external network, by mapping local addresses to globally unique addresses.    If the number of local nodes is less than or equal to the number of available global addresses, each local address is guaranteed a global address to map to.    Otherwise, the number of nodes allowed simultaneous access to the WAN is limited by the number of global addresses.    Individual local addresses may be statically mapped to a particular global address, either to guarantee access to the outside or to allow access to the local host from external hosts through a fixed public address.    Multiple simultaneous sessions may be initiated from a local node using the same address mapping. 

  Addresses inside a stub domain are valid only locally and have no meaning outside the domain.    Therefore, the addresses inside one stub domain can be reused by any other stub domain.    For example, a single Class A address could be used by many stub domains.    At each exit point between a stub domain and the backbone, a NAT is installed.    If there is more than one exit point, each NAT must have the same translation table. 

  2.2 NAPT overview: 

  Say an organization has a private IP network and a WAN link to a service provider.    The private network's stub router is assigned a valid IP address on the WAN link, and the remaining nodes in the organization have IP addresses that are valid only locally.    In such a case, NAPT allows multiple nodes on the local network to connect to the WAN simultaneously using the single registered IP address.    NAPT maps tuples of the type (local IP address, local TU port) to tuples of the type (registered IP address, assigned TU port).    This model fits the needs of most Small Office, Home Office (SOHO) groups that access the WAN through a single service-provider-assigned IP address.    The model may be extended to allow inbound access by statically mapping a local node to each service TU port of the registered IP address. 

  Besides TCP/UDP sessions, ICMP messages, with the exception of the REDIRECT type, may also be handled by the NAPT router.    ICMP query packets are translated in the same way as TCP/UDP packets: the identifier field in the ICMP query header is mapped one-to-one onto a query identifier of the registered IP address.    The identifier in an ICMP query is set by the sender and returned unchanged in the response.    Therefore, the NAPT router maps the tuple (local IP address, local ICMP query identifier) to the tuple (registered IP address, assigned ICMP query identifier), which guarantees a unique identifier for queries of every type from any local host.    Modifications to ICMP error messages are discussed in a later section, since they involve changes to the ICMP payload as well as to the IP and ICMP headers. 

  In a NAPT setup where the registered IP address is the same as the IP address of the stub router's WAN interface, the router must distinguish between TCP, UDP or ICMP query sessions that it originates itself and those originated by nodes on the LAN.    All inbound sessions (including TCP, UDP and ICMP query sessions) are assumed to be directed at the NAT router as the end node, unless the target service port is statically mapped to a different node in the LAN. 

  Sessions other than TCP, UDP and ICMP query types are simply not permitted from local nodes served by a NAPT router. 

  3.0 Translation phases of a session 

  The translation phases of traditional NAT are the same as those described in [NAT-TERM].    The following sub-sections identify the items that are specific to traditional NAT. 

  3.1 Address binding: 

  With Basic NAT, a private address is bound to an external address when the first outgoing session is initiated from the private host.    Subsequently, all other outgoing sessions originating from the same private address use the same address binding for packet translation. 

  In the case of NAPT, where many private addresses are mapped to a single globally unique address, the binding is from the tuple (private IP address, private TU port) to the tuple (assigned address, assigned TU port).    As with Basic NAT, this binding is determined when the first outgoing session is initiated by the tuple (private IP address, private TU port) on the private host.    While not common practice, it is possible for an application on a private host to establish multiple simultaneous sessions originating from the same tuple (private address, private port).    In such a case, a single binding for the tuple (private address, private TU port) may be used for translating the packets of all sessions originating from that tuple on the host. 

  3.2 Address lookup and translation: 

  Once an address binding, or an (address, TU port) tuple binding in the case of NAPT, is established, a soft state is maintained for each connection that uses the binding.    Packets belonging to the same session are subject to session lookup for translation purposes.    The exact nature of the translation is discussed in the following section. 

  3.3 Address unbinding 

  When the last session based on an address binding or an (address, TU port) tuple binding is terminated, the binding itself is terminated. 

  4.0 Packet translation 

  Packets belonging to NAT-managed sessions undergo translation in either direction.    The individual packet translation issues are covered in detail in the following sub-sections. 

  4.1 IP, TCP, UDP and ICMP header manipulation: 

  In the Basic NAT model, the IP header of every packet must be modified.    This modification includes the IP address (the source IP address for outbound packets and the destination IP address for inbound packets) and the IP header checksum. 

  For TCP and UDP sessions, the modifications must include updating the checksum in the TCP/UDP header.    This is because the TCP/UDP checksum also covers a pseudo-header that contains the source and destination IP addresses.    There is one exception: a UDP header whose checksum is 0 must not be modified.    For ICMP query packets, no further change is needed, since the ICMP header checksum does not cover the IP addresses. 

  In the NAPT model, the modifications to the IP header are the same as for Basic NAT.    For TCP/UDP sessions, the header modifications must be extended to include translation of the TU port (the source TU port for outbound packets and the destination TU port for inbound packets).    For ICMP query packets, the ICMP header must also be modified to replace the query ID and the ICMP header checksum.    The private host's query ID must be translated into the assigned ID on the outbound path and the exact reverse on the inbound path.    The ICMP header checksum must be corrected to account for the query ID translation. 

  4.2 Checksum adjustment 

  NAT modifications are applied per packet and can be compute intensive, because in addition to simple field translation they involve one or more checksum corrections.    Fortunately, there is a simple and efficient algorithm for adjusting the IP, TCP, UDP and ICMP header checksums.    Since all of these headers use a one's complement sum, it is sufficient to compute the one's complement difference between the fields before and after translation and add it to the existing checksum. 
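  The incremental adjustment just described, implemented as an added example (this is the editor's code, not the page's or RFC 3022's own listing). It applies the RFC 1624 form HC' = ~(~HC + ~m + m') to a constructed IPv4+TCP SYN packet during an outbound NAPT translation of (192.168.0.10, port 40000) to the assumed external pair (203.0.113.5, port 49152), and checks the result against a full recomputation; the TCP checksum needs both address and port in m because its pseudo-header covers the source address.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* One's-complement sum of big-endian 16-bit words added to acc, folded to 16 bits. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;                 /* odd trailing byte */
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    return acc;
}
/* Incremental update, RFC 3022 sec. 4.2 / RFC 1624: HC' = ~(~HC + ~m + m').
   Only the bytes that change (m -> m') are needed, never the rest of the packet. */
uint16_t checksum_adjust(uint16_t hc, const uint8_t *oldv, const uint8_t *newv, size_t len) {
    uint32_t x = ((~hc) & 0xFFFF) + ((~ones_sum(oldv, len, 0)) & 0xFFFF);
    return (uint16_t)(~ones_sum(newv, len, x) & 0xFFFF);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xFF); }
uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Constructed sample: IPv4 header + TCP SYN header, no payload,
   192.168.0.10:40000 -> 198.51.100.10:80. Checksum fields are filled by build_packet(). */
uint8_t pkt[40] = {
    0x45,0x00,0x00,0x28, 0x1c,0x46,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x0a, 0xc6,0x33,0x64,0x0a,
    0x9c,0x40,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00 };
const uint8_t assigned_ip[4] = {203, 0, 113, 5};       /* constructed NAPT external address */
/* TCP pseudo-header: src, dst, zero, protocol, TCP length (20 here). */
static uint32_t pseudo_sum(const uint8_t *p) {
    uint8_t ph[12] = {0};
    memcpy(ph, p + 12, 8); ph[9] = p[9]; put16(ph + 10, 20);
    return ones_sum(ph, 12, 0);
}
/* Receiver-side checks: the sum over the header (plus pseudo-header for TCP),
   checksum field included, must come out as 0xFFFF. */
int ip_header_ok(const uint8_t *p) { return ones_sum(p, 20, 0) == 0xFFFF; }
int tcp_ok(const uint8_t *p) { return ones_sum(p + 20, 20, pseudo_sum(p)) == 0xFFFF; }
/* Fill both checksums from scratch (full RFC 1071 computation), as the sender would. */
void build_packet(void) {
    put16(pkt + 10, 0); put16(pkt + 36, 0);
    put16(pkt + 10, (uint16_t)~ones_sum(pkt, 20, 0));
    put16(pkt + 36, (uint16_t)~ones_sum(pkt + 20, 20, pseudo_sum(pkt)));
}
/* Outbound NAPT: (private IP, private port) -> (assigned IP, assigned port).
   The IP checksum depends only on the address; the TCP checksum on both, since its
   pseudo-header covers the source address. A UDP checksum of 0 would be left alone. */
void napt_translate_outbound(uint8_t *p, const uint8_t new_ip[4], uint16_t new_port) {
    uint8_t oldv[6], newv[6];
    memcpy(oldv, p + 12, 4); memcpy(oldv + 4, p + 20, 2);
    memcpy(newv, new_ip, 4); put16(newv + 4, new_port);
    put16(p + 10, checksum_adjust(get16(p + 10), oldv, newv, 4));
    put16(p + 36, checksum_adjust(get16(p + 36), oldv, newv, 6));
    memcpy(p + 12, newv, 4); memcpy(p + 20, newv + 4, 2);
}
```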

  4.3 ICMP error packet modifications: 

  Changes to an ICMP error message involve the outer IP header, the ICMP header, and the IP header embedded in the ICMP error payload. 

  For NAT to be fully transparent to the destination host, the IP address in the IP header embedded in the ICMP error message must be modified, the checksum field of that embedded IP header must be modified, and finally the ICMP header checksum must be modified to reflect the change in the payload. 

  In a NAPT setup, if the IP packet embedded in the ICMP message happens to be a TCP, UDP or ICMP query packet, the corresponding TU port in the embedded TCP/UDP header, or the query identifier field in the embedded ICMP query header, must be modified as well. 

  Finally, the IP header of the ICMP packet itself must be modified. 

  4.4 FTP support 

  FTP is one of the most commonly used applications; an FTP ALG is required to monitor the payload of the control session in order to determine the parameters of the ensuing data session.    The FTP ALG is an integral part of most NAT implementations. 

  The FTP ALG needs a special table to correct the TCP sequence and acknowledgement numbers of sessions whose source or destination port is the FTP port.    The table entries should contain the source address, destination address, source port, destination port, the delta for the sequence numbers, and a timestamp.    New entries are created only when an FTP PORT command or a PASV response is seen.    The sequence number delta may increase or decrease with every PORT command or PASV response.    Sequence numbers are incremented on the outbound path and decremented on the inbound path. 

  With Basic NAT, FTP payload translation is limited to replacing the private address with the assigned external address (octet by octet, in ASCII).    With a NAPT setup, the translation must also include the TCP port (in ASCII). 
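  An added example of the FTP ALG bookkeeping described above (the editor's code, not the page's or any NAT implementation's): it rewrites a PORT command so that the private address and port become the assumed NAPT-assigned pair (203.0.113.5, port 49153), returns the resulting change in payload length, and applies the accumulated delta to later outbound sequence numbers and inbound acknowledgements. The function and type names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* The ALG keeps this next to the NAT session entry (the page's table also holds
   addresses, ports and a timestamp); only the cumulative sequence delta is modelled. */
typedef struct { int32_t delta; } ftp_alg_entry;

/* Rewrite "PORT h1,h2,h3,h4,p1,p2\r\n" so the advertised private address/port become
   the NAPT-assigned external pair. Returns new length minus old length, or 0 when the
   line is not a well-formed PORT command (it is then copied through unchanged). */
int ftp_alg_rewrite_port(const char *in, char *out, size_t outsz,
                         const uint8_t ext_ip[4], uint16_t ext_port) {
    unsigned f[6];
    int ok = sscanf(in, "PORT %u,%u,%u,%u,%u,%u", &f[0], &f[1], &f[2], &f[3], &f[4], &f[5]) == 6;
    for (int i = 0; ok && i < 6; i++) if (f[i] > 255) ok = 0;   /* each field is one octet */
    if (!ok) { snprintf(out, outsz, "%s", in); return 0; }
    int n = snprintf(out, outsz, "PORT %u,%u,%u,%u,%u,%u\r\n",
                     (unsigned)ext_ip[0], (unsigned)ext_ip[1], (unsigned)ext_ip[2],
                     (unsigned)ext_ip[3], (unsigned)(ext_port >> 8), (unsigned)(ext_port & 0xFF));
    return n - (int)strlen(in);
}

/* Record a rewrite; the delta accumulates over every PORT command on this control session. */
void ftp_alg_note(ftp_alg_entry *e, int len_change) { e->delta += len_change; }

/* Outbound: the client numbers bytes of the original stream, the server has seen the
   rewritten one, so later segments leave the NAT carrying seq + delta. */
uint32_t ftp_alg_seq_out(const ftp_alg_entry *e, uint32_t seq) { return seq + (uint32_t)e->delta; }

/* Inbound: the server's acknowledgements refer to the rewritten stream and are mapped
   back by subtracting the same delta before the client sees them. */
uint32_t ftp_alg_ack_in(const ftp_alg_entry *e, uint32_t ack) { return ack - (uint32_t)e->delta; }

/* Constructed scenario: private 192.168.0.10:40001 (156*256+65) behind 203.0.113.5:49153. */
static const uint8_t ext_ip[4] = {203, 0, 113, 5};
char alg_out[64];
ftp_alg_entry alg_session = {0};
int demo_rewrite(const char *line) {
    return ftp_alg_rewrite_port(line, alg_out, sizeof alg_out, ext_ip, 49153);
}
```

The sample PORT line shrinks by two bytes, so the ALG records a delta of -2 and later sequence numbers are decremented on the way out while acknowledgements are incremented on the way back in.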

  4.5 DNS support 

  Considering that traditional NAT sessions are predominantly outbound from the private domain, a DNS ALG can be avoided with traditional NAT as follows.    A DNS server inside the LAN maintains name-to-address mappings for internal hosts and possibly for some external hosts.    External DNS servers maintain name-to-address mappings for external hosts only, not for any internal host.    If the LAN has no internal DNS server, all DNS requests go directly to the external DNS server to look up external host mappings. 

  4.6 IP option handling 

  An IP datagram with the Record Route, Strict Source Route or Loose Source Route option records or uses the IP addresses of intermediate routers.    A NAT router in the path may choose not to support these options, or to leave the addresses in these options untranslated.    The result of leaving them untranslated is that private addresses along the source route are exposed.    This does not jeopardize the datagram's forwarding path, because each router looks only at the next-hop router address. 

  5 Miscellaneous issues 

  Limitations of NAT 

  [NAT-TERM] covers the limitations of all flavors of NAT extensively.    The following are some limitations specific to traditional NAT. 

  5.1 Privacy and security 

  Traditional NAT can be viewed as providing a privacy mechanism, because sessions are unidirectional from the private hosts and the actual addresses of the private hosts are not visible to the external network.    The same characteristic that enhances privacy also makes debugging problems (including security violations) more difficult.    If a host in the private network is misusing the Internet in some way (for example, trying to attack other machines, or even sending large amounts of junk datagrams), it is more difficult to track down the actual source of the trouble, because the host's address is hidden behind the NAT router. 

  5.2 ARP responses to NAT-mapped addresses on a LAN interface 

  NAT routers must sit on the border of a stub domain.    The Basic NAT and NAPT examples in this document assume a NAT router with a WAN link to an external router (e.g., the service provider's router). 

  However, if the WAN link is replaced by a LAN connection, and the NAT-mapped addresses belong to the same IP subnet as that LAN, the NAT router must provide ARP support for the address range to which the NAT-mapped addresses belong.    Responding to ARP requests for the NAT-mapped addresses with its own MAC address is mandatory in a Basic NAT setup.    If the NAT router did not meet this requirement, no other node on the network would respond for these addresses. 

  This consideration does not arise with NAPT, except when the NAPT mapping is not to the NAT router's own interface address (for example, the switch-over from Basic NAT to NAPT described in section 5.4).    It can also be avoided by choosing NAT-mapped addresses outside the subnet directly connected to the service provider's router and configuring a static route for them on that router. 

  In the author's view, a LAN connection to the service provider's router is not very common.    Vendors may nonetheless find it worthwhile to support proxy ARP for these situations. 

  5.3 Translation of TCP/UDP fragments in a NAPT setup 

  Translation of outbound TCP/UDP fragments (i.e., those originating from private hosts) in a NAPT setup is doomed to failure.    The reason is as follows: only the first fragment contains the TCP/UDP header, which is essential for associating the packet with a session for translation.    Subsequent fragments do not contain TCP/UDP port information; they simply carry the same fragmentation identifier as the first fragment.    Now suppose two private hosts send fragmented TCP/UDP datagrams to the same destination host, and they happen to use the same fragmentation identifier.    The destination host receives two unrelated datagrams carrying the same fragmentation identifier from the same assigned host address, and cannot determine which session each fragment belongs to.    Consequently, both sessions are corrupted. 

  6.0 Current implementations 

  Many commercial implementations exist that closely follow the NAT described in this document.    The Linux public domain software "IP masquerade" is a NAPT implementation.    FreeBSD public domain software includes a NAPT implementation that runs as a daemon.    Note that the Linux source includes the GNU license statement and the FreeBSD software includes the UC Berkeley copyright statement. 

  7.0 Security considerations 

  The security considerations described in [NAT-TERM] for all flavors of NAT apply to traditional NAT as well. 
