Networks Lecture 14

NAT

IPv4 uses 32 bit addresses: 2^32 possible addresses (actually less because .0 and .255 addresses in each subnet are reserved). There are 6+ billion people on earth, so we don't even have enough IPv4 addresses to have 1 IP address per person. We are also approaching a point where any device with a CPU is network-capable. So, we need more addresses.

NAT = Network Address Translation is a way to allow a single "public" IP address to be used by multiple hosts in a "private" network. TCP/IP reserves several address prefixes for private networks: examples include 10/8, 172.16/16, and 192.168.1/24. It is not legal to attach a network using a private prefix directly to the global internet: the private address prefixes may not appear in the forwarding table of any router in the global internet. However, it is perfectly fine to use a private address block for a network that is unconnected to the global internet. NAT takes this idea further by allowing a NAT router to forward packets between a private network and the public internet.

Example: a private LAN has two hosts, A = 10.0.0.6 and B = 10.0.0.7. It is connected to the global internet using a NAT router. The NAT router has address 10.0.0.1 assigned to its interface to the private network, and 128.8.128.25 assigned to its interface to the public internet. Each of the hosts in the private network has a TCP connection open to a public web server whose IP address is 64.233.187.99.

All datagrams bound for hosts inside the private network are addressed to the NAT router's IP address. The NAT router uses a translation table to decide which host inside the private network to forward received datagrams to. For example, the translation table for TCP connections might look like this:

Host        local   NAT      Remote          Remote
            port    port     address         port
---------------------------------------------------
10.0.0.6    44444   10111    64.233.187.99   80
10.0.0.7    55555   10112    64.233.187.99   80

From the perspective of the public web server, both TCP connections belong to the NAT router, with ports 10111 and 10112 respectively. When datagrams containing TCP segments bound for hosts A and B arrive at the NAT router, it consults the TCP translation table and rewrites the destination address and destination port to the values used by the hosts inside the private network. Datagrams originating from A and B as part of these TCP connections have their source address and port rewritten to the NAT router's public address and the NAT port associated with the connection.

A similar translation table can be used to forward/rewrite other protocols, such as UDP.

NAT allows many hosts to share a single public IP address. However, it has some limitations.

  1. Only 2^16 local port numbers (TCP and UDP) are available for all hosts in the private network.
  2. Initiating a connection (or sending UDP datagrams) to a host in the private network requires special configuration, called port forwarding, e.g.,
     "all TCP packets bound for port 80 go to host 10.0.0.6".
  3. A connection may go away without the NAT router seeing the final FIN/ACK messages of TCP teardown, so the router cannot tell when the table entry can be removed.
  4. It is difficult to know whether a host inside the private network is listening on a UDP port.
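The translation table above and the first two limitations, as an added example that is not part of the lecture notes: a small Python simulation of the NAT router. The class and function names (NatRouter, Packet, demo), the sequential NAT port allocation starting at 10111 (chosen to reproduce the table), the constructed address 203.0.113.5 and the rule that an inbound datagram is only translated when it comes from the remote endpoint recorded in the table are all assumptions of this example.

```python
# Added example (not from the lecture notes): a NAT translation-table
# simulator for the scenario above. All addresses and ports are sample values.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """One translation table per transport protocol, with the same columns
    as the lecture table: host, local port, NAT port, remote address, remote port."""

    def __init__(self, private_ip, public_ip, first_port=10111, last_port=65535):
        self.private_ip = private_ip
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # (proto, NAT port) -> (host, local port, remote address, remote port)
        self.table = {}
        # reverse lookup for outbound traffic:
        # (proto, host, local port, remote address, remote port) -> NAT port
        self.by_local = {}
        # static port forwarding (limitation 2): (proto, public port) -> (host, local port)
        self.forwards = {}

    def add_forward(self, proto, public_port, host, local_port):
        self.forwards[(proto, public_port)] = (host, local_port)

    def _alloc_port(self):
        # Limitation 1: the NAT port space is shared by every host behind the router.
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port space exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address/port of a datagram leaving the private network."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.by_local.get(key)
        if nat_port is None:
            nat_port = self._alloc_port()
            self.by_local[key] = nat_port
            self.table[(pkt.proto, nat_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.public_ip, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite destination address/port of a datagram arriving from the internet,
        or return None if no table entry or forwarding rule matches (the datagram is dropped)."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is not None:
            host, local_port, remote_addr, remote_port = entry
            # Assumption of this example: only the remote endpoint recorded in
            # the table may use the mapping; other senders fall through.
            if (pkt.src, pkt.sport) == (remote_addr, remote_port):
                return Packet(pkt.proto, pkt.src, pkt.sport, host, local_port)
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            host, local_port = fwd
            return Packet(pkt.proto, pkt.src, pkt.sport, host, local_port)
        return None


def demo():
    """Reproduce the lecture's two connections, one reply, one stray packet,
    one port-forwarded connection and a port-exhaustion case."""
    nat = NatRouter("10.0.0.1", "128.8.128.25")
    a = nat.outbound(Packet("tcp", "10.0.0.6", 44444, "64.233.187.99", 80))
    b = nat.outbound(Packet("tcp", "10.0.0.7", 55555, "64.233.187.99", 80))
    a_again = nat.outbound(Packet("tcp", "10.0.0.6", 44444, "64.233.187.99", 80))
    reply = nat.inbound(Packet("tcp", "64.233.187.99", 80, "128.8.128.25", a.sport))
    stray = nat.inbound(Packet("tcp", "64.233.187.99", 80, "128.8.128.25", 20000))
    nat.add_forward("tcp", 80, "10.0.0.6", 80)
    fwd = nat.inbound(Packet("tcp", "203.0.113.5", 5000, "128.8.128.25", 80))
    tiny = NatRouter("10.0.0.1", "128.8.128.25", first_port=1, last_port=1)
    tiny.outbound(Packet("udp", "10.0.0.6", 1000, "203.0.113.5", 53))
    try:
        tiny.outbound(Packet("udp", "10.0.0.7", 1000, "203.0.113.5", 53))
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"a": a, "b": b, "a_again": a_again, "reply": reply,
            "stray": stray, "fwd": fwd, "exhausted": exhausted}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the script prints the rewritten packets: the two outbound connections appear to the web server as 128.8.128.25 ports 10111 and 10112, the reply to port 10111 is delivered to 10.0.0.6:44444, the stray packet to an unmapped port is dropped, and the forwarding rule delivers an unsolicited connection on port 80 to 10.0.0.6.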

IPv6

+---------+---------------+--------------------------+
| Version | Traffic class |          Flow label      |
+---------+---------------+--------------------------+
|      payload len        | next hdr |  hop limit    |
+-------------------------+--------------------------+
|             source address (16 bytes)              |
+----------------------------------------------------+
|              dest address (16 bytes)               |
+----------------------------------------------------+
|                      data ....                     |

version
6 for IPv6.
traffic class
Like TOS in IPv4.
flow label
Can define a "flow" that should receive special treatment.
payload len
Length of the data following the header; the header itself is now a fixed size, so no separate header-length field is needed.
next header
The protocol of the message contained in the payload: e.g., TCP, UDP.
hop limit
Like TTL in IPv4.

Primary motivation for IPv6: more address space. IPv6 allows 2^128 addresses. As a comparison, 2^69 is an estimate of the number of atoms in the universe. So, IPv6 should provide a sufficiently large address space, even if it is used relatively sparsely (as would be the case using hierarchical addressing).

Differences vs. IPv4:

  1. No fragmentation at routers. Routers send back a "packet too large" message to senders via ICMP v6.
  2. No IP options.
  3. No header checksum.

These changes reduce the processing burden on routers.

Transition from IPv4 to IPv6

Issue in transition: an IPv4-only host cannot communicate with an IPv6-only host. So, during the transition, IPv6 hosts will also need an IPv4 address. Two hosts that both support IPv6 communicate using IPv6; otherwise they fall back to using IPv4.

Issue: when IPv6 hosts communicate, their datagrams may need to travel through an IPv4-only part of the network. Approaches:

Dual-stack approach
Routers forwarding an IPv6 packet through an IPv4-only network can convert the IPv6 header to IPv4. IPv6 features (such as flow labels) will be lost.
Tunneling
The IPv6 datagrams can be encapsulated in an IPv4 datagram. The IPv4 datagram is sent to a router immediately beyond the IPv4-only network, where the original IPv6 packet is decapsulated.
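The IPv6 header layout above and the tunneling approach, as one added example that is not part of the lecture notes: Python code that packs and parses the fixed 40-byte IPv6 header (version, traffic class, flow label, payload length, next header, hop limit, addresses), encapsulates the result in an IPv4 datagram using IPv4 protocol number 41 (the registered number for IPv6 encapsulated in IPv4), and decapsulates it again, verifying the IPv4 header checksum that IPv6 no longer carries. The function names, the sample addresses (2001:db8::/32 and 192.0.2.0/24 are documentation ranges) and the payload are constructed for this example.

```python
# Added example (not from the lecture notes): IPv6 fixed header pack/parse and
# IPv6-in-IPv4 tunneling. Sample addresses and payload are constructed.
import ipaddress
import struct

IPV6_HEADER_LEN = 40
IPPROTO_IPV6 = 41   # IPv4 protocol number: payload is an IPv6 packet
IPPROTO_UDP = 17


def build_ipv6(src, dst, next_header, payload, traffic_class=0, flow_label=0, hop_limit=64):
    """Pack the fixed IPv6 header: 4-bit version, 8-bit traffic class, 20-bit flow label,
    16-bit payload length, 8-bit next header, 8-bit hop limit, two 16-byte addresses."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    hdr = struct.pack("!IHBB16s16s", first_word, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv6(pkt):
    """Unpack the header and return its fields; reject truncated or non-IPv6 input."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, plen, nh, hlim, s, d = struct.unpack("!IHBB16s16s", pkt[:IPV6_HEADER_LEN])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    if len(pkt) - IPV6_HEADER_LEN < plen:
        raise ValueError("payload shorter than payload length field")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_len": plen,
        "next_header": nh,
        "hop_limit": hlim,
        "src": str(ipaddress.IPv6Address(s)),
        "dst": str(ipaddress.IPv6Address(d)),
        "payload": pkt[IPV6_HEADER_LEN:IPV6_HEADER_LEN + plen],
    }


def ipv4_checksum(hdr):
    """Ones-complement sum over 16-bit words; IPv4 keeps this, IPv6 dropped it."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_6in4(ipv6_pkt, tunnel_src, tunnel_dst, ttl=64):
    """Wrap an IPv6 packet in a minimal 20-byte IPv4 header addressed to the far tunnel endpoint."""
    total_len = 20 + len(ipv6_pkt)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(tunnel_src).packed,
                      ipaddress.IPv4Address(tunnel_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_pkt


def decapsulate_6in4(ipv4_pkt):
    """Strip the outer IPv4 header after checking version, checksum and protocol 41."""
    vihl = ipv4_pkt[0]
    if vihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ipv4_checksum(ipv4_pkt[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    if ipv4_pkt[9] != IPPROTO_IPV6:
        raise ValueError(f"not a 6in4 tunnel packet (protocol {ipv4_pkt[9]})")
    total_len = struct.unpack("!H", ipv4_pkt[2:4])[0]
    return ipv4_pkt[ihl:total_len]


def demo():
    """Build an IPv6 packet, tunnel it across an IPv4-only segment, and recover it."""
    inner = build_ipv6("2001:db8::6", "2001:db8::7", IPPROTO_UDP, b"hello",
                       flow_label=0xABCDE, hop_limit=32)
    tunneled = encapsulate_6in4(inner, "128.8.128.25", "192.0.2.1")
    recovered = parse_ipv6(decapsulate_6in4(tunneled))
    corrupted = tunneled[:8] + bytes([tunneled[8] ^ 0x01]) + tunneled[9:]  # flip a TTL bit
    try:
        decapsulate_6in4(corrupted)
        rejected = False
    except ValueError:
        rejected = True
    return {"inner": inner, "tunneled": tunneled, "recovered": recovered, "rejected": rejected}


if __name__ == "__main__":
    print(demo()["recovered"])
```

The outer IPv4 header carries protocol 41 so the router at the far end of the IPv4-only segment knows to decapsulate rather than deliver the packet locally; the flow label and hop limit survive the trip intact because the IPv6 header is carried unchanged, which is the advantage tunneling has over header conversion.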