Since June 2012, with the sixth version of the internet protocol (IPv6), a solution for the increasing shortage of IP addresses has been available. But the move to the new internet standard is a slow, drawn-out process. According to a Google statistic, in October 2016 more than 85% of internet users worldwide were still using the outdated IPv4. With only some 4.3 billion addresses, it is no longer sufficient for supplying the large number of internet-enabled devices with unique IPs. Not only computers, tablets, or smartphones require access to the online world – in the Internet of Things (IoT), even refrigerators, personal scales, or coffee machines become smart network equipment. IPv4 has compensated for the problem of address availability since the early 90s with a clear separation between private and public address spaces. In local networks (LANs), internet-capable devices with private IP addresses are addressed locally and connected to the internet through a common public IP. The go-between for the public and private address spaces is the router. This is where Network Address Translation, or NAT, takes place.

What is NAT?

The abbreviation NAT stands for Network Address Translation, a process that takes place between two networks and is usually performed on the router. There are two different types of network address translation: Source-NAT (SNAT) and Destination-NAT (DNAT).

Source-NAT

Private users mostly encounter network address translation in the form of Source-NAT. The method is used in home as well as company networks whenever a network device with a private IPv4 address accesses the internet via a public IP. In practice, the unqualified term NAT is commonly used for this case, even though that is imprecise.

Term definition: NAT vs. PAT

Basically, a distinction must be made as to whether each private IP address in a network is allocated its own public IP address (1:1 translation) or whether all network devices share the same public IP (n:1 translation).

Strictly speaking, network address translation in the literal sense only covers 1:1 translation, since in this case only the network addresses are rewritten. The n:1 translation, on the other hand, also requires the port number to be adapted. This method is known as PAT (Port and Address Translation) or NAPT (Network Address Port Translation).

Since PAT is the standard case in IPv4-based home and company networks, this method is often inaccurately referred to as NAT. Common terms like NAT router or NAT table are also used within the framework of PAT concepts. So, when NAT is talked about today, usually PAT or NAPT is meant.

Functions of Port and Address Translation (PAT)

Network address translation is generally used in the form of PAT in order to connect multiple local devices to the internet over a common IP address.

Since private IPs aren't routable (and therefore have no meaning on the internet), packets that a computer (client) in the LAN sends to a server on the internet must be given a public IP by the router. For this, the client's private IP address stored in the packet header is replaced with the router's own public IP address. In addition, the internally used port number is replaced by one of the router's free ports. To servers on the internet, the router therefore appears as the sender of all packets that originate from the local network.

The complete connection information (IP addresses, ports, and timeouts) is saved in a so-called NAT table (technically, this should also be called a PAT table). The addressed server answers the query of the local computer with a packet, which is first sent back to the corresponding router port. The router now has the task of assigning the incoming packets to the network device that started the request. Everything the router needs for this is contained in the connection information of the NAT table. Here's an example for clarification:

Imagine a router has been assigned the public IP address 217.229.111.18 by an internet service provider (ISP) and acts as the default gateway for a local network. The LAN has the private IP address range 192.168.0.0/24 (all addresses from 192.168.0.0 to 192.168.0.24) available for network devices. Now, if a device (for example, a computer with the private IP address 192.168.0.2) wants to establish a connection to the internet (for example, to a web server with the public IP 71.123.239.82 on port number 80), it reserves an internal port (e.g. 22433) and transmits the connection request to the router listed as the default gateway. The router is addressable internally via the private IP 192.168.0.1 and communicates with the outside world using the public IP 217.229.111.18.

The router receives the following information: Device 192.168.0.2 wants to establish a connection from port 22433 to 71.123.239.82 on port 80. To comply with this request, the router has to replace the source address of the LAN device (IP address and port number) with its own address. For this, it reserves any free port (e.g. 61001) and performs the network address translation: 192.168.0.2:22433 becomes 217.229.111.18:61001. All relevant information is stored in the NAT table on the router.

Client's private IP   Client's port   Router's public IP   Router's public port
192.168.0.2           22433           217.229.111.18       61001

Once it's received by the web server, the request is processed and, if possible, answered with the requested data (i.e. a website's content). This answer first reaches the router and is then forwarded using the stored connection information. According to the NAT table, the external port 61001 is reserved for response packets, which are forwarded to port 22433 of the network device 192.168.0.2.

In addition to IP addresses and port numbers, the router notes a timestamp for each connection in the NAT table. This serves as a timeout and indicates when the relevant entry can be deleted. This guarantees that ports don't remain permanently open during inactivity and become a gateway for attacks from the internet.
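The walk-through above, modelled as an added example (not code from the original article): a minimal PAT router that rewrites the outbound source address, records the mapping in its NAT table, maps the reply back to the client, discards inbound packets for which no entry exists, and expires idle entries. The 300-second timeout and the packet model are assumptions; the addresses and ports are the ones used in the article.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Values taken from the article's walk-through; the timeout is an assumed value.
ROUTER_PUBLIC_IP = "217.229.111.18"
NAT_TIMEOUT = 300  # seconds of inactivity before a NAT table entry is dropped


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Minimal model of a PAT (NAPT) router: one public IP, many private hosts."""

    def __init__(self, public_ip: str, first_port: int = 61001, timeout: int = NAT_TIMEOUT):
        self.public_ip = public_ip
        self.next_port = first_port
        self.timeout = timeout
        # NAT table: router's public port -> (client IP, client port, last-seen time)
        self.table: Dict[int, Tuple[str, int, float]] = {}

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> internet: rewrite source IP/port and record (or refresh) the mapping."""
        for port, (ip, cport, _) in self.table.items():
            if (ip, cport) == (pkt.src_ip, pkt.src_port):
                self.table[port] = (ip, cport, now)  # existing flow: refresh the timer
                return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)
        port = self.next_port  # new flow: reserve the next free public port
        self.next_port += 1
        self.table[port] = (pkt.src_ip, pkt.src_port, now)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> LAN: map the reply back to the client, or drop it if no entry exists."""
        self.expire(now)
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited packet: no client asked for it, so it is discarded
        ip, cport, _ = entry
        self.table[pkt.dst_port] = (ip, cport, now)
        # As the article notes, plain PAT does not check which server sent the reply.
        return Packet(pkt.src_ip, pkt.src_port, ip, cport)

    def expire(self, now: float) -> None:
        """Remove entries idle longer than the timeout so public ports don't stay open."""
        stale = [p for p, (_, _, seen) in self.table.items() if now - seen > self.timeout]
        for p in stale:
            del self.table[p]
```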

Destination-NAT

While Source-NAT allows connections from the LAN to the internet, Destination-NAT is used to make a local device permanently accessible for incoming connections from the internet. For this, a public port is permanently linked to the IP address of a local network device in the router configuration. All packets arriving at that port are automatically forwarded to the local target address. This is called port forwarding. The method is used, for example, when a server in the LAN is to provide services on the internet. But open ports present a security risk. It's recommended, then, to shield the local network from internet traffic by isolating devices that are reachable via port forwarding in a demilitarized zone (DMZ).

NAT: Security feature or liability?

Network address translation in the router is sometimes discussed as a security feature due to the strict separation of LAN and internet. The supposed protection function is just a side effect, though. NAT and PAT were developed to counteract the shortage of IPv4 addresses. The method can't provide the functions of a firewall or a packet filter.

But NAT and PAT do offer users in private networks a certain degree of privacy. Since all local IPv4 LAN devices go online via the same public IP address, users can more or less surf anonymously. The individual host behind the router is not directly addressable over the internet – unless port forwarding has been established for this purpose. To outside observers, all requests from the LAN appear to originate from the router.

The method also includes a protection function that ensures that all externally initiated connection attempts are automatically discarded, as long as you don't undo it with port forwarding rules. Response packets are only accepted from the internet if a server response is expected at a particular router port. Which server actually answers isn't checked under NAT or PAT. So a router port that has been opened as part of an internally initiated connection setup presents a security liability. It's recommended to implement additional security mechanisms such as firewalls and packet filters.

The weaknesses of network address translation via NAT or PAT, which primarily result from the strict separation of private and public address spaces, can't be ignored. This is a breach of the end-to-end principle of internet design, so NAT is a problem for internet applications designed on the basis of that principle.

Protocols like FTP operate under the assumption that hosts on the internet communicate directly with one another without an intervening node changing IP addresses or port numbers. In NAT-based IPv4 networks, they can only be used with the help of workarounds. Each additionally required mechanism raises the complexity and the likelihood of error of an IT system. So, the consistent implementation of the end-to-end principle is a central design goal of the new internet standard IPv6.

IPv6: The end of NAT?

With the sixth version of the internet protocol, the number of IP addresses available worldwide has multiplied. Instead of 4.3 billion IPv4 addresses, there are now theoretically 340 sextillion IPv6 addresses available to connect network devices to the internet. In other words: Every coffee machine gets its own unique, globally routable IP address. Network address translation via NAT is basically made superfluous, but can still be used in IPv6 networks to shield private address areas from the public network.
