NAT Information
See also the NetworkingBasics page if you don't understand TCP/IP, ports, and all that jazz.
This is intended as a technically-oriented overview of NAT, its uses and problems.
So what's NAT anyway?
NAT is short for Network Address Translation. The function of NAT is to take a large number of computers that are connected to each other, and connect them to the Internet (or in more general terms, a larger network) through one computer. This sounds kind of like how routing works, except the thing about NAT is that the data coming out of the NAT box appears to be from the NAT box, and not the computers behind it. That is, all communication with computers on the "outside" of the NAT box will be tagged with the IP address of the box running NAT, and not the IP of the computer it's actually coming from. Likewise, traffic to any internal machine will be addressed to the NAT box, and then distributed. (Not exactly, but that's the general idea.)
Why would one want to do this?
In short: internet connection sharing. ISPs often only assign one IP address for a specific connection (especially in the case of home-class connections like cable or DSL.) If extra IPs are available, they come at a monthly price, and usually you can't even get more than 5 or so without having to get a business class line.
So, for homes with multiple PCs, or small businesses that can't pay for all the IP addresses they'd otherwise need, NAT becomes an attractive alternative.
OK, so how does it work?
First, the NAT box must have (at least) 2 network connections. One of these goes to the Internet (hereafter, "outside") and one to the internal network that is to be NATted (aka "inside"). The NAT box is running some program that tells it to route packets from inside the network that are addressed to other hosts outside through the appropriate connection. In doing so, it re-writes the packet it's sending to appear to come from the NAT box's IP address, and keeps a record of what computer it came from on the inside. When a response is received, the NAT box knows what internal box sent it initially, so it just undoes what it did previously and puts the correct internal IP on the packet, and sends it on.
This works all well and good, but do you see the problem? What happens if a host on the outside wants to directly contact one on the inside... without the latter first contacting the former? In a standard NAT setup, this is impossible. Connections cannot be made from outside if they are not initialized from the inside. This provides a security gain of sorts - the NAT box is the only one directly connected to the Internet, and people can't get into the internal network directly. However, it's often a false sense of security. I'll come back to this later, but this is VERY IMPORTANT: do NOT think that just because you're behind NAT, you can be lax about security on internal machines!
So we've seen the main problem with NAT. (Well, the most glaring one, in any case.) This can be solved through the use of port forwarding. As explained in the NetworkingBasics page, each computer has a number of ports and each "conversation" must be sent to a specific port. Forwarding enables incoming packets sent to a specific port to be forwarded directly to a specified machine on the internal network. This allows external hosts to initiate connections to internal machines without waiting for the internal one to start it. In terms of something like BitTorrent, port forwarding is needed so that other peers can connect to you, instead of waiting for you to connect to them.
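The translation table, the reply lookup, the silent drop of unsolicited packets and a static port forward, as an added example that is not part of the original article. All addresses and port numbers are constructed sample values, and the NatBox class is a simplified model, not any real NAT implementation.

```python
# Added example (not from the original article): a minimal model of what a
# NAT box keeps in its table and how it rewrites packets in each direction.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatBox:
    def __init__(self, public_ip, forwards=None, first_port=40000):
        self.public_ip = public_ip
        self.forwards = forwards or {}   # external port -> (inside ip, inside port)
        self.next_port = first_port      # next free port on the outside address
        self.out_map = {}   # (inside ip, inside port, dst ip, dst port) -> nat port
        self.in_map = {}    # (nat port, remote ip, remote port) -> (inside ip, port)

    def outbound(self, pkt):
        """Rewrite an inside->outside packet so it appears to come from the box."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self.out_map.get(key)
        if nat_port is None:                      # new conversation: record it
            nat_port = self.next_port
            self.next_port += 1
            self.out_map[key] = nat_port
            self.in_map[(nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Undo the translation for a reply, honour a port forward, else drop."""
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            inside = self.forwards.get(pkt.dst_port)   # static port forward
        if inside is None:
            return None   # nobody inside asked for this and nothing is forwarded
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])

def demo():
    # Constructed scenario: 192.168.1.0/24 inside, 203.0.113.5 is the box's
    # outside address, and port 6881 is forwarded to a BitTorrent peer inside.
    nat = NatBox("203.0.113.5", forwards={6881: ("192.168.1.10", 6881)})
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 80))
    again = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port))
    dropped = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 22))
    peer = nat.inbound(Packet("198.51.100.9", 50123, "203.0.113.5", 6881))
    return out, again, reply, dropped, peer
```

Note that the forwarded port is reached by any outside host, which is exactly why a forward (or a DMZ host) puts that internal machine's own security back on the table.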
I want to get into some additional topics but I feel the need to talk about the security issue first.
Security Implications
Before everyone forgets that I said NOT to ignore internal security, I'll go and say it again. The problem is that if the internal hosts aren't protected, it leads to a "soft underbelly" of the network. An attacker that's already inside the network (say, a disgruntled employee) could easily cause a large amount of damage, since the internal computers aren't themselves protected from intrusion. In addition, if someone introduces a virus into the inside of the network (say, via a laptop from home or something) then it will spread to all the machines it can. Even if it stops at the gateway, it still sucks. (Imagine all the hosts on the inside spewing packets out onto the internet. Death to your network connection, at the very least!) Also, if a malicious user somehow does break the security of the NAT box and gets into the network, they have their pick of machines, and they could get into all of them easily.
So, don't think of NAT as a method of security. (In fact, just because a box is doing NAT doesn't mean it's acting as any sort of "firewall" to keep bad packets out - it does not pass judgement on the content of the connections, it's just a traffic light of sorts.)
Now that we've covered that, we can talk more about some details and other features of NAT.
Additional Topics
Seasoned network techs often balk at NAT. Personally, I hate it - it just makes things difficult in general. I came across this MOTD on an IRC server somewhere, and I think it puts it pretty well:
- Second, we get overwhelmed by requests to add special access for
- LAN parties and small businesses running NAT (for the
- illiterate, if your IP address starts with 192.168. or 10., you are
- probably running NAT -- and your personal freedom is severely
- restricted).
-
- Please understand; our answer will always be NO. It always has
- been, and it always will be. I will try to put this in simple
- terms; NAT (Network Address Translation) and similar "technologies"
- (masquerading, etc) are detrimental to the Public Internet.
-
- NAT destroys the end-to-end transparency of the Internet. If you
- do not understand this or the ramifications of this, please READ
- UP ON IT and make up your mind. It is a short-term, detrimental
- solution to a long-term problem which is most easily solved by
- USING UP ALL AVAILABLE IPV4 ADDRESSES AS SOON AS POSSIBLE to force
- a transition to IPv6.
(See the NetworkingBasics page for more info on this, but I thought it would be appropriate here too.)
One way to look at this problem is that by restricting consumers to one IP address, ISPs prevent the users from becoming content contributors on the 'Net. (Port forwarding and such gets around this, true, but the idea holds.) NAT restricts what an internal host can do on the Internet, and the end users often have little or no control over how the NAT is set up. Thus, they often have trouble connecting to IRC servers, setting up webcams, or connecting to P2P services. Networking applications were designed to function best in the absence of NAT.
Personally, as much as I love conspiracy theories, I think ISPs aren't out to prevent end-users from doing things like this. (Well, they are, but they can block things upstream if they want to do it that badly.) The main problem is that IP addresses are becoming somewhat rarer. With the rapid proliferation of computers connected to the internet within the last 5 years, we're starting to run out of un-allocated IP addresses. A given ISP only has a certain number of IP addresses that it can distribute to clients, and it has to account for always-on users (businesses and the like) as well as home customers (dial-up and PPPoE connections, i.e. some DSL lines, aren't "always on" in that they don't always have an IP address, they get one when needed using a dynamic assignment process called DHCP.) If an ISP has more on-demand clients than it has addresses in its dynamic pool, there's a problem. Hence, they tend to limit home users to one as a general rule. IPv6 (another form of IP addresses, which allows a whole lot more unique addresses) will hopefully fix this problem, but only time will tell.
Another nifty little topic I should mention is the DMZ (short for de-militarized zone). This allows, in essence, all ports to be forwarded to one host. All incoming connections will be redirected to the proper ports on the DMZ computer. This is useful if you don't know exactly what ports to forward, but going back to the security thing, it also exposes that computer to virus/worm infections and intrusions from the outside. Be careful!
Also, be careful not to confuse a firewall and a NAT box. In general, a firewall performs different functions on traffic, as it looks at the content and type of connections that are being made, and can block certain traffic from passing through. Also, a firewall can have hosts with external IPs "behind" it, with no problem, whereas a NAT setup can't. Likewise, note that a DMZ is a somewhat different thing if you're talking about a NAT setup or a firewall setup. The former can only have one DMZ host, because it just assumes ALL incoming connections go to that one. A firewall, however, can have multiple DMZ hosts, but they all need real external IP addresses in order to differentiate between them.
Well, that about sums it up for the time being.
This article is ©2008 by the respective authors. Reproduction is prohibited without express permission from all contributors.