Network Address Translation (Traditional NAT)
Translated directly from the foreign-language original by http://91mail.51.net; for communication purposes only.
http://91mail.51.net/wz/nat.pdf
Foreword
The IP address translation operation described in this document extends the address translation of RFC 1631 and covers a class of network address and TCP/UDP port translations. In addition, this document corrects the checksum adjustment algorithm of RFC 1631 and attempts to discuss NAT operation and its limitations in detail.
Summary:
Basic Network Address Translation (Basic NAT) is a method by which IP addresses are mapped from one group to another, transparently to end users. Network Address Port Translation, or NAPT, maps many network addresses and their TCP/UDP (Transmission Control Protocol / User Datagram Protocol) ports into a single network address and its TCP/UDP ports. Together, these two operations, referred to as traditional NAT, provide a mechanism to connect a realm of private addresses to an external realm of globally unique registered addresses.
1 Introduction
The need for IP address translation arises when the IP addresses used inside a network cannot be used outside it, either for privacy reasons or because they are not valid in the external network. The network topology outside a local domain can change in many ways: customers may change providers, a company backbone may be reorganized, or providers may merge or split. Whenever the external topology changes over time, the address assignment of nodes inside the local domain must change to reflect the external addresses. Such changes can be hidden from users inside the domain by centralizing them in a single address translation router.
Basic address translation (in most cases, apart from [NAT-TERM] and this document, all variants are referred to simply as NAT) allows hosts in a private network to transparently access the external network, and allows selected local hosts to be reached from the outside. Organizations whose networks are set up primarily for internal use, with only occasional need for external access, are good candidates for this scheme.
Many Small Office, Home Office (SOHO) users and telecommuting employees run TCP/UDP applications in their offices, but their service provider assigns them only a single unique IP address for remote communication.
These remote access users increasingly benefit from NAPT, which allows multiple nodes in a local network to connect to a remote network simultaneously using the single IP address assigned to the NAT router at the edge of the local network.
This approach has many limitations. All requests and responses belonging to a session must be routed through the same NAT router. One way to guarantee this is to base NAT on a stub domain with a single border router, where all IP packets either originate from or are destined to that domain. There are other ways to ensure this with multiple NAT devices. For example, a single private domain could have two different exit points to different providers, and hosts inside the domain could select whichever NAT device offers the best path to an external host. When one NAT router fails, the other can route all traffic. But this approach has a caveat: sessions in progress may be disrupted when traffic is rerouted through the new NAT router. One way to solve this is for the routers to share the same NAT configuration and exchange state information, so that failover is transparent to the sessions.
Address translation is application independent, but it is often accompanied by application-specific gateways (ALGs) to perform payload inspection and translation. FTP is the most common ALG function found in NAT devices. Applications that require ALG intervention must not encrypt their payloads, because encryption would prevent the ALG from doing its job, unless the ALG has the key to decrypt the payload.
This approach has the disadvantage of breaking the end-to-end meaning of an IP address, and is compensated for by an increase in the state kept in the network. Consequently, the end-to-end IP network layer security guaranteed by IPsec cannot be applied to the end hosts when a NAT device is on the path. The advantage of this approach, however, is that it can be deployed without changes to hosts or routers.
Some concepts used in this document, such as "address realm", "transparent routing", "TU port" (TCP/UDP port) and "ALG", are defined in [NAT-TERM].
2. Traditional NAT Overview
The address translation operation described in this document is based on "traditional NAT". Other NAT variants are not addressed in this document. In most cases, traditional NAT allows hosts within a private network to transparently access hosts in the external network. In traditional NAT, sessions are unidirectional, outbound from the private network. Sessions in the opposite direction may be allowed on an exceptional basis, using static address maps for pre-selected hosts. Basic NAT and NAPT are the two variants of traditional NAT: with Basic NAT the translation is limited to IP addresses, whereas with NAPT the translation covers IP addresses as well as transport identifiers (such as TCP/UDP ports or ICMP query IDs).
2.1 Overview of Basic NAT
Basic NAT operates as follows. A stub domain with a set of private network addresses communicates with the external network by dynamically mapping the set of private addresses to a set of globally valid network addresses. If the number of local nodes is less than or equal to the number of addresses in the global set, each local address is guaranteed a global address to map to. Otherwise, the number of nodes that can simultaneously access the external network is limited by the number of global addresses. Individual local addresses may be statically mapped to specific global addresses to ensure that external access always uses the same address. Multiple simultaneous sessions may be initiated from a local node using the same address mapping.
Addresses inside a stub domain are only valid locally and are not meaningful outside it. The same addresses may therefore be reused by any number of other stub domains. For example, a single class A address could be used by many stub domains. NAT is installed at each exit point between a stub domain and the backbone network. If there are multiple exit points, each must have the same translation table.
2.2 NAPT Overview
Suppose an organization has a private network and a WAN link to a service provider. The stub router of the private network is assigned a valid address on the WAN link, while the remaining nodes in the organization have IP addresses that are only valid locally. In this case, multiple nodes of the private network are allowed to simultaneously access the external network using the single registered IP address, with the help of NAPT. NAPT allows mapping tuples of the type (local IP address, local TU port) to tuples of the type (registered IP address, assigned TU port). This model fits the requirements of SOHO groups connecting to the WAN with the single registered IP address supplied by their service provider. This model can be extended to allow inbound access by statically mapping a local node to each service TU port of the registered IP address.
In addition to TCP/UDP sessions, ICMP messages, with the exception of the REDIRECT message type, may also be monitored by a NAPT router. ICMP query packets are translated in the same manner as TCP/UDP packets, in that the identifier field in the ICMP header is uniquely mapped to a query identifier of the registered IP address. The identifier field in an ICMP query message is set by the sender of the query and is returned unchanged in the response. So, the tuple (local IP address, local ICMP query ID) is mapped by the NAPT router to a tuple (registered IP address, assigned ICMP query ID), which uniquely identifies the ICMP query of any local host. Modifications to ICMP error messages are discussed in a later section and include changes to the ICMP payload as well as to the IP and ICMP headers.
In a NAPT setup where the registered IP address is the same as the IP address of the WAN interface on the stub router, the router must distinguish between its own TCP, UDP, and ICMP query sessions and those originating from local nodes. All inbound sessions (including TCP, UDP, and ICMP query sessions) are assumed to be directed to the NAT router as the end node, unless the target service port is statically mapped to a different node in the local network.
Sessions other than TCP, UDP, and ICMP query types are simply not permitted from local nodes serviced by a NAPT router.
3.0 Session Flow
The traditional NAT session flow is the same as described in [NAT-TERM]. The following sections describe the details specific to traditional NAT.
3.1 Address Binding
With Basic NAT, a private address is bound to an external address when the first outbound session is initiated from the private host. After that, all other outbound sessions originating from the same private address use the same address binding for packet translation. With NAPT, where many private addresses are mapped to a single globally unique address, the binding is from the tuple (private address, private TU port) to the tuple (assigned address, assigned TU port). As with Basic NAT, the binding is determined when the first outbound session is initiated by the tuple (private address, private TU port). While not a common practice, it is possible for a private host to initiate multiple simultaneous sessions from the same tuple (private address, private TU port). In that case, a single binding for the tuple (private address, private TU port) may be used for the packets of all sessions originating from the same tuple on that host.
3.2 Address Lookup and Translation
After an address binding or, in the case of NAPT, a port binding is established, a soft state is maintained for each connection that uses the binding. Packets belonging to the same session are subject to session lookup for translation purposes. The exact nature of the translation is discussed in the next section.
3.3 Address Unbinding
When the last session based on an address binding or port binding terminates, the binding itself is terminated.
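The binding lifecycle of sections 2.2 and 3 (first outbound packet creates the tuple binding, inbound packets are looked up against it, the binding is released when the last session ends, and unmatched inbound traffic is treated as addressed to the router unless a static service mapping exists) can be made concrete with a small table. This is an added example, not code from the RFC; the registered address 203.0.113.9, the private addresses, the port numbers and the allocation range are constructed, and a separate ID namespace per protocol is an assumption of this example.

```python
"""NAPT binding table: bind on first outbound session, look up inbound
packets, unbind when the last session ends. Added example, not RFC code."""
from dataclasses import dataclass

REGISTERED_IP = "203.0.113.9"   # constructed: the router's single registered address


@dataclass
class Binding:
    private_ip: str
    private_id: int      # private TU port, or ICMP query ID for proto "icmp"
    assigned_id: int     # TU port / query ID used on the registered address
    sessions: int = 0    # live sessions sharing this binding


class NaptTable:
    """Bindings keyed by (proto, private IP, private TU port or query ID)."""

    def __init__(self, registered_ip=REGISTERED_IP, first_id=1024, last_id=65535):
        self.registered_ip = registered_ip
        self.first_id, self.last_id = first_id, last_id
        self._out = {}     # (proto, private_ip, private_id) -> Binding
        self._in = {}      # (proto, assigned_id) -> Binding
        self.static = {}   # (proto, assigned_id) -> (private_ip, private_id): pre-selected hosts

    def _allocate(self, proto):
        """Lowest free assigned ID for this protocol, skipping static service ports."""
        for cand in range(self.first_id, self.last_id + 1):
            if (proto, cand) not in self._in and (proto, cand) not in self.static:
                return cand
        raise RuntimeError("no free TU port / query ID for %s" % proto)

    def open_session(self, proto, src_ip, src_id):
        """First outbound packet of a new session: reuse or create the binding
        for its (private IP, private ID) tuple and return the translated tuple."""
        key = (proto, src_ip, src_id)
        b = self._out.get(key)
        if b is None:
            b = Binding(src_ip, src_id, self._allocate(proto))
            self._out[key] = b
            self._in[(proto, b.assigned_id)] = b
        b.sessions += 1
        return (self.registered_ip, b.assigned_id)

    def lookup_outbound(self, proto, src_ip, src_id):
        """Later outbound packets: translate without touching the session count."""
        b = self._out.get((proto, src_ip, src_id))
        return None if b is None else (self.registered_ip, b.assigned_id)

    def inbound(self, proto, dst_id):
        """Inbound packet on the registered address: dynamic binding first, then
        static service map; None means the packet is for the router itself."""
        b = self._in.get((proto, dst_id))
        if b is not None:
            return (b.private_ip, b.private_id)
        return self.static.get((proto, dst_id))

    def end_session(self, proto, src_ip, src_id):
        """A session ended; drop the binding when no session uses it any more."""
        key = (proto, src_ip, src_id)
        b = self._out.get(key)
        if b is None:
            return False
        b.sessions -= 1
        if b.sessions == 0:
            del self._out[key]
            del self._in[(proto, b.assigned_id)]
        return True
```

The session counter is what distinguishes "several sessions from one (private address, private TU port) tuple" from a binding that can be released: only when it reaches zero is the assigned port returned to the pool, so an inbound packet for that port afterwards is no longer delivered to the former private host.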
4.0 Packet Translation
Packets belonging to NAT-managed sessions undergo translation in either direction. The following subsections cover the individual packet translation issues in detail.
4.1 IP, TCP, UDP and ICMP Header Manipulations
In the Basic NAT model, the IP header of every packet must be modified, including the IP address (the source IP address for outbound packets, the destination IP address for inbound packets) and the IP checksum.
For TCP and UDP sessions, the modifications must extend to the TCP/UDP checksum, because the TCP/UDP checksum covers a pseudo-header that contains the source and destination IP addresses. One exception is a UDP header whose checksum is zero, which need not be modified. As for ICMP query packets, no further changes are required, because the IP addresses are not included in the ICMP header or its checksum.
In the NAPT model, the modifications to the IP header are the same as in Basic NAT. For TCP/UDP sessions, the header modifications must extend to translation of the TU port (the source TU port for outbound packets, the destination TU port for inbound packets) in the TCP/UDP header. The ICMP header of ICMP query packets must be modified to replace the query ID and the ICMP header checksum. The private host's query ID must be translated to an assigned ID in the outbound direction and back in the inbound direction, and the ICMP header checksum must be corrected to account for the query ID translation.
4.2 Checksum Adjustment
NAT modifications are per packet and can be computationally expensive, since in addition to simple field translation they involve one or more checksum modifications. Fortunately, there is an algorithm that allows the IP, TCP, UDP, and ICMP header checksums to be adjusted easily. Because all of these headers use a one's complement sum, it is sufficient to calculate the arithmetic difference between the pre-translation and post-translation values and add that difference to the checksum.
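The header manipulations of 4.1 and the incremental checksum adjustment of 4.2 can be combined in one outbound NAPT translation of an IPv4/TCP packet. The following is an added example, not the RFC's code: it builds a constructed 40-byte packet (10.0.0.5:40000 to 198.51.100.10:80, IP ID 0x1c46), rewrites the source address to 203.0.113.9 and the source port to 1024, and updates both checksums with the RFC 1624 form HC' = ~(~HC + ~m + m') rather than recomputing them over the whole packet. Note that the TCP checksum must be adjusted for two changes at once, the source address in the pseudo-header and the source port in the TCP header, while the IP checksum only sees the address change.

```python
"""Outbound NAPT rewrite of an IPv4/TCP packet with incremental checksum
update. Added example, not RFC code; packet contents are constructed."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit big-endian words of data into a one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Fresh Internet checksum (the checksum field in data must be zeroed)."""
    return (~ones_complement_sum(data)) & 0xFFFF


def adjust_checksum(old_csum: int, old_words: bytes, new_words: bytes) -> int:
    """Update a checksum when old_words in the covered data become new_words,
    leaving the rest of the data untouched: HC' = ~(~HC + ~m + m')."""
    acc = (~old_csum & 0xFFFF)
    acc += (~ones_complement_sum(old_words)) & 0xFFFF
    acc += ones_complement_sum(new_words)
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, ip_id=0x1c46, seq=1, ack=0) -> bytes:
    """Constructed IPv4 header + TCP SYN header (no payload), checksums valid."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return ip + tcp


def translate_outbound(packet: bytes, new_src_ip: str, new_sport: int) -> bytes:
    """Rewrite the source IP (IP header) and source port (TCP/UDP header) and
    fix both checksums incrementally."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    ip, l4 = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    old_src, new_src = bytes(ip[12:16]), socket.inet_aton(new_src_ip)
    old_port, new_port = bytes(l4[0:2]), struct.pack("!H", new_sport)

    # IP checksum covers only the IP header: the changed words are the source address.
    ip_csum = struct.unpack("!H", ip[10:12])[0]
    ip[10:12] = struct.pack("!H", adjust_checksum(ip_csum, old_src, new_src))
    ip[12:16] = new_src

    # Transport checksum covers the pseudo-header (source IP) and the header (source port).
    csum_off = 16 if proto == 6 else 6          # TCP vs UDP checksum offset
    l4_csum = struct.unpack("!H", l4[csum_off:csum_off + 2])[0]
    if not (proto == 17 and l4_csum == 0):      # UDP with zero checksum is left alone
        l4[csum_off:csum_off + 2] = struct.pack(
            "!H", adjust_checksum(l4_csum, old_src + old_port, new_src + new_port))
    l4[0:2] = new_port
    return bytes(ip + l4)


def checksums_valid(packet: bytes) -> bool:
    """True when both the IP header and the TCP segment verify (sum is 0xFFFF)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return ones_complement_sum(ip) == 0xFFFF and ones_complement_sum(pseudo + tcp) == 0xFFFF


if __name__ == "__main__":
    pkt = build_packet("10.0.0.5", "198.51.100.10", 40000, 80)
    out = translate_outbound(pkt, "203.0.113.9", 1024)
    print("before: ip csum 0x%04x valid=%s" % (int.from_bytes(pkt[10:12], "big"), checksums_valid(pkt)))
    print("after:  ip csum 0x%04x valid=%s" % (int.from_bytes(out[10:12], "big"), checksums_valid(out)))
```

Because the update works on the one's complement sum, it never needs the bytes that did not change, which is what makes it cheap per packet; the same `adjust_checksum` serves the ICMP query ID translation of 4.1 (old and new ID as the two-byte words) and the embedded-header fixes of the next section.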
4.3 ICMP Error Packet Modifications
Modifications to an ICMP error message include changes to the outer IP and ICMP headers and to the IP and transport headers embedded in the ICMP error message payload.
For NAT to be transparent to the destination host, the IP address in the IP header embedded in the ICMP error payload must be modified, and the checksum of the embedded IP header must be modified as well. Finally, the ICMP header checksum must be modified to reflect the changes made to the payload.
In a NAPT setup, if the IP message embedded in the ICMP error carries a TCP, UDP, or ICMP query packet, the TU port number in the TCP/UDP header or the query ID field in the ICMP query header must be modified as well.
Finally, the IP header of the outer packet carrying the ICMP message must also be modified.
4.4 FTP Support
As one of the most commonly used applications, FTP requires an ALG to monitor the control session payload to determine the parameters of the ensuing data session. The FTP ALG is an integral part of most NAT implementations. The FTP ALG requires a special table to correct the TCP sequence and acknowledgement numbers of packets whose source or destination is the FTP control port. The table entries should contain the source address, destination address, source port, destination port, sequence number delta, and a timestamp. New entries are created only when FTP PORT commands or PASV responses are seen. The delta may increase or decrease with each FTP PORT command or PASV response. The delta is added to sequence numbers in the outbound direction and subtracted from acknowledgement numbers in the inbound direction.
For Basic NAT, the FTP payload translation is limited to the private address and its assigned external address (encoded as octets in ASCII). For NAPT, the translation must also include the TCP port (encoded in ASCII).
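The delta table described above can be shown on an outbound PORT command. This is an added example, not the RFC's or any implementation's code: the control connection key, the private address 10.0.0.5, the NAPT-assigned 203.0.113.9:50000 and the payloads are constructed, and the example handles the PORT command only (a PASV response from a server inside the private network would be rewritten in the same way, with the delta applied in the opposite direction). Because the ASCII encoding of the new address and port is usually longer than the old one, the rewritten segment grows, and every later outbound sequence number and inbound acknowledgement number on that control connection must be shifted by the accumulated difference.

```python
"""FTP ALG: rewrite an outbound PORT command behind NAPT and keep the
sequence/acknowledgement delta per control connection. Added example, not
RFC code; all addresses, ports and payloads are constructed."""
import re
import time

# PORT h1,h2,h3,h4,p1,p2: address octets and port bytes as decimal ASCII
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def encode_port_arg(ip: str, port: int) -> bytes:
    """'203.0.113.9', 50000 -> b'203,0,113,9,195,80'."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)]).encode()


def decode_port_arg(match) -> tuple:
    """Regex match of a PORT command -> (dotted IP, port)."""
    a = [int(x) for x in match.groups()]
    return ".".join(map(str, a[:4])), (a[4] << 8) | a[5]


class FtpAlg:
    def __init__(self):
        # key: (src_ip, dst_ip, sport, dport) of the control connection as seen
        # outbound; value: [accumulated sequence delta, timestamp of last change]
        self.deltas = {}

    def rewrite_port(self, key, payload: bytes, global_ip: str, global_port: int):
        """Replace the private address/port in a PORT command with the
        NAPT-assigned pair. Returns (new payload, (private_ip, private_port))
        so the caller can pre-bind the inbound data connection; the private
        tuple is None when the payload carries no PORT command."""
        m = PORT_RE.search(payload)
        if m is None:
            return payload, None
        new_payload = (payload[:m.start()] + b"PORT " + encode_port_arg(global_ip, global_port)
                       + b"\r\n" + payload[m.end():])
        entry = self.deltas.setdefault(key, [0, 0.0])
        entry[0] += len(new_payload) - len(payload)   # deltas accumulate per command
        entry[1] = time.time()
        return new_payload, decode_port_arg(m)

    def adjust_outbound_seq(self, key, seq: int) -> int:
        """Sequence numbers of later outbound segments move forward by the delta."""
        return (seq + self.deltas.get(key, [0])[0]) & 0xFFFFFFFF

    def adjust_inbound_ack(self, key, ack: int) -> int:
        """Acknowledgements from the server move back by the delta before the
        private host sees them."""
        return (ack - self.deltas.get(key, [0])[0]) & 0xFFFFFFFF


if __name__ == "__main__":
    alg = FtpAlg()
    ctrl = ("10.0.0.5", "198.51.100.10", 40001, 21)
    new, priv = alg.rewrite_port(ctrl, b"PORT 10,0,0,5,4,1\r\n", "203.0.113.9", 50000)
    print(new, priv, alg.deltas[ctrl][0])
```

The segment that carries the PORT command keeps its own sequence number; the delta applies from the next outbound segment on, which is why the table is consulted on every packet of the control connection and not only on the ones the ALG rewrites.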
4.5 DNS Support
Considering that traditional NAT sessions are predominantly outbound from a private domain, a DNS ALG can be avoided with traditional NAT as follows. A DNS server inside the private domain maintains name-to-address mappings for the internal hosts and possibly for some external hosts. External DNS servers maintain name mappings only for external hosts, not for internal hosts. If the private network does not have an internal DNS server, all DNS queries are directed to the external DNS server to resolve external host names.
4.6 IP Option Handling
An IP datagram with any of the IP options Record Route, Strict Source Route, or Loose Source Route involves recording or using the IP addresses of intermediate routers. A NAT intermediate router may choose not to support these options, or to leave the addresses untranslated when processing them. The result of leaving the addresses untranslated is that private addresses are exposed in the source route. This does not jeopardize the forwarding path of the packet, since each router only looks at the next router along the route.
5. Miscellaneous Issues
NAT Limitations
[NAT-TERM] covers the limitations of all NAT types at length. The following sections describe the limitations specific to traditional NAT.
5.1 Privacy and Security
Traditional NAT can be viewed as providing a privacy mechanism, since sessions are unidirectional from private hosts and the actual addresses of private hosts are not visible to external networks. The same characteristic that enhances privacy potentially makes debugging problems (including security violations) more difficult. If a host in a private network is abusing the Internet in some way (for example, trying to attack another machine or even sending large amounts of spam), it is more difficult to track down the source, because the IP address of the host is hidden behind the NAT router.
5.2 ARP Responses to NAT-Mapped Global Addresses on a LAN Interface
NAT must be enabled only on a border router of a stub domain. The examples given in this document for Basic NAT and NAPT assume a WAN link from the NAT router to an external router (for example, the service provider's router).
However, if the WAN link is replaced by a LAN connection, and if the NAT-mapped global addresses belong to the same IP subnet as that LAN, the NAT router is expected to provide ARP support for the address range belonging to the NAT map. Answering ARP requests for the NAT-mapped global addresses with its own MAC address is a requirement for the NAT router in Basic NAT. If the NAT router does not satisfy this requirement, no other node on the LAN has these addresses, and packets for them are not forwarded.
These considerations are not likely to apply to a NAPT setup, unless the single address in the NAPT map is not the interface address of the NAT router (for example, during a switchover from Basic NAT to NAPT as discussed above). Using an address within the range of the directly connected subnet for the NAT map avoids static route configuration on the service provider's router.
In the authors' opinion, a LAN connection to a service provider router is not very common. However, vendors may be interested in supporting ARP for this scenario.
5.3 Translation of Outbound TCP/UDP Fragments in a NAPT Setup
In a NAPT setup, translation of outbound TCP/UDP fragments (i.e., those originating from private hosts) is doomed to fail. The reason is as follows. Only the first fragment contains the TCP/UDP header needed to associate the packet with a session for translation purposes. Subsequent fragments do not contain TCP/UDP port information; they carry only the same fragmentation identifier as the first fragment. Suppose two private hosts each send a fragmented TCP/UDP packet to the same destination host, and they happen to use the same fragmentation identifier. When the destination host receives these two unrelated datagrams, carrying the same fragmentation identifier and coming from the same assigned host address, it cannot determine which session each fragment belongs to. Consequently, both sessions are corrupted.
6.0 Current Implementations
Many commercial implementations exist that adhere to the NAT described in this document. Public domain software for Linux includes NAT as part of IP masquerade. Public domain software for FreeBSD runs NAPT as a daemon (background process). Note, however, that the Linux source is covered by the GNU license and the FreeBSD software by the UC Berkeley license.
7.0 Security Considerations
The security considerations described in [NAT-TERM] for NAT in general also apply to traditional NAT.