Network Address Translation: an abomination and horror
There are not that many IPv4 addresses. When the Internet started a long time ago, 2^32 addresses (more than 4 billion) seemed to be a lot. Today ICANN (the US company that administers the addresses and “numbers” of the Internet) has already completely assigned all IPv4 address blocks to the “regional” authorities of the various parts of the planet.
For this and other reasons we are now in a migration process to the new IPv6 protocol, which provides 128-bit addresses. A lot of estimates show that this new kind of address will be enough for a very long time, even if we use them in a very “bad way”.
The migration process officially started in 2008 and will probably go on for several years. We are already using a lot of migration techniques on several networks (which provide both IPv4 and IPv6 connectivity).
Actually this lack of addresses was already predicted and known during the 90s, and NAT (Network Address Translation) was created on purpose to “temporarily” solve the problem. This “temporarily” has lasted very long, because we still use it today, more than ever.
But, first of all, let me clarify some definitions. Plain “NAT” means the translation of a subnet of public addresses to a subnet of private addresses and vice versa. This means that we make a one-to-one association: for each public address we associate one private address.
For example, let’s suppose that we have a router with two interfaces, one to the Internet and one to a local LAN which uses IPv4 addresses.
Let’s also suppose we have 10 computers on the LAN and 10 public IP addresses available for Internet use. Plain NAT means that we could use 10 private addresses on the computers on the LAN and program the router so that, for each incoming IPv4 packet, it replaces the destination IP address with a private address (and vice versa for outgoing packets), based on an association table. This makes it easy to change the public IP addresses of all machines (for example when we change ISP). That is actually a real problem, but there are several solutions for it other than doing NAT.
But this “plain NAT” is almost never used today; what I want to talk about is NAPT (Network Address and Port Translation), which is often called just “NAT”, giving origin to this ambiguity.
NAPT works in this way: let’s suppose we again have a local network and a router as before. Now let’s suppose we have just one public IP address and 10 computers on the local network. How can we connect all the computers to the Internet? First let’s take a step back and see, in a very simple way, how a connection works.
Every computer wants to send/receive TCP and UDP packets. Each TCP and UDP packet is characterized by two “port” numbers, a source port and a destination port. The source port identifies which application on the sending host the packet came from, while the destination port identifies the application to connect to on the destination host. The destination host swaps destination and source port numbers in order to send back responses.
So, we will use private IP addresses on the local network as before and we will keep the public IP address on the router. The router employs NAPT, so when an initial packet comes from the local network, the router reads the source port of the TCP packet and looks at the free source port numbers on its own address. The router then chooses a free source port for its address and notes in a table: “the local network host with address x.y.z.w has established a connection to the remote host k.h.j.l, and all packets coming from x.y.z.w with source port X must be rewritten with my source port Y and my public address as source”. In a similar way it reads the same entry in reverse when a packet comes from the Internet: the router checks whether the destination address is its public IP, and if so it checks the destination port and sees whether that port is used by some NAPT mapping. If the port is part of a NAPT mapping rule, it finds the row in the table, replaces the destination port Y with the original port X and the destination address with the private address x.y.z.w of the LAN host. All this could also be deployed using more than one public address on the router, in order to increase the number of parallel connections (we will see that later).
Even if this system lets you “solve” the IPv4 exhaustion problem, a lot of network administrators and people in the Internet community think that it is really an abomination and horror for the TCP/IP protocol suite. Here are some of my thoughts about it:
8 reasons why NAPT (NAT) should not be used:
- NAPT goes against the most important rule of protocol layering, which says that a protocol at level k should not make any assumption about protocols at level k+1. A router should normally just take incoming IP packets and route them using a routing table. Instead, with NAPT, the router also has to inspect the IP packet payload (the TCP/UDP header) in order to read port numbers. This should not be done according to the layering rule, and it also causes unexpected overhead on an embedded device which should just forward packets but now also has to track every TCP/UDP connection going through it.
- NAPT is against the hierarchical model of IP, which says that any host connected to the Internet is globally identified in a unique way by an IP address. In some cases this could be good for our anonymity, but it is surely no guarantee that we cannot be traced in several other ways.
- Internet applications should not be obliged to use TCP and UDP. If a user behind a NAT decides to use a different (layer 4) transport protocol, he will not be able to use it, because NAPT works only on TCP and UDP by checking port numbers. Some transport protocols have no port numbers. ICMP, for example, the control protocol for IP operation and network diagnostics, does not use port numbers but is necessary anyway. For this reason NAPT routers employ several workarounds in order to send/receive such packets correctly (watching other numbers inside the ICMP packets). This is obviously again more “hard” work for the router. We should not forget that each time we add something for the router to do, the workload per packet increases, and on some network lines latency and congestion can slowly increase. This means that manufacturers may need more powerful hardware and so higher costs (and energy consumption). I understand that this is a bit of an exaggerated view of the problem, but if we really have a lot of traffic (and not just 10 computers), we should start to consider these problems too.
- The number of parallel connections decreases. This is because the NAPT router has to use one of its free source ports for each connection; since the available ports are 2^16 (actually the first 4096 should not be used for NAPT), we can’t have more than 65535 connections for each public IP address used by the NAPT router. You could think that it’s a big number, but if we use just one IP address for the network of a small company or a university campus (and maybe someone is doing port scanning or other bad things), the router will exhaust its port numbers and the network will not accept new connections. If we have 100 computers behind the NAPT, each one could make around 655 connections. Try to open some P2P software on a few of them and see what happens. For these reasons, mainly on corporate networks, we start to use not just one IP address but a pool of IP addresses, in order to have more parallel connections available. So at this point, was it really necessary to use NAPT if we had other public addresses? Maybe for a university campus the answer would be “yes”, but for a small office it could be “no”.
- NAPT transforms the Internet from a connectionless network into a connection-oriented one. This is because the NAPT device must keep track of all the information related to every connection going through it. If a NAPT router goes down and its NAPT mapping table is lost, no TCP/UDP/ICMP connection will be able to continue when the router comes back online. Instead, without NAPT, when a router goes down and then up, the endpoints of a TCP connection will just see a short lag (the router’s reboot time) in communication. UDP has problems as well: let’s say for example that we are in a VoIP call when someone reboots the router. VoIP usually works over the RTP protocol (which runs over UDP). If we are using a normal router we will just have a short absence of communication, then the audio will come back. Instead, using NAPT, the VoIP call will be lost and we will have to call back again. I know, it’s not such a common scenario, but it shows how evil NAPT is.
- Usually each host connected to the Internet is able to connect to some servers or to expose some services on the network, so that other people can connect. Sadly, using NAPT we can’t get incoming connections to our host. You could say that it’s possible to configure the NAPT router to forward some ports. So let’s say I have two hosts on the LAN that want to expose an HTTP web server (TCP port 80). We have just 1 public IP address and we can use TCP port 80 only once, so in any case we could provide access to just one of the two hosts; the other one would have to use a non-standard port. I think that (also) because of NAPT, the Internet is becoming every day more of a “download-only” network. This is more a philosophical problem than a technical one, but I think that the good side of the Internet (since its first days of existence) is the possibility to expose a self-hosted service to anyone, from any point in the world, without the need to ask someone else to host it.
- A lot of application-level protocols (DCC and FTP in active mode, for example) carry the IP addresses of hosts inside application-level messages (to tell the server where to send some data). NAPT doesn’t know anything about this, and the result is that these protocols don’t work anymore today. On some routers there are deep packet inspection systems which are able to recognize these messages and alter them while opening ports in the NAPT mapping (a lot of NAPT routers do that for FTP active mode, for example). I think this is even worse than what we were talking about before, because now the router does not just have to inspect layer-4 headers, but even layer-7 messages! Reassembling TCP streams to search for a byte sequence is not a fast/easy thing for a router to do; it adds a lot of overhead. If you still aren’t convinced about this problem, maybe you should read about the workarounds that the IPsec designers made for using IPsec over NAPT. IPsec can sign or encrypt the payload of IP packets in order to make them secure and with a reliable source. To add this feature, IPsec signs the whole IP payload. This is a problem because some fields which should be fixed (port numbers) are changed by the NAPT, so the signature check fails. Also, if the packet is encrypted, the NAPT can’t read the port numbers at all!
- NAPT doesn’t let you keep idle connections open. It can often be useful to keep a connection open on which no data flows for hours or weeks (think about today’s popular WebSockets, or IMAP with the IDLE command). TCP/IP supports this without problems, since the connection state is kept only by the endpoints. But NAPT, since it has few free port numbers to use, can’t just keep them allocated forever (because of badly-closed connections and DoS attacks against the NAPT). So, for these reasons, the NAPT closes connections which are not “active” and reallocates their port numbers to new connections. The worst thing about this is that (on some NAPT implementations) the two hosts don’t receive any notification of this “disconnection” from the NAPT, so they still think they are connected but they aren’t, and they discover it only when trying to send something to the other host.
On the other hand, without NAPT, we could shut down the router, change communication lines, change the way we connect to the router, put the host in standby, cut the fiber optic cables in the Atlantic Ocean and wait. We could do whatever we want: when we come back online, if the addresses of the endpoints have not changed, we are still “connected” to the other host and we are still able to send data on the same connection. That’s all thanks to TCP/IP.
Someone could ask “so how can I keep idle connections open over NAPT?”. There are many answers; maybe the most popular is to use something like the “ping/pong” messages that IRC sometimes uses. Another answer could be to use a workaround called “TCP keepalive”, which from time to time sends some empty TCP segments inside the connection in order to show the NAPT that we are active and that it should not delete the mapping rule.
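To make the mapping table concrete, here is a small NAPT simulator. It is an added example, not code from the original post, and it only models the behaviour described above: the per-connection port allocation from a free pool (which runs out, as in the “parallel connections” point), the mapping table that disappears on a reboot, and the idle timeout that a keepalive segment refreshes. The addresses, pool sizes and timeout values are constructed for the demo; real devices differ in how they pick ports and in their timeouts.

```python
"""Toy NAPT simulator (added example; constructed addresses and timeouts)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    lan_ip: str
    lan_port: int
    remote_ip: str
    remote_port: int
    last_seen: float  # time of the last packet seen in either direction


class NAPTRouter:
    def __init__(self, public_ip, port_range=(4096, 65535), idle_timeout=60.0):
        self.public_ip = public_ip
        self.port_range = port_range
        self.idle_timeout = idle_timeout
        self.free_ports = list(range(port_range[0], port_range[1] + 1))
        self.table: Dict[int, Mapping] = {}                       # public port -> mapping
        self.by_flow: Dict[Tuple[str, int, str, int], int] = {}  # LAN flow -> public port

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """LAN -> Internet: rewrite the source to (public_ip, allocated port)."""
        self.expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.by_flow.get(key)
        if pub_port is None:
            if not self.free_ports:
                return None  # pool exhausted: the new connection cannot be opened
            pub_port = self.free_ports.pop(0)
            self.table[pub_port] = Mapping(*key, last_seen=now)
            self.by_flow[key] = pub_port
        self.table[pub_port].last_seen = now
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> LAN: look up the destination port, restore the LAN address/port."""
        self.expire(now)
        if pkt.dst_ip != self.public_ip:
            return None
        m = self.table.get(pkt.dst_port)
        if m is None:
            return None  # no mapping: an unsolicited packet has nowhere to go
        m.last_seen = now
        return Packet(pkt.src_ip, pkt.src_port, m.lan_ip, m.lan_port)

    def expire(self, now: float) -> int:
        """Forget mappings idle for longer than idle_timeout; return how many."""
        stale = [p for p, m in self.table.items() if now - m.last_seen > self.idle_timeout]
        for p in stale:
            m = self.table.pop(p)
            del self.by_flow[(m.lan_ip, m.lan_port, m.remote_ip, m.remote_port)]
            self.free_ports.append(p)
        return len(stale)

    def reboot(self) -> None:
        """Router restart: the whole mapping table is lost."""
        self.free_ports = list(range(self.port_range[0], self.port_range[1] + 1))
        self.table.clear()
        self.by_flow.clear()


def demo_translation():
    """One flow out and its reply back; returns the two rewritten packets."""
    r = NAPTRouter("203.0.113.1", port_range=(4096, 4099))
    out = r.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80), now=0)
    back = r.inbound(Packet("198.51.100.5", 80, "203.0.113.1", out.src_port), now=1)
    return out, back


def demo_exhaustion(pool_size=4):
    """Open pool_size+1 connections through a pool of pool_size ports."""
    r = NAPTRouter("203.0.113.1", port_range=(4096, 4096 + pool_size - 1))
    opened = [r.outbound(Packet("192.168.1.10", 50000 + i, "198.51.100.5", 80), now=0)
              for i in range(pool_size + 1)]
    return sum(p is not None for p in opened), opened[-1]


def demo_idle_timeout(keepalive: bool) -> bool:
    """Does a reply at t=100 still reach the LAN host with a 60 s idle timeout?"""
    r = NAPTRouter("203.0.113.1", idle_timeout=60)
    flow = Packet("192.168.1.10", 51000, "198.51.100.5", 993)
    out = r.outbound(flow, now=0)
    if keepalive:
        r.outbound(flow, now=50)  # an empty keepalive segment refreshes last_seen
    reply = r.inbound(Packet("198.51.100.5", 993, "203.0.113.1", out.src_port), now=100)
    return reply is not None


def demo_reboot() -> bool:
    """After a reboot the remote side's next packet is undeliverable."""
    r = NAPTRouter("203.0.113.1")
    out = r.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 5004), now=0)
    r.reboot()
    return r.inbound(Packet("198.51.100.5", 5004, "203.0.113.1", out.src_port), now=1) is None
```

Running `demo_exhaustion()` shows the fifth connection refused with a four-port pool; `demo_idle_timeout(False)` shows the reply silently dropped after the mapping expires, while `demo_idle_timeout(True)` shows the keepalive keeping it alive; `demo_reboot()` shows why the VoIP call in the text cannot resume. The simulator looks up inbound packets by destination port only, as the post describes; real routers vary in whether they also check the remote address.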
The NAT is not a firewall
A lot of people think that NAPT, because of how it works, could be used (improperly) as a firewall technique. Let’s imagine, for example, a university campus network. We don’t want students to turn on SMTP servers in order to start spamming or other stuff like that. How could we prevent this? Some people say “let’s set up a NAT so they can only connect outward”. This could work, but it’s not the purpose of NAPT and I consider it a bad idea, in particular on small networks where we have public addresses for everyone. To block incoming connections it’s possible to implement a stateful firewall on the router or on a separate machine, in order to prevent LAN hosts from exposing services to the Internet.
Here is an example of how to implement this with iptables (eth0 is the Internet-facing interface, eth1 the LAN one):
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT   # permit anything to go outside from our local network
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   # accept only related or established connections
Actually with this setup the firewall still uses layer 4 information, and we have some problems similar to those stated before, but it’s still better than using NAPT, for the other reasons we discussed.
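The point of the rules above is that the LAN hosts keep their own public addresses while unsolicited inbound connections are still dropped. The following is an added example, not code from the post or from iptables, that models that policy in the same way the iptables conntrack match does: anything entering from the LAN is forwarded and recorded as a flow, and a packet from the WAN is forwarded only if it is the reverse of a recorded flow. The addresses and packets are constructed sample values (documentation prefixes stand in for the LAN’s real public addresses).

```python
"""Stateful forwarding filter with no address rewriting (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on: "lan" or "wan"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulForwarder:
    def __init__(self) -> None:
        # flows opened from the LAN side: (src_ip, src_port, dst_ip, dst_port)
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def forward(self, pkt: Packet) -> Tuple[str, Packet]:
        """Return (verdict, packet). The packet is forwarded unmodified."""
        if pkt.ingress == "lan":
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ACCEPT", pkt
        # WAN side: only replies to a flow the LAN side opened (ESTABLISHED)
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return "ACCEPT", pkt
        return "DROP", pkt


# Constructed sample traffic: LAN hosts have public addresses 203.0.113.x
SAMPLE = [
    Packet("lan", "203.0.113.10", 51000, "198.51.100.5", 80),   # LAN host opens HTTP
    Packet("wan", "198.51.100.5", 80, "203.0.113.10", 51000),   # server's reply
    Packet("wan", "198.51.100.7", 4444, "203.0.113.11", 25),    # unsolicited SMTP connection
    Packet("wan", "198.51.100.5", 80, "203.0.113.10", 51001),   # right server, no such flow
]


def run_sample() -> List[str]:
    """Verdicts for SAMPLE in order."""
    fw = StatefulForwarder()
    return [fw.forward(p)[0] for p in SAMPLE]


def addresses_preserved() -> bool:
    """Accepted packets reach the LAN host with their original addresses and ports."""
    fw = StatefulForwarder()
    return all(fw.forward(p)[1] == p for p in SAMPLE)


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run_sample()):
        print(verdict, p)
```

The third and fourth packets are dropped, so the LAN host listening on port 25 is never reachable from outside, yet every accepted packet still carries the end-to-end addresses. The kernel’s conntrack does more than this set lookup (it follows TCP state and expires idle entries, and RELATED covers helper-opened flows such as FTP data), but the decision it takes on the FORWARD chain is the one modelled here.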
Some people say that NAPT protects them from network attacks. Really?
- On some cheap NAPT routers it can happen that, for several reasons, the WAN and LAN interfaces are actually the same physical card, so if you send a packet to the WAN interface, it will go inside the LAN.
- On some routers some modules are enabled in order to get FTP active mode and DCC protocols working (as we stated before). This is good but it also brings some security issues. Using some special attack techniques it’s possible to use this mechanism in order to open an arbitrary port on the NAPT to an arbitrary host in the local network, for example using a special web page with a Java or Flash application (see for example here).
- Some local networks implement the UPnP protocol on the main router (using the so-called “IGD” service). Using the IGD service, a host on the local network can ask the router to add a port-mapping rule in order to get incoming connections from outside. It turns out that some routers accept this kind of request also from the WAN interface (see this paper).
Other bad things
Did you know? Some ISPs started to give you private addresses instead of public ones. This is called Carrier-Grade NAT, and it’s still bad because it again breaks end-to-end connectivity.
