Network Address Translation

Network Address Translation. It is a fundamental method in computer networking that remaps one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally developed as a short-term solution to IPv4 address exhaustion and is detailed in RFC 1631. Its widespread adoption by ISPs and within enterprise networks has been critical for conserving the global pool of public addresses.

Overview

The initial concept was formalized by Kjeld S. Egevang and Paul Francis in the early 1990s, with the seminal specification published as RFC 1631 by the IETF. Its rapid deployment was driven by the pressing scarcity of IPv4 addresses, a problem foreseen as early as the 1980s. While the long-term successor protocol, IPv6, provides an immense address space, the transition has been prolonged, ensuring the continued necessity of this technology. Major networking equipment vendors like Cisco Systems, Juniper Networks, and Huawei have integrated robust support into their router and firewall products.

Operation and types

The basic process involves a device, typically a router or firewall, rewriting the source or destination address of an IP packet. In the most common form, known as Port Address Translation or PAT, a single public address can represent numerous private hosts by also translating TCP and UDP port numbers. Static configurations map a specific private address to a dedicated public one, often used for hosting servers like HTTP or FTP. Dynamic methods allocate addresses from a pool, while techniques like Twice NAT are used in complex scenarios such as merging networks from corporate mergers.

Implementation considerations

Deployment requires careful planning to avoid breaking applications that embed IP address information within their payload, such as those using the FTP or SIP. Modern implementations often include Application Layer Gateways to handle these protocols. Performance can be impacted on devices maintaining large state tables for thousands of concurrent sessions, a consideration for ISP-scale operations. Compatibility with end-to-end security protocols like IPsec can also present challenges, sometimes requiring specific modes like NAT-Traversal.

Security and limitations

It provides a degree of inherent security by obscuring internal network topology, acting as a basic firewall since unsolicited inbound connections are typically blocked. However, this stateful filtering is not a substitute for a dedicated intrusion detection system or comprehensive security policy. Limitations include complicating peer-to-peer applications and VoIP services, which led to the development of auxiliary protocols like ICE and STUN. The technique also violates the original architectural principle of the Internet as an end-to-end transparent network, a point of long-standing debate within the IETF.

Standards and protocols

The core specifications are maintained by the IETF, primarily within RFC 3022. Numerous complementary protocols have been standardized to mitigate its drawbacks, including STUN, TURN, and ICE for facilitating multimedia sessions. The IANA has reserved specific IPv4 address ranges, such as those defined in RFC 1918, for private use behind such gateways. Ongoing work in groups like the IETF BEHAVE working group continues to address behavioral requirements and interoperability.

Category:Internet architecture Category:Internet protocols Category:Network address translation