Network address translator

From Citizendium, the Citizens' Compendium
Jump to: navigation, search
This article is developing and not approved.
Main Article
Talk
Definition [?]
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and not meant to be cited; by editing it you can help to improve it towards a future approved, citable version. These unapproved articles are subject to a disclaimer.

A network address translator (NAT) is a device, or often a software function, which maps Internet Protocol addresses between two different address spaces, most often, in an Internet Protocol version 4 context, the nonroutable "private" address space (see RFC 1918 and RFC 5735) and the "public" space in which Internet Service Providers communicate. NATs are not ideal solutions for many of their uses, and one of the design goals for Internet Protocol version 6 was to do away with the need for a NAT function. Deployment experience suggests there will still be needs for some NAT-like functions in IPv6, but it is realistic to assume that they will be far less common in an all-IPv6 world.

Basic functionality

Introduced in 1994, a NAT is a controlled violation of the "end-to-end" architectural principle of the Internet, which assumes addresses are unique from end host to end host. [1] [2] While NAT functions have been extremely useful, they also have created a variety of operational challenges, and one of the goals in developing Internet Protocol version 6 was to do away with the need for NAT service.

Its basic function is to translate the source and destination IP addresses, in the packet header, from one address space to another. In reality, it has to do more than this, since the IPv4 header has an error-detecting checksum that includes the IP addresses. After substituting the addresses, therefore, it has to recompute the checksum.

Most IP packets carry Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) payloads. The header of a TCP or UDP "segment" (i.e., a complete TCP or UDP message) also contains a checksum, which is computed on a "pseudo-header" containing not only the TCP/UDP header, but the IP addresses of the packet carrying it. The NAT, therefore, will have to recognize at least TCP and UDP payloads, and, as needed, recompute their checksum.

Application layer gatewaying

A number of protocols carried by TCP or UDP, such as File Transfer Protocol or Simple Network Management Protocol, may have IP addresses embedded in their application-layer messages. Depending on the context, these may or may not need to be translated to the address space to which the packet-level addresses are translated.

The ability to translate embedded IP addresses is beyond the scope of basic NAT. There are cases when they should be translated, as when going between two cooperating public address spaces. If the packet is being tunneled across the public Internet, the architecture may require that they not be translated.

Devices that are aware of application-layer protocols and can be configured to translate, or not translate, embedded protocols are called application layer gateways.

Advanced IPv4 NAT

References

  1. K. Egevang, P. Francis. (May 1994), The IP Network Address Translator (NAT), RFC1631
  2. P. Srisuresh, M. Holdrege (August 1999), IP Network Address Translator (NAT) Terminology and Considerations, RFC2663