NAT: Network Address Translation in the router

With the sixth version of the internet protocol (IPv6), a solution to the increasing shortage of IP addresses has been available since June 2012. But the move to the new internet standard is a slow, drawn-out process.

According to Google statistics, in October 2016 more than 85% of internet users worldwide were still using the outdated IPv4. But with some 4.3 billion addresses, it’s no longer sufficient for supplying the large number of internet-enabled devices with unique IPs. Not only computers, tablets, or smartphones require access to the online world – in the Internet of Things (IoT), even refrigerators, personal scales, or coffee machines become smart network equipment.

IPv4 has compensated for the problem of address availability since the early 90s with a clear separation between private and public address spaces. In local networks (LANs), internet-capable devices with private IP addresses are addressed locally and connected to the internet with a common public IP. The go-between for public and private address areas is the router. Here is where Network Address Translation, or NAT, takes place.

What is NAT?

The abbreviation NAT stands for Network Address Translation, a process that takes place between two networks and generally in the router. There are two different types of network address translation: Source-NAT (SNAT) and Destination-NAT (DNAT).

Source-NAT

Private users mostly encounter network address translation in the form of Source-NAT. The method is used in home as well as company networks when a network device with a private IPv4 address accesses the internet via a public IP. In everyday usage this is simply called NAT, even though the term is not used precisely.

Term definition: NAT vs. PAT

Basically, a distinction must be made as to whether each private IP address in a network is to be allocated its own public IP address (1:1 translation) or whether all network devices share the same public IP (n:1 translation).

Strictly speaking, network address translation only deals with 1:1 translation in the literal sense, since in this case only the network addresses are rewritten. The n:1 translation, on the other hand, demands an adaptation of the port number. This method is known as PAT (Port and Address Translation) or NAPT (Network Address Port Translation).

Since the PAT concept in IPv4-based home and company networks is the standard case, this method is often inaccurately referred to as NAT. Common terms like NAT router or NAT table are also used within the framework of PAT concepts. So, when NAT is talked about today, usually PAT or NAPT is meant.

Functions of Port and Address Translation (PAT)

Network address translation is generally used in the form of PAT in order to connect multiple local devices to the internet over a common IP address.

Since private IPs aren’t routable (and therefore have no meaning on the internet), packets that a computer (client) in the LAN sends to a server on the internet must be given a public IP by the router. For this, the router replaces the client’s private IP address in the packet header with its own public IP address. In addition, the internally used port number is replaced by one of the router’s free ports. To servers on the internet, the router therefore appears as the sender of all packets that come from the local network.

The complete connection information (IP addresses, ports, and timeouts) is saved in a so-called NAT table (technically, this should also be called a PAT table). The addressed server answers the local computer’s request with a packet, which is first sent back to the corresponding router port. The router now has the task of assigning the incoming packets to the network device that started the request. Everything the router needs for this is contained in the connection information in the NAT table. Here’s an example for clarification:

Imagine a router has been assigned the public IP address 217.229.111.18 by an internet service provider (ISP) and acts as a default gateway for a local network. This has the private IP address range 192.168.0.0/24 (all addresses from 192.168.0.0 to 192.168.0.24) available for network devices. Now, if a device (for example, a computer with the private IP address 192.168.0.2) wants to establish a connection to the internet (for example, to a web server with the public IP 71.123.239.82 at its port number 80), it reserves an internal port (e.g. 22433) and transmits the request to connect to the router listed as the default gateway. This is addressable internally via the private IP 192.168.0.1 and communicates to the outside with the public IP 217.229.111.18.

The router receives the following information: Device 192.168.0.2 wants to establish a connection on port 22433 to 71.123.239.82 on port 80. To comply with this request, the router has to replace the source address of the LAN device (IP address and port number) with its own address. For this, it reserves any free port (e.g. 61001) and performs the network address translation: 192.168.0.2:22433 becomes 217.229.111.18:61001. All relevant information is stored in the NAT table on the router.

Client’s private IP | Client’s port | Router’s public IP | Router’s public port
192.168.0.2 | 22433 | 217.229.111.18 | 61001

Once the web server has received the request, it is processed and, if possible, answered with the requested data (i.e. a website’s data). This answer first reaches the router and is then forwarded using the stored connection information. According to the NAT table, the external port 61001 is reserved for response packets destined for port 22433 of the network device 192.168.0.2.

In addition to IP addresses and port numbers, the router notes a time marker for each connection in the NAT table. This serves as a timeout and indicates when the relevant entry can be deleted. This guarantees that ports don’t remain permanently open during inactivity and become a gateway for internet attacks.

Destination-NAT

While Source-NAT allows connections from the LAN to the internet, Destination-NAT is used to make a local device permanently accessible for incoming connections from the internet. For this, a public port is permanently linked to the IP address of a local network device via the router configuration. All packets arriving at that port are automatically forwarded to the local target address. This is called port forwarding.

This method is used, for example, if a server is to provide services from the LAN on the internet. But open ports present a security risk. It’s recommended, then, to shield the local network from internet data traffic by isolating devices that are reachable via port forwarding in a demilitarized zone (DMZ).

NAT: Security feature or liability?

The network address translation in the router is sometimes discussed as a security feature due to the strict separation of LAN and internet. The supposed protection function is just a side effect, though. NAT and PAT were developed to counteract the shortage of IPv4 addresses. This method can’t provide the functions of a firewall or a packet filter.

But NAT and PAT do offer users in private networks a certain degree of privacy. Since all local IPv4 LAN devices go online via the same public IP address, users can more or less surf anonymously. The individual host behind the network router is not directly addressable over the internet – unless port forwarding has been established for this purpose. To outside observers, all requests from the LAN seem to come from the router.

The method also has a protective effect: all externally initiated connection attempts are automatically discarded, as long as you don’t undo this with port forwarding. Response packets are only accepted from the internet if server responses are expected at a particular router port. Which web server answers isn’t checked under NAT or PAT. A router port that is opened as part of an internally initiated connection setup therefore presents a security liability. It’s recommended to implement additional security mechanisms such as firewalls and packet filters.

The weaknesses of network address translation via NAT or PAT, which primarily result from the strict separation of private and public address spaces, can’t be ignored. This separation breaches the end-to-end principle of internet design, so NAT is a problem for internet applications designed on the basis of that principle.
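
The PAT walkthrough above (192.168.0.2:22433 becoming 217.229.111.18:61001) and the remark that NAT does not check which server answers can be replayed in a few lines of Python. This is an added example, not part of the original article: PatRouter, demo, the 120-second timeout and the host 203.0.113.9 are hypothetical names and constructed values, and check_remote=True stands in for the additional check a stateful firewall would perform.

```python
PUBLIC_IP = "217.229.111.18"   # router's public address, from the article
TIMEOUT = 120                  # idle timeout in seconds (constructed value)


class PatRouter:
    """Toy n:1 translator; hypothetical class, not a real router API."""
    def __init__(self, first_port=61001, check_remote=False):
        self.next_port = first_port
        self.check_remote = check_remote  # True: also match the remote endpoint
        self.table = {}                   # public port -> table entry

    def outbound(self, src, dst, now):
        """Translate a LAN packet; src and dst are (ip, port) tuples."""
        for port, entry in self.table.items():
            if entry["client"] == src:    # existing mapping: refresh it
                entry["expires"] = now + TIMEOUT
                entry["remotes"].add(dst)
                return (PUBLIC_IP, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = {"client": src, "remotes": {dst}, "expires": now + TIMEOUT}
        return (PUBLIC_IP, port)

    def inbound(self, src, public_port, now):
        """Return the LAN (ip, port) to forward to, or None if dropped."""
        entry = self.table.get(public_port)
        if entry is None:
            return None                   # unsolicited: nothing in the table
        if now >= entry["expires"]:
            del self.table[public_port]   # stale entry is deleted
            return None
        if self.check_remote and src not in entry["remotes"]:
            return None                   # sender is not the contacted server
        return entry["client"]


def demo(check_remote):
    client, web = ("192.168.0.2", 22433), ("71.123.239.82", 80)
    stranger = ("203.0.113.9", 80)        # constructed third-party host
    router = PatRouter(check_remote=check_remote)
    mapped = router.outbound(client, web, now=0)
    return {
        "mapped": mapped,
        "reply": router.inbound(web, mapped[1], now=5),
        "stranger": router.inbound(stranger, mapped[1], now=5),
        "unsolicited": router.inbound(web, 61002, now=5),
        "after_timeout": router.inbound(web, mapped[1], now=TIMEOUT + 1),
    }

print(demo(False), demo(True), sep="\n")
```

With check_remote=False the packet from the third-party host is forwarded to the client just like the web server's reply; with check_remote=True only the contacted server gets through, which is the gap a firewall or packet filter has to close.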

Protocols like FTP operate under the assumption that hosts on the internet communicate directly with one another without an intervening node changing IP addresses or port numbers. In NAT-based IPv4 networks, they can only be used with the help of bypass technologies. Each additionally required mechanism raises the complexity and likelihood of error of an IT system. So, the consistent implementation of the end-to-end principle is a central design goal of the new web standard IPv6.

IPv6: The end of NAT?

With the sixth version of the internet protocol, the number of IP addresses available worldwide has multiplied. Instead of 4.3 billion IPv4 addresses, there are now theoretically 340 sextillion IPv6 addresses available to connect network devices to the internet. In other words: Every coffee machine gets its own unique, globally routable IP address. The network address translation via NAT is basically made superfluous, but can still be used in IPv6 networks to shield private address areas from the public network.