1 Introduction
It is a well-known fact that computers communicate with each other over the internet using IP addresses. In the IPv4 scheme an IP address is 32 bits long and uniquely identifies a computer on the network of networks, i.e. the internet. Evidently only 2^32 (about 4.3 billion) unique addresses are possible with a 32-bit scheme, and the number actually available is smaller still, because some ranges are reserved for special purposes such as multicasting, broadcasting, loopback and private use.
Looking at the immense use of networking and the resulting exponential growth in the number of computers requiring a unique IP address, it was clear that the addresses available in the IPv4 scheme would soon run out, after which no new IPv4 addresses could be handed out (the central IANA pool was in fact exhausted in February 2011). Does that mean the internet stops growing? Certainly not. The long-term solution is IPv6, which uses 128-bit addresses. The address space thus grows from 2^32 to 2^128, which is definitely a huge space and hopefully sufficient for a long time.
However, to deploy IPv6 across the internet every host, router and application must be able to handle the new addresses alongside the old ones: routing-table entries, address-handling code, filtering rules and other address-based security mechanisms all have to be changed, which definitely requires a lot of time and also care. Note that IPv4 addresses are not converted into IPv6 addresses; the two schemes coexist, and a host needs an address in each to speak both.
So for the meantime two major solutions were proposed:
CIDR
CIDR stands for Classless Inter-Domain Routing. In this scheme the conventional classful IP addressing (class A, B and C networks with fixed 8-, 16- and 24-bit net ids) is replaced by classless addressing. The IP address is still divided into a net id, i.e. the id of the network, and a host id, i.e. the id of an individual machine in the network, but the boundary is given explicitly by the slash notation: the number after the slash gives the number of leading bits that form the net id, and the remaining bits are the host id. Because the boundary can fall at any bit, address blocks can be allocated in sizes that match actual need, and many adjacent blocks can be summarised into a single routing-table entry.
172.31.100.29/23 implies that the 23 bits from the MSB are the net id and the remaining 9 bits are the host id. Hence in this case the net id is 172.31.100.0/23 (netmask 255.255.254.0, covering 172.31.100.0 to 172.31.101.255) and the host id is 29, i.e. the 9 low-order bits 000011101. Note that the net id is not simply 172.31.100: the /23 boundary falls inside the third octet, so 172.31.101.29 belongs to the same network, with host id 285.
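The following Python helper is added here as a worked example; it is not code from the original report. It splits any slash-notation address into net id and host id exactly as described above, reports the classful net-id width for comparison, and tests whether two addresses share a network. The inputs are the report's 172.31.100.29/23 together with constructed neighbouring addresses.

```python
import ipaddress


def classful_prefixlen(ip: str) -> int:
    """Pre-CIDR rule: the first octet decides the class and thus the net-id width."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8       # class A
    if first < 192:
        return 16      # class B
    if first < 224:
        return 24      # class C
    raise ValueError("class D/E addresses have no net id / host id split")


def split_cidr(addr: str) -> dict:
    """Split 'a.b.c.d/n' into net id and host id exactly as the slash notation says."""
    iface = ipaddress.ip_interface(addr)
    net = iface.network                    # host bits masked off -> e.g. 172.31.100.0/23
    host_bits = 32 - net.prefixlen
    host_id = int(iface.ip) & ((1 << host_bits) - 1)
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "host_bits": host_bits,
        "host_id": host_id,
        "host_id_bin": format(host_id, f"0{host_bits}b"),
        "range": (str(net.network_address), str(net.broadcast_address)),
        "usable_hosts": max(net.num_addresses - 2, 0),
        "classful_netid_bits": classful_prefixlen(str(iface.ip)),
    }


def same_network(a: str, b: str) -> bool:
    """True when two slash-notation addresses share the same net id."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


if __name__ == "__main__":
    # constructed inputs: the report's address and two neighbours
    for addr in ("172.31.100.29/23", "172.31.101.29/23", "172.31.102.1/23"):
        print(addr, split_cidr(addr))
    print(same_network("172.31.100.29/23", "172.31.101.29/23"))   # same /23
    print(same_network("172.31.100.29/23", "172.31.102.1/23"))    # next /23
```

The classful width (16 bits for a 172.x address) is shown alongside the CIDR width so the difference is visible: under classful rules the net id would have been 172.31 and all of 172.31.0.0/16 one network, whereas /23 carves it into 128 networks of 510 usable hosts each.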
NAT
A second technology was introduced to slow down the exhaustion of IP addresses: NAT, i.e. Network Address Translation. NAT is a standard that allows a LAN to use one set of IP addresses for communicating with external networks, called public IP addresses, and another set of IP addresses for communication within the network, called private IP addresses. Since the private addresses are never seen on the internet, the same private block can be reused by every LAN, and a LAN of hundreds of hosts can be served by a handful of public addresses.
2 NAT: Brief description
The gist of NAT in one line is that NAT maps private IPs to public IPs. More precisely, it maps the IP address-port pair in a packet to another IP address-port pair.
There are three address ranges reserved for private IPs (RFC 1918):
• 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
• 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
• 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
Routers on the public internet do not forward packets to or from these addresses, which is why a translation is needed at the edge.
NAT is implemented in devices that sit at the edge, i.e. at the boundary between the LAN and the rest of the internet, such as routers and firewalls. NAT can use one of the following mapping techniques:
Static
In this case there is a one-to-one correspondence between private and public IP addresses: a given private IP address always maps to the same public IP address. Static NAT saves no addresses, but it lets an inside host (for example a web server) be reached from outside at a fixed public address.
Dynamic
In this case a private IP address is mapped, when it first sends traffic, to any one of the currently free addresses in a pool of public IP addresses, and the mapping is released when the traffic stops. Over time a private address may thus be mapped to many different public addresses, and a pool smaller than the LAN can be shared as long as not all hosts are active at once.
Overloading
In this case there is a many-to-one correspondence between private and public IP addresses. Many private IP addresses can be mapped to a single public IP address, each distinguished by a different port number on the public side. Hence this scheme is also known as port address translation (PAT), NAPT or port-level multiplexed NAT; it is the form found in almost every home and small-office router.
Overlapping
A special problem arises when the addresses used inside the LAN overlap with the addresses of an outside network it needs to reach, for example when two organisations that both use 10.0.0.0/8 are connected, or when a LAN was numbered with addresses that are in fact assigned to someone else on the internet. The versions of NAT seen so far translate either the source address or the destination address as a datagram passes from the inside network to the outside network or vice versa. To cope with overlapping addresses, both the source address and the destination address must be translated on each transition from the inside to the outside or the other direction. This technique is called Overlapping NAT, in reference to the problem it solves, or Twice NAT, in reference to how it solves it. (Incidentally, despite the latter name, regular NAT is not called Once NAT.)
Twice NAT functions by creating a set of mappings not only for the private network the NAT router serves, but also for the overlapping network (or networks) that conflict with the inside network's address space. For this to work, Twice NAT relies on the Domain Name System (DNS), just like bidirectional NAT: when an inside host resolves the name of an outside host, the NAT router intercepts the DNS reply and substitutes a non-conflicting address from its mapping, so the inside host sends its requests to an address the router can uniquely identify. Otherwise the router cannot tell whether a packet addressed to, say, 10.1.2.3 is meant for the local host of that address or for the host of that address in the overlapping network.
2.1 NAT Table
It is the translation table maintained by the NAT device. It contains one entry for each active mapping: the private IP address (and port) of the node behind the NAT, the corresponding public IP address (and port), and, for overloaded NAT, the remote endpoint the mapping was created for. An entry is created when an inside node first sends traffic, its timer is refreshed by every packet that matches it, and it is removed once the mapping has been idle for longer than a timeout (on the order of minutes for UDP, much longer for established TCP connections). The table is therefore continuously refreshed rather than static, and a host that wants to stay reachable must keep its entry alive.
2.2 Working of NAT
The working of NAT can be summarised in the following points:
• When two systems within the LAN want to communicate, they do so using their private IP addresses; in this case no private-to-public mapping is required and the NAT device is not involved.
• When a system within the LAN wants to communicate with a system outside the LAN, the packet reaches the router that implements NAT. The NAT device first verifies that the packet is an inside-to-outside packet and that it satisfies the criteria specified for translation; if so, it checks its NAT table. If an entry for the private source address (and port) exists it is used, otherwise a new one is created. The private source is then replaced by the corresponding public address (and port) and the packet is forwarded to the destination with the public IP as its source.
• When the response from the external network reaches the LAN's NAT router, the destination IP of the packet is one of the public IPs of the LAN. The NAT router looks up the destination address and port in the translation table, rewrites them to the corresponding private address and port, and delivers the packet inside the LAN.
• It is, however, not possible for an outside system to initiate a connection to an inside system: an inbound packet that matches no table entry is simply dropped, because the NAT has no way to tell which private host it is meant for.
3 NAT TRAVERSAL
3.1 The NAT TRAVERSAL PROBLEM
A system outside a LAN cannot initiate a connection to any system inside the LAN that is behind a NAT. This problem is termed the NAT traversal problem. The reason is that the NAT only translates in response to traffic that an inside host started: it maps the private IP to a public IP on the way out and maps the public IP back to the private IP for the reply, but for a query initiated from outside no entry exists yet, so there is nothing to map the public IP to and the packet is dropped. The same mechanism that hides the LAN from unsolicited traffic (and so acts as a rudimentary firewall) is what blocks legitimate inbound connections.
3.2 Traversal approaches
To overcome the NAT traversal problem, various approaches have been proposed. Most of them make use of a third-party server to set up the outside-to-inside connection. Some approaches that do without such a server have also been proposed; the most promising of these is autonomous NAT traversal.
Using a third-party server for connection reversal
The most popular way to obtain an outside-to-inside connection through a NAT is to use a third-party (rendezvous) server. The third-party server is located outside the LAN, i.e. on the public side of the NAT, and the server behind the NAT keeps a connection to it open at all times, so that the NAT table always holds an entry for it. When a client outside the NAT wants to establish a connection with the server behind the NAT, the process proceeds as follows:
• The client asks the third-party server to help establish a connection with the server.
• The third-party server notifies the server, over the existing connection, that the client (at a given public IP address and port) wants to establish a connection.
• The server then initiates the connection to the client, which from the NAT's point of view is an ordinary inside-to-outside connection.
This approach is termed connection reversal, because the third-party server turns the client-initiated communication into server-initiated communication. It only works when the client itself is directly reachable, and it requires that the server always maintain its connection to the third-party server (sending keep-alives so that the NAT entry does not expire).
The major drawbacks of the third-party server approach are:
• It requires a third party to be involved and trusted.
• It is a more complex approach.
• The third-party server sees who connects to whom, so an attacker who can observe or compromise it can learn, and interfere with, the communication pattern of every peer.
The major protocols built around a third-party server are:
TURN
TURN stands for Traversal Using Relays around NAT. It is a protocol (RFC 5766) that facilitates outside-to-inside connections through a NAT by relaying data via a server on the public internet. The TURN client behind the NAT obtains a relayed transport address on the TURN server and must explicitly grant a permission for each outside peer it wants to exchange data with; data from any other source is discarded by the relay. So TURN does not turn the system behind the NAT into a generally reachable server: it can be reached only by the individual outside systems it has chosen to admit.
In this way it is about as secure as the NAT itself, but it turns the tables so that a connection can be established from outside to inside.
Interactive Connectivity Establishment
ICE (RFC 8445) is used for the same purpose. It uses STUN, TURN and similar protocols as tools. Both endpoints run an ICE agent, not only the client outside the NAT. Each agent gathers a list of candidate addresses: its own local addresses, the public address and port the NAT has assigned to it (discovered via STUN) and a relayed address (obtained via TURN). The candidates are exchanged over the signalling channel, ICE performs connectivity tests on every candidate pair, and the highest-priority pair that works is used; direct paths are preferred over relayed ones.
The major advantage of this protocol is that it finds a working path whenever one of the candidate pairs works, and the path it chooses is the best available one. The drawback is that it requires several rounds of tests, which adds latency to connection setup.
Relaying
When both peers are behind NATs, the relaying method is used. A third-party server is used and the peers communicate via this server. The method works as follows:
• Both peers keep either a TCP or a UDP connection open with the server.
• The peer that wants to initiate communication with the other peer transmits its message to the server.
• Since the server has a connection with the other peer, the server relays this message to it.
• When the other peer responds to the initiating peer, it cannot communicate directly either, so it transmits its message to the server involved, and the server in turn relays the message back to the initiating peer.
This approach is considered the most reliable, since it works with any kind of NAT. But it requires a lot of network bandwidth at the server, consumes server processing power and increases the communication latency. Hence it is the least efficient approach, and it is normally used only as a fallback when no direct path can be found.
Autonomous Traversal
In this approach no third-party server is involved, which reduces complexity and shrinks the attack surface.
The basic assumption of this approach is that the outside system knows the public IP address(es) of the NAT router behind which the intended system resides; this is possible because of a previous exchange between the outside system and the inside system. The outside system can be termed the client and the inside system the server. The steps involved in autonomous NAT traversal can be described as follows:
Communicate the public IP of the client to the server
The server periodically sends a message to a known address: it sends an ICMP ECHO REQUEST to an unallocated IP address, i.e. one at which no host will answer. The request is still forwarded through the NAT, and since nothing answers at that address it either goes unanswered or provokes a genuine ICMP error (for example DESTINATION UNREACHABLE), which the server simply ignores.
As a result of this request the NAT router creates an entry that enables the forwarding of replies, including ICMP error messages, that refer to it.
The client forges such a reply. It transmits an ICMP TIME EXCEEDED (TTL expired) message to the NAT router's public address that quotes the server's echo request, exactly as a router on the path would if the request's TTL had run out. The NAT matches the quoted request against its entry and forwards the message to the server. The server listens for such fake ICMP replies, and when it receives one it initiates a connection to the sender's address given in the message.
In this manner the server obtains the public IP of the client. If the client does not listen on a pre-agreed port, the port number can be sent as part of the payload of the fake ICMP message.
Server connects to the client
Now the server has the public IP of the client, so it can initiate communication with the client. The communication proceeds in the same way as for a normal NAT, since from the NAT's point of view it is an ordinary inside-to-outside connection.
A problem arises in the autonomous approach when the client is also behind a NAT: the client's NAT does not let the forged ICMP reply through. There is a theoretical solution to this problem, but it does not work in practice. Hence the major drawback of the autonomous approach is that it fails for NAT-to-NAT communication.
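The exchange above, carried out on constructed packets, as an added example in Python (not code from the original report or from the designers of autonomous NAT traversal). It builds the server's ICMP echo request, the client's forged ICMP Time Exceeded message that quotes it, models a NAT that matches the quoted header before forwarding the error inside, and shows the checks a server should apply before trusting the sender, so that it does not connect to the source of every genuine ICMP error it receives. Assumptions, stated again in the code: the bait address 1.2.3.4, a pre-agreed echo identifier the client can reproduce, a 2-byte port hint appended after the quoted bytes, and a NAT that validates the quoted header (many do not). Nothing is sent; putting such packets on a real network requires raw sockets and privileges.

```python
import socket
import struct

# Constructed addresses (documentation ranges). The bait address, the fixed
# echo identifier and the 2-byte port hint are assumptions of this example.
SERVER_PRIVATE_IP, NAT_PUBLIC_IP = "10.0.0.5", "203.0.113.7"
CLIENT_PUBLIC_IP, BAIT_IP = "198.51.100.9", "1.2.3.4"
ECHO_IDENT, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0x1234, 8, 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 over a correctly checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(block: bytes, offset: int) -> bytes:
    """Fill in the 16-bit checksum field located at `offset`."""
    zeroed = block[:offset] + b"\x00\x00" + block[offset + 2:]
    return block[:offset] + struct.pack("!H", inet_checksum(zeroed)) + block[offset + 2:]


def ipv4_datagram(src: str, dst: str, icmp: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 1 = ICMP) followed by the ICMP message."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr, 10) + icmp


def icmp_echo_request(ident: int, seq: int) -> bytes:
    return with_checksum(struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq), 2)


def nat_forward_echo_out(datagram: bytes, public_ip: str, state: dict) -> bytes:
    """NAT, outbound: rewrite the private source; remember (public src, dst, ident)."""
    ihl = (datagram[0] & 0x0F) * 4
    dst = socket.inet_ntoa(datagram[16:20])
    ident = struct.unpack("!H", datagram[ihl + 4: ihl + 6])[0]
    state[(public_ip, dst, ident)] = socket.inet_ntoa(datagram[12:16])
    return ipv4_datagram(public_ip, dst, datagram[ihl:], ttl=datagram[8] - 1)


def client_fake_time_exceeded(expired_request: bytes, port: int) -> bytes:
    """Client: forge Time Exceeded quoting the IP header + 8 bytes of the request
    (as a real router would), then append the port hint (assumption)."""
    ihl = (expired_request[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + expired_request[: ihl + 8]
    return with_checksum(body + struct.pack("!H", port), 2)


def nat_forward_icmp_error(datagram: bytes, state: dict):
    """NAT, inbound: forward an ICMP error only if its quoted datagram matches
    recorded state; rewrite outer destination and quoted source back to private."""
    ihl = (datagram[0] & 0x0F) * 4
    icmp, quoted = datagram[ihl:], datagram[ihl + 8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    key = (socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20]),
           struct.unpack("!H", quoted[q_ihl + 4: q_ihl + 6])[0])
    if icmp[0] != ICMP_TIME_EXCEEDED or key not in state:
        return None                                    # unsolicited: dropped
    private = socket.inet_aton(state[key])
    q_hdr = with_checksum(quoted[:12] + private + quoted[16:q_ihl], 10)
    icmp = with_checksum(icmp[:8] + q_hdr + quoted[q_ihl:], 2)
    return with_checksum(datagram[:16] + private + datagram[20:ihl], 10) + icmp


def server_extract_peer(datagram: bytes):
    """Server: accept only a well-formed Time Exceeded that quotes our bait
    echo request; return (client public IP, port hint) or None."""
    ihl = (datagram[0] & 0x0F) * 4
    icmp, quoted = datagram[ihl:], datagram[ihl + 8:]
    if datagram[9] != 1 or len(icmp) < 38 or icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    if inet_checksum(icmp) != 0:                       # corrupted or lazily forged
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    if (socket.inet_ntoa(quoted[16:20]) != BAIT_IP or quoted[9] != 1
            or quoted[q_ihl] != ICMP_ECHO_REQUEST):
        return None                                    # a genuine error, not our bait
    port = struct.unpack("!H", quoted[q_ihl + 8: q_ihl + 10])[0]
    return socket.inet_ntoa(datagram[12:16]), port


def autonomous_traversal_demo() -> dict:
    """Run the exchange end to end on constructed packets."""
    state = {}
    # 1. server pings the bait; the NAT rewrites the source and records state
    nat_forward_echo_out(ipv4_datagram(SERVER_PRIVATE_IP, BAIT_IP,
                                       icmp_echo_request(ECHO_IDENT, 1)), NAT_PUBLIC_IP, state)
    # 2. client rebuilds what the NATed request must look like and forges the reply
    guess = ipv4_datagram(NAT_PUBLIC_IP, BAIT_IP, icmp_echo_request(ECHO_IDENT, 1), ttl=63)
    fake = ipv4_datagram(CLIENT_PUBLIC_IP, NAT_PUBLIC_IP, client_fake_time_exceeded(guess, 6000))
    delivered = nat_forward_icmp_error(fake, state)
    # 3. a forgery quoting an identifier the NAT never saw is dropped at the NAT
    wrong = ipv4_datagram(NAT_PUBLIC_IP, BAIT_IP, icmp_echo_request(0x9999, 1), ttl=63)
    bogus = ipv4_datagram(CLIENT_PUBLIC_IP, NAT_PUBLIC_IP, client_fake_time_exceeded(wrong, 6000))
    return {"peer": server_extract_peer(delivered) if delivered else None,
            "bogus_forwarded": nat_forward_icmp_error(bogus, state) is not None}
```

Two points worth noting from the model. First, whether the NAT validates the quoted header decides how much an outsider must know: with a validating NAT the client needs the bait address and identifier, with a lax NAT any Time Exceeded addressed to the public IP gets in. Second, the server's own checks (checksum, protocol, bait destination, echo type) are what keep a forged-reply mechanism from turning into "connect to whoever sends me an ICMP error".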
4 NAT Punching or Hole Punching
The NAT traversal techniques are also called NAT punching or hole punching techniques, because they create a hole in the NAT, i.e. a table entry, that enables an outside-to-inside connection.
Hole punching techniques are classified on the basis of the messages used to create the hole. The major approaches are as follows:
UDP Hole Punching
For hole punching this technique uses UDP messages, i.e. User Datagram Protocol messages. In this method the server behind the NAT needs to maintain a UDP session with the third-party server permanently. The method can be described as follows:
• Since there is a permanent UDP session between the server and the third-party server, the NAT table has an entry for it, and the third-party server knows the public IP address and port the NAT has assigned to the server.
• The client requests the third-party server to help it establish a connection with the server behind the NAT.
• The third-party server replies to the client with both the private and the public IP address (and port) of the server behind the NAT. At the same time it notifies the server behind the NAT that a client wants to establish a connection. The notification message contains the public IP address and port of the client.
• Now both the client and the server behind the NAT know each other's addresses, so each sends a UDP datagram to the other. The server's outbound datagram creates (or, if the NAT maps every destination to the same public port, reuses) the table entry through which the client's datagrams are then delivered, and the UDP session is established. The private address is tried as well, so that two peers on the same LAN connect directly rather than through the NAT.
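An in-memory model, added here as an example in Python (not code from the original report), that ties together the NAT table and working of NAT from sections 2.1 and 2.2, the traversal problem of section 3.1, connection reversal from section 3.2 and the UDP hole punching exchange above. The NAT is modelled as an overloading (PAT) device whose behaviour is an assumption stated in the code: endpoint-independent mapping (one public port per private endpoint) and address-restricted filtering, with idle expiry of table entries. All addresses are constructed (documentation ranges), and the three RFC 1918 blocks from section 2 are used to decide which traffic is LAN-internal.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """The three private ranges of section 2 (ipaddress.is_private would also
    flag the documentation ranges used below, so test the RFC 1918 blocks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class Datagram:
    src: Endpoint
    dst: Endpoint
    payload: bytes


@dataclass
class OverloadingNat:
    """Port address translation. Assumed behaviour, since real devices vary:
    endpoint-independent mapping (one public port per private endpoint,
    whichever peer it talks to) and address-restricted filtering (inbound is
    accepted only from addresses the inside host has already sent to)."""
    public_ip: str
    idle_timeout: float = 120.0
    next_port: int = 40000
    table: Dict[Endpoint, int] = field(default_factory=dict)     # private endpoint -> public port
    reverse: Dict[int, Endpoint] = field(default_factory=dict)   # public port -> private endpoint
    peers: Dict[int, Set[str]] = field(default_factory=dict)     # public port -> remote IPs talked to
    last_used: Dict[int, float] = field(default_factory=dict)    # public port -> last activity

    def outbound(self, d: Datagram, now: float = 0.0) -> Datagram:
        if is_rfc1918(d.dst[0]):
            return d                                 # LAN-internal: no translation
        port = self.table.get(d.src)
        if port is None:                             # first packet: create the entry
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[d.src], self.reverse[port], self.peers[port] = port, d.src, set()
        self.peers[port].add(d.dst[0])
        self.last_used[port] = now
        return Datagram((self.public_ip, port), d.dst, d.payload)

    def inbound(self, d: Datagram, now: float = 0.0) -> Optional[Datagram]:
        port = d.dst[1]
        if d.dst[0] != self.public_ip or port not in self.reverse:
            return None                              # no entry: unsolicited, dropped
        if d.src[0] not in self.peers[port]:
            return None                              # entry exists, sender not admitted
        self.last_used[port] = now
        return Datagram(d.src, self.reverse[port], d.payload)

    def expire(self, now: float) -> int:
        """Drop entries idle longer than the timeout; returns how many were removed."""
        stale = [p for p, t in self.last_used.items() if now - t > self.idle_timeout]
        for p in stale:
            del self.table[self.reverse.pop(p)], self.peers[p], self.last_used[p]
        return len(stale)


def udp_hole_punch_demo() -> dict:
    """Server behind the NAT, client and rendezvous server on the public side."""
    nat = OverloadingNat("203.0.113.7")
    server, rendezvous, client = ("10.0.0.5", 5000), ("198.51.100.1", 3478), ("198.51.100.9", 6000)
    # the server's standing UDP session to the rendezvous creates its NAT entry;
    # the rendezvous now knows the server's public endpoint
    server_public = nat.outbound(Datagram(server, rendezvous, b"REGISTER"), now=0).src
    # the traversal problem: the client knows that endpoint but is dropped anyway
    early = nat.inbound(Datagram(client, server_public, b"HELLO"), now=1)
    # connection reversal: the rendezvous notifies the server of the client's endpoint
    notify = nat.inbound(Datagram(rendezvous, server_public, b"PEER 198.51.100.9:6000"), now=2)
    # the punch: the server's datagram to the client goes out through the same entry
    punch = nat.outbound(Datagram(server, client, b"PUNCH"), now=3)
    # now the client's datagram is delivered to the private endpoint
    late = nat.inbound(Datagram(client, server_public, b"HELLO"), now=4)
    # without keep-alives the entry ages out and the hole closes again
    expired = nat.expire(now=200)
    return {"server_public": server_public, "early": early, "notify": notify,
            "punch_src": punch.src, "late": late, "expired": expired}
```

The two assumptions in the model are exactly the properties hole punching depends on: if the NAT picked a fresh public port for the datagram to the client (endpoint-dependent mapping), the endpoint the rendezvous handed out would be wrong and the client's datagram would still be dropped, which is why hole punching fails on such NATs and a relay is needed.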
TCP Hole Punching
Hole punching for a TCP session is far more complicated than for a UDP session, since TCP is a connection-oriented, reliable end-to-end protocol and involves many more mechanisms, such as the three-way handshake, sequence numbers and the synchronisation of packets. Hence, when applying NAT punching, these issues must be addressed properly, which increases the complexity of NAT punching to a great extent. The process of TCP hole punching is as follows:
• There is a permanent TCP connection between the server and the third-party server, so the NAT table has the corresponding entry.
• The client requests the third-party server to help it establish a TCP connection with the server behind the NAT.
• The third-party server replies to the client with the private and the public IP address (and port) of the server behind the NAT. At the same time it notifies the server behind the NAT that a client with a given IP address and port wants to establish a TCP connection with it.
• Now the server sends a SYN packet to the client from the same local port it uses towards the third-party server (which requires the socket to be bound with the address-reuse option), and it also listens on that port for incoming connection attempts from the client. The client does the same towards the server's public address.
• The server waits for a SYN-ACK in response to the SYN it has sent. If it receives one, it sends an ACK to acknowledge the SYN-ACK. If instead the client's SYN arrives first, the TCP stack treats it as a simultaneous open and answers it with a SYN-ACK, which leads to the same result.
• Thus the three-way handshake completes and the client and the server start TCP communication. Whether this succeeds depends on the NAT: it must map the server's outbound SYN and then accept the client's inbound SYN (or SYN-ACK) on that mapping rather than reject it as unsolicited.
5 Conclusion
NAT is required for the whole IPv4-to-IPv6 transition period, and it is working efficiently. There are various NAT traversal approaches; STUN, TURN and ICE have been standardised by the IETF, but the behaviour of NAT devices themselves is not uniform, so hole punching does not work reliably across all of them and some problems still arise. It is also a matter of debate whether NAT traversal or hole punching is a threat to network security, since it deliberately opens paths the NAT would otherwise block. The hole punching techniques in use are classified on the basis of the type of network, the type of connection, etc., and all of them show satisfactory performance.