Network Address Translation (NAT)

NAT is a technology that enables hosts with private addresses to communicate with other hosts on the public internet.

NAT is a way to conserve IP addresses:

  • The number of IPv4 addresses is not enough for everyone to use.
  • In order to save IP addresses, people use private addresses when forming a local network.
  • When these hosts want to reach the outside, they need to go through the NAT router.
  • The NAT router translates the private network to the public network so that the device can access the internet.
  • Hosts on the internet can also reach the device in the private network.
  • The NAT router's translation is done by:
    • replacing the source address of all the outgoing packets by the global NAT address
      • Going outside -> use a public source address
    • replacing destination address of all the incoming packets with the appropriate private address.
      • Going in -> use a private destination address

This is an example of a configuration using NAT:

NAT Terminology

  • Inside network is the set of devices using private addresses (Local Addresses)
  • Outside network refers to all other networks (Global Addresses)

NAT includes four types of addresses:

  • Inside local address
  • Inside global address
  • Outside local address
  • Outside global address

  • Going outside -> change the source address to public
  • Going in -> change the destination address to private

Static NAT Translation and Dynamic NAT Translation

Static NAT Translation

  • one-to-one mapping of local and global addresses
  • mappings are configured by the network administrator and remain constant.
  • Static NAT is particularly useful when servers hosted in the inside network must be accessible from the outside network.
  • A network administrator can SSH to a server in the inside network by pointing the SSH client to the proper inside global address.
  • Since Static NAT Translation is one-to-one, we need to have enough public addresses to be assigned.

Dynamic NAT Translation

  • The pool of public IPv4 addresses (the inside global address pool) is available to any device on the inside network on a first-come, first-served basis (still one-to-one).
  • The pool must be large enough to accommodate all inside devices.
  • A device is unable to communicate to any external networks if no addresses are available in the pool.

Port Address Translation (PAT), the NAT overload

PAT is also known as NAT overload.

  • Port Address Translation (PAT) maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses.
  • PAT uses the pair source port and source IP address to keep track of what traffic belongs to what internal client.
    • Uses the port number to identify private hosts
  • By also using the port number, PAT forwards the response packets to the correct internal device.
  • The PAT process also validates that the incoming packets were requested, thus adding a degree of security to the session.

Typo in the images, should be 209.165.200.225 instead of 226.

Comparing NAT and PAT:

  • NAT translates IPv4 addresses on a 1:1 basis between private IPv4 addresses and public IPv4 addresses.

  • PAT modifies both the address and the port number.

  • NAT forwards incoming packets to their inside destination by referring to the incoming source IPv4 address provided by the host on the public network.

  • With PAT, there is generally only one or a very few publicly exposed IPv4 addresses.

  • PAT is able to translate protocols that do not use port numbers, such as ICMP; each one of these protocols is supported differently by PAT.

Port Forwarding

Port forwarding is the act of forwarding a network port from one network node to another.

  • A packet sent to the public IP address and port of a router can be forwarded to a private IP address and port in the inside network.
  • Port forwarding is helpful in situations where servers have private addresses, not reachable from the outside networks.
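The PAT bookkeeping described above (source port plus source address identify the inside client, and inbound packets are delivered only when a session asked for them) together with a static port-forwarding entry, as an added Python example that is not part of the original notes. All addresses and ports are constructed (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), and the public port range starting at 1024 is an assumption.

```python
"""PAT (NAT overload) translation table with port forwarding.

Added example, not from the original notes.  Addresses and ports are
constructed (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24); the public port range starting at 1024 is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (IPv4 address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str


class PatRouter:
    """One inside-global address shared by many inside-local (address, port) pairs."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table: Dict[Endpoint, int] = {}   # inside local (ip, port) -> public port
        self.in_table: Dict[int, Endpoint] = {}    # public port -> inside local (ip, port)
        self.forwards: Dict[int, Endpoint] = {}    # static port forwarding: public port -> server

    def add_port_forward(self, public_port: int, inside: Endpoint) -> None:
        self.forwards[public_port] = inside

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: the source becomes public_ip plus a port unique to this client."""
        if pkt.src not in self.out_table:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_table[pkt.src] = port
            self.in_table[port] = pkt.src           # remember that this session was requested
        return Packet((self.public_ip, self.out_table[pkt.src]), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: deliver only replies to known sessions or to forwarded ports."""
        if pkt.dst[0] != self.public_ip:
            return None
        inside = self.forwards.get(pkt.dst[1]) or self.in_table.get(pkt.dst[1])
        if inside is None:
            return None                             # unsolicited: no session and no forward, dropped
        return Packet(pkt.src, inside, pkt.payload)


if __name__ == "__main__":
    router = PatRouter("203.0.113.1")
    # two inside hosts that happen to use the same source port are told apart by the translated port
    for host in ("192.0.2.10", "192.0.2.11"):
        print(router.outbound(Packet((host, 40000), ("198.51.100.5", 80), "GET /")))
    print(router.inbound(Packet(("198.51.100.9", 5555), ("203.0.113.1", 2222), "probe")))  # None
```

The inbound table here is keyed on the public port alone; real PAT implementations also match the remote address and port of the session, which is what makes the "incoming packets were requested" check tighter than this simplification.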

Summary of NAT

Benefits of NAT

  • Conserves the legally registered addressing scheme
  • Increases the flexibility of connections to the public network
  • Provides consistency for internal network addressing schemes
  • Provides network security

Disadvantages of NAT

  • Performance is degraded
  • End-to-end functionality is degraded
  • End-to-end IP traceability is lost
  • Tunneling is more complicated
  • Initiating TCP connections can be disrupted

Address Resolution Protocol (ARP)

The ARP protocol provides two basic functions:

  • Resolving IPv4 addresses to MAC addresses
  • Maintaining a table of mappings

Look at the frame structure. To send data over Ethernet we must specify the endpoints within the link, that is, the source and destination addresses in the frame. So, in order to send the data, we need to know the MAC address of the destination.

ARP lets us learn the MAC address of the destination from its IP address.

  • Each IP node (host, router) on a LAN has an ARP table
  • ARP table: IP/MAC address mappings for some LAN nodes
    • <IP address; MAC address; TTL>
    • TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min)

If the host wants to send data to a particular destination:

  • First check the ARP table to see whether it has the MAC address for the given IP address
  • If not, use the ARP protocol to find out the mapping

ARP Operation - two-way handshake

How does ARP map a MAC address to an IP address?

Simply ask on the same network (using the broadcast address FF-FF-FF-FF-FF-FF) and get a reply containing the MAC address.

  • Ask all members of the same network for the MAC address of a given IP address
    • using the broadcast address FF-FF-FF-FF-FF-FF
  • Then receive the reply with the MAC address for that IP address
    • then record it in the ARP table
  • ARP request is broadcast (1 to all)
  • ARP reply is unicast (1 to 1)

Example:

  • A wants to send datagram to B, and B’s MAC address not in A’s ARP table.
  • A broadcasts ARP query packet, containing B’s IP address
    • Destination MAC address = FF-FF-FF-FF-FF-FF
    • all machines on LAN receive ARP query
  • B receives ARP packet, replies to A with its (B’s) MAC address
    • frame sent to A’s MAC address (unicast)
  • A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
    • soft state: information that times out (goes away) unless refreshed
  • ARP is “plug-and-play”:
    • nodes create their ARP tables without intervention from network administrator

How about if the Source and the Destination are not in the same network?

  • Assume A knows B’s IP address; send the datagram from A to B via R
  • There are multiple ARP tables in router R, one for each IP network (LAN)

  • A creates a datagram with source A, destination B
  • A uses ARP to get R’s MAC address for 111.111.111.110
  • A creates a link-layer frame with R’s MAC address as destination; the frame contains the A-to-B IP datagram
  • A’s adapter sends the frame
  • R’s adapter receives the frame
  • R removes the IP datagram from the Ethernet frame and knows it is destined to B
  • R uses ARP to get B’s MAC address
  • R creates a frame containing the A-to-B IP datagram and sends it to B

Another example: Alice sending to Bob. The frame carries:

Dest LL | Source LL | Source IP | Dest IP | Data

ARP Packet Format

  • Hardware Type: Ethernet → 1
  • Protocol Type: IPv4 → 0x0800 (0800 in hexadecimal)
  • Hardware Length: Ethernet → 6 bytes
  • Protocol Length: IPv4 → 4 bytes
  • Operation: Request (1) or Reply (2)
  • Source hardware address: Source MAC address
  • Source protocol address: Source IP address
  • Destination hardware address: Destination MAC address (6 bytes of 0s in request message)
  • Destination protocol address: Destination IP address

It need not be Ethernet or IPv4.

Hardware = link layer

Protocol = network layer

Total: 4 (hardware type and protocol type) + 4 (hardware length, protocol length and operation) + 6 + 4 + 6 + 4 = 28 bytes

Encapsulation of ARP

Data padding is 18 bytes (the minimum Ethernet payload is 46 bytes, and 46 - 28 = 18).
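The packet format and encapsulation above, and the request/reply exchange from the earlier A-to-B example, as an added Python example that is not part of the original notes: it packs and unpacks the 28-byte ARP packet with struct, builds a request (target hardware address all zeros, frame addressed to the broadcast MAC) and the matching unicast reply, and pads the packet to the 46-byte minimum Ethernet payload. The MAC and IP addresses in the demo are constructed.

```python
"""Build and parse 28-byte ARP packets and pad them into Ethernet frames.

Added example, not from the original notes.  MAC and IP addresses used in
the demo are constructed.
"""
import struct

HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
MIN_ETH_PAYLOAD = 46

# hardware type, protocol type, hardware len, protocol len, operation,
# sender MAC, sender IP, target MAC, target IP: 2+2+1+1+2+6+4+6+4 = 28 bytes
_ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(_ARP_FMT)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    return struct.pack(_ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(data: bytes) -> dict:
    if len(data) < ARP_LEN:
        raise ValueError("ARP packet truncated")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(_ARP_FMT, data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


def arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    # A request does not yet know the target's MAC, so that field is all zeros.
    return build_arp(OP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def arp_reply(request: bytes, my_mac: str) -> bytes:
    # The reply swaps the roles: the asked-for host becomes the sender.
    req = parse_arp(request)
    return build_arp(OP_REPLY, my_mac, req["target_ip"], req["sender_mac"], req["sender_ip"])


def ethernet_frame(dst_mac: str, src_mac: str, arp: bytes) -> bytes:
    # 28-byte ARP payload is padded to the 46-byte minimum: 18 bytes of padding.
    payload = arp + b"\x00" * max(0, MIN_ETH_PAYLOAD - len(arp))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + payload


if __name__ == "__main__":
    req = arp_request("aa:bb:cc:00:00:01", "192.0.2.1", "192.0.2.2")   # A asks for B
    print(parse_arp(req))
    print(parse_arp(arp_reply(req, "aa:bb:cc:00:00:02")))                # B answers A
    print(len(ethernet_frame(BROADCAST_MAC, "aa:bb:cc:00:00:01", req)), "byte frame")
```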

Example:

Node A has a packet to send to Node B

  • Node A and B are on the same network

When Node A broadcasts an ARP request:

When Node B returns its own link-layer address to Node A:

ARP Package

  • Cache Table
    • Store the mapping of IP address and link layer address
  • Queues
    • The system maintains a set of queues, one for each destination, to hold the IP packets while ARP tries to resolve the hardware address
  • Output Module
    • The output module waits for an IP packet from the IP software.
  • Input Module
    • The input module waits until an ARP packet (request or reply) arrives.
  • Cache Control Module
    • Responsible for maintaining the cache table

Example

The ARP output module receives an IP datagram (from the IP layer) with the destination address 114.5.7.89.

  • It checks the cache table and finds that an entry exists for this destination with the RESOLVED state (R in the table).
  • It extracts the hardware address, which is 457342ACAE32, and sends the packet and the address to the data link layer for transmission.
  • The cache table remains the same.

Twenty seconds later, the ARP output module receives an IP datagram (from the IP layer) with the destination address 116.1.7.22.

  • It checks the cache table and does not find this destination in the table.
  • The module adds an entry to the table with the state PENDING and the Attempt value 1.
  • It creates a new queue for this destination and enqueues the packet.
  • It then sends an ARP request to the data link layer for this destination.

The cache table updated to:

Fifteen seconds later, the ARP input module receives an ARP packet with target protocol (IP) address 188.11.8.71.

  • The module checks the table and finds this address. It changes the state of the entry to RESOLVED and sets the time-out value to 900.
  • The module then adds the target hardware address (E34573242ACA) to the entry.
  • Now it accesses queue 18 and sends all the packets in this queue, one by one, to the data link layer.

The cache table updated to:

Twenty-five seconds later, the cache-control module updates every entry.

  • The time-out values for the first three resolved entries are decremented by 60.
  • The time-out value for the last resolved entry is decremented by 25.
  • The state of the next-to-last entry is changed to FREE because its time-out is zero. For each of the three pending entries, the value of the attempts field is incremented by one.
  • After incrementing, the attempts value for one entry (the one with IP address 201.11.56.7) is more than the maximum (5); its state is changed to FREE, the queue is deleted, and an ICMP message is sent to the original destination.

The cache table updated to:
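The worked example above, replayed in an added Python simulation of the ARP package (cache table, per-destination queues, output, input and cache-control modules); this is not code from the original notes. The table contents are constructed, per-destination queues are kept on the entry instead of being numbered (queue 18), and one behaviour the notes do not spell out is assumed: an ARP packet for an address that has no PENDING entry leaves the table unchanged.

```python
"""Simulation of the ARP package: cache table, queues and the output,
input and cache-control modules.

Added example, not from the original notes.  Table contents are
constructed.  Assumption: an ARP packet for an address without a PENDING
entry is ignored.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

FREE, PENDING, RESOLVED = "F", "P", "R"   # state letters as used in the table
MAX_ATTEMPTS = 5
RESOLVED_TIMEOUT = 900                    # seconds, as in the worked example


@dataclass
class Entry:
    ip: str
    state: str = FREE
    attempts: int = 0
    timeout: int = 0
    hw: Optional[str] = None
    touched: int = 0                      # simulation time of the last update
    queue: Deque[bytes] = field(default_factory=deque)


class ArpPackage:
    def __init__(self) -> None:
        self.now = 0                      # simulation clock, seconds
        self.table: Dict[str, Entry] = {}
        self.sent: List[str] = []         # what went to the data link layer or ICMP

    def advance(self, seconds: int) -> None:
        self.now += seconds

    # Output module: the IP layer hands over a datagram for dst_ip.
    def output(self, dst_ip: str, datagram: bytes) -> None:
        e = self.table.get(dst_ip)
        if e is not None and e.state == RESOLVED:
            self.sent.append(f"frame to {e.hw}: {datagram!r}")   # table unchanged
            return
        if e is None or e.state == FREE:
            e = Entry(ip=dst_ip, state=PENDING, attempts=1, touched=self.now)
            self.table[dst_ip] = e
            self.sent.append(f"ARP request for {dst_ip}")
        e.queue.append(datagram)          # held until the hardware address is known

    # Input module: an ARP packet carrying hw for ip arrives.
    def input(self, ip: str, hw: str) -> None:
        e = self.table.get(ip)
        if e is None or e.state != PENDING:
            return                        # assumption: nothing was asked, nothing is changed
        e.state, e.hw, e.timeout, e.attempts, e.touched = RESOLVED, hw, RESOLVED_TIMEOUT, 0, self.now
        while e.queue:                    # flush the queue one packet at a time
            self.sent.append(f"frame to {hw}: {e.queue.popleft()!r}")

    # Cache-control module: periodic sweep over every entry.
    def control(self) -> None:
        for e in self.table.values():
            if e.state == RESOLVED:
                e.timeout -= self.now - e.touched   # decrement by the time elapsed for this entry
                e.touched = self.now
                if e.timeout <= 0:
                    e.state, e.hw = FREE, None
            elif e.state == PENDING:
                e.attempts += 1
                if e.attempts > MAX_ATTEMPTS:
                    e.state = FREE
                    e.queue.clear()               # the queue is deleted
                    self.sent.append(f"ICMP message for {e.ip}")


if __name__ == "__main__":
    arp = ArpPackage()
    arp.table["114.5.7.89"] = Entry(ip="114.5.7.89", state=RESOLVED, timeout=900, hw="457342ACAE32")
    arp.output("114.5.7.89", b"datagram 1")        # resolved: straight to the data link layer
    arp.advance(20)
    arp.output("116.1.7.22", b"datagram 2")        # unknown: PENDING entry, queue, ARP request
    arp.advance(15)
    arp.input("116.1.7.22", "E34573242ACA")        # reply: RESOLVED, queue flushed
    arp.advance(25)
    arp.control()                                  # time-outs decremented by 60 and by 25
    print("\n".join(arp.sent))
```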

Internet Control Message Protocol (ICMP)

  • During packet transmission, we may encounter some problems such as:
    • A router cannot find a route to the final destination
    • TTL becomes zero
    • The final destination does not receive all fragments
  • A host may need to determine if a router or another host is alive
  • IPv4 has no error-reporting or error-correcting mechanism.
  • ICMPv4 has been designed to compensate for these.

ICMP Format

ICMPv4 messages can be divided into two categories:

  • Error-reporting messages
    • Reporting problems encountered by a router when it processes an IP packet
    • Error includes:
      • Destination unreachable
      • Source quench
      • Time exceeded
      • Parameter problems
      • Redirection
  • Query messages
    • Occur in pairs
    • Get information from a router or another host

Error Reporting Messages

  • Error messages are always sent to the original source
    • Use the source IP address of the related datagram
  • However, no error message for the following cases
    • A datagram having a multicast address or special address (such as 127.0.0.0 or 0.0.0.0)
    • A datagram carrying an ICMP error message
    • A fragmented datagram that is not the first fragment
  • All error messages contain a data section that includes the IP header of the original datagram and the first 8 bytes of data in that datagram
    • These 8 bytes of data are the port numbers and the sequence number (TCP only) – see the first 8 bytes of the TCP and UDP headers
    • This information is needed by the transport layer to handle the error.

Type and Code values:

  • Type 03: Destination unreachable (Codes 0 to 15)
  • Type 04: Source Quench (Code 0)
  • Type 05: Redirection (Codes 0 to 3)
  • Type 11: Time exceeded (Codes 0 and 1)
  • Type 12: Parameter problem (Codes 0 and 1)

Destination Unreachable

Type = 03, Destination unreachable

  • This may happen when we use HTTP to access a web page but the server is down.
  • Then the message “destination host is not reachable” is created and sent back to the source.
  • The code field for this type specifies the reason for discarding the datagram.

Each code has a different meaning: the reason why the destination is unreachable.

Source Quench

Type = 04, Source quench

  • The network has encountered congestion and the datagram has been dropped.
  • One source-quench message is sent for each datagram that is discarded due to congestion.
  • Then, the source/transport layer controls the flow of packets.
  • It can be considered a form of congestion control – the choke-packet method.

Example:

Redirection

Type = 05, Redirection

  • Informs the source that it needs to change its default router in the future.
  • The router does not discard the datagram in this case.

Example: Host A wants to send a datagram to host B.

  • The datagram goes to R1. (Router R2 is obviously the most efficient routing choice, but host A did not choose router R2.)
  • R1, after consulting its table, finds that the packet should have gone to R2. It sends the packet to R2 and, at the same time, sends a redirection message to host A.
  • Host A’s routing table can now be updated.

Time exceeded

Type = 11, Code = 0, Time exceeded

  • The time-to-live value becomes 0, so the datagram is dropped by the router

Type = 11, Code = 1, Time exceeded

  • Not all fragments arrive at the destination within a predefined period of time

Parameter problem

Type = 12, Code = 0, Parameter Problem

  • There is an error or ambiguity in one of the header fields. In this case, the value in the pointer field points to the byte with the problem.

Type = 12, Code = 1, Parameter Problem

  • The required part of an option is missing. In this case, the pointer is not used.

Query Messages

Usage of Query Messages:

  • Echo Request and Reply: to test the liveness of hosts or routers in the internet
  • Timestamp Request and Reply: to find the one-way or the round-trip time for an IP datagram between two devices
  • Address Mask Request and Reply: a host sends an Address Mask Request message on the network to get a response from a router
  • Router Solicitation and Router Advertisement

Echo Request and Reply

Type 8: Echo request

Type 0: Echo Reply

Timestamp Request and Reply

Type 13: Timestamp request

Type 14: Timestamp reply

  • The source creates a timestamp-request message.
    • The source fills the original timestamp field at departure.
    • The other two timestamp fields are filled with zeros.
  • The destination creates the timestamp-reply message.
    • The destination copies the original timestamp value from the request message into the same field in its reply message.
    • It then fills the receive timestamp field with the time when the request was received.
    • Finally, it fills the transmit timestamp field with the time when the reply message departs.

Round-Trip Time Calculation:

  • sending time = receive timestamp - original timestamp
  • receiving time = returned time - transmit timestamp
  • round-trip time = sending time + receiving time
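The timestamp exchange and the round-trip formula above, as an added Python example that is not part of the original notes: it unpacks the three 32-bit timestamps from a type 14 reply and computes sending, receiving and round-trip time. ICMP timestamps are milliseconds since midnight UTC, so each difference is taken modulo one day to survive an exchange that straddles midnight. The reply bytes are constructed and the checksum is not verified here.

```python
"""ICMP timestamp reply: parse the three timestamps and compute the
sending, receiving and round-trip times.

Added example, not from the original notes.  Reply bytes are constructed;
the checksum field is left at zero and not verified.
"""
import struct

TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
MS_PER_DAY = 24 * 60 * 60 * 1000
# type, code, checksum, identifier, sequence number, original, receive, transmit
_FMT = "!BBHHHIII"


def elapsed(later: int, earlier: int) -> int:
    """Difference of two ms-since-midnight timestamps, correct across a midnight wrap."""
    return (later - earlier) % MS_PER_DAY


def timestamp_times(original: int, receive: int, transmit: int, returned: int) -> dict:
    sending = elapsed(receive, original)        # request in flight
    receiving = elapsed(returned, transmit)     # reply in flight
    return {"sending": sending, "receiving": receiving, "round_trip": sending + receiving}


def parse_timestamp_reply(msg: bytes) -> dict:
    if len(msg) < struct.calcsize(_FMT):
        raise ValueError("timestamp message too short")
    t, code, _cksum, ident, seq, orig, recv, xmit = struct.unpack(_FMT, msg[:20])
    if t != TIMESTAMP_REPLY or code != 0:
        raise ValueError("not a timestamp reply")
    return {"id": ident, "seq": seq, "original": orig, "receive": recv, "transmit": xmit}


def rtt_from_reply(msg: bytes, returned: int) -> dict:
    """returned is the sender's own clock reading when the reply arrived."""
    r = parse_timestamp_reply(msg)
    return timestamp_times(r["original"], r["receive"], r["transmit"], returned)


def sample_reply(original: int = 1000, receive: int = 1300, transmit: int = 1500) -> bytes:
    """Constructed reply; the destination copied original and filled receive/transmit."""
    return struct.pack(_FMT, TIMESTAMP_REPLY, 0, 0, 0x1234, 1, original, receive, transmit)


if __name__ == "__main__":
    print(rtt_from_reply(sample_reply(), returned=1900))   # sending 300, receiving 400, rtt 700
    late = sample_reply(original=MS_PER_DAY - 100, receive=200, transmit=300)
    print(rtt_from_reply(late, returned=500))              # wraps past midnight: sending 300
```

The round-trip time needs only the sender's clock, but the separate sending and receiving values compare two different clocks, so they are meaningful only when the two hosts are time-synchronised.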

One example is ping, from which we can calculate the round-trip time.

$ ping google.com

Another example is traceroute, where round-trip times are also measured.

$ traceroute google.com

Address Mask Request and Reply

Type 17: Address Mask request

Type 18: Address Mask Reply

  • This is used to obtain the subnet mask
  • The request can be sent directly to a router or broadcast on the network

Router Solicitation

  • For a host to find out what routers are connected to its own network, or to see if those routers are functioning
  • To locate the router on the network

Identifier and Sequence number fields are not used.

Router Advertisement

Router Advertisement Message

  • It sends back a list of the routers that are attached to the network

If address preference = 0, then this should be the default router