#readwise

# Network address translation - Wikipedia

![rw-book-cover](https://upload.wikimedia.org/wikipedia/commons/thumb/c/c7/NAT_Concept-en.svg/1200px-NAT_Concept-en.svg.png)

## Metadata

- Author: [[wikipedia.org]]
- Full Title: Network address translation - Wikipedia
- URL: https://en.wikipedia.org/wiki/Network_address_translation

## Summary

Network Address Translation (NAT) helps connect private networks to the Internet by changing IP address information in data packets. There are different types of NAT, including one-to-one and one-to-many translations. NAT keeps internal IP addresses hidden, using a public IP address instead for external communications. This technology is important for applications like VoIP and video conferencing, which need special methods to work through NAT.

## Highlights

Network address translation (NAT) is a method of mapping an IP [address space](https://en.wikipedia.org/wiki/Address_space) into another by modifying [network address](https://en.wikipedia.org/wiki/Network_address) information in the [IP header](https://en.wikipedia.org/wiki/IP_header) of packets while they are in transit across a traffic [routing device](https://en.wikipedia.org/wiki/Router_(computing)). ... It has become a popular and essential tool in conserving global address space in the face of [IPv4 address exhaustion](https://en.wikipedia.org/wiki/IPv4_address_exhaustion). One Internet-routable [IP address](https://en.wikipedia.org/wiki/IP_address) of a NAT gateway can be used for an entire [private network](https://en.wikipedia.org/wiki/Private_network). ^wjg5n6

---

As network address translation modifies the IP address information in packets, NAT implementations may vary in their specific behavior in various addressing cases and their effect on network traffic. Vendors of equipment containing NAT implementations do not commonly document the specifics of NAT behavior.
([View Highlight](https://read.readwise.io/read/01jjfhav2fagbk30hexfcjwem9))

---

All IP packets have a source IP address and a destination IP address. **Typically, packets passing from the private network to the public network will have their source address modified, while packets passing from the public network back to the private network will have their destination address modified.** To avoid ambiguity in how replies are translated, further modifications to the packets are required. The vast bulk of Internet traffic uses [Transmission Control Protocol](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) (TCP) or [User Datagram Protocol](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (UDP). For these protocols, **the [port numbers](https://en.wikipedia.org/wiki/Port_number) are changed so that the combination of IP address (within the IP header) and port number (within the transport layer header) on the returned packet can be unambiguously mapped to the corresponding private network destination.** RFC 2663 uses the term network address and port translation (NAPT) for this type of NAT. Other names include port address translation (PAT), *IP masquerading*, *NAT overload*, and *many-to-one NAT*. This is the most common type of NAT and has become synonymous with the term *NAT* in common usage. ^blqv68

**This method allows communication through the router only when the conversation originates in the private network, since the initial originating transmission is what establishes the required information in the translation tables.** Thus a [web browser](https://en.wikipedia.org/wiki/Web_browser) within the private network would be able to browse websites that are outside the network, whereas web browsers outside the network would be unable to browse a website hosted within. Protocols not based on TCP and UDP require other translation techniques.
([View Highlight](https://read.readwise.io/read/01jjfhf2kqvka4ng3g4w4sg0)) ^l8asyx

---

Network address and port translation may be implemented in several ways. Some applications that use IP address information may need to determine the external address of a network address translator. This is the address that its communication peers in the external network detect. Furthermore, it may be necessary to examine and categorize the type of mapping in use, for example when it is desired to set up a direct communication path between two clients both of which are behind separate NAT gateways. For this purpose, **RFC 3489 specified a protocol called *Simple Traversal of UDP over NATs* ([STUN](https://en.wikipedia.org/wiki/STUN)) in 2003. It classified NAT implementations as *full-cone NAT*, *(address) restricted-cone NAT*, *port-restricted cone NAT* or *symmetric NAT*, and proposed a methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods are inadequate to correctly assess many devices. RFC 5389 standardized new methods in 2008 and the acronym *STUN* now represents the new title of the specification: *Session Traversal Utilities for NAT*.**

([View Highlight](https://read.readwise.io/read/01jjfhhr12kn4jafaygvnq22x2)) ^egrkhz

---

## NAT implementation classifications

### Full-cone NAT, or NAT 1, also known as *one-to-one NAT*

- Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
- *Any external host* can send packets to iAddr:iPort by sending packets to eAddr:ePort.

([View Highlight](https://read.readwise.io/read/01jjfhqr3qmahtpc3fvth17ay7))

---

### (Address)-restricted-cone NAT, or NAT 2

- Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
- An external host (*hAddr:any*) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:*any*. *Any* means the port number doesn't matter.

([View Highlight](https://read.readwise.io/read/01jjfht8ne4zc4z7f6gfhf5px9))

---

### Port-restricted cone NAT, or NAT 3

- Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
- An external host (*hAddr:hPort*) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:hPort. It is similar to an address-restricted cone NAT, but the restriction includes port numbers.

([View Highlight](https://read.readwise.io/read/01jjfhzk23b3svpk936mphakn4))

---

### Symmetric NAT, or NAT 4

- The combination of one internal IP address plus a destination IP address and port is mapped to a single unique external source IP address and port; if the same internal host sends a packet even with the same source address and port but to a different destination, a different mapping is used.
- Only an external host that receives a packet from an internal host can send a packet back.

([View Highlight](https://read.readwise.io/read/01jjfj1vwnq6yzs85x5fh3e6q1))

---

## Better Terminology?

RFC 4787 attempts to alleviate confusion by introducing standardized terminology for observed behaviors. For the first bullet under each NAT type above, the RFC would characterize Full-Cone, Restricted-Cone, and Port-Restricted Cone NATs as having an *Endpoint-Independent Mapping*, whereas it would characterize a Symmetric NAT as having an *Address- and Port-Dependent Mapping*.
For the second bullet under each NAT type above, RFC 4787 would also label Full-Cone NAT as having an *Endpoint-Independent Filtering*, Restricted-Cone NAT as having an *Address-Dependent Filtering*, Port-Restricted Cone NAT as having an *Address and Port-Dependent Filtering*, and Symmetric NAT as having either an *Address-Dependent Filtering* or *Address and Port-Dependent Filtering*.

([View Highlight](https://read.readwise.io/read/01jjfjf6msskxz0vc87vqbsweh))

---
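The NAPT translation table, the four classic NAT types and the RFC 4787 mapping/filtering vocabulary above can all be exercised with a small model of the translation table. The Python below is an added example, not text or code from the Wikipedia article or from any NAT vendor: the `NAT`, `Mapping` and `probe` names and the constants are assumptions, the addresses are constructed values from the IPv4 documentation ranges, and, as the page itself notes, real devices often deviate from these textbook behaviours. From a defender's point of view the filtering behaviour is the property that matters, because it decides whether an unsolicited packet from an arbitrary external host is forwarded to an internal host at all.

```python
"""Toy NAPT model of the four classic NAT types, expressed with the RFC 4787
mapping and filtering behaviours. Constructed example with assumed names;
it is not Wikipedia's text or any vendor's implementation."""
from dataclasses import dataclass, field
from itertools import count

# Mapping behaviour: how the NAT picks the external eAddr:ePort for an outbound flow.
EIM = "endpoint-independent"          # same eAddr:ePort for every destination (cone NATs)
APDM = "address-and-port-dependent"   # new eAddr:ePort per destination (symmetric NAT)

# Filtering behaviour: which external hosts may send inbound through that eAddr:ePort.
EIF = "endpoint-independent"          # any external host (full cone)
ADF = "address-dependent"             # only hosts already contacted, any port (restricted cone)
APDF = "address-and-port-dependent"   # only hAddr:hPort pairs already contacted (port-restricted, symmetric)

# The classic names from the page as (mapping, filtering) pairs.
FULL_CONE = (EIM, EIF)
RESTRICTED_CONE = (EIM, ADF)
PORT_RESTRICTED_CONE = (EIM, APDF)
SYMMETRIC = (APDM, APDF)   # RFC 4787 also allows ADF here; APDF is the common case


@dataclass
class Mapping:
    external: tuple                          # (eAddr, ePort) allocated by the NAT
    peers: set = field(default_factory=set)  # (hAddr, hPort) destinations sent to via this mapping


class NAT:
    def __init__(self, external_ip, mapping, filtering, first_port=40000):
        self.external_ip = external_ip
        self.mapping = mapping
        self.filtering = filtering
        self._ports = count(first_port)  # next free external port
        self.table = {}                  # translation table: key -> Mapping

    def _key(self, src, dst):
        # EIM keys on the internal endpoint only; APDM keys on (internal endpoint, destination).
        return src if self.mapping == EIM else (src, dst)

    def outbound(self, src, dst):
        """Packet iAddr:iPort -> hAddr:hPort leaves the NAT; returns the eAddr:ePort it leaves with.
        This is the step that creates the translation-table entry."""
        key = self._key(src, dst)
        entry = self.table.get(key)
        if entry is None:
            entry = Mapping((self.external_ip, next(self._ports)))
            self.table[key] = entry
        entry.peers.add(dst)
        return entry.external

    def inbound(self, src, dst):
        """Packet hAddr:hPort -> eAddr:ePort arrives from outside; returns the internal
        iAddr:iPort it is forwarded to, or None when the filtering rule drops it."""
        for key, entry in self.table.items():
            if entry.external != dst:
                continue
            internal = key if self.mapping == EIM else key[0]
            if self.filtering == EIF:
                return internal
            if self.filtering == ADF and any(peer[0] == src[0] for peer in entry.peers):
                return internal
            if self.filtering == APDF and src in entry.peers:
                return internal
        return None  # no matching entry, or the filter rejects this sender


def probe(nat_type):
    """Run the checks a STUN-style classification relies on against one NAT type."""
    nat = NAT("203.0.113.5", *nat_type)              # constructed public address (TEST-NET-3)
    client = ("192.168.1.10", 5000)                  # iAddr:iPort on the private side
    server_a = ("198.51.100.1", 3478)                # two constructed STUN-like servers
    server_b = ("198.51.100.2", 3478)
    ext_a = nat.outbound(client, server_a)           # server_a would report this as the reflexive address
    ext_b = nat.outbound(client, server_b)
    return {
        "same_external_for_both_servers": ext_a == ext_b,
        "unsolicited_host_gets_through": nat.inbound(("192.0.2.99", 1234), ext_a) == client,
        "server_a_from_other_port_gets_through": nat.inbound((server_a[0], 9999), ext_a) == client,
        "server_a_reply_gets_through": nat.inbound(server_a, ext_a) == client,
    }


if __name__ == "__main__":
    for name, nat_type in [("full cone", FULL_CONE), ("restricted cone", RESTRICTED_CONE),
                           ("port-restricted cone", PORT_RESTRICTED_CONE), ("symmetric", SYMMETRIC)]:
        print(name, probe(nat_type))
```

Running the file prints one result line per NAT type. The first key is the mapping test: only the symmetric model hands out a different external port per destination, which is why two STUN servers report different reflexive addresses for it. The remaining keys are the filtering tests: full cone forwards the unsolicited packet, restricted cone forwards it only from an already-contacted address, and port-restricted cone and symmetric forward it only from the exact address and port previously sent to.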