Transcript of: Chapter 4, Section 2. Network Address Translator (NAT), Network Address Translation. Motivation: solving the IP...
Posted 19-Dec-2015
Chapter 4, Section 2
Network Address Translator (NAT)
Network Address Translation
Motivation
• Solve the shortage of IP addresses
• IPv6
  – existing network equipment would have to be redesigned
  – expensive
• Virtual IP Gateway (VIP Gateway)
  – built on top of the current IPv4
  – lets more hosts connect to the Internet
NAT: Network Address Translation
[Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4 behind a NAT router whose Internet-side address is 138.76.29.7, connected to the rest of the Internet]
Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers
NAT: Network Address Translation
• Motivation: local network uses just one IP address as far as outside world is concerned:
  – range of addresses not needed from ISP: just one IP address for all devices
  – can change addresses of devices in local network without notifying outside world
  – can change ISP without changing addresses of devices in local network
  – devices inside local net not explicitly addressable, visible by outside world (a security plus).
NAT: Network Address Translation
Implementation: NAT router must:
  – outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #) . . . remote clients/servers will respond using (NAT IP address, new port #) as destination addr.
  – remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
  – incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table
NAT: Network Address Translation
[Figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4 behind NAT router 138.76.29.7]
NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   (S: 10.0.0.1, 3345  D: 128.119.40.186, 80)
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   (S: 138.76.29.7, 5001  D: 128.119.40.186, 80)
3: Reply arrives, dest. address: 138.76.29.7, 5001
   (S: 128.119.40.186, 80  D: 138.76.29.7, 5001)
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   (S: 128.119.40.186, 80  D: 10.0.0.1, 3345)
NAT: Network Address Translation
• 16-bit port-number field:
  – 60,000 simultaneous connections with a single LAN-side address!
• NAT is controversial:
  – routers should only process up to layer 3
  – violates end-to-end argument
  – NAT possibility must be taken into account by app designers, e.g., P2P applications
  – address shortage should instead be solved by IPv6
NAT traversal problem
• client wants to connect to server with address 10.0.0.1
  – server address 10.0.0.1 local to LAN (client can't use it as destination addr)
  – only one externally visible NATted address: 138.76.29.7
• solution 1: statically configure NAT to forward incoming connection requests at given port to server
  – e.g., (123.76.29.7, port 2500) always forwarded to 10.0.0.1 port 25000
[Figure: hosts 10.0.0.1 and 10.0.0.4 behind NAT router 138.76.29.7; an outside client asks "Client?"]
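The translation table and the four-step walkthrough on the previous slides, together with the static port forward of "solution 1", can be turned into a small simulator. The code below is an added example, not part of the original slides: it models the NAT router as a table keyed by (NAT IP address, new port #), allocates WAN-side ports starting at 5001 as in the slide table, drops inbound packets that match no mapping, and adds the static forward of public port 2500 to 10.0.0.1:25000. Packets are plain (src_ip, src_port, dst_ip, dst_port) tuples; nothing is actually sent.

```python
"""Simplified port-translating NAT (NAPT) following the slides' translation table.

Added example, not code from the original slides. Addresses are the ones on the
slides: NAT router 138.76.29.7, private net 10.0.0.0/24, host 10.0.0.1 talking to
128.119.40.186:80, and the static forward public port 2500 -> 10.0.0.1:25000.
Packets are plain (src_ip, src_port, dst_ip, dst_port) tuples; nothing is sent.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]               # (IP address, port)
Packet = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Nat:
    public_ip: str
    next_port: int = 5001            # first WAN-side port handed out, as on the slide
    table: Dict[Addr, Addr] = field(default_factory=dict)    # WAN (ip, port) -> LAN (ip, port)
    reverse: Dict[Addr, Addr] = field(default_factory=dict)  # LAN (ip, port) -> WAN (ip, port)
    static: Dict[int, Addr] = field(default_factory=dict)    # WAN port -> LAN (ip, port), "solution 1"

    def add_static_forward(self, wan_port: int, lan_addr: Addr) -> None:
        """Statically map a public port to an inside server so it can accept connections."""
        self.static[wan_port] = lan_addr

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite (src ip, port) to (public ip, new port) and remember the pair."""
        src_ip, src_port, dst_ip, dst_port = pkt
        lan = (src_ip, src_port)
        wan = self.reverse.get(lan)
        if wan is None:                      # first packet from this inside socket
            wan = (self.public_ip, self._alloc_port())
            self.table[wan] = lan
            self.reverse[lan] = wan
        return (wan[0], wan[1], dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: rewrite the destination from the table; None means the packet is dropped."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip:
            return None
        lan = self.table.get((dst_ip, dst_port)) or self.static.get(dst_port)
        if lan is None:
            return None   # no mapping: inside hosts are not addressable from outside
        return (src_ip, src_port, lan[0], lan[1])

    def _alloc_port(self) -> int:
        """Hand out WAN-side ports sequentially from the 16-bit port field."""
        if self.next_port > 65535:
            raise RuntimeError("16-bit port space exhausted")
        port = self.next_port
        self.next_port += 1
        return port


def walkthrough() -> List[Packet]:
    """The slide's four steps: outbound request, translated request, reply, translated reply."""
    nat = Nat("138.76.29.7")
    step1 = ("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1)
    step3 = ("128.119.40.186", 80, step2[0], step2[1])
    step4 = nat.inbound(step3)
    return [step1, step2, step3, step4]


if __name__ == "__main__":
    for n, p in enumerate(walkthrough(), 1):
        print(n, "S: %s, %d  D: %s, %d" % p)
```

The table is keyed only on the NAT's own (address, port), exactly as the slide table is, so once host 10.0.0.1 has opened a mapping any outside host can send to 138.76.29.7:5001 and reach it; a stricter NAT would also record the remote endpoint in the table and drop packets from anyone else. The sequential port allocator is where the "60,000 simultaneous connections" limit of the 16-bit port field shows up.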
NAT traversal problem
• solution 2: Universal Plug and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows NATted host to:
  – learn public IP address (138.76.29.7)
  – enumerate existing port mappings
  – add/remove port mappings (with lease times)
  i.e., automate static NAT port map configuration
[Figure: hosts 10.0.0.1 and 10.0.0.4 behind NAT router 138.76.29.7 acting as IGD]
NAT traversal problem
• solution 3: relaying (used in Skype)
  – NATted server establishes connection to relay
  – external client connects to relay
  – relay bridges packets between two connections
[Figure: host 10.0.0.1 behind NAT router 138.76.29.7, a relay, and an outside client]
1. connection to relay initiated by NATted host
2. connection to relay initiated by client
3. relaying established
NAT overview
[Figure: two private networks, a Token Ring and a LAN, each behind a VIP Gateway. The Token Ring hosts (IBM PS/2 10.0.0.1, 10.0.0.5, 10.0.0.2; IBM compatible 10.0.0.4; Mac II; Mac SE/Classic 10.0.0.3) sit behind a VIP Gateway with inner address 10.0.0.254 and Internet address 140.130.2.8. The LAN hosts (IBM PS/2 10.0.0.2, 10.0.0.3, 10.0.0.5; IBM compatible 10.0.0.1; Mac SE/Classic 10.0.0.4) sit behind a VIP Gateway with inner address 10.0.0.254 and Internet address 140.150.2.3. Both gateways connect to the Internet, where hosts 140.52.5.25 and 192.2.89.25 are shown.]
How the NAT gateway works internally
[Figure: inner host 10.0.0.1 (port 2048), VIP Gateway with inner IP 10.0.0.25 and Internet IP 140.9.9.9, and Internet host 140.1.2.3 (port 23)]

Outgoing datagram, inner side:
Source addr    Dest addr    Port(S)  Port(D)
10.0.0.1       140.1.2.3    2048     23

Outgoing datagram, Internet side (source rewritten by the gateway):
Source addr    Dest addr    Port(S)  Port(D)
140.9.9.9      140.1.2.3    2048     23

Incoming reply, Internet side:
Source addr    Dest addr    Port(S)  Port(D)
140.1.2.3      140.9.9.9    23       2048

Incoming reply, inner side (destination rewritten by the gateway):
Source addr    Dest addr    Port(S)  Port(D)
140.1.2.3      10.0.0.1     23       2048

Mapping Table
Source addr    Dest addr    Port(S)  Port(D)
10.0.0.1       140.1.2.3    2048     23
140.9.9.9      140.1.2.3    2048     23
Diagram for the NAT gateway calculation
[Figure: three VIP Gateways with Internet addresses 72.88.9.10, 140.252.1.29 and 140.150.2.3, each fronting its own Private Internet (192.168.0.0~192.168.255.255), all connected to the Internet]
How many hosts can a NAT gateway connect to the Internet?
[Formula on the slide not recoverable from the transcript]
Number of hosts that can connect to the Internet under IPv4
Average number of hosts available to each person worldwide
IPv4 address classes (bit positions 0 7 | 8 15 | 16 23 | 24 31)
IPv4 (class A): leading bit 0
IPv4 (class B): leading bits 1 0
IPv4 (class C): leading bits 1 1 0
Address Allocation for Private Internets
RFC 1597: IANA reserves the following IP address space for private LANs
• 10.0.0.0~10.255.255.255 (2^24 addresses)
• 172.16.0.0~172.31.255.255 (2^20 addresses)
• 192.168.0.0~192.168.255.255 (2^16 addresses)
Client-based
• Take the NCTU Computer Science department as an example: the whole department's allocated IP address space is .17, .209, .214, .215, .216, .235, 1536 IP addresses in total.
• The externally facing servers (mail server, ftp server, BBS server, proxy server, etc.) number about thirteen, so there are far fewer servers than clients.
• Servers account for roughly one percent.
Money spent on promoting IPv6
• The US NGI spent 6 billion USD promoting IPv6 trials on university campuses.
• Taiwan's National Science Council also invested 300 million USD to fund this trial on the US side.
• IPv6 is expected to be commercialised in the year 2000.
Excerpt from the Economic Daily News
Problems with IPv6
• Compatibility between IPv6 and IPv4.
• The software at every layer must be rewritten to accommodate IPv6 (TCPv6, UDPv6, ...).
• All existing hardware, such as gateways and routers, must be replaced.
• The larger IP header increases the overhead of data transmission.
Advantages of NAT
• Avoids wasting IP addresses
• Reduces the opportunities for hacker intrusion
• When a host actually needs to connect to the Internet, no IP address reassignment is needed
Disadvantages of deploying NAT
• Cost of purchasing the NAT
• Performance
  – address translation and checksum recomputation
• Stability
• Security
  – restricts the use of encryption and authentication
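The checksum recomputation listed above among NAT's performance costs is concrete enough to show. The code below is an added example, not from the original slides: it builds a constructed 20-byte IPv4 header for the datagram on the "how the NAT gateway works internally" slide (10.0.0.1 to 140.1.2.3), rewrites the source address to the gateway's Internet address 140.9.9.9, and repairs the header checksum two ways: a full recomputation over the header, and the incremental update of RFC 1624, which is what a gateway does to avoid touching every word. The identification, TTL and total-length fields are constructed values. Only the IPv4 header is handled here; the TCP/UDP checksum covers a pseudo-header that includes both IP addresses, so a real NAT must update it in the same way.

```python
"""IPv4 header checksum repair after a NAT address rewrite.

Added example, not code from the original slides. Addresses follow the slide
(10.0.0.1 -> 140.1.2.3, gateway Internet IP 140.9.9.9); identification, TTL and
total length are constructed values.
"""
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum of a header, treating its checksum field (bytes 10-11) as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def checksum_field(header: bytes) -> int:
    """The 16-bit value stored in the header's checksum field."""
    return struct.unpack("!H", header[10:12])[0]


def build_header(src: str, dst: str, proto: int = 6, total_len: int = 40, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def verify(header: bytes) -> bool:
    """Receiver's check: summing every word including the checksum yields 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def rewrite_src_full(header: bytes, new_src: str) -> bytes:
    """NAT rewrite of the source address with a full checksum recomputation."""
    hdr = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def rewrite_src_incremental(header: bytes, new_src: str) -> bytes:
    """NAT rewrite using the RFC 1624 incremental update: HC' = ~(~HC + ~m + m')."""
    old = header[12:16]
    new = ipaddress.IPv4Address(new_src).packed
    hc = checksum_field(header)
    total = ((~hc) & 0xFFFF) + ((~ones_complement_sum(old)) & 0xFFFF) + ones_complement_sum(new)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return header[:10] + struct.pack("!H", (~total) & 0xFFFF) + new + header[16:]


if __name__ == "__main__":
    inner = build_header("10.0.0.1", "140.1.2.3")
    outer = rewrite_src_incremental(inner, "140.9.9.9")
    print("inner checksum 0x%04x valid=%s" % (checksum_field(inner), verify(inner)))
    print("outer checksum 0x%04x valid=%s" % (checksum_field(outer), verify(outer)))
```

Rewriting the address bytes without touching the checksum leaves a header that every downstream router and the destination host will discard, which is why the translation step and the checksum step are inseparable and why the slides count them together as a performance cost.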