i am learning the basics.......!

Thursday, October 19, 2006

NAT ( Network Address Translation )

NAT is network address translation. It is used for better address utilization and also for security. If only one IP is presented to the external world and all the machines in the local network use internal IP addresses, a lot of address space is saved. It also improves security, as internal machines are not directly exposed to the outside world.

How does NAT work? NAT has many different varieties of implementation. The most popular of these is PAT (Port Address Translation).

How does NAT work?
Assume 200.100.100.100 is the global IP available and the internal IPs are in the range 10.x.x.x. Say I try to open an HTTP connection to 203.179.222.22 from my machine (which is 10.1.1.4). The initial packet may look like this: (src IP 10.1.1.4, src port say 1000, dest IP 203.179.222.22, dest port 80). The packet reaches the gateway, where NATing takes place transparently to the user. For each connection a mapping is made; in this case, for (10.1.1.4, 1000) a corresponding entry may be (200.100.100.100, 5000), where 200.100.100.100 is the public IP and 5000 is a free port selected from the available list.
So the entry for (10.1.1.4, 1000) is port 5000. The packet is modified and sent to the outside world, becoming [src IP 200.100.100.100, src port 5000, dest IP 203.179.222.22, dest port 80]. The destination 203.179.222.22 is aware only of source 200.100.100.100 and will respond to that. When the response reaches 200.100.100.100, the gateway looks at the dest port, which is 5000, and looks for an entry in the NAT table. In this case it finds the entry (10.1.1.4, 1000), replaces the dest IP and dest port with those values, and forwards the packet to the internal network.

The full process of NATing happens transparently to the user. NATing is also asymmetrical: it is used only to access the outside world; from outside you cannot access inside machines, because no table entry exists for a connection nobody inside initiated. Administrators usually configure which networks have to be NATed. All packets from other networks are simply forwarded.
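As an added illustration (not code from the original post), here is a small Python model of the PAT table described above: the outbound packet from 10.1.1.4:1000 gets the public address and a free port (5000), the reply is mapped back by its destination port, and an inbound packet with no table entry is dropped, which is the asymmetry just mentioned. The class and method names are my own; the addresses and ports are the ones used in the post.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "200.100.100.100"   # the gateway's single global address (from the post)
INTERNAL_PREFIX = "10."         # internal hosts live in 10.x.x.x (from the post)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatGateway:
    """Minimal Port Address Translation table: (internal ip, port) <-> public port."""

    def __init__(self, first_free_port: int = 5000):
        self.next_port = first_free_port
        self.out: Dict[Tuple[str, int], int] = {}   # (10.1.1.4, 1000) -> 5000
        self.back: Dict[int, Tuple[str, int]] = {}  # 5000 -> (10.1.1.4, 1000)

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the LAN: create or reuse a mapping, rewrite src ip:port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:                     # first packet of this connection
            port = self.next_port                   # pick a free public port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return Packet(PUBLIC_IP, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from outside: only a dest port with a table entry gets in."""
        entry = self.back.get(pkt.dst_port)
        if entry is None:                           # unsolicited: nobody inside asked
            return None                             # dropped (the asymmetry in the post)
        ip, port = entry
        return Packet(pkt.src_ip, pkt.src_port, ip, port)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Gateway decision: NAT the internal prefix, pass other networks untouched."""
        if pkt.src_ip.startswith(INTERNAL_PREFIX):
            return self.outbound(pkt)
        if pkt.dst_ip == PUBLIC_IP:
            return self.inbound(pkt)
        return pkt                                  # other networks are simply forwarded
```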

NATing happens at layer 3 / layer 4. People sometimes confuse NATing with proxying. A proxy works at the application layer: some application sitting in the middle acts on behalf of the client towards the server and on behalf of the server towards the client. It is not transparent; the client has to know about the proxy.

Tuesday, October 17, 2006

Strong host routing

Strong host routing is an interesting concept. It is of interest in multi-homed hosts (hosts having two or more network addresses). The decision of how to route a given packet to the network is made not only on the "destination address" but also on the "source address". The strong host model is described in RFC 1122. It adds security, as packets cannot be sent out with a source address that does not belong to the interface the packet leaves from.

On the receive side, when a unicast packet arrives at a host, the weak host model accepts the packet if the destination address matches any of the host's local IP addresses. In the strong host model the packet is accepted only if the destination address matches the IP address of the interface on which it was received. This prevents a class of multi-homing based network attacks.

The Next Generation TCP/IP stack in Microsoft Windows Vista supports strong host routing by default.
