[Techtalk] reality check from networking gurus wanted

R. Daneel Olivaw linuxchix at r-daneel.com
Sun Sep 24 13:15:27 UTC 2006


Hi there,

> Is the article correct and I'm just being thick, or is the author
> missing the boat? For example:
> 
> "Home users who talk about NAT are actually talking about PAT, or
> Port Address Translation. This is quite easy to remember: PAT
> translates ports, as the name implies, and likewise, NAT translates
> addresses."
> 
> Well now, my iptables rules definitely translate addresses. This
> snippet is for a network with a static routable public IP, and a Web
> server in a DMZ on a private IP:
> 
> $ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE --dport 80 -j DNAT \
>     --to-destination 192.168.2.25:80
> $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 192.168.2.25 \
>     --dport 80 -j ACCEPT
> 
> DNAT translates the destination address, and outgoing packets are
> source-natted to the public IP:
> 
> $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 1.2.3.4
> 
> Sure looks like address translation to me.

I think this is just unneeded fuzzing.

NAT means only that you will change the content of an IP address field
in IP packets.
In DNAT, you change the target IP so the packets go to a 'masked'
host. The source IP is unchanged, so the 'masked' host may respond
correctly.
In SNAT, you want to change the source IP so the packets go out with
your router's own IP. This will mask the source IP of the real sender
(usually, you do this to hide the private IP of LAN devices when they
call the internet; also sometimes called SUA: single user account).

Now, what is PAT? You could look at it this way:
You are calling a host on port 12345 but the router knows that the real
port is 54321, so using PAT permits changing the port used for a
connection.
What for? Well, most of the time, using NAT implies using PAT.
We need to go into this in more detail.

We have a host 'HostA' that is on the internet (HostA_IP).
We have a host 'HostB' that stands on a private network (HostB_IP).
We have a router 'Router' that has 2 interfaces, one on the
internet (WAN_IP) and one on the private network (LAN_IP).

HostA has port 80 open for http requests.
HostB uses Router's LAN_IP as a gateway.
HostB wants to connect to port 80 on HostA.
HostB builds a connection that says (I skip details):
- HostB_IP:HostB_RandomOutgoingPort -> HostA_IP:80
As HostB has a private IP and HostA_IP is not in its range, HostB will
need to connect through its configured gateway (Router's LAN_IP).
At this point Router will see a packet for HostA. Router knows he is
faking internet access to all hosts on his lan segment using one single
public IP address WAN_IP (Called SNAT). Router will build a new
connection to HostA, on port 80, that looks like this:
- WAN_IP:Router_RandomOutgoingPort -> HostA_IP:80

Notice that 'Router_RandomOutgoingPort' is different from
'HostB_RandomOutgoingPort'. Why? Well, remember that an IP connection
between 2 hosts is unique, meaning that it is defined by:
sourceIP:sourcePort + targetIP:targetPort
To not break this rule, Router has to be absolutely sure that his
outgoing port is not used twice. So what if 2 different hosts want to
connect out using the same outgoing port (this would NOT break the
rule, as they each have a different IP)? The router would be unable to
reuse the same port number twice for its own outgoing connections.

As you may have noticed, we do Port Address Translation: the router
keeps a table that will tell him which IP:Port source pair has asked
for which IP:Port target pair. The router will then associate this with
its own IP:Port source pair (containing his own IP and port) and the
IP:Port target pair (this obviously cannot be changed nor invented).

The other way around now.
HostA thinks there is a website (http on port 80) on Router's public IP
(WAN_IP) and wants to connect to it.
HostB hosts a web service, but this one is running on port 8080 (just
testing tomcat for instance).
Router is set up to do DNAT (actually he has to already do the SNAT job
for outgoing connections). Router has a rule saying:
if a connection comes in on WAN_IP:80 change the packet's target IP
with HostB_IP and change target's port number to 8080.
When the IP packet reaches HostB, HostB really thinks HostA connected
to it with its real IP, and HostB may respond, as Router will do the
job the other way round.

So, there is no real trouble between NAT & PAT.
Usually, any device that does NAT does PAT. Well, as far as I know.

The other way NAT is performed is "FULL NAT", meaning: we map ALL &
ANY incoming connections to a host. This host then has to handle the
connection (the router may lay back and just automatically replace the
address field once the incoming packet matches). Some vendors call this
a "DMZ host", the idea being that a host sitting in a DMZ should
receive all incoming connections to a public IP, just as if it had
been connected 'directly' to the internet. This is used if you have
several public IPs and want to map some entirely to an inside host
while filtering out some others.
This would be "pure NAT" without PAT.
You may even map all incoming connections to a "masked" host, while
filtering out some ports to redirect them to some other host. Here
again, NAT+PAT.

Sorry this got so long and I'm afraid this is not clear enough, but ask
back if I missed some details or just messed up the explanation.

> The concluding statement has me puzzled:
> 
> "IPv6 introduces the ability to have way more IP addresses than we
> really need. Does that mean that IPv6 will eliminate NAT? No. It also
> won't eliminate the usage of NAT everyone's familiar with: PAT. We
> all need somewhere to stow Windows boxes away from the myriad of
> uninitiated connection attempts that come from the Internet."
> 
> I look forward to IPv6 taking over and thereby bit-bucketing NAT
> forever with a glad heart. It's a kludge that has served its purpose;
> now it's time to start thinking about retirement. There are ways other
> than NAT to protect private hosts, such as plain ole iptables
> filters, and IPv6 provides private addresses.
> 
> I'm digging deeply into both iptables and IPv6, and I'm working hard
> to get it right. I appreciate any comments from y'all smart kids.

Well, I understand it this way:
The major problem we have with IPv4 is the lack of IP addresses.
Say I buy an internet connection. This is shipped with a monitored
router, monitoring I pay for on the xDSL line. I get one public full
featured IP address. My provider assigned me a block of addresses, not
just one IP, but 4:
- network address
- 1st usable IP address (usually that one I use)
- 2nd usable IP address (my gateway IP, that I need to get into the net)
- broadcast address
(you know you have one if the netmask you're given is 255.255.255.248)

This is the smallest block that could be allowed.

I won't go into more details, but know that this way, IP addresses get
wasted in great numbers.
What is IPv6? Put aside the IP neighborhood discovery, integrated QOS &
encryption and so on. The real advantage of IPv6 is that it gives you
an ENORMOUS IP field. Close to every human being on earth could have
several IP addresses (ok, maybe a bit less).
So the need for NATting would disappear (not exactly, but ...): every
computer could have its own real routable IP address, inside of LANs
or not, your IP would stick to your device, roaming has been foreseen
in the protocol and even network migration.
The reason why NAT has been invented was not the protection of LAN
computers, but the expense that comes from buying as many public
routable addresses as there are IP devices.

IPv6 would resolve the NAT problem, not because it would replace it,
but because NATting would no longer be needed.

Again, there is a trick: we (network admins) use NATting to prevent
unauthorized access to computers that are behind NAT firewalls. It is a
great way to prevent script kiddies from scanning end-users' wincrap
boxes and exploiting weakly programmed software. Not only does it
shield the target hosts, but often there is close to no easy way to
hack into a cheap hardware device that is dumb and can only do outgoing
NAT and sometimes incoming NAT/PAT.

Well, I hope this helped a bit.

R. Daneel Olivaw,
The Human Robot Inside.
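As an added illustration (not part of the original thread), here is a toy Python model of the table the reply describes: the router hands each outbound LAN flow its own WAN port so two hosts using the same source port never collide (SNAT + PAT), undoes that mapping on replies, applies the WAN_IP:80 -> HostB:8080 port-forward (DNAT + PAT), and optionally acts as a "DMZ host" (address rewritten, port kept). All addresses except 192.168.2.25 are constructed.

```python
from itertools import count

# Constructed sample addresses for the thread's HostA / HostB / Router scenario.
WAN_IP = "203.0.113.4"      # Router's public side (assumed)
HOST_A = "198.51.100.10"    # HostA_IP, on the internet (assumed)
HOST_B = "192.168.2.25"     # HostB_IP, taken from the quoted DNAT rule


class Router:
    """Toy NAT box: SNAT+PAT for outbound flows, DNAT port-forwards and an
    optional 'DMZ host' (full NAT, no port rewriting) for unsolicited inbound."""

    def __init__(self, wan_ip, forward=None, dmz_host=None, first_port=40000):
        self.wan_ip = wan_ip
        self.forward = forward or {}    # {wan_dport: (inside_ip, inside_port)}
        self.dmz_host = dmz_host        # inside IP receiving everything else, or None
        self.ports = count(first_port)  # pool of the router's own outgoing ports
        self.out = {}    # (src_ip, src_port, dst_ip, dst_port) -> router_port
        self.back = {}   # (router_port, dst_ip, dst_port) -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from the LAN as HostA will see it (SNAT + PAT).
        A flow gets one router port that is never handed to another flow."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            rport = next(self.ports)
            self.out[key] = rport
            self.back[(rport, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.wan_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at WAN_IP:dst_port; returns the rewritten
        (src_ip, src_port, dst_ip, dst_port) or None when the router drops it."""
        # 1. Reply to a flow this router opened: undo the SNAT/PAT.
        inside = self.back.get((dst_port, src_ip, src_port))
        if inside is not None:
            return (src_ip, src_port) + inside
        # 2. Unsolicited, but a port-forward exists: DNAT + PAT (WAN:80 -> HostB:8080).
        if dst_port in self.forward:
            return (src_ip, src_port) + self.forward[dst_port]
        # 3. "DMZ host" / full NAT: only the address changes, the port is kept.
        if self.dmz_host is not None:
            return (src_ip, src_port, self.dmz_host, dst_port)
        return None
```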

