|
Softpanorama
(slightly skeptical)
Open Source Software Educational Society |
May the
source be with you,
but remember the KISS principle ;-)
|
NAT
jpsdomain.org NAT & Private IP Address Ranges
An IP (Internet Protocol) Address is a 32-bit number broken up into "quads"
of 1 byte each, separated by dots. 1 byte is 8 bits which in decimal is a number
in the range 0 to 255. For example, 10.234.56.71 is an IP Address. There are
only so many "real" IP addresses, and they are (and have been) perpetually very
close to being used up and thus are very difficult to get.
One of the solutions to this problem is so-called "private" IP Addresses.
These are ranges of IP Addresses set aside expressly for use by a company or
other entity internally. Private IP Addresses cannot be used to connect directly
to the Internet--that is they are non-routable. These are also often called
RFC1918
addresses.
You use a Private IP Address when you wish to use TCP/IP on your LAN, but do
not wish to try and register enough legal or legitimate addresses for all your
devices. Even if you do wish to get than many, you will not. Essentially all
valid IP addresses are already owned, either by very large corporations (like
AT&T) or by ISPs. When you contract for service from an ISP, you are allocated
some number of legitimate IP Addresses out of that ISP’s pool of addresses.
- Increased security (since private IP addresses are not routable across
the Internet).
- You conserve the world-wide pool of IP Addresses.
- You do not have to register or pay for these IP Addresses in any way
(internal independence from ISP IP addresses).
- When you connect to the Internet via a Firewall and NAT (Network Address
Translation, AKA IP Masquerading) you will not block any address ranges from
yourself.
- Little or no performance degradation (depending on your Firewall).
See also my SOHO
Information Security and
Typical Home
Network Designs pages.
Disadvantages
- If you merge with a company that has chosen the same Private IP Address,
one or both of you will have to re-number. This can be difficult and
expensive.
- Some applications don't work with NAT.
- Anything using NBT (UDP 138), i.e. NT Networking cannot communicate
behind a Firewall with NAT. See below for the reason.
- Some applications needing encryption and key exchange (specifically any
application that embeds IPs in the datastream) may not work with NAT.
- It may require more work to plan and configure.
Private IP Address Ranges
This is the "classic"
RFC1918.
| Class |
From |
To |
CIDR Mask |
Decimal Mask |
| Class "A" or 24 Bit |
10.0.0.0 |
10.255.255.255 |
/8 |
255.0.0.0 |
| Class "B" or 20 Bit |
172.16.0.0 |
172.31.255.255 |
/12 (or more typically /16) |
255.240.0.0 (or 255.255.0.0) |
| Class "C" or 16 Bit |
192.168.0.0 |
192.168.255.255 |
/16 (or more typically /24) |
255.255.0.0 (or 255.255.255.0) |
Other useful Ranges
The following is adapted from this
comment associated with
RFC1918 and RFC3330.
See also the Bogon
List.
| Class/Type |
From |
To |
CIDR Mask |
Decimal Mask |
| Broadcast/This Net [RFC1700] |
0.0.0.0
255.255.255.255 |
N/A |
N/A |
N/A |
| Null |
0.0.0.1 |
0.255.255.255 |
/8 |
255.0.0.0 |
| Public-Data Networks [RFC1700] |
14.0.0.0 |
14.255.255.255 |
/8 |
255.0.0.0 |
| Cable Television Networks |
24.0.0.0 |
24.255.255.255 |
/8 |
255.0.0.0 |
| Loopback [RFC1700] |
127.0.0.0 |
127.255.255 |
/8 |
255.0.0.0 |
| Local-Link (for auto-DHCP) |
169.254.0.0 |
169.254.255.255 |
/16 |
255.255.0.0 |
| Testnet addresses (for tests only) |
192.0.2.0 |
192.0.2.255 |
/24 |
255.255.255.0 |
| 6to4 Relay Anycast [RFC3068] |
192.88.99.0 |
192.88.99.255 |
/24 |
255.255.255.0 |
| Network Interconnect/Testing [RFC2544] |
198.18.0.0 |
198.19.255.255 |
/15 (supernet) |
255.254.0.0 |
| Class "D" (IPv4 multicast) [RFC3171] |
224.0.0.0 |
239.255.255.255 |
/4 (supernet) |
240.0.0.0 |
| Class "E" (don't use) |
240.0.0.0 |
247.255.255 |
/4 (supernet) |
240.0.0.0 |
Network Address Translation (NAT) AKA IP Masquerading
NAT, AKA IP Masquerading, is the process by which a "private," "illegal," and
non-routable IP Address is translated into a "legal," routable address. There
are two kinds of NAT, often called static NAT and Hide NAT. Static NAT provides
a one to one correlation between the illegal private address and the legal
routable one. For example, the Web Server on 192.168.1.10 may be statically
mapped to 39.136.195.47. Hide NAT is a many to one arrangement where the many
illegal addresses behind some device appear to the Internet as one single
address (often the legal address of the device itself). For example, the entire
172.25.1.0 network may hide behind the single valid IP address of the device at
38.111.56.96.
NAT Devices
There are three devices that typically perform NAT. They are routers,
firewalls and proxy servers.
Hide Mode NAT
In hide mode, the external address of the NAT device "hides" most or all
outgoing connections. To the Internet, it seems that all traffic originates from
this single address, when it really comes from all different machines on the
internal network. The traffic is differentiated at the NAT device by a table of
port numbers. For example, the port used for Web Surfing is port 80 (http). If a
client computer at 192.168.1.37 surfs to
www.dell.com, the NAT
device may assign that to port 20,134. When the response comes back, the
firewall knows that anything directed to port 20,134 really goes to the client
at 192.168.1.37. That way, more than one person can surf at the same time, using
the same external IP address, but everything goes to the correct person.
Static Mode NAT
In static mode, there is a one to one correlation between internal (illegal,
non-routable) and external (legal, routable) addresses. The must be the
case if you wish top have an E-Mail server, Web server or any other service that
is accessible from the Internet. DNS (Domain Name Service) published the IP
Addresses of server (or services) that are accessible. These published addresses
must be legal, and routable. The IP network of addresses available for this use
is termed the "moat" network, below. A typical "moat" network looks like this:
| IP Address |
Description |
| 209.146.2.40 |
Network Name |
| 209.146.2.41 |
Available IP Address (usually assigned to the internal router
interface) |
| 209.146.2.42 |
Available IP Address (usually assigned to the external firewall
interface) |
| 209.146.2.43 |
Available IP Address (may be Web server?) |
| 209.146.2.44 |
Available IP Address (may be E-Mail server?) |
| 209.146.2.45 |
Available IP Address |
| 209.146.2.46 |
Available IP Address |
| 209.146.2.47 |
Broadcast Address |
A very interesting thing happens with static NAT, however. Since the router
is at IP address 209.146.2.41, when it sees a packet destined for 209.146.2.43,
it "arps" for the Web server. Since the router knows that it is on network
209.146.2.40/29 and the Web server address is 209.146.2.43 they should be on the
same network. But they really aren’t. So when the router "arps" (uses the
Address Resolution Protocol to find the Web server), the Web server will not
answer, since it is really on network 192.168.1.0/24. To solve this
problem, devices that perform static NAT also perform "proxy arp".
Any device configured to do static NAT has a list of servers it will "answer
for" when it hears an arp request. IT will essentially lie and say, "yes, I am
that server, please send me the packet." When it get the packet, it forwards it
to the real server.
A Typical Internet Connection Scenario
A very common small business-class (as opposed to home use) Internet
connection looks like this following:
Re:A router routes packets. (Score:5, Informative)
by mad flyer (589291) on
Monday January 17, @11:17PM (#11392113)
|
Technically it's more PAT (port address translation) rather than NAT
(network address translation).
On cisco it's also the "nat overload".
NAT leave you somewhat vulnerable it's a mapping address for address (many
to many). Don't feel secure with NAT without firewalling.
PAT is much more closed (many to one).
It's also true that everyone say NAT when they do PAT. |
Notes:
- Those pages are written by people for whom English is not a
native language. Some amount of grammar and spelling errors
should be expected.
- This is a Spartan WHYFF (We Help You For Free) site. It
cannot replace the best teachers and
the
best books.
- The site contain some obsolete pages as it develops like a
living tree... Some links on older pages
are broken. Please
try to use Google, Open directory, etc. to find a replacement link
(see
HOWTO search the WEB for details).
We would appreciate if you can
mail us a correct link.
|
|
[Nat00] "The Network Address Translation White Paper,"
@Home Networks, at
http://work.home.net/whitepapers/natwpaper.html
Copyright © 1996-2007 by Dr. Nikolai Bezroukov.
www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author free time.
Submit
comments This document is an industrial compilation designed and created
exclusively for educational use and is placed under the copyright of the
Open Content License(OPL).
Original materials copyright belong to respective owners. Quotes are made
for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on
this web page are those of the author and are not endorsed by, nor do they necessarily
reflect, the opinions of the author present and former employers, SDNP or any other
organization the author may be associated with. We do not warrant the correctness
of the information provided or its fitness for any purpose.
Last modified:
February 28, 2008
