Introduction to Network Address Translation (NAT)
An IPv4 address is a 32-bit number used for addressing devices that communicate using Internet Protocol, a layer 3 protocol used across the internet. There are private and public versions where public IP addresses are used to route information across the internet and private IP addresses are unrouteable. Unrouteable simply means that the internet routers will drop any IP Packet containing an IP address of this type. Routable or public IP addresses are typically allocated to you by your service provider and unfortunately are in short supply.
Since there aren't enough public IP addresses for every device that wants to communicate over the internet it is common to use private IP addresses on the LAN and only one public IP address for internet access. For private LAN traffic to be routed over the Internet, the device’s internal IP address first needs to be translated (mapped) to a public IP address, a process performed by a NAT router. Essentially, NAT can utilize a single public address to represent the entire LAN to the outside world in a transparent process. Without NAT, packets using private IP addresses will be discarded by the first internet router the packet tries to cross.
What is NAT?
NAT stands for Network Address Translation. It works on the Layer 3 network level where it deals with IP packets. NAT was originally developed to help slow the depletion of public IPv4 addresses and also eliminates the need for IP addresses to be renumbered when networks are switched and can prevent address overlap. This makes it very useful in migrating and merging networks, sharing server loads and creating virtual servers inside global registered IP addresses. Of course, by allowing multiple private IP addresses to access a single internet connection, NAT saves the cost of buying an individual public IP address for each device needing to access the internet.
Along with translating addresses, NAT can provide an additional layer of security by hiding internal IP addresses and masking information from outside malicious actors. In this way, a NAT router works somewhat like a firewall guarding the LAN network. Having said that, we should mention that NAT is not a true firewall in the traditional sense in that it will not actively review the contents of a data packet. Instead, you may want to think of NAT as only a first step towards security. NAT does not replace security measures such as firewalling, monitoring, antivirus protection, intrusion detection, application security, or zero trust services.
What About IPv6?
IPv4 address exhaustion prompted the introduction of the IPv6 addressing system in 2012. Whereas IPv4 has approximately 4.2 billion available private IP addresses up for use, IPv6 leverages 128-bit addressing creating potentially 340 trillion...trillion...trillion public IP addresses (not a typo), enough for every device on Earth to have its own IP address. But until IPv6 is fully adopted, NAT remains a networking reality. As of March 2022, according to Google, the IPv6 adoption rate globally is around 34%. Adoption of IPv6 has been held back by its complexity, the cost of replacing network infrastructure, and its lack of backwards compatibility with IPv4.
NAT Protocol Types
NAT has three basic protocols: Static, Dynamic and Port Address Translation (PAT):
1. Static NAT: Static NAT is a one-to-one mapping of publicly routable IPv4 addresses to private IPv4 addresses, meaning there will be a fixed public address for every privately IP addressed device that needs to send information across the router. So, if you need more than one device on the private network that needs access to the internet you will need multiple public IP addresses. This doesn’t help with conserving public IP addresses but may work in some applications where only one device needs to have access to the internet and where that same device needs to be accessed via the internet.
If you are interested in learning more about Static NATs, be sure to check out our paper on How NAT is Used in Industrial Automation.
2. Dynamic NAT (Pooling): Dynamic NAT allows one publicly routable IPv4 address to be used by many private IPv4 addresses devices. When a private IPv4 addressed device needs to communicate across the router, typically the internet, it will borrow the public IPv4 address and the router will make a temporary static translation between the device’s private address to the public address. When the device using the public address is done communicating across the router, the public IP address is released and is available for another device to use. This process can even be implemented using a pool of public IP addresses. There might be times when the public address or pool of addresses are all being used which would prevent any other devices from being able to cross the router. Additionally, the IP translation mappings are temporary so access from the public side to the private side becomes problematic.
3. Port Address Translation (PAT): PAT is an advanced, more flexible type of dynamic NAT. PAT maps several private IP addresses to a single public address at the same time. It does this by altering the port numbers associated with IP connections. The IP and port translations are kept in a NAT table. The NAT table holds all the critical information regarding which public IP/port combination has been mapped to which private IP/port combination. So, one public IP can represent multiple private IP addresses by using unique port numbers.
PAT is the most widely used and trusted form of NAT. The diagram below gives a description of how PAT operates.
What is a NAT Table?
The NAT process centers on the NAT table, an operation that is managed within an industrial router. NAT tables are created by tracking bi-directional connections between the internal network (LAN) and the external network (Internet). As connections are made across the router, the NAT table is populated. In this way, the router can consult the NAT table, locate the correct connection entries, and perform the necessary change to a packet address to ensure it goes where it should. Data packets are discarded if no match is found.
Each row in the NAT table is a pairing of a private IP address/port number with an outside destination address and port number. A connection is characterized by source address, source port, destination address, and destination port. Once connections are closed, the entries are deleted from the table.
How Does a NAT Table Work?
A dynamic Network Address Translation (NAT) table is a critical component of internet protocol on a NAT-enabled router. NAT is used to translate IP addresses and port numbers between the private (local) network and the public (Internet) network. Its primary purpose is to allow multiple devices on a private network to share a single, public IP address with the use of port numbers. The dynamic NAT table is where the router keeps track of these translations.
Here's how a NAT table works:
1. Incoming Packet Capture: When a packet arrives at the NAT-enabled router from the private network destined for the Internet, the router examines the source IP address and port number of the packet.
2. NAT Table Lookup: The wireless or wired router checks its NAT table to see if there is an existing translation entry for the source IP address and port number. The NAT table contains entries for active connections, mapping the private IP addresses and ports to a public IP address and port.
3. Translation Decision: If there is a matching entry in the NAT table, the router knows that this packet belongs to an existing connection and needs to be translated. It modifies the source IP address and port number in the packet to the corresponding public IP address and port stored in the NAT table.
4. Update Timeout: NAT table entries have a timeout value associated with them. If no traffic is seen for a particular connection for a specified period, the entry will expire and be removed from the NAT table. This ensures that the NAT table doesn't grow indefinitely and helps maintain security.
5. Outgoing Packet Capture: When a response packet comes back from the Internet to the router (with the public IP address and port), the router checks its NAT table to find the corresponding private IP address and port associated with the destination IP address and port in the packet.
6. Translation Reversal: If there is a matching entry in the NAT table, the router modifies the destination IP address and port in the incoming packet to the private IP address and port stored in the NAT table.
By dynamically translating IP addresses and port numbers, the NAT table allows multiple devices with multiple, private networks and private IP addresses to share a single, public network and a single public IP address, without conflicting with each other. It is a crucial component of network security and helps to hide the internal structure of the private network from external entities which is ideal for security purposes.
Summary
Network Address Translation (NAT) was devised to conserve the declining number of public IPv4 addresses available for use. NAT assigns one legal, globally unique IP address to multiple devices on a private network, therefore giving them access to the Internet or internet access to other outside networks. NAT also provides additional security by effectively hiding the entire, inside network internal private network itself.
The Antaira technical support team is here to help you so you are no longer asking, 'What is NAT?'. We will resolve your Network Address Translation (NAT) challenges so you can optimize your industrial networks. Call us today at 1-714-671-9000 or send us an email at sales@antaira.com.