Address translation (NAT) is:RoutertakePrivate addressConvert toPublic address It enables data packets to be sent to the Internet, and when receiving data packets from the Internet, it converts the public address to the private address.In a computer network,Network address translation(Network Address Translation or NAT for short, also called network masking or IP masking)firewallOverwrite source whenIP addressOr/and purposeIP addressTechnology.
Network Address Translation (NAT), also known as address proxy, realizes the function of private network accessing external network.[1]
This technology is widely used in manyhostBut only through one publicIP addressAccess the private network of the Internet.According to the specification,RouterIt can't work like this, but it is indeed a convenient and widely used technology.Of course, NAT also makes the communication between hosts more complex, resulting in lower communication efficiency.
summary
Announce
edit
Réseau sans NAT
R é seau avec NAT starts as a solutionIPv4Address shortage to avoid reservationIP addressDifficult schemes have become popular.Network address translationIt is widely used in many countries. Except the United States, almost everyone in the United States has been given an address for historical reasons.So NAT becomes a network connection between home and small officeRouterBecause for them, the cost of applying for redundant IP addresses is higher than the benefits.
In a typical configuration, a local network uses the specification of a VPCSubnet(such as 192.168. x.x or 10. x.x.x) and a router connected to the network.This router occupies thisnetwork addressA private address of a space (such as 192.168.0.1), and it also passes one or moreInternet Service ProviderPublicIP address(called "overload" NAT) connected to the Internet.When information is transferred from the local network to the Internet, the source address is immediately converted from a private address to a public address.The router tracks the basic data on each connection, mainly the destination address and port.When a reply is returned to the router, it determines the forwarding toIntranetWhich ofhost;If multiple public addresses are available, when the data packet returns,TCPorUDPClient'sPort numberIt can be used to decompose data packets.For a system on the Internet,RouterIt acts as the source and destination address of communication.
Some people have always believed that the widespread adoption of IPv6 will make NAT unnecessary, because NAT is just a processIPv4Ofaddress spaceInadequate methods.
shortcoming
Announce
edit
In a NAT enabledRouterLowerhostNo real end-to-end connection has been established, and you cannot participate in someInternet Protocol。Some need to initialize theTCPConnection and useStateless protocol, such asUDP's service will be interrupted.Unless the NAT router makes some specific efforts, the sent packets will not reach the correct destination address.Some agreements can sometimes beApplication layer gatewayWith the help of (see below), a NAT instance, such as FTP, can be accommodated between hosts participating in NAT.NAT will also complicate security protocols, such as IPsec.
End to endThe connection isIABAs one of the core Internet protocols supported by the Internet Architecture Board, some people believe that NAT is a violation of the public Internet.someInternet Service ProviderOnly provide local services to their customersIP addressTherefore, they must access services outside the ISP network through NAT, and whether these companies can truly provide Internet services has also been discussed.
benefit
Announce
edit
In addition to bringing convenience and cost, NATfull duplexIn some cases, the lack of connection support can be seen as a beneficial feature rather than a limitation.To some extent, NAT depends on a machine on the local network to initialize andRouterOn the other sidehostIt can prevent malicious activities of hosts on the external network.This will preventNetwork worm virusTo improve the reliability of the local system and prevent malicious browsing to improve the privacy of the local system.Many NAT enabledfirewallThis function is used to provide core protection.In addition, it is alsoUDPThe cross LAN transmission provides convenience.
Conversion mode
Announce
edit
At present, there are three address translation methods.One is often abbreviated as "NAT"Network address translation(sometimes called“network addressPort conversion ", recorded asNAPT), which supports port mapping and allows multiplehostShare a commonIP address。
The second one can also be called NAT or "basic NAT" or "static NAT", but it is simpler in technology. It only supports address translation and does not supportPort Mapping, which requires an IP address for each current connection.BroadbandRouterThis method is usually used to allow a designated computer to receive all external connections, even when the router itself has only one available external IP address. This router is sometimes marked as a DMZ host.
The third is called pooled NAT, which defines a series of legal addresses in the external network and maps them to the internal network by dynamic allocation.[2]
NAT supporting port conversion can be divided into two categories:Source Address TranslationAnd destination address translation NAT.In the former caseIP addressIt will be rewritten. In the latter case, the IP address of the connected computer will be rewritten.In fact, the above two methods are usually used together to support two-way communication.
Applications affected by NAT
Some high-level protocols (such as FTP, Quake, SIP) send network layer (layer 3) information within the valid data of IP packets.For example, FTP in active mode uses separate ports to control command transmission and data transmission respectively.When a file transfer is requested,hostAt the same time of sending the request, it also informs the other party which port it wants to accept data on.However, if the host sends the request behind a simple NAT firewall, the information received by the other side will be invalid due to the port mapping.
OneApplication layer gateway(Application Layer Gateway or ALG) can correct this problem.The ALG software module running on the NAT firewall device can update any invalid information caused by address translation.Obviously, ALG needs to understand the upper layer protocol to be modified, so each protocol with this problem needs to have a separate ALG.
However, most traditional client server protocols other than FTP do not need to send network layer (layer 3) information, and thus do not need ALG.
Another possible solution to this problem is to use theSTUNThis kind of technology, but it only aims atUDPAnd needs it to build in this technology.This technique is also invalid for symmetric NAT.Another possible solution isUPnP, but it needs to be used together with NAT devices
Usage Examples
Announce
edit
load balance : Destination address translation NAT canredirectSome servers are connected to other randomly selected servers.
Expiration: The destination address translation NAT can be used to provide highly reliable services.If one system passesRouterOnce the router detects that the server is down, it can use the destination address translation NAT to transparently transfer the connection to a backup server.
Transparent proxy: NAT can redirect the HTTP connection to the Internet to a specific HTTPproxy server To cache data and filter requests.someInternet Service ProviderUse this technology to reducebandwidthInstead of having their customers configure their browsers to support proxy connections
Source network address translation
Source Address TranslationIt is an address translation based on the source address. It is mainly used for intranet access to the internet, reducingPublic address The number of hidden internal addresses.
asIP addressThe three PCs, 192.168.1.2192.168.1.3192.168.1.4, share the public IP address of 119.75.213.61 and Internet connection after source address conversion.
Destination address translation
Destination address translation can be divided into targetsAddress mapping, ObjectivesPort Mapping, Serverload balancing Etc.Destination address translation is also called reverse address translation or address mapping.The destination address translation is a one-way mapping for the target address, which is mainly used when the internal server provides services to the external. The difference between the destination address translation and the static address translation is that it is one-way.The external can actively access the internal, but the internal cannot actively access the external.In addition, destination address translation can be used to achieve load balancing, that is, one destination address can be converted to multiple internal server addresses.You can also map different ports to different machines through port mapping.
For example, a PC on the Internet (218.92.1.2) accesses the Internet address 119.75.213.61 and converts the destination address of the router to a server 192.168.1.100 that accesses the intranet