NAT

NAT gives immediate, but temporary solution of a problem of deficit of addresses IPv4 which will disappear by itself with the advent of IPv6 protocol sooner or later. Now this problem is especially relevant in Asia and some other regions; soon it will declare itself also in North America. Therefore interest in use of IPv6 as more long-term solution of the problem of deficit of the addresses is clear.

NAT not only allows to reduce number of necessary addresses IPv4, but also forms additional protection of private network as in terms of any node which is out of network, communication with it is performed only through one, shared IP address. NAT? it not the same that the firewall or the proxy server, but are, nevertheless, an important element of security. General principles of work of NAT

To the clients of network who are from the inside of the NAT device the private IP addresses are appointed; usually it becomes through service DHCP (Dynamic Host Configuration Protocol? the protocol of dynamic setup of nodes) or by the static tuning performed by the administrator. During the communication session to the node which is outside of this private network usually there is a following. On client side

The application which is going to establish connection with the server opens the socket determined by the source IP address, port of a source, the appointment IP address, the port of destination and the network protocol. These parameters identify both endpoints between which there will be a communication session. When the application transmits data through a socket, the private IP address of the client (the source IP address) and client port (port of a source) are inserted into a packet in fields of parameters of a source. Fields of parameters of a destination point will contain the server IP address (the appointment IP address? remote node) and port of the server. As the destination point of a packet is out of private network, the client sends it to the main gateway. In this scenario a role of the main gateway is played by the NAT device. Outgoing packet in the NAT device

The NAT device intercepts outgoing packet and makes comparison of port, using the appointment IP address (the server address), the port of destination, the external IP address of the NAT device, external port, the network protocol and also the internal IP address and port of the client.

The NAT device keeps the table of comparisons of ports and saves the created comparison in this table. External IP address and port? these are the general the IP address and port which will be used in the current session of data transmission instead of internal the IP address and port of the client.

Then the NAT Ltransliruyet device ¦ a packet, transforming in a source field packet: the private, internal IP address and port of the client are replaced with the general, external IP address and port of the NAT device.

The transformed packet is sent on external network and as a result gets on the set server. On server side

Having received a packet, the server believes that it deals with some one computer which IP address allows global routing. The server will direct response packets to the external IP address and port of the NAT device, specifying the own IP address and port in source fields. Incoming packet in the NAT device

NAT accepts these packets from the server and analyzes their contents on the basis of the table of comparison of ports. If comparison of port for which the source IP address, the port of a source, the port of destination and the network protocol from incoming packet match the IP address of a remote node deleted with the port and the network protocol specified in comparison of ports is found in the table, NAT will execute inverse transformation. NAT replaces the external IP address and external port in fields of purpose of a packet with the private IP address and internal port of the client.

Then NAT sends a packet to the client on internal network. However if NAT does not find suitable comparison of ports, the incoming packet is rejected and disconnected.

Thanks to the NAT device the client has an opportunity to transfer data in the global environment of the Internet, using only the private IP address; neither from the application, nor from the client no additional efforts are required. The application should not address any special API interfaces, and the client does not need to perform additional tuning. In this case the NAT mechanism is transparent in relation to the client and to the server application? everything works simply and accurately.

However not all network applications use the protocols capable to interact with NAT. The problem also consists in it.

Problems of interaction of NAT and applications

Means of NAT successfully provides sharing of the uniform global IP address when the client initiates contact and accepts the answer through the same port. However many applications are used by the strategy based on the assumptions which become incorrect if the NAT device is used to Internet access. Some of similar problems are discussed below. Services in internal network

Many network services and servers recognize that if they set the listening socket, then any client on the Internet will be able to initiate with them contact. If on the periphery of network the NAT device is placed, then passing of the incoming traffic to services of internal network will require existence of the corresponding comparison of ports. Therefore such service will be available only to clients of private network, but not other nodes of the Internet.

Most often this problem is bypassed, manually configuring comparison of ports which allows the NAT device to transfer the traffic addressed in NAT with indication of certain external the IP address and port to the internal IP address and port used by service.

When such comparison is set, the service can receive incoming packets and becomes available to the clients external in relation to private network. Until comparison of ports is executed, contact with network is not kept.

It is, as a rule, quite difficult to configure comparison of ports manually; it requires certain experience. Therefore many individually working users and the staff of small offices cannot work with applications and services necessary to them without assistance and are forced in search of solution to address in technical support service of the Internet service provider, producer of the computer, trading company or producer of the gateway of the Internet. Besides such comparison imposes less restrictions? any external client will be able to use it for initiation of contact with the server. The enclosed addresses and ports

Some network applications assume that the IP address and port appointed to the client will always be available to global routing and will be able directly to be used on the Internet. In many cases these addresses are the private IP addresses from the ranges reserved by the IETF group. The application includes such private IP address or port in the part of the packet sent to the server containing useful data. The server can use this enclosed address for communication with the client.

If the server tries to answer, using the enclosed IP address and port instead of the compared values of the address and port provided by means of NAT, then the packet will be discarded by transfer. It occurs because the enclosed IP address cannot be routed. If the network application detects the NAT device and received at it the external IP address and external port, it could place the correct data in a packet. The applications using different sockets

Some network applications send traffic to the server or to other node, using a socket in one port? X ¦, and expect the answer from the server on the friend, the listening socket in port? Y ¦. NAT studies the outbound traffic and makes comparison of port? X ¦, but does not know that it is necessary to execute still comparison of ports for the returning packets addressed to the port? Y ¦. The incoming packets addressed to the port? Y ¦, are discarded. Waiting of access to ports

Some network protocols recognize that the port necessary to them widely known and allowing global routing, will always be available to them. When several clients together use one IP address, in each timepoint only one client has access to standard port. For example, only one web service can use in each timepoint external port 80 in the local area network. If it was not so, the NAT device could not define what client the external request concerns. It is necessary to take, in addition to setup by the user of comparison of ports, special measures to that different clients could be recognized from the outside of a local network. Use of several NAT devices

If the client is from the inside of the NAT device which, in turn, is protected by one more NAT device, there are new problems which essence is beyond this document. Effects for users and for the industry

Above technical aspects of problems of passing of NAT were described. In relation to the user these problems are shown very simply: applying NAT, he will not be able to work with services or applications necessary to it.

Most of users also do not suspect today that there are Lzhertvam and ¦ NAT. They know one: when they try to play a collective game or to use applications of peer-to-peer communication (for example, means of communication in real time), they do not manage it. On the screen there is an error message (something like Lnevozmozhno to establish connection ¦) or the application trying to be started comes to the end under abnormal condition.

In certain cases the user who is connected to the Internet via the normal modem of remote access will not face similar malfunctions. But if he becomes the subscriber of service of broadband access and will pass to the DSL modem or the cable modem, problems will become inevitable. The users expecting more effective communication on the Internet will be puzzled with suddenly appeared noises which are not allowing them to play games and to apply other services.

It can lead to growth of discontent among users which will be directed to manufacturers of computers, Internet service providers, producers of gateways of the Internet, etc. The client often does not know in what, and employees of technical support service not always manage to help the reason of malfunctions to him by phone.

But the problem concerns not only the user. It is also a problem of the producers providing to the user products and services. The addresses to a support service caused by problems of NAT mean increase in expenses and can reflect adversely on profits of the producer or seller of a product. As a result some part of users can lose interest in new services and applications, testing dissatisfaction because of unsuccessful access attempts to old services so NAT turns into a brake on the way of creation and distribution of the latest products and services.

Considering all these factors, it is necessary to recognize that solution of the problem of NAT becomes the major task for all industry. What is NAT Traversal?

NAT Traversal (passing of NAT)? it is a set of the opportunities allowing network applications to define that they are Lpod protection ¦ NAT devices, to learn the external IP address and to execute comparison of ports for transfer of packets of external port NAT to the internal port used by the application; all this is executed automatically so the user should not configure manually comparisons of ports or any other parameters.

This technology represents more complete problem solving of communication, the NAT devices caused by application, in comparison with the methods used earlier focused on specific applications. Still similar specialized solutions required or presence at the user of technical knowledge, or special completion from the creator of the application or the producer of the gateway of the Internet, or all this together.

Though means of passing of NAT is directed to the solution of some problems connected with NAT it are not a panacea and VSE is not capable to resolve problems. Nevertheless its embodiment in the automated type represents a major step in more complete satisfaction of users, decrease in load of technical support service and promotions of the latest services and applications, especially in the environment of a home network forward.

The NAT Traversal technology should be considered as the improvised mechanism which should be used in case of need, but not in all situations in a row. The need for NAT and, therefore, in NAT Traversal technology will disappear with the advent of IPv6 when each client receives the IP address allowing global routing. There are different forecasts concerning that how soon universal deployment of IPv6 will come to the end. The companies of the industry, including Microsoft, invest heavily in promotion of IPv6, however the solution NAT Traversal described below will bring a lot of benefit now and in the next several years to all who work at home and at small offices and experience difficulties with use of NAT. Principles of work of NAT Traversal

NAT Traversal in the work relies on the protocols of detection and management entering the specifications set by the Forum UPnP (Universal of the Plug and Play). As a part of the Forum UPnP there is a working committee which is engaged in drawing up the protocol of control of lock devices of the Internet (Internet Gateway Device, IGD) and determination of services for these devices.

The gateways of the Internet supporting obligatory elements of the protocol of device management of IGD will announce the presence and to publish XML documents with descriptions for operations control rooms of the local networks. Operations control rooms will be able to learn from these documents what transactions UPnP are required to be caused to define whether support of NAT in the gateway is included, and to execute comparison of ports.

The NAT Traversal API interface as a part of Windows allows to avoid need of access to UPnP directly; he turns on functions of detection, management and setup of the NAT device. NAT Traversal API

When the network application needs to detect the NAT device and to adjust parameters of its work, the application can use the NAT Traversal API interface which is included in Windows package (and completely described in Platform SDK packet materials) and to execute the following functions: define whether there is a NAT device; receive the external IP address of NAT; obtain data on static comparison of specific external port if like that exists; add static comparison of ports if the external port was not earlier appointed; include or turn off specific comparison of ports, without deleting it; change the description static the comparison of ports clear for the user; delete static comparison of ports; receive the list of static comparisons of ports for a local network.

Using these functions of the application can bypass many problems caused by existence of NAT. It is necessary to consider that the NAT Traversal API interfaces as a part of Windows support comparisons of ports only of unlimited validity period today? so-called static comparisons of ports. The NAT Traversal API interfaces as a part of Windows XP

The NAT Traversal API interfaces are established in Windows XP by default. They can also be set on the computers working running Windows Me and Windows 98; the special program which is available on Windows XP compact disk is for this purpose used? setup wizard of network (Network Setup Wizard). For access to the NAT Traversal API interfaces users also should set the observer of Internet Explorer of version 6.0 providing additional support of means of syntax analysis of XML.

NAT Traversal in Windows 2000 at the moment is not supported. Support of NAT Traversal in gateways of the Internet

Support of NAT Traversal in gateways of the Internet is implemented in the form of support of the IGD specification (Internet Gateway Device) determined by Working committee on gateways of the Internet within the Forum UPnP. Producers of gateways should mean that the NAT Traversal API interfaces included in Windows make the following assumptions of operation of IGD devices. IGD devices announce only one external interface in each timepoint. Though from the technical point of view the declaration of several external interfaces is admissible, the NAT Traversal API functions will use only the first of them. IGD support the comparisons of ports providing transfer of packets from any remote IP address to internal clients. IGD support comparisons of ports in which as the client the broadcast address is specified. IGD support different numbers for external port NAT and internal port of the client. IGD generate declarations with version number 1. Static comparisons of ports act beyond all bounds long, despite of resets, changes of the IP addresses and presence of the client on the server.

The more producers of gateways of the Internet realize advantages of UPnP technology as circumventors of problems of NAT and the more users get acquainted with these means, the chances that the solution NAT Traversal based on UPnP will become indispensable attribute of devices of this category are higher.

Producers of gateways of the Internet should join the ranks of the Forum UPnP? so they will be able quicker to learn about how to achieve compatibility of the devices with the UPnP standards.

It is necessary to notice that means of the general access to connection of the Internet to Windows XP supports version 0.9 of the UPnP IGD standard. It is expected that version 1.0 will be compatible to version 0.9. As applications are used by NAT Traversal

NAT Traversal use method the application depends on a number of factors, for example, from what should be validity period of comparison of ports and how many clients or services use this port. It is very important that applications destroyed at the end (Lochishchal and ¦) the static comparisons of ports created by them to free ports for other applications.

If the application represents a network service (for example, the Web server) which needs any widely known port throughout its existence, the installation program of such application can configure static comparison of port using the NAT Traversal API interfaces. If the network topology remains to a constant and mechanisms of cleaning do not affect this comparison, external clients will be able to contact to service during the entire period of its work. The program of removal of the application will have to delete comparison. After abnormal failure static comparisons of ports will remain, despite the absence of service. Change of the external IP address will be automatically considered by static comparison of ports.

If the application does constantly not work or not guarantees that its static comparisons of ports will be supported all the time by network, it can reserve any known port at each start and return it at each completion of work. It can be done using in parallel the activated scenario. Also other option is possible: instead of adding and removal of comparison of ports the application every time will switch on and off it. It is also possible to leave static comparison of ports permanent and just to update it at application launch.

And in this case change of the external IP address is automatically considered by static comparison of ports.

If the same extension of port is used by several applications of different clients of private network at once, these applications should be changed a little to ensure functioning of several clients. In each timepoint only one client can compare to external port this extension of port. Such mode is recommended: the right to use port is acquired by the first client. Other clients should request asymmetric comparisons in which the internal port would differ from external.

It is necessary to consider such special case: several clients can listen to the same external port for the only purpose? be the detected remote nodes. Incoming packets can be transformed so that the broadcast address, but not the address of the specific client was specified as the internal IP address of the client. The clients listening to network through this port will be able to answer, initiating own connection to a remote node. Such method is not recommended for general use as incoming packets with this destination address will be accepted by each client of network, creating for them additional loading.

If the service needs to listen to any port during a short period, it should request static comparison of port in the application, but not in the scenario. Having finished work, the service should execute at once cleaning (to delete comparison). In the application it is necessary to keep account of own operating comparisons of ports. As a result if there is a failure of the application and it will not manage to close comparisons of ports, at next run of the application it will be able to obtain all data necessary for cleaning.

If the application should go offline without cleaning of the comparisons of ports, they will be saved, and responsibility for cleaning is shifted to the user. Now in Windows the mechanism of cleaning is absent as it is difficult to define when the application stops using comparison. NAT Traversal shortcomings

Though NAT Traversal allows to solve a number of the problems connected with connection via NAT devices, some problems nevertheless remain. They are listed below. NAT Traversal uses model of open trusted relationships. It means that all appendices in private network are had access to all comparisons of ports set in NAT. As a result considerably the flexibility of administration (points of management become more) increases, however applications lose the rights of exclusive ownership of the comparisons. The conflict resolution is a duty of applications. If the application tries to compare the port which is already compared to other client it is necessary or to find other port, or to respectively change a program code. NAT Traversal does not solve a problem of Internet service providers which distribute the private addresses and use NAT for connection of clients. In this case NAT appears outside of the gateway of the Internet, actually in network of provider. Means of NAT Traversal in home or small office network will not be able to work if the NAT device in client network is protected by one more same NAT device. Therefore Internet service providers are not recommended to unroll NAT in the networks. Initially the application has no access to NAT Traversal? it needs to be changed that it was possible to cause the API functions, or to accompany with the corresponding scenario. However, it is quite feasible task for the developer, especially considering that fact that as soon as NAT Traversal mechanisms are integrated into the application, it purchases capability to work with a set of different gateways of the Internet. Applications, having finished work with comparisons of ports, should execute after themselves cleaning. Static comparisons remain vaguely long and most all are suitable for services which are going to listen to widely known ports throughout all existence of the application. The gateway of the Internet on which means of NAT are set should support the Universal Plug and Play Internet Gateway Device specification of version 0.9 or more late. Conclusion

NAT represents the solution of the problem of exhaustion of namespace of IPv4 approved by the IETF group. The gateways of the Internet using NAT often are installed houses and at small offices. They are applied because are cheap, manageable and do not require installation of the special software.

Lack of use of NAT is that it interferes with application of collective games, services of communication in real time and applications of peer-to-peer communication. This results from the fact that network protocols work proceeding from the assumptions of architecture of network which with the advent of NAT cease will be executed.

The NAT Traversal technology allows applications to detect the NAT device, to define the shared IP address allowing global routing and to configure static comparisons of ports for the purpose of elimination of some problems of communication. The solution NAT Traversal does not save from all problems connected with NAT, but prevents some of them.

Sources

VRN.ru