| < draft-ietf-nat-traditional-03.txt | draft-ietf-nat-traditional-04.txt > | |||
|---|---|---|---|---|
| NAT Working Group P. Srisuresh | NAT Working Group P. Srisuresh | |||
| INTERNET-DRAFT Consultant | INTERNET-DRAFT Campio Communications | |||
| Obsoletes: RFC 1631 K. Egevang | Obsoletes: RFC 1631 K. Egevang | |||
| Category: Informational Intel Corporation | Category: Informational Intel Corporation | |||
| Expire in six months September 1999 | Expires as of October 9, 2000 April 9, 2000 | |||
| Traditional IP Network Address Translator (Traditional NAT) | Traditional IP Network Address Translator (Traditional NAT) | |||
| <draft-ietf-nat-traditional-03.txt> | <draft-ietf-nat-traditional-04.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||
| all provisions of Section 10 of RFC2026. | all provisions of Section 10 of RFC2026. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at page 2, line 8 ¶ | skipping to change at page 2, line 8 ¶ | |||
| Abstract | Abstract | |||
| Basic Network Address Translation or Basic NAT is a method by which | Basic Network Address Translation or Basic NAT is a method by which | |||
| IP addresses are mapped from one group to another, transparent to | IP addresses are mapped from one group to another, transparent to | |||
| end users. Network Address Port Translation, or NAPT is a method by | end users. Network Address Port Translation, or NAPT is a method by | |||
| which many network addresses and their TCP/UDP ports are translated | which many network addresses and their TCP/UDP ports are translated | |||
| into a single network address and its TCP/UDP ports. Together, | into a single network address and its TCP/UDP ports. Together, | |||
| these two operations, referred to as traditional NAT, provide a | these two operations, referred to as traditional NAT, provide a | |||
| mechanism to connect a realm with private addresses to an | mechanism to connect a realm with private addresses to an | |||
| external routing network with globally unique registered addresses. | external realm with globally unique registered addresses. | |||
| 1. Introduction | 1. Introduction | |||
| The need for IP Address translation arises when a network's internal | The need for IP Address translation arises when a network's internal | |||
| IP addresses cannot be used outside the network either for privacy | IP addresses cannot be used outside the network either for privacy | |||
| reasons or because they are invalid for use outside the network. | reasons or because they are invalid for use outside the network. | |||
| Network topology outside a local domain can change in many ways. | Network topology outside a local domain can change in many ways. | |||
| Customers may change providers, company backbones may be | Customers may change providers, company backbones may be | |||
| reorganized, or providers may merge or split. Whenever external | reorganized, or providers may merge or split. Whenever external | |||
| topology changes with time, address assignment for nodes within the | topology changes with time, address assignment for nodes within the | |||
| local domain must also change to reflect the external changes. | local domain must also change to reflect the external changes. | |||
| Changes of this type can be hidden from the users within the domain | Changes of this type can be hidden from users within the domain | |||
| by centralizing changes to a single address translation router. | by centralizing changes to a single address translation router. | |||
| Basic Address translation would allow hosts in a private network to | Basic Address translation would (in many cases, except as noted in | |||
| transparently access the external network and enable access to | RFC 2663 and section 6 of this document) allow hosts in a private | |||
| selective local hosts from the outside. Organizations with a | network to transparently access the external network and enable | |||
| network setup predominantly for internal use, with a need for | access to selective local hosts from the outside. Organizations with | |||
| a network setup predominantly for internal use, with a need for | ||||
| occasional external access are good candidates for this scheme. | occasional external access are good candidates for this scheme. | |||
| Many Small Office, Home Office (SOHO) users and telecommuting | Many Small Office, Home Office (SOHO) users and telecommuting | |||
| employees have multiple Network nodes in their office, running | employees have multiple Network nodes in their office, running | |||
| TCP/UDP applications, but have a single IP address assigned to | TCP/UDP applications, but have a single IP address assigned to | |||
| their remote access router by their service provider to access | their remote access router by their service provider to access | |||
| remote networks. This ever increasing community of remote access | remote networks. This ever increasing community of remote access | |||
| users would be benefited by NAPT, which would permit multiple | users would be benefited by NAPT, which would permit multiple | |||
| nodes in a local network to simultaneously access remote networks | nodes in a local network to simultaneously access remote networks | |||
| using the single IP address assigned to their router. | using the single IP address assigned to their router. | |||
| skipping to change at page 3, line 26 ¶ | skipping to change at page 3, line 28 ¶ | |||
| The definition of terms used in this document may be found in "IP | The definition of terms used in this document may be found in "IP | |||
| Network Address Translator Terminology and Considerations" [REF1]. | Network Address Translator Terminology and Considerations" [REF1]. | |||
| 2. Overview of traditional NAT | 2. Overview of traditional NAT | |||
| The Address Translation operation presented in this document is | The Address Translation operation presented in this document is | |||
| referred to as "Traditional NAT". There are other variations of | referred to as "Traditional NAT". There are other variations of | |||
| NAT that will not be explored in this document. Traditional NAT | NAT that will not be explored in this document. Traditional NAT | |||
| would allow hosts within a private network to transparently | would allow hosts within a private network to transparently | |||
| access hosts in the external network. In a traditional NAT, | access hosts in the external network, in most cases. In a | |||
| sessions are uni-directional, outbound from the private network. | traditional NAT, sessions are uni-directional, outbound from the | |||
| Sessions in the opposite direction may be allowed on an | private network. Sessions in the opposite direction may be allowed | |||
| exceptional basis using static address maps for pre-selected | on an exceptional basis using static address maps for pre-selected | |||
| hosts. Basic NAT and NAPT are two variations of traditional NAT, | hosts. Basic NAT and NAPT are two variations of traditional NAT, | |||
| in that translation is Basic NAT is limited to IP addresses alone, | in that translation is Basic NAT is limited to IP addresses alone, | |||
| whereas translation in NAPT is extended to include IP address and | whereas translation in NAPT is extended to include IP address and | |||
| Transport identifier (such as TCP/UDP port or ICMP query ID). | Transport identifier (such as TCP/UDP port or ICMP query ID). | |||
| Unless mentioned otherwise, Address Translation or NAT throughout | Unless mentioned otherwise, Address Translation or NAT throughout | |||
| this document will pertain to traditional NAT, namely Basic NAT | this document will pertain to traditional NAT, namely Basic NAT | |||
| as well as NAPT. Only the stub border routers as described in | as well as NAPT. Only the stub border routers as described in | |||
| figure 1 below may be configured to perform address translation. | figure 1 below may be configured to perform address translation. | |||
| skipping to change at page 5, line 23 ¶ | skipping to change at page 5, line 25 ¶ | |||
| destination, and sends the packet to it's primary router. The stub | destination, and sends the packet to it's primary router. The stub | |||
| router has a static route for net 198.76.0.0 so the packet is | router has a static route for net 198.76.0.0 so the packet is | |||
| forwarded to the WAN-link. However, NAT translates the source | forwarded to the WAN-link. However, NAT translates the source | |||
| address 10.33.96.5 of the IP header to the globally unique | address 10.33.96.5 of the IP header to the globally unique | |||
| 198.76.29.7 before the packet is forwarded. Likewise, IP packets | 198.76.29.7 before the packet is forwarded. Likewise, IP packets | |||
| on the return path go through similar address translations. | on the return path go through similar address translations. | |||
| Notice that this requires no changes to hosts or routers. For | Notice that this requires no changes to hosts or routers. For | |||
| instance, as far as the stub A host is concerned, 198.76.28.4 is | instance, as far as the stub A host is concerned, 198.76.28.4 is | |||
| the address used by the host in stub B. The address translations | the address used by the host in stub B. The address translations | |||
| are completely transparent. Of course, this is just a simple | are transparent to end hosts. Of course, this is just a simple | |||
| example. There are numerous issues to be explored. | example. There are numerous issues to be explored. | |||
| 2.2. Overview of NAPT | 2.2. Overview of NAPT | |||
| Say, an organization has a private IP network and a WAN link to a | Say, an organization has a private IP network and a WAN link to a | |||
| service provider. The private network's stub router is assigned | service provider. The private network's stub router is assigned | |||
| a globally valid address on the WAN link and the remaining nodes | a globally valid address on the WAN link and the remaining nodes | |||
| in the organization have IP addresses that have only local | in the organization have IP addresses that have only local | |||
| significance. In such a case, nodes on the private network could | significance. In such a case, nodes on the private network could | |||
| be allowed simultaneous access to external network, using the | be allowed simultaneous access to external network, using the | |||
| skipping to change at page 10, line 37 ¶ | skipping to change at page 10, line 37 ¶ | |||
| if (x & 0x10000) { x++; x&=0xffff; } | if (x & 0x10000) { x++; x&=0xffff; } | |||
| nlen-=2; | nlen-=2; | |||
| } | } | |||
| x=~x & 0xFFFF; | x=~x & 0xFFFF; | |||
| chksum[0]=x/256; chksum[1]=x & 0xff; | chksum[0]=x/256; chksum[1]=x & 0xff; | |||
| } | } | |||
| 4.3. ICMP error packet modifications | 4.3. ICMP error packet modifications | |||
| Changes to ICMP error message will include changes to IP and | Changes to ICMP error message will include changes to IP and | |||
| ICMP headers on the outer layer as well as changes to the | ICMP headers on the outer layer as well as changes to headers | |||
| headers of the packet embedded within the ICMP payload due | of the packet embedded within the ICMP-error message payload. | |||
| to error. | ||||
| In order for NAT to be completely transparent to the host, the | In order for NAT to be transparent to end-host, the IP address | |||
| IP address of the IP header embedded within the payload of the | of the IP header embedded within the payload of ICMP-Error | |||
| ICMP packet must be modified, the checksum field of the same | message must be modified, the checksum field of the embedded | |||
| IP header must correspondingly be modified, and the ICMP header | IP header must be modified, and lastly, the ICMP header | |||
| checksum must also be modified to reflect changes made to the | checksum must also be modified to reflect changes to payload. | |||
| payload. | ||||
| In a NAPT setup, if the IP message embedded within ICMP happens | In a NAPT setup, if the IP message embedded within ICMP happens | |||
| to be a TCP, UDP or ICMP Query packet, you will also need to | to be a TCP, UDP or ICMP Query packet, you will also need to | |||
| modify the appropriate TU port number within the TCP/UDP header | modify the appropriate TU port number within the TCP/UDP header | |||
| or the Query Identifier field in the ICMP Query header. | or the Query Identifier field in the ICMP Query header. | |||
| Lastly, the IP header of the ICMP packet must also be modified. | Lastly, the IP header of the ICMP packet must also be modified. | |||
| 4.4. FTP support | 4.4. FTP support | |||
| skipping to change at page 16, line 7 ¶ | skipping to change at page 16, line 4 ¶ | |||
| [9] J. Postel, "INTERNET CONTROL MESSAGE (ICMP) SPECIFICATION", | [9] J. Postel, "INTERNET CONTROL MESSAGE (ICMP) SPECIFICATION", | |||
| RFC 792 | RFC 792 | |||
| [10] J. Postel, "User Datagram Protocol (UDP)", RFC 768 | [10] J. Postel, "User Datagram Protocol (UDP)", RFC 768 | |||
| [11] J. Mogul, J. Postel, "Internet Standard Subnetting Procedure", | [11] J. Mogul, J. Postel, "Internet Standard Subnetting Procedure", | |||
| RFC 950 | RFC 950 | |||
| [12] Brian carpenter, Jon Crowcroft, Yakov Rekhter, "IPv4 Address | [12] Brian carpenter, Jon Crowcroft, Yakov Rekhter, "IPv4 Address | |||
| Behaviour Today", RFC 2101 | Behaviour Today", RFC 2101 | |||
| Authors' Addresses | Authors' Addresses | |||
| Pyda Srisuresh | Pyda Srisuresh | |||
| Consultant | Campio Communications | |||
| 849 Erie Circle | 630 Alder Drive | |||
| Milpitas, CA 95035 | Milpitas, CA 95035 | |||
| U.S.A. | U.S.A. | |||
| Voice: (408) 263-7527 | Voice: (408) 519-3849 | |||
| EMail: srisuresh@yahoo.com | EMail: srisuresh@yahoo.com | |||
| Kjeld Borch Egevang | Kjeld Borch Egevang | |||
| Intel Denmark ApS | Intel Denmark ApS | |||
| Voice: +45 44886556 | Voice: +45 44886556 | |||
| Fax: +45 44886051 | Fax: +45 44886051 | |||
| EMail: kjeld.egevang@intel.com | EMail: kjeld.egevang@intel.com | |||
| http: //www.freeyellow.com/members/kbe | http: //www.freeyellow.com/members/kbe | |||
| End of changes. 13 change blocks. | ||||
| 27 lines changed or deleted | 25 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||