
Network address translation

From Wikipedia, the free encyclopedia

Network address translation between a private network and the Internet

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.[1] The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced by one that could not route the network's existing address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.[2]

As network address translation modifies the IP address information in packets, NAT implementations may vary in their specific behavior in various addressing cases and their effect on network traffic. The specifics of NAT behavior are not commonly documented by vendors of equipment containing NAT implementations.[2]

History

IPv4 uses 32-bit addresses, capable of uniquely addressing about 4.3 billion (2^32) devices. By 1992 it became evident that this would not be enough. The 1994 RFC 1631 describes NAT as a "short-term solution" to the two most compelling problems facing the IP Internet at that time: IP address depletion and scaling in routing. By 2004, NAT had become widespread.[3]

Basic NAT

The simplest type of NAT provides a one-to-one translation of IP addresses (RFC 1631). RFC 2663 refers to this type of NAT as basic NAT; it is also called a one-to-one NAT. In this type of NAT, only the IP addresses, IP header checksum, and any higher-level checksums that include the IP address are changed. Basic NAT can be used to interconnect two IP networks that have incompatible addressing.[2]

One-to-many NAT

Network address mapping

The majority of network address translators map multiple private hosts to one publicly exposed IP address.

Here is a typical configuration:

  1. A local network uses one of the designated private IP address subnets (RFC 1918[4]).
  2. The network has a router having both a private and a public address. The private address is used by the router for communicating with other devices in the private local network. The public address (typically assigned by an Internet service provider) is used by the router for communicating with the rest of the Internet.
  3. As traffic passes from the network to the Internet, the router translates the source address in each packet from a private address to the router's own public address. The router tracks basic data about each active connection (particularly the destination address and port). When the router receives inbound traffic from the Internet, it uses the connection tracking data it stored during the outbound phase to determine to which private address (if any) it should forward the reply.[2]

All IP packets have a source IP address and a destination IP address. Typically, packets passing from the private network to the public network will have their source address modified, while packets passing from the public network back to the private network will have their destination address modified. To avoid ambiguity in how replies are translated, further modifications to the packets are required. The vast bulk of Internet traffic uses Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). For these protocols, the port numbers are changed so that the combination of IP address (within the IP header) and port number (within the transport layer header) on the returned packet can be unambiguously mapped to the corresponding private network destination. RFC 2663 uses the term network address and port translation (NAPT) for this type of NAT.[4] Other names include port address translation (PAT), IP masquerading, NAT overload and many-to-one NAT. This is the most common type of NAT and has become synonymous with the term "NAT" in common usage.

This method allows communication through the router only when the conversation originates in the private network, since the initial originating transmission is what establishes the required information in the translation tables. Thus a web browser within the private network would be able to browse websites that are outside the network, whereas web browsers outside the network would be unable to browse a website hosted within.[a] Protocols not based on TCP and UDP require other translation techniques.

An additional benefit of one-to-many NAT is that it mitigates IPv4 address exhaustion by allowing entire networks to be connected to the Internet using a single public IP address.[b]

Methods of translation

Network address and port translation may be implemented in several ways. Some applications that use IP address information may need to determine the external address of a network address translator. This is the address that its communication peers in the external network detect. Furthermore, it may be necessary to examine and categorize the type of mapping in use, for example when it is desired to set up a direct communication path between two clients both of which are behind separate NAT gateways.

For this purpose, RFC 3489 specified a protocol called Simple Traversal of UDP over NATs (STUN) in 2003. It classified NAT implementations as full-cone NAT, (address) restricted-cone NAT, port-restricted cone NAT or symmetric NAT, and proposed a methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods are inadequate to correctly assess many devices. RFC 5389 standardized new methods in 2008 and the acronym STUN now represents the new title of the specification: Session Traversal Utilities for NAT.

NAT implementation classifications

Full-cone NAT, also known as one-to-one NAT
  • Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
  • Any external host can send packets to iAddr:iPort by sending packets to eAddr:ePort.
(Address)-restricted-cone NAT
  • Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
  • An external host (hAddr:any) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:any. "Any" means the port number does not matter.
Port-restricted cone NAT
  Like an address-restricted cone NAT, but the restriction includes port numbers.
  • Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
  • An external host (hAddr:hPort) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:hPort.
Symmetric NAT
  • The combination of one internal IP address plus a destination IP address and port is mapped to a single unique external source IP address and port; if the same internal host sends a packet even with the same source address and port but to a different destination, a different mapping is used.
  • Only an external host that receives a packet from an internal host can send a packet back.

Many NAT implementations combine these types, so it is better to refer to specific individual NAT behavior instead of using the cone/symmetric terminology. RFC 4787 attempts to alleviate confusion by introducing standardized terminology for observed behaviors. For the first bullet in each row of the above table, the RFC would characterize full-cone, restricted-cone, and port-restricted cone NATs as having an Endpoint-Independent Mapping, whereas it would characterize a symmetric NAT as having an Address and Port-Dependent Mapping. For the second bullet in each row of the above table, RFC 4787 would also label full-cone NAT as having Endpoint-Independent Filtering, restricted-cone NAT as having Address-Dependent Filtering, port-restricted cone NAT as having Address and Port-Dependent Filtering, and symmetric NAT as having either Address-Dependent Filtering or Address and Port-Dependent Filtering. Other classifications of NAT behavior mentioned in the RFC include whether they preserve ports, when and how mappings are refreshed, whether external mappings can be used by internal hosts (i.e., its hairpinning behavior), and the level of determinism NATs exhibit when applying all these rules.[2] In practice, most NATs combine symmetric NAT for outgoing connections with static port mapping, where incoming packets addressed to the external address and port are redirected to a specific internal address and port.

NAT mapping vs NAT filtering

RFC 4787[2] makes a distinction between NAT mapping and NAT filtering.

Section 4.1 of the RFC covers NAT mapping and specifies how an internal IP address and port number are translated into an external IP address and port number, that is, which external endpoint the NAT allocates for packets from a given internal endpoint. It defines Endpoint-Independent Mapping, Address-Dependent Mapping and Address and Port-Dependent Mapping, explains that these three possible choices do not relate to the security of the NAT, as security is determined by the filtering behavior, and then specifies 'A NAT MUST have an "Endpoint-Independent Mapping" behavior.'

Section 5 of the RFC covers NAT filtering and describes what criteria are used by the NAT to filter packets originating from specific external endpoints. The options are Endpoint-Independent Filtering, Address-Dependent Filtering and Address and Port-Dependent Filtering. Endpoint-Independent Filtering is recommended where maximum application transparency is required, while Address-Dependent Filtering is recommended where more stringent filtering behavior is most important.

Some NAT devices are not yet compliant with RFC 4787 as they treat NAT mapping and filtering in the same way, so that their configuration option for changing the NAT filtering method also changes the NAT mapping method (e.g. Netgate TNSR). The PF firewall has a patch available to enable RFC 4787 support but this has not yet been merged.

Type of NAT and NAT traversal, role of port preservation for TCP

The NAT traversal problem arises when peers behind different NATs try to communicate. One way to solve this problem is to use port forwarding. Another way is to use various NAT traversal techniques. The most popular technique for TCP NAT traversal is TCP hole punching.

TCP hole punching requires the NAT to follow the port preservation design for TCP. For a given outgoing TCP communication, the same port numbers are used on both sides of the NAT. NAT port preservation for outgoing TCP connections is crucial for TCP NAT traversal because, under TCP, one port can only be used for one communication at a time, so programs bind distinct TCP sockets to ephemeral ports for each TCP communication; without port preservation, predicting the external port a NAT will choose for a TCP connection is not possible.[2]

On the other hand, for UDP, NATs do not need port preservation. Indeed, multiple UDP communications (each with a distinct endpoint) can occur on the same source port, and applications usually reuse the same UDP socket to send packets to distinct hosts. This makes port prediction straightforward, as it is the same source port for each packet.

Furthermore, port preservation in NAT for TCP allows P2P protocols to offer less complexity and less latency because there is no need to use a third party (like STUN) to discover the NAT port since the application itself already knows the NAT port.[2][5]

However, if two internal hosts attempt to communicate with the same external host using the same port number, the NAT may attempt to use a different external IP address for the second connection or may need to forgo port preservation and remap the port.[2]: 9

As of 2006, roughly 70% of the clients in P2P networks employed some form of NAT.[6]

Implementation

Establishing two-way communication

In bidirectional NAT the session can be established both from inside and outside realms.

Every TCP and UDP packet contains a source port number and a destination port number. Each of those packets is encapsulated in an IP packet, whose IP header contains a source IP address and a destination IP address. The IP address/protocol/port number triple defines an association with a network socket.

For publicly accessible services such as web and mail servers the port number is important. For example, port 80 connects through a socket to the web server software and port 25 to a mail server's SMTP daemon. The IP address of a public server is also important, similar in global uniqueness to a postal address or telephone number. Both IP address and port number must be correctly known by all hosts wishing to successfully communicate.

Private IP addresses as described in RFC 1918 are usable only on private networks not directly connected to the internet. Ports are endpoints of communication unique to that host, so a connection through the NAT device is maintained by the combined mapping of port and IP address. A private address on the inside of the NAT is mapped to an external public address. Port address translation (PAT) resolves conflicts that arise when multiple hosts happen to use the same source port number to establish different external connections at the same time.

Telephone number extension analogy

A NAT device is similar to a phone system at an office that has one public telephone number and multiple extensions. Outbound phone calls made from the office all appear to come from the same telephone number. However, an incoming call that does not specify an extension cannot be automatically transferred to an individual inside the office. In this scenario, the office is a private LAN, the main phone number is the public IP address, and the individual extensions are unique port numbers.[7]

Translation process

With NAT, all communications sent to external hosts actually contain the external IP address and port information of the NAT device instead of internal host IP addresses or port numbers. NAT only translates IP addresses and ports of its internal hosts, hiding the true endpoint of an internal host on a private network.

When a computer on the private (internal) network sends an IP packet to the external network, the NAT device replaces the internal source IP address in the packet header with the external IP address of the NAT device. PAT may then assign the connection a port number from a pool of available ports, inserting this port number in the source port field. The packet is then forwarded to the external network. The NAT device then makes an entry in a translation table containing the internal IP address, original source port, and the translated source port. Subsequent packets from the same internal source IP address and port number are translated to the same external source IP address and port number. The computer receiving a packet that has undergone NAT establishes a connection to the port and IP address specified in the altered packet, oblivious to the fact that the supplied address is being translated.

Upon receiving a packet from the external network, the NAT device searches the translation table based on the destination port in the packet header. If a match is found, the destination IP address and port number is replaced with the values found in the table and the packet is forwarded to the inside network. Otherwise, if the destination port number of the incoming packet is not found in the translation table, the packet is dropped or rejected because the PAT device doesn't know where to send it.
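The translation table described in the three-step configuration under One-to-many NAT and in the two paragraphs above, together with the RFC 4787 mapping and filtering behaviors from the classification section, can be modelled directly. The following Python simulator is an added example written for this page, not code from any NAT implementation; the public address 203.0.113.1, the internal hosts and the probe addresses are constructed, and classify() is a simplified stand-in for a STUN-style probe.

```python
"""Simulated NAPT with configurable RFC 4787 mapping/filtering (added example, not real NAT code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port); all addresses below are constructed


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class NAPT:
    """One public address shared by many internal hosts.

    mapping:   "EIM" endpoint-independent (cone NATs, what RFC 4787 requires)
               "APDM" address-and-port-dependent (symmetric NAT)
    filtering: "EIF" endpoint-independent (full cone), "ADF" address-dependent
               (restricted cone), "APDF" address-and-port-dependent (port-restricted cone)
    """

    def __init__(self, public_ip: str, mapping: str = "EIM", filtering: str = "APDF",
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        self.public_ip, self.mapping, self.filtering = public_ip, mapping, filtering
        self.lo, self.hi = port_range
        self.out_table: Dict[tuple, int] = {}      # mapping key -> external port
        self.in_table: Dict[int, Endpoint] = {}    # external port -> internal endpoint
        self.peers: Dict[int, Set[Endpoint]] = {}  # external port -> external endpoints contacted

    def _key(self, src: Endpoint, dst: Endpoint) -> tuple:
        # EIM: one external port per internal endpoint; APDM: one per (endpoint, destination).
        return (src,) if self.mapping == "EIM" else (src, dst)

    def _allocate(self, preferred: int) -> int:
        # Port preservation: keep the internal source port if it is free on the public
        # address; on a conflict fall back to the first free port in the range.
        if self.lo <= preferred <= self.hi and preferred not in self.in_table:
            return preferred
        for port in range(self.lo, self.hi + 1):
            if port not in self.in_table:
                return port
        raise RuntimeError("external port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network; returns it as sent to the Internet."""
        key = self._key(pkt.src, pkt.dst)
        eport = self.out_table.get(key)
        if eport is None:                           # first packet of a new flow: create the entry
            eport = self._allocate(pkt.src[1])
            self.out_table[key] = eport
            self.in_table[eport] = pkt.src
            self.peers[eport] = set()
        self.peers[eport].add(pkt.dst)
        return Packet((self.public_ip, eport), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means the NAT dropped it."""
        eport = pkt.dst[1]
        if pkt.dst[0] != self.public_ip or eport not in self.in_table:
            return None                             # no mapping: nowhere to forward it
        peers = self.peers[eport]
        if self.filtering == "ADF" and pkt.src[0] not in {ip for ip, _ in peers}:
            return None
        if self.filtering == "APDF" and pkt.src not in peers:
            return None
        return Packet(pkt.src, self.in_table[eport])


def classify(nat: NAPT) -> Tuple[str, str]:
    """STUN-style probe of a fresh NAT: name its RFC 4787 mapping and filtering behaviour."""
    host: Endpoint = ("192.168.1.10", 40000)
    first = nat.outbound(Packet(host, ("198.51.100.1", 3478))).src
    second = nat.outbound(Packet(host, ("198.51.100.2", 3478))).src
    mapping = "Endpoint-Independent Mapping" if first == second else "Address and Port-Dependent Mapping"
    # Probe the first mapping from a never-contacted host, then from the contacted host
    # on a different port; what gets through identifies the filtering behaviour.
    stranger_ok = nat.inbound(Packet(("203.0.113.99", 1), first)) is not None
    other_port_ok = nat.inbound(Packet(("198.51.100.1", 9999), first)) is not None
    if stranger_ok:
        return mapping, "Endpoint-Independent Filtering"
    if other_port_ok:
        return mapping, "Address-Dependent Filtering"
    return mapping, "Address and Port-Dependent Filtering"


def port_preservation_demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Two internal hosts both use source port 5000 towards the same server."""
    nat = NAPT("203.0.113.1")
    a = nat.outbound(Packet(("192.168.1.10", 5000), ("198.51.100.1", 80)))    # keeps port 5000
    b = nat.outbound(Packet(("192.168.1.11", 5000), ("198.51.100.1", 80)))    # conflict: remapped
    reply = nat.inbound(Packet(("198.51.100.1", 80), b.src))                  # reaches 192.168.1.11
    stray = nat.inbound(Packet(("198.51.100.1", 80), ("203.0.113.1", 4444)))  # no entry: dropped
    return a, b, reply, stray


if __name__ == "__main__":
    for m, f in (("EIM", "EIF"), ("EIM", "ADF"), ("EIM", "APDF"), ("APDM", "APDF")):
        print(m, f, "->", classify(NAPT("203.0.113.1", m, f)))
    print(port_preservation_demo())
```

Two things the simulator makes visible that the prose only states: the mapping choice decides whether a second destination reuses the external port (which is what STUN-style discovery and hole punching depend on), while the filtering choice alone decides which external hosts can reach a mapping, so a NAT can be RFC 4787-compliant on mapping and still be as restrictive as a port-restricted cone. The port-preservation demo also shows the fallback from the last paragraph of the traversal section: the second host that picks source port 5000 is remapped to the first free port.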

Applications

Routing
Network address translation can be used to mitigate IP address overlap.[8][9] Address overlap occurs when hosts in different networks with the same IP address space try to reach the same destination host. This is most often a misconfiguration and may result from the merger of two networks or subnets, especially when using RFC 1918 private network addressing. The destination host experiences traffic apparently arriving from the same network, and intermediate routers have no way to determine where reply traffic should be sent to. The solution is either renumbering to eliminate overlap or network address translation.
Load balancing
In client–server applications, load balancers forward client requests to a set of server computers to manage the workload of each server. Network address translation may be used to map a representative IP address of the server cluster to specific hosts that service the request.[10][11][12][13]

Related techniques

IEEE Reverse Address and Port Translation (RAPT or RAT) allows a host whose real IP address changes from time to time to remain reachable as a server via a fixed home IP address.[14] Cisco's RAPT implementation is PAT or NAT overloading and maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations.[c] PAT attempts to preserve the original source port. If this source port is already used, PAT assigns the first available port number starting from the beginning of the appropriate port group 0–511, 512–1023, or 1024–65535. When there are no more ports available and there is more than one external IP address configured, PAT moves to the next IP address to try to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses.

Mapping of Address and Port is a Cisco proposal that combines Address plus Port translation with tunneling of the IPv4 packets over an ISP's internal IPv6 network. In effect, it is an (almost) stateless alternative to carrier-grade NAT and DS-Lite that pushes the IPv4 address/port translation function (and the maintenance of NAT state) entirely into the existing customer premises equipment NAT implementation. This avoids the NAT444 and statefulness problems of carrier-grade NAT, and also provides a transition mechanism for the deployment of native IPv6 at the same time with very little added complexity.

Issues and limitations

Hosts behind NAT-enabled routers do not have end-to-end connectivity and cannot participate in some internet protocols. Services that require the initiation of TCP connections from the outside network, or that use stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts ("passive mode" FTP, for example), sometimes with the assistance of an application-level gateway (see § Applications affected by NAT), but fail when both systems are separated from the internet by NAT. The use of NAT also complicates tunneling protocols such as IPsec because NAT modifies values in the headers which interfere with the integrity checks done by IPsec and other tunneling protocols.

End-to-end connectivity has been a core principle of the Internet, supported, for example, by the Internet Architecture Board. Current Internet architectural documents observe that NAT is a violation of the end-to-end principle, but that NAT does have a valid role in careful design.[15] There is considerably more concern with the use of IPv6 NAT, and many IPv6 architects believe IPv6 was intended to remove the need for NAT.[16]

An implementation that only tracks ports can be quickly depleted by internal applications that use multiple simultaneous connections such as an HTTP request for a web page with many embedded objects. This problem can be mitigated by tracking the destination IP address in addition to the port, thus sharing a single local port with many remote hosts. This additional tracking increases implementation complexity and computing resources at the translation device.

Because the internal addresses are all disguised behind one publicly accessible address, it is impossible for external hosts to directly initiate a connection to a particular internal host. Applications such as VoIP, videoconferencing, and other peer-to-peer applications must use NAT traversal techniques to function.

Fragmentation and checksums

Pure NAT, operating on IP alone, may or may not correctly parse protocols with payloads containing information about IP, such as ICMP. This depends on whether the payload is interpreted by a host on the inside or outside of the translation. Basic protocols such as TCP and UDP cannot function properly unless NAT takes action beyond the network layer.

IP packets have a checksum in each packet header, which provides error detection only for the header. IP datagrams may become fragmented and it is necessary for a NAT to reassemble these fragments to allow correct recalculation of higher-level checksums and correct tracking of which packets belong to which connection.

TCP and UDP have a checksum that covers all the data they carry, as well as the TCP or UDP header, plus a pseudo-header that contains the source and destination IP addresses of the packet carrying the TCP or UDP header. For an originating NAT to pass TCP or UDP successfully, it must recompute the TCP or UDP header checksum based on the translated IP addresses, not the original ones, and put that checksum into the TCP or UDP header of the first packet of the fragmented set of packets.
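To make the checksum requirement concrete, the following Python builds an IPv4/UDP datagram, rewrites its source address and port the way a NAPT would, and verifies both checksums. It is an added example written for this page, not code from any NAT; the addresses and payload are constructed. nat_rewrite_naive fixes only the IP header checksum, as a translator that stays at the network layer would, while nat_rewrite also recomputes the UDP checksum over the translated pseudo-header.

```python
"""IPv4 header and UDP pseudo-header checksums before and after a NAPT rewrite.

Added example for this page, not code from any NAT implementation.  Addresses
and payload are constructed for illustration.
"""
import socket
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    # The pseudo-header is why a NAT cannot leave the UDP/TCP checksum alone.
    return src + dst + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    udp = bytearray(struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
    # UDP transmits an all-zero checksum as 0xFFFF, because 0 means "no checksum".
    udp[6:8] = struct.pack("!H", checksum(pseudo_header(src, dst, udp_len) + bytes(udp)) or 0xFFFF)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, UDP_PROTO, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip + udp)


def verify(packet: bytes) -> tuple:
    """Return (ip_header_ok, udp_ok); a correct checksum makes the full sum 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(packet[:ihl]) == 0xFFFF
    udp = packet[ihl:]
    udp_ok = ones_complement_sum(pseudo_header(packet[12:16], packet[16:20], len(udp)) + udp) == 0xFFFF
    return ip_ok, udp_ok


def nat_rewrite_naive(packet: bytes, new_src_ip: str, new_sport: int) -> bytes:
    """Network-layer-only rewrite: new source address and port, IP checksum fixed, UDP checksum untouched."""
    out = bytearray(packet)
    ihl = (out[0] & 0x0F) * 4
    out[12:16] = socket.inet_aton(new_src_ip)
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", checksum(bytes(out[:ihl])))
    out[ihl:ihl + 2] = struct.pack("!H", new_sport)
    return bytes(out)


def nat_rewrite(packet: bytes, new_src_ip: str, new_sport: int) -> bytes:
    """NAPT rewrite that also recomputes the UDP checksum over the translated pseudo-header."""
    out = bytearray(nat_rewrite_naive(packet, new_src_ip, new_sport))
    ihl = (out[0] & 0x0F) * 4
    out[ihl + 6:ihl + 8] = b"\x00\x00"
    udp = bytes(out[ihl:])
    csum = checksum(pseudo_header(bytes(out[12:16]), bytes(out[16:20]), len(udp)) + udp) or 0xFFFF
    out[ihl + 6:ihl + 8] = struct.pack("!H", csum)
    return bytes(out)


# Constructed sample: a DNS-sized query from an RFC 1918 host leaving through a NAT.
ORIGINAL = build_ipv4_udp("10.0.0.5", "198.51.100.53", 5000, 53, b"\x12\x34" + b"\x00" * 28)
NAIVE = nat_rewrite_naive(ORIGINAL, "203.0.113.1", 40000)
CORRECT = nat_rewrite(ORIGINAL, "203.0.113.1", 40000)

if __name__ == "__main__":
    print("original", verify(ORIGINAL))   # (True, True)
    print("naive   ", verify(NAIVE))      # (True, False): UDP checksum still covers 10.0.0.5:5000
    print("napt    ", verify(CORRECT))    # (True, True)
```

The naive rewrite leaves a packet whose IP header verifies but whose UDP checksum still binds it to the original source address and port, so the receiving host discards it; that is the failure the paragraph above describes. Production NATs usually apply the RFC 1624 incremental update (adjusting the old checksum by the difference between old and new header words) rather than summing the whole datagram, which gives the same result without touching the payload and is what lets them rewrite fragments whose payload they never reassemble.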

Alternatively, the originating host may perform path MTU discovery to determine the packet size that can be transmitted without fragmentation and then set the don't fragment (DF) bit in the appropriate packet header field. This is only a one-way solution, because the responding host can send packets of any size, which may be fragmented before reaching the NAT.

Variant terms

DNAT

Destination network address translation (DNAT) is a technique for transparently changing the destination IP address of a routed packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet.

DNAT is commonly used to publish a service located in a private network on a publicly accessible IP address. This use of DNAT is also called port forwarding, or DMZ when used on an entire server, which becomes exposed to the WAN, becoming analogous to an undefended military demilitarized zone (DMZ).

SNAT

The meaning of the term SNAT varies by vendor:[17][18][19]

  • source NAT is a common expansion and is the counterpart of destination NAT (DNAT). This is used to describe one-to-many NAT; NAT for outgoing connections to public services.
  • stateful NAT is used by Cisco Systems[20]
  • static NAT is used by WatchGuard[21]
  • secure NAT is used by F5 Networks[22] and by Microsoft (in regard to the ISA Server)

Secure network address translation (SNAT) is part of Microsoft's Internet Security and Acceleration Server and is an extension to the NAT driver built into Microsoft Windows Server. It provides connection tracking and filtering for the additional network connections needed for the FTP, ICMP, H.323, and PPTP protocols as well as the ability to configure a transparent HTTP proxy server.

Dynamic network address translation

How dynamic NAT works.

Dynamic NAT, just like static NAT, is not common in smaller networks but is found within larger corporations with complex networks. Where static NAT provides a one-to-one internal to public static IP address mapping, dynamic NAT uses a group of public IP addresses.[23][24]

NAT hairpinning

NAT hairpinning, also known as NAT loopback or NAT reflection,[25] is a feature in many consumer routers[26] where a machine on the LAN is able to access another machine on the LAN via the external IP address of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate machine on the LAN). This behavior is described in RFC 5128 (2008).

The following describes an example network:

  • Public address: 203.0.113.1. This is the address of the WAN interface on the router.
  • Internal address of router: 192.168.1.1
  • Address of the server: 192.168.1.2
  • Address of a local computer: 192.168.1.100

If a packet is sent to 203.0.113.1 by a computer at 192.168.1.100, the packet would normally be routed to the default gateway (the router).[d] A router with the NAT loopback feature detects that 203.0.113.1 is the address of its WAN interface, and treats the packet as if coming from that interface. It determines the destination for that packet, based on DNAT (port forwarding) rules for the destination. If the data were sent to port 80 and a DNAT rule exists for port 80 directed to 192.168.1.2, then the host at that address receives the packet.

If no applicable DNAT rule is available, the router drops the packet. An ICMP Destination Unreachable reply may be sent. When a DNAT rule does match, source address translation is also applied: the router rewrites the source IP address of the packet. The local computer (192.168.1.100) sends the packet as coming from 192.168.1.100, but the server (192.168.1.2) receives it as coming from 203.0.113.1. When the server replies, the process is identical to that for an external sender. Thus, two-way communication is possible between hosts inside the LAN network via the public IP address.

NAT in IPv6

Network address translation is not commonly used in IPv6 because one of the design goals of IPv6 is to restore end-to-end network connectivity.[27] The large addressing space of IPv6 obviates the need to conserve addresses and every device can be given a unique globally routable address. Use of unique local addresses in combination with network prefix translation can achieve results similar to NAT.

The large addressing space of IPv6 can still be defeated depending on the actual prefix length given by the carrier. It is not uncommon to be handed a /64 prefix, the smallest recommended subnet, for an entire home network, requiring a variety of techniques to be used to manually subdivide the range for all devices to remain reachable.[28] Even actual IPv6-to-IPv6 NAT, NAT66, can turn out useful at times: the APNIC blog outlines a case where the author was only provided a single address (/128).[29]

Applications affected by NAT

Some application layer protocols, such as File Transfer Protocol (FTP) and Session Initiation Protocol (SIP), send explicit network addresses within their application data. File Transfer Protocol in active mode, for example, uses separate connections for control traffic (commands) and for data traffic (file contents). When requesting a file transfer, the host making the request identifies the corresponding data connection by its network layer and transport layer addresses. If the host making the request lies behind a simple NAT firewall, the translation of the IP address or TCP port number makes the information received by the server invalid. SIP commonly controls voice over IP calls, and suffers the same problem. SIP and its accompanying Session Description Protocol may use multiple ports to set up a connection and transmit the voice stream via Real-time Transport Protocol. IP addresses and port numbers are encoded in the payload data and must be known before the traversal of NATs. Without special techniques, such as STUN, NAT behavior is unpredictable and communications may fail. Application Layer Gateway (ALG) software or hardware may correct these problems. An ALG software module running on a NAT firewall device updates any payload data made invalid by address translation. ALGs need to understand the higher-layer protocol that they need to fix, and so each protocol with this problem requires a separate ALG. For example, on many Linux systems, there are kernel modules called connection trackers that serve to implement ALGs. However, an ALG cannot work if the protocol data is encrypted.
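As an added illustration of what an ALG has to do (example code written for this page, not the Linux nf_conntrack_ftp/nf_nat_ftp modules or any vendor's implementation), the following Python rewrites the PORT command of an active-mode FTP control session and records the data connection the server is about to open. The public address 203.0.113.1, the external port pool starting at 50000 and the sample command line are constructed.

```python
"""Minimal FTP ALG for active mode: rewrite PORT and expect the server's data connection.

Added example for this page, not the code of any real ALG.  The public address,
port pool and sample command are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# "PORT h1,h2,h3,h4,p1,p2" carries the client's data-socket address in the payload,
# which is exactly what a plain NAT cannot see or fix.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n\Z")

Endpoint = Tuple[str, int]


class FtpAlg:
    def __init__(self, public_ip: str, first_port: int = 50000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.expected: Dict[int, Endpoint] = {}   # external data port -> client's data socket
        self.seq_delta = 0                         # bytes added to the control stream so far

    def rewrite_port_command(self, line: bytes) -> Tuple[bytes, Optional[int]]:
        """Return (line as forwarded to the server, external port opened) for one control line."""
        m = PORT_RE.match(line)
        if not m:
            return line, None                      # not a PORT command: pass through unchanged
        fields = [int(x) for x in m.groups()]
        if max(fields) > 255:
            return line, None                      # malformed; leave it for the server to reject
        a, b, c, d, p1, p2 = fields
        client: Endpoint = (f"{a}.{b}.{c}.{d}", p1 * 256 + p2)
        eport = self.next_port
        self.next_port += 1
        self.expected[eport] = client              # pre-open a DNAT for the server's connect-back
        octets = [int(x) for x in self.public_ip.split(".")]
        new = b"PORT %d,%d,%d,%d,%d,%d\r\n" % (*octets, eport // 256, eport % 256)
        # Rewriting the payload changes its length, so a real ALG must also adjust TCP
        # sequence/acknowledgement numbers for the rest of the session.
        self.seq_delta += len(new) - len(line)
        return new, eport

    def inbound_data_connection(self, dst_port: int) -> Optional[Endpoint]:
        """Server connects to public_ip:dst_port; return the internal endpoint to DNAT to, once."""
        return self.expected.pop(dst_port, None)


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.1")
    fwd, port = alg.rewrite_port_command(b"PORT 192,168,1,100,19,137\r\n")
    print(fwd, port, alg.inbound_data_connection(port))
```

The two halves correspond to the two jobs the paragraph assigns to an ALG: patching the payload so the server sees a reachable address, and creating the expectation (a one-shot inbound mapping) so that the server's connection to the advertised port is forwarded to the client even though no outbound packet created it. The seq_delta bookkeeping is the part most often overlooked: because the rewritten line has a different length, every later TCP sequence and acknowledgement number on that control connection must be shifted, which is why in-kernel ALGs are tied to connection tracking rather than being simple packet filters.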

Another possible solution to this problem is to use NAT traversal techniques using protocols such as STUN or Interactive Connectivity Establishment (ICE), or proprietary approaches in a session border controller. NAT traversal is possible in both TCP- and UDP-based applications, but the UDP-based technique is simpler, more widely understood, and more compatible with legacy NATs.[citation needed] In either case, the high-level protocol must be designed with NAT traversal in mind, and it does not work reliably across symmetric NATs or other poorly behaved legacy NATs.

Other possibilities are Port Control Protocol (PCP),[30] NAT Port Mapping Protocol (NAT-PMP), or Internet Gateway Device Protocol, but these require the NAT device to implement that protocol.

Most client–server protocols (FTP being the main exception[e]), however, do not send layer 3 contact information and do not require any special treatment by NATs. In fact, avoiding NAT complications is practically a requirement when designing new higher-layer protocols today.

NATs can also cause problems where IPsec encryption is applied and in cases where multiple devices such as SIP phones are located behind a NAT. Phones that encrypt their signaling with IPsec encapsulate the port information within an encrypted packet, meaning that NAT devices cannot access and translate the port. In these cases, the NAT devices revert to simple NAT operations. This means that all traffic returning to the NAT is mapped onto one client, causing service to more than one client behind the NAT to fail. There are a couple of solutions to this problem: one is to use TLS, which runs on top of TCP and leaves the TCP port numbers in the clear for the NAT to translate; another is to encapsulate the IPsec within UDP, the latter being the solution chosen by TISPAN to achieve secure NAT traversal, or a NAT with "IPsec Passthru" support; another is to use a session border controller to help traverse the NAT.

Interactive Connectivity Establishment is a NAT traversal technique that does not rely on ALG support.

The DNS protocol vulnerability announced by Dan Kaminsky on July 8, 2008,[31] is indirectly affected by NAT port mapping. To avoid DNS cache poisoning, it is highly desirable not to translate UDP source port numbers of outgoing DNS requests from a DNS server behind a firewall that implements NAT. The recommended workaround for the DNS vulnerability is to make all caching DNS servers use randomized UDP source ports. If the NAT function de-randomizes the UDP source ports, the DNS server becomes vulnerable.
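The last sentence is something a resolver operator can check by observing the source ports of the resolver's queries on the public side of the NAT. The following Python, an added example written for this page and not taken from any DNS or NAT software, computes the spread and the fraction of consecutive-port steps in a sample of ports and models two NAT allocation policies. The sample, the two NAT models and the verdict thresholds are constructed assumptions.

```python
"""Does the NAT preserve the randomness of a resolver's UDP source ports?

Added example for this page.  The samples are constructed: one from a resolver
that randomises ports, and what two kinds of NAT turn it into.  The verdict
thresholds are this example's assumption, not taken from any RFC.
"""
import random
import statistics
from typing import List, Tuple


def port_stats(ports: List[int]) -> Tuple[int, float, float]:
    """(distinct ports, population stdev, fraction of consecutive +1 steps)."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    seq = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
    return len(set(ports)), statistics.pstdev(ports), seq


def looks_derandomised(ports: List[int], min_stdev: float = 3000.0, max_seq: float = 0.2) -> bool:
    """True if the observed external ports look predictable (small spread or counter-like)."""
    _, stdev, seq = port_stats(ports)
    return stdev < min_stdev or seq > max_seq


def through_counter_nat(ports: List[int], first: int = 1024) -> List[int]:
    """Model a NAT that ignores the original port and hands out the next free one in order."""
    return [first + i for i in range(len(ports))]


def through_preserving_nat(ports: List[int]) -> List[int]:
    """Model a NAT that keeps the source port when it is free (random ports rarely collide)."""
    used, out = set(), []
    for p in ports:
        q = p
        while q in used:                      # collision: take the next free port
            q = q + 1 if q < 65535 else 1024
        used.add(q)
        out.append(q)
    return out


RNG = random.Random(2008)                    # fixed seed so the sample is reproducible
RESOLVER_PORTS = [RNG.randrange(1024, 65536) for _ in range(200)]   # constructed sample


if __name__ == "__main__":
    for name, seen in (("as sent by resolver", RESOLVER_PORTS),
                       ("via port-preserving NAT", through_preserving_nat(RESOLVER_PORTS)),
                       ("via counter NAT", through_counter_nat(RESOLVER_PORTS))):
        distinct, stdev, seq = port_stats(seen)
        print(f"{name:24s} distinct={distinct:3d} stdev={stdev:8.1f} "
              f"seq={seq:.2f} derandomised={looks_derandomised(seen)}")
```

A port-preserving NAT passes the resolver's entropy through essentially unchanged, while the counter-based NAT collapses it to a run of consecutive ports that an attacker can predict from a single observed query. In practice the sample is taken from a packet capture or from a remote port-checking service rather than constructed as here, and a NAT that preserves ports for UDP (RFC 4787 recommends this) is the configuration to look for.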

Notes

  1. ^ Most NAT devices today allow the network administrator to configure static translation table entries for connections from the external network to the internal masqueraded network. This feature is often referred to as static NAT. It may be implemented in two types: port forwarding, which forwards traffic from a specific external port to an internal host on a specified port, and designation of a DMZ host, which passes all traffic received on the external interface (on any port number) to an internal IP address while preserving the destination port. Both types may be available in the same NAT device.
  2. ^ The more common arrangement is having computers that require end-to-end connectivity supplied with a routable IP address, while having others that do not provide services to outside users behind NAT with only a few IP addresses used to enable Internet access.
  3. ^ The port numbers are 16-bit integers. The total number of internal addresses that can be translated to one external address could theoretically be as high as 65,536 per IP address. Realistically, the number of ports that can be assigned a single IP address is around 4000.
  4. ^ Unless an explicit route is set in the computer's routing tables.
  5. ^ This issue can be avoided by using SFTP instead of FTP.

References

  1. ^ Network Protocols Handbook (2 ed.). Javvin Technologies Inc. 2005. p. 27. ISBN 9780974094526. Retrieved 2014-09-16.
  2. ^ a b c d e f g h i François Audet; Cullen Jennings (January 2007). Network Address Translation (NAT) Behavioral Requirements for Unicast UDP. IETF. doi:10.17487/RFC4787. RFC 4787.
  3. ^ Geoff Huston (September 2004). "Anatomy: A Look Inside Network Address Translators" (PDF). The Internet Protocol Journal.
  4. ^ a b Wing, Dan (2010-07-01). "Network Address Translation: Extending the Internet Address Space". IEEE Internet Computing. 14 (4): 66–70. doi:10.1109/MIC.2010.96. ISSN 1089-7801. S2CID 31082389.
  5. ^ "Characterization and Measurement of TCP Traversal through NATs and Firewalls". December 2006.
  6. ^ "Illuminating the shadows: Opportunistic network and web measurement". December 2006. Archived from the original on 2010-07-24.
  7. ^ "The Audio over IP Instant Expert Guide" (PDF). Tieline. January 2010. Archived from the original (PDF) on 2011-10-08. Retrieved 2011-08-19.
  8. ^ "Using NAT in Overlapping Networks". August 2005.
  9. ^ "VPNs with Overlapping Subnets Problem Scenario". September 2017.
  10. ^ Srisuresh, Pyda; Gan, Der-Hwa (August 1998). Load Sharing using IP Network Address Translation. RFC 2391.
  11. ^ "What Is Layer 4 Load Balancing?". June 2020.
  12. ^ "What is load balancing?". November 2018.
  13. ^ "Configure Server Load Balancing Using Dynamic NAT". June 2018.
  14. ^ Singh, R.; Tay, Y.C.; Teo, W.T.; Yeow, S.W. (1999). "RAT: A quick (and dirty?) push for mobility support". Proceedings WMCSA'99. Second IEEE Workshop on Mobile Computing Systems and Applications. pp. 32–40. CiteSeerX 10.1.1.40.461. doi:10.1109/MCSA.1999.749275. ISBN 978-0-7695-0025-6. S2CID 7657883.
  15. ^ Bush, R.; Meyer, D. (2002). Some Internet Architectural Guidelines and Philosophy. IETF. doi:10.17487/RFC3439. RFC 3439.
  16. ^ Velde, G. Van de; Hain, T.; Droms, R.; Carpenter, B.; Klein, E. (2007). Local Network Protection for IPv6. IETF. doi:10.17487/RFC4864. RFC 4864.
  17. ^ "Enhanced IP Resiliency Using Cisco Stateful NAT". Cisco.
  18. ^ "Use NAT for Public Access to Servers with Private IP Addresses on the Private Network (WatchGuard configuration example)" (PDF). WatchGuard. Archived from the original (PDF) on 2013-01-17.
  19. ^ "K7820: Overview of SNAT features". AskF5. August 28, 2007. Retrieved February 24, 2019.
  20. ^ "Enhanced IP Resiliency Using Cisco Stateful NAT". Cisco.
  21. ^ "Use NAT for Public Access to Servers with Private IP Addresses on the Private Network (WatchGuard configuration example)" (PDF). WatchGuard. Archived from the original (PDF) on 2013-01-17.
  22. ^ "K7820: Overview of SNAT features". AskF5. August 28, 2007. Retrieved February 24, 2019.
  23. ^ "Dynamic NAT". 26 January 2016. Retrieved 2022-04-19.
  24. ^ "Dynamic NAT". Retrieved 2022-04-19.
  25. ^ "What is NAT Reflection/NAT Loopback/NAT Hairpinning?". NYC Networkers. 2014-11-09. Retrieved 2017-04-27.
  26. ^ "NAT Loopback Routers – OpenSim" (MediaWiki). OpenSimulator. 2013-10-21. Retrieved 2014-02-21.
  27. ^ Iljitsch van Beijnum (2008-07-23). "After staunch resistance, NAT may come to IPv6 after all". Ars Technica. Retrieved 2014-04-24.
  28. ^ Dupont, Kasper (Aug 18, 2015). "subnet - IPv6 subnetting a /64 - what will break, and how to work around it?". Server Fault. Retrieved 2023-04-20.
  29. ^ Cilloni, Marco (2018-02-01). "NAT66: The good, the bad, the ugly". APNIC Blog. Retrieved 2023-04-20.
  30. ^ D. Wing, Ed.; Cheshire, S.; Boucadair, M.; Penno, R.; Selkirk, P. (2013). Port Control Protocol (PCP). IETF. doi:10.17487/RFC6887. RFC 6887.
  31. ^ Messmer, Ellen (2008-07-08). "Major DNS flaw could disrupt the Internet". Network World. Archived from the original on 2009-02-13. Retrieved 14 June 2021.
