IP Addressing and Routing
Written by Ian Elliot
Friday, 25 February 2022
Page 3 of 3
For example, suppose a data packet comes from a machine with an internal IP address of 192.168.253.12 and your ISP has assigned the router a single external IP address of 230.123.001.23. The router takes the outbound packet and replaces the source address with 230.123.001.23:11, i.e. the same external public address but using port 11.
When the packet arrives at the destination the receiving machine could in principle be confused by the unusual source port number, but most applications simply build a reply and send it to the address and port specified. Applications that don't do this cause NAT a problem, but few such problem cases remain because NAT is so important.
When the router gets a data packet addressed to 188.8.131.52:01, i.e. the router's public address, it uses the port number to find out which internal IP address to send it to, in this case 192.168.253.12.
By mapping internal IP addresses to port numbers within a single external IP address the router can connect a fairly large number of users to the Internet using just one public IP address.
A NAT router maps internal addresses to external addresses using port numbers.
Firewall for Free
Not only does NAT give you an easy way of connecting your network to the Internet, it also provides a high degree of security because of the way it works.
For example, how can someone on the Internet gain access to one of the machines on the internal network?
The simple answer is that they can't, because the router only delivers packets that arrive in response to outgoing packets, and none of the machines connected to the local network have publicly routable IP addresses. That is, an external agent cannot initiate a connection to a local machine.
Of course, this is also a problem for protocols that require an external machine to initiate the connection.
For example, if you want to run a web server then you need to allow external machines to connect via port 80. You can generally set a NAT-enabled router to pass all inbound packets that aren't responses to outgoing packets to a specified internal machine, which then handles requests on all port numbers, i.e. it is the one web server, email post office, FTP server and so on for the network.
A more advanced NAT router will generally let you map inbound packets to individual machines on the basis of port number, so one machine can be designated as the web server, another as the FTP server and so on. This is generally called "port mapping" or "virtual servers". For this to work you must have at least one fixed IP address allocated, or you have to use dynamic DNS (DDNS).
As far as the outside world is concerned your local network has just this one IP address and looks like one big machine.
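The translation table described above, together with the "firewall for free" drop rule and the port-mapping ("virtual server") entries, as an added example that is not part of the article. The addresses are constructed (203.0.113.5 is a documentation address standing in for the router's public IP; the internal hosts are the article's 192.168.253.x machines), and the port-allocation policy (hand out consecutive external ports) is an assumption of this toy model, not a description of any real router.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str = ""


class NatRouter:
    """Toy model of the NAT router described in the article: many internal
    hosts share one public address, distinguished by the external port."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port  # assumed policy: consecutive ports
        self.outbound: Dict[Endpoint, int] = {}   # internal endpoint -> external port
        self.inbound: Dict[int, Endpoint] = {}    # external port -> internal endpoint
        self.forwards: Dict[int, Endpoint] = {}   # static "virtual server" entries

    def add_port_forward(self, external_port: int, internal: Endpoint) -> None:
        """Port mapping: unsolicited traffic to this port goes to a chosen host."""
        self.forwards[external_port] = internal

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to (public_ip, port) and remember the mapping
        so that the reply can be routed back to the originating host."""
        port = self.outbound.get(pkt.src)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[pkt.src] = port
            self.inbound[port] = pkt.src
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a packet addressed to the public IP, or return None to drop it.
        Only replies to remembered mappings and explicit port forwards get in;
        everything else is dropped, which is the 'firewall for free' behaviour."""
        if pkt.dst[0] != self.public_ip:
            return None
        internal = self.inbound.get(pkt.dst[1]) or self.forwards.get(pkt.dst[1])
        if internal is None:
            return None
        return Packet(pkt.src, internal, pkt.payload)
```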
In principle NAT might have saved us from running out of externally routable addresses. It has certainly prolonged the life of the current Internet standard, IPv4, by allowing addresses to be reused many times over, but the modern Internet needs more addresses.
IPv6 solves the problem by simply increasing the number of bits used for the source and destination addresses. IPv4 uses 32-bit addresses whereas IPv6 uses 128 bits. This means that IPv6 can provide more than 10^28 addresses for every human on the planet.
Once the IPv4 addresses have all been allocated it is likely that only IPv6 addresses will be allocated and the move to IPv6 will accelerate.
The big problem is that IPv6 and IPv4 are not compatible. However, while IPv4 networks exist there are a number of solutions for routing traffic over mixed networks.
The key idea is that any machine would have to operate both IPv4 and IPv6 stacks. It is easy to see how IPv6 hosts can access IPv4 machines: they simply reduce the number of bits used in the address, i.e. the first 32 bits of the 128-bit IPv6 address can be mapped to IPv4 machines. However, there is no easy way to allow an IPv4 machine to address an IPv6 machine: how can a 32-bit address be correctly expanded to 128 bits? The only reasonable solution is to equip the entire connection path with software for both IPv4 and IPv6. Notice that in principle this is just a software change and no hardware needs to be replaced; in practice hardware will probably have to be replaced.
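The address arithmetic behind the last two paragraphs, as an added example that is not part of the article: it shares the 2^128 IPv6 addresses across a population figure (an assumed round 8 billion), embeds a 32-bit IPv4 address in a 128-bit one using the IPv4-mapped form standardised in RFC 4291 (::ffff:a.b.c.d, with the IPv4 address in the low 32 bits), and shows that a native IPv6 address has no IPv4 form to fall back to.

```python
import ipaddress
from typing import Optional

IPV4_BITS, IPV6_BITS = 32, 128
WORLD_POPULATION = 8_000_000_000   # constructed round figure for the calculation
MAPPED_PREFIX = 0xFFFF << IPV4_BITS  # the ::ffff:0:0/96 prefix of RFC 4291


def addresses_per_person() -> int:
    """Share the whole IPv6 space out evenly: 2**128 // population."""
    return (2 ** IPV6_BITS) // WORLD_POPULATION


def to_ipv4_mapped(v4: str) -> ipaddress.IPv6Address:
    """Embed a 32-bit IPv4 address in a 128-bit IPv6 one as ::ffff:a.b.c.d.
    The IPv4 bits occupy the low 32 bits; the high 96 are the fixed prefix."""
    return ipaddress.IPv6Address(MAPPED_PREFIX | int(ipaddress.IPv4Address(v4)))


def to_ipv4(v6: str) -> Optional[ipaddress.IPv4Address]:
    """Reverse the embedding. A native IPv6 address carries 96 bits that no
    32-bit field can hold, so for it there is no IPv4 form and None is returned."""
    return ipaddress.IPv6Address(v6).ipv4_mapped
```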
The big problem is that, until the entire Internet is IPv6 or dual IPv6/IPv4, any new IPv6 site will only be accessible from IPv6-equipped machines, while IPv6 machines will be able to access both IPv6 and IPv4.
Things aren't quite as bleak as this sounds, because a client that can work with both IPv6 and IPv4 (i.e. most modern operating systems) can connect to IPv6 sites as long as the connection path is also IPv6 or can support an IPv6 tunnel. In other words, if your connection all the way to the Internet is IPv6 enabled then you can work with either protocol.
At the moment this is a relatively rare occurrence. If you want to know whether you can work with IPv6, search for "IPv6 test site" on your favourite search engine and try one out.
If you really need IPv6 and your ISP doesn't support it, your only option is to use an IPv6 tunnel broker. In this case you will still need an IPv6-capable machine and an IPv6-capable router connecting you to your ISP. Software does the rest and the tunnel routes your IPv6 packets onto the IPv6 portion of the Internet. Most brokers will also put your IPv6 address on the network for you so that other IPv6 clients can access your servers. Unfortunately, IPv6 tunnels currently don't work well with NAT.
Last Updated: Saturday, 26 February 2022