Search:  

 
theme to black backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   News
newer
When NAT becomes NOT
(old news - 10:28PM Tuesday Mar 07 2000)
NAT (Network address translation) is a fast way of packing multiple devices behind a single, public IP address.

For the DSL user, NAT is the easiest method of providing internet access to multiple PCs (whether home or office) no matter what the ISP has given them to work with in terms of IP addressing.

Many people use NAT without knowing it: Windows 98SE for example, with its "internet connection sharing" pack, is implementing NAT on the gateway machine, to provide net functions to others on your home network. Much other popular internet share software is NAT under another name.

NAT is the heart of many nifty network share devices, ones with an plug in, and a plug out - put one of these between your DSL line and a hub, and you can have 4, 8 or more computers sharing this one public IP address.

So what is the problem with NAT?

1. NAT and PPPoE

PPP does not sit mix well with NAT. Microsoft Windows 98SE ICS option will not work, and Microsoft recommend another NAT utility, Share the net, instead. Many ether to Ether NAT boxes also break, and have received quick brain surgery to get them back into shape. Boxes such as the Zyxel for example, are now capable of handling PPPoE and NAT in one.

2. NAT and some protocols

Various internet protocols break with a vanilla NAT implementation. FTP for example, will operate in two modes, passive and active. NAT does not support active mode FTP, so clients must be found that will operate in passive mode.

Folks attempting to use IRC servers will find the servers may reject their connection because they cannot find an identd daemon on your "public" IP address to query.

Multiple sessions on one game server may not work - the game server will not understand the difference between the two players, as they both seem to originate from the same address.

Popular programs like ICQ and Dialpad.com also require NAT settings to map ports from the outside to the inside, otherwise they operate in degraded mode or not at all.

Linux users are in the happy situation of being able to install kernel modules that cope with any number of these problems - they recognize the protocol and operate specially on the data to restore full services.

3. NAT and Security

NAT is actually great for security - it functions as a firewall for incoming connection requests: NAT will only pass on traffic on a pre-existing connection, so unless you "speak" to the net, the net is not allowed to "speak" to you. Do not assume NAT is the same as a firewall, however! firewalls allow rules, can inspect packets, and operate on many levels.. NAT is normally very simple, and will do nothing to stop data from inside your domain escaping to the net, or setting up a conversation with something on the net!

4. NAT and Encryption / VPNs

Having built defenses to stop the outside world getting in, or the inside world getting out, (firewalls), the next challenge is to stop the outside world snooping your conversation. This is solved, to some extent, by standard security methods in common use on the net: Everyone who has shopped online, has used secure web connections (when the little padlock icon goes on), and system administrators like to use secure telnet to remotely administer machines. This encryption is of the payload of the data packets, but not the packet addresses (headers) of each layer of protocol.

The next level up of security is end-to-end encryption or IPSEC tunnel. In this more secure system, even the packet addressing details are encrypted (tunnelled) inside packets that are addressed to the other end. By encrypting everything except the minimum required to get each packet to the other end, potential for evesdrop or meddling is dramatically reduced. IPSEC tunnel level protocol is probably the most secure open standard available and in common use on the net today.

5. NAT and IPSEC Tunnel

To work, NAT must re-write the header portion of each packet, to make it appear like it was coming from the public IP address, it must also re-write incoming packet headers, to address them to the machine responsible for the conversation in progress... this is a necessary function of NAT. Can you see the problem yet? IPSEC tunnel method is, by design, hardened against this: by breaking the "seal" on the letter, the whole package is no longer trusted by the recipient, and breaking the seal itself requires knowledge of the keys used to encypt it in the first place!

6. Why do we care about VPNs?

If you need to provide secure access to company resources to employees on the road, you need to give them the best VPN (virtual private network) solution. If NAT devices or firewalls exist at either your corporate gateway, or homes, then IPSEC tunnel is not going to work, at least in standard form! Corporate policy may not allow switching down to the less secure IPSEC transport level security.

7. VPN solutions with NAT

The long term solution is going to be IPv6 - the new IP address space that provides thousands of IPs per square metre of the globe: NAT is not required when everything is uniquely addressable.. (at least the IP shortage problem that drives NAT adoption is no longer there), although firewalls and other reasons to hide private nets may still be. Unfortunately, IPv6 is some way off.
IPSEC software packages, such as the system from NetSeal claim to have worked around the problem by allowing corporate firewalls and internal machines to work together to communicate the nature of the transmission, as well as tag the encrypted transmission itself, thus providing the firewall with enough information to make decisions based on its standard rule-set, without the overhead of decryption and recryption of every byte of data. NetSeal would require comprehensive adoption though.

The ISB2LAN NAT box (see our equipment page) has been tweaked to cope with VPN solutions: simply by recognizing encrypted packets as trustworthy, it points them at a single internal address, so Mum can be using her secure VPN from the office, while the rest of the family fool around on the net using regular NAT.. not a very elegant solution, but for home use, it is quick and effective, and more importantly may be the only solution available under the circumstances.

Forums » When NAT becomes NOT
view: topics flat text 
Post a:
Anon

Re: When NAT becomes NOT

FYI: Wingate 4.0 (now in beta at »www.wingate.com) includes NAT. I have been running Wingate 3 since I was unable to get Win98 SE NAT working. Wingate's NAT is working fine for me (althought there are reports of problems, especially with ICQ) and eliminates the need to run client software on the client system.
permalink · 2000-03-08 12:07:19 · Reply to this
Anon There is one other way to get a VPN to work with
NAT - use dual-assignment.

While it's a little unorthodox, you can set up your NAT device, then set up a plain-jane router that is bridged ACROSS the NAT. In this scenario most internal machines use the private IP numbers and go through the NAT device. However, the few machines on the inside that must establish VPN connections to the outside, (or vis-versa) these systems use public IP numbers that are routed through the plain-jane router. On the inside net you will be running 2 IP ranges, in fact you can even set up the plain-jane router to route between these ranges, so the internal systems on the public IP range can reach other internal systems on the private range!

In this way you can get the benefit of the IP address conservation of private IP number usage through NAT, as well as run your VPN.

Also, one other thing to consider. In increasing years the shortage of IPv4 numbers will reach far higher porportions than it is today. It is going to be more and more difficult for organizations and individuals to retain large blocks of legal IPv4 IP numbers when either NAT or Proxy is possible. It is also very unlikely that IP v6 will make much difference - in all likelyhood organizations will merely implement NAT devices that not only translate between private and public IP numbers - but also translate between IPv4 and IPv6 numbers! So, even if your ISP delivers IPv6 to your organizations "doorstep", unless you are prepared to replace every single last internal device in your organization with upgraded devices that support IPv6, your going to still be running IPv4 and using NAT.

What this all boils down to is that it's a very bad idea to roll out any TCP/IP solutions at this time that depend on hard-coding the IP number in the data portion of the TCP/IP packet payload. Fancy VPN solutions are best implemented from router-to-router, and that don't involve the desktop computers.
permalink · 2000-03-11 03:08:55 · Print · Reply to this
Anon Well, I'm intrigued to read that Windows 98SE ICS doesn't work with PPPoE. In fact, I have it set up on my home network, and it is working fine. This comment is being delivered via ICS and PPPoE (Bell Atlantic is my DSL provider). I didn't know that it wasn't supposed to work until after I set it up--good thing! The hardest part was installing the second NIC in the ICS computer. Once I had the ICS computer talking to my home LAN, installing ICS itself was straightforward.
permalink · 2000-03-12 10:30:05 · Reply to this
kbgorman

join:2000-03-12
Richmond, VA
·Comcast

Re: When NAT becomes NOT

I also am using Windows 98SE ICS on my home network without any problems (Bell Atlantic is my DSL provider, PPPoE). I started "fresh" with the host as a stand-alone machine and removed all networking. I then added the NIC for the external modem, followed BA's instructions to set up the DSL connection and made certain it was working correctly, added another NIC for the LAN (added NetBEUI attached only to the home NIC), made certain it was working, and then installed ICS (that was the easiest step!)

There is very little difference in the ICS DSL setup and regular dial-up ICS setup, just make sure you choose "#1 Dialup" in the ICS wizard as the way to connect to the internet, and the local NIC as the adapter you use to access you home network. I also have a regular dialup setup that I use as a backup when DSL is down, and ICS works with both (they both use #1Dialup).

I guess just because someone at Microsoft says it, it may not always be correct (they're just people, too!) Hopefully this misinformation can be corrected. ICS is easy, secure, and free...you can't beat it!
permalink · 2000-03-13 09:27:23 · Print · Reply to this
Anon Erm...
NAT, is NOT firewall security. It's simple, very simple address translation. It doesn't prevent inbound connections. It doesn't filter all inside addresses to a singular outside address.
"That's PAT, that does that."
;said the cat in the hat!

The idea behind NAT and PAT is simply to keep publicly routable IP addresses on one side of the router (the public side), and your inside, private (non-routable) addresses on the other.

Effectively, it's as if you had a gate at the end of your street, and all the public mail addresses were given to the gate person, who then distributed them to your private street address within the gated community. A mail bomb sent to your public address will still be delivered to your private one. There is no inspection of the traffic, just forwarding. The security comes from the fact that people cannot see you directly.

(You can further obsfuscate the issue by using someone else's publicly routable address inside your private network, in effect doing an offhand form of NAT at a different layer, but should NAT on the router fail, your network will probably lose total internet connectivity.)

Requiring connections to be established from the inside network is a firewall issue, and is not part of NAT or PAT. It can't be, because if all outside queries were rejected, you'd either have to open a permanent hole in your NAT table, or you'd never give responses to DNS, email, and other queries. That's a good thing right? Umm..not if you're running a game server and want folks to connect to you!

Finally, you can't do encryption over NAT, because the source address is part of the decryption algorythim, and if it's altered, the decryption will fail.

See RFC 1631 at:

»www.faqs.org/rfcs/rfc1631.html

for more detailed info.

Regards,
-Bouncer-
permalink · 2000-03-13 10:26:18 · Print · Reply to this

justin
Australian
join:1999-05-28
Brooklyn, NY

Host:
IPv6
Business Connectiv..
Home/Office setup ..
Console/Handheld g..
Console Tech

Re: When NAT becomes NOT

The mailbomb/mailman analogy is not correct in my experience. NAT devices and NAT software that is being marketed as such do not pass on packages unless a preexisting connection has been opened to the outside party. The letter (packet) cannot be addressed to an inside address unless you've been contacted first.. the packet is dropped.
If you port scan a NAT box, no ports are open, no machines get your packets, no matter how many machines live behind it.
So it isnt a firewall (I said that in the article) but it does provide basic protection.
And the end of the article points out the VPN issues as well.
If you can point me to some documentation for a NAT box or NAT software that shows how a new connection from outside can get in without explicitly allowing it, please post!
permalink · 2000-03-13 15:46:51 · Print · Reply to this
Anon

Re: When NAT becomes NOT

Well,

We're kind of going in circles, because I just realized we're talking about two different kinds of NAT. You're referring to outbound-NAT, and I'm referring to bi-directional NAT.

(From RFC 2663: )

"With a Bi-directional NAT, sessions can be initiated from hosts in the public network as well as the private network. Private network addresses are bound to globally unique addresses, statically or dynamically as connections are established in either direction."

Pretty much sums up Bi-directional NAT in a nutshell. We'll call it a draw. (LOL)

To me, the real problem is this:
Neither out-bound or bi-directional does NAT do inspection of the packet. A firewall WILL do that, and more. In addition, out-bound packet sourcing for security isn't part of the RFC, it's more to do with propagating routing tables, and shouldn't be relied upon as the primary method of defense. I'm not down on NAT at all, I just wouldn't bet my data, or recommend you betting yours, on it.

Regards,
-Bouncer-
permalink · 2000-03-13 19:37:28 · Print · Reply to this
Anon In the old days, when I had win95 and ppp, I used nat32 (»www.nat32.com), which is an excellent piece of shareware that worked fine with ppp, and which claims to beat win98 connection sharing. Then I switched to Linux, which makes a great NAT box with PPP or with an always-on connection. NAT seems to be usually called "IP Masquerade" in the Linux community. There's a HOWTO document about it (»www.linuxdoc.org/HOWTO/IP-Masque···WTO.html), and when coupled with ipchains you have a pretty decent NAT + firewall box. You can buy these off the shelf or if you have a little nerd in you you can set up your own.
permalink · 2000-03-22 09:33:51 · Print · Reply to this
Forums » When NAT becomes NOT

Tuesday, 10-Nov 23:09:19 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.