Network Working Group                                          M. Hurn
INTERNET-DRAFT                                              August, 96
Category: Informational                           Expire in six months

                             Extending NAT

Status of this Memo

   This memo provides information for the Internet community. This
   memo does not specify an Internet standard of any kind.
   Distribution of this memo is unlimited.

   This document is an Internet Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months. Internet Drafts may be updated, replaced, or obsoleted by
   other documents at any time. It is not appropriate to use Internet
   Drafts as reference material or to cite them other than as a
   "working draft" or "work in progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the internet-drafts Shadow
   Directories on:

      ftp.is.co.za (Africa)
      nic.nordu.net (Europe)
      ds.internic.net (US East Coast)
      ftp.isi.edu (US West Coast)
      munnari.oz.au (Pacific Rim)

Synopsis

   This document describes how the addressing scheme of the IP Network
   Address Translator (NAT) [1] could be extended. The extension takes
   advantage of the fact that the source port number of a TCP/IP packet
   can be any value the originating host is not currently using. It
   also exploits the fact that (nearly) all networking software will
   work with DNS. By using DNS and proxies the ENAT system performs the
   address translation indirectly. For convenience the term ENAT will
   be used for the extended addressing scheme to distinguish it from
   the original. An ENAT system could be used equally for UDP/IP as
   well as TCP/IP. ICMP can be handled with restrictions.
Table of Contents

   Status of this Memo
   Synopsis
   Introduction
   Without DNS
   ENAT with DNS
   ICMP
   DNS Only
   References
   Security Considerations
   Author's Address

Introduction

   Where NAT systems use a pool of IP addresses, an ENAT system uses a
   pool of source ports.

   To give an example I will assume that the ENAT system is using a
   single class C address space (e.g. 192.168.142.x from RFC 1597) on
   its LAN segment. To help with the explanation every octet of an IP
   address will be written with three digits (001-254), giving a 15
   character string for the address.

   On the LAN interface the ENAT system will use 192.168.142.001. The
   rest, 192.168.142.002 to 192.168.142.254, can be manually or
   dynamically assigned to the PCs by the ENAT system using DHCP [2].
   (Dynamic assignment is the preferred option.) For the WAN interface
   the ENAT system could use a manually or dynamically assigned IP
   address from the user's ISP.

   It is intended that an ENAT system will work as a DNS server (see
   below) as well as a (caching, as appropriate) proxy server for the
   applications that the system supports (e.g. mail, web etc). By using
   caching proxies the ENAT system will reduce the need for address
   translation. The complexity of implementing an ENAT system is
   greatly reduced by restricting all network access through the system
   to using DNS.

   Please treat this document as a catalyst, as I expect there are
   better and/or alternative ways to achieve the functionality that I
   have outlined below.

Without DNS

   For simple protocols the ENAT system could dynamically translate the
   address and port used by the PC to the IP address of the WAN
   interface and an unused port number. This is also known as IP
   Masquerading. In the following examples the IP addresses are
   prefixed S or D to indicate the Source or Destination address, and
   the port number follows in brackets, thus (42).

     PC1    Host1          Host2   Host3    PC2     PC3
    ...101  ...102         ...101  ...102  ...103  ...104
      |       |              |       |       |       |
    ------------           ---------------------------
    | 192.168.142.         | 192.168.142.
    | ...001               | ...001
  +-------+             +-------+
  | ENAT1 |             | ENAT2 |
  +-------+             +-------+
  172.016.042.056       172.030.005.060
      |                     |
   /----------------------------------------\
   |              The Internet              |
   \----------------------------------------/
                       |
                 010.234.055.046
                      Host4

   A Telnet (23) exchange between PC2 and Host4

      PC2 to ENAT2    S192.168.142.103(456)  D010.234.055.046(23)
      ENAT2 to Host4  S172.030.005.060(753)  D010.234.055.046(23)
      Host4 to ENAT2  S010.234.055.046(23)   D172.030.005.060(753)
      ENAT2 to PC2    S010.234.055.046(23)   D192.168.142.103(456)

   A Telnet (23) exchange between PC3 and Host4

      PC3 to ENAT2    S192.168.142.104(456)  D010.234.055.046(23)
      ENAT2 to Host4  S172.030.005.060(754)  D010.234.055.046(23)
      Host4 to ENAT2  S010.234.055.046(23)   D172.030.005.060(754)
      ENAT2 to PC3    S010.234.055.046(23)   D192.168.142.104(456)

   A Telnet (23) exchange between PC1 and Host2

      PC1 to ENAT1    S192.168.142.101(120)  D172.030.005.060(23)
      ENAT1 to ENAT2  S172.016.042.056(522)  D172.030.005.060(23)
      ENAT2 to Host2  S172.016.042.056(522)  D192.168.142.101(23)
      Host2 to ENAT2  S192.168.142.101(23)   D172.016.042.056(522)
      ENAT2 to ENAT1  S172.030.005.060(23)   D172.016.042.056(522)
      ENAT1 to PC1    S172.030.005.060(23)   D192.168.142.101(120)

   Note that the port number for the service (23) remains intact: from
   client to server it is in the destination address, and from server
   to client it is in the source address. This implies that ENAT
   systems have a look-up table which maps service (port number) to the
   local host that provides that service. It also means that for each
   service there can be only ONE host on an ENAT connected network that
   provides that service to the external networks. In the above example
   all Telnet requests (from the Internet) to the ENAT2 site will go to
   Host2.

ENAT with DNS

   Where a protocol embeds the source and destination addresses within
   the data packets, for example FTP, simple address translation has
   problems (see RFC 1631 [1]); as such it is not recommended by the
   author.
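   The port-based translation of the Without DNS section, and the
   embedded-address problem just mentioned, written out as an added
   example. This is not code from the draft: the Packet and Masquerader
   names are invented here, addresses are the draft's own without the
   zero padding (172.030.005.060 is written 172.30.5.60), WAN ports are
   assumed to be handed out in sequence from 753 so that the numbers
   match the PC2/PC3 exchanges, a packet arriving on a mapped WAN port
   from a peer other than the recorded one is assumed to be dropped, and
   the FTP PORT payload is a constructed sample.

```python
# Added example (not part of the draft): "IP Masquerading" as a look-up
# table.  Assumptions not in the draft: sequential WAN port allocation,
# and dropping packets on a mapped port that come from the wrong peer.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class Masquerader:
    """Translate (private address, port) <-> (WAN address, unused port)."""

    def __init__(self, wan_ip, services=None, first_port=1024):
        self.wan_ip = wan_ip
        # The draft's service table: service port -> the ONE local host
        # that provides that service to the outside.
        self.services = dict(services or {})
        self.next_port = first_port
        self.out = {}   # (src, sport, dst, dport) -> WAN port
        self.back = {}  # WAN port -> (src, sport, dst, dport)

    def outbound(self, pkt):
        """Rewrite a LAN -> Internet packet; allocate a WAN port if new."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        # Only the IP/TCP header changes; the payload passes through untouched.
        return Packet(self.wan_ip, port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        """Rewrite an Internet -> LAN packet, or return None to drop it."""
        key = self.back.get(pkt.dport)
        if key is not None:
            src, sport, dst, dport = key
            if (pkt.src, pkt.sport) != (dst, dport):
                return None  # mapped port, but not the recorded peer (assumption)
            return Packet(pkt.src, pkt.sport, src, sport, pkt.payload)
        host = self.services.get(pkt.dport)
        if host is None:
            return None  # no session and no published service
        # The service port is kept intact; only the destination host changes.
        return Packet(pkt.src, pkt.sport, host, pkt.dport, pkt.payload)


def enat2_telnet_sessions():
    """Replay the draft's PC2/PC3 -> Host4 and PC1 -> Host2 exchanges at ENAT2."""
    enat2 = Masquerader("172.30.5.60", services={23: "192.168.142.101"},
                        first_port=753)
    host4 = "10.234.55.46"
    pc2_out = enat2.outbound(Packet("192.168.142.103", 456, host4, 23))
    pc3_out = enat2.outbound(Packet("192.168.142.104", 456, host4, 23))
    pc3_back = enat2.inbound(Packet(host4, 23, "172.30.5.60", pc3_out.sport))
    # Unsolicited Telnet from ENAT1's WAN address: the table sends it to Host2.
    from_enat1 = enat2.inbound(Packet("172.16.42.56", 522, "172.30.5.60", 23))
    return pc2_out, pc3_out, pc3_back, from_enat1


def embedded_address_leaks():
    """The problem that motivates ENAT with DNS: a constructed FTP PORT
    command carrying the private address crosses the translator unchanged,
    so the remote server is told an address it cannot reach."""
    enat2 = Masquerader("172.30.5.60", first_port=753)
    pkt = Packet("192.168.142.103", 1030, "10.234.55.46", 21,
                 b"PORT 192,168,142,103,4,6\r\n")
    translated = enat2.outbound(pkt)
    return b"192,168,142,103" in translated.payload
```

   Both PC2 and PC3 use local source port 456; the two sessions stay
   distinct only because the translator gives each its own WAN port
   (753 and 754), which is the pool of source ports the Introduction
   refers to. The inbound path shows the limitation the draft states:
   anything arriving for port 23 that does not belong to a live session
   goes to the single host in the service table.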
   One option that can overcome the problems with simple address
   translation is to use DNS, a phantom segment and proxy servers. The
   proxy servers work at the application level and only pass data
   between input and output; in this way the problem of embedded
   address information is avoided. In the explanation below I will
   continue to describe Telnet sessions for simplicity and continuity.

       L1    L2    Ln           P1    P2    P3    Pn
        |     |     |            :     :     :     :
      ---------------------    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
                |                         :
             +-------------+
             |    ENAT     |
             +-------------+
                    |
         /----------------------------------------\
         |              The Internet              |
         \----------------------------------------/
            |      |      |      |      |
           R1     R2     R3     R4     Rn

   Where

      L1 to Ln   Local Hosts     L1 IP Address   192.168.142.101
      P1 to Pn   Phantom Hosts   P1 IP Address   172.024.000.001
      R1 to Rn   Remote Hosts    R1 IP Address   010.234.055.201
      ENAT       WAN IP Address  172.016.042.056

   A sample session L1 to R1

   Local Host L1 makes a DNS request for the IP address of Remote Host
   R1. The ENAT system forwards the request to the Internet. When the
   address has been resolved, the ENAT system returns the Phantom IP
   address P1 to host L1 and keeps the true IP address of R1 in a
   look-up table. The packet flow becomes:

      L1 to ENAT(P1)   S192.168.142.101(567)  D172.024.000.001(23)
      ENAT(WAN) to R1  S172.016.042.056(753)  D010.234.055.201(23)
      R1 to ENAT(WAN)  S010.234.055.201(23)   D172.016.042.056(753)
      ENAT(P1) to L1   S172.024.000.001(23)   D192.168.142.101(567)

   In practice this is two Telnet sessions, L1 to ENAT(P1) and
   ENAT(WAN) to R1:

      L1 to ENAT(P1)   S192.168.142.101(567)  D172.024.000.001(23)
      ENAT(P1) to L1   S172.024.000.001(23)   D192.168.142.101(567)

   and

      ENAT(WAN) to R1  S172.016.042.056(753)  D010.234.055.201(23)
      R1 to ENAT(WAN)  S010.234.055.201(23)   D172.016.042.056(753)

   The ENAT system works as a proxy server between the Phantom and WAN
   interfaces. The following examples show that an ENAT system could
   handle multiple sessions without breaking the protocol.
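   The DNS answer, the look-up table and the two-leg session described
   above, as an added example that is not code from the draft. The
   EnatDns name is invented here; UPSTREAM is a constructed table
   standing in for the answers the Internet's DNS would give; phantoms
   are assumed to be allocated in order from 172.24.0.0/16 (the segment
   that contains the draft's P1, 172.024.000.001), one per answer, which
   is how the draft's later examples read when L2 asks for R1 and
   receives P2; WAN ports are assumed sequential from 753. None of
   these allocation rules is specified in the draft, which only requires
   an unused port and a phantom address the local host can reach.

```python
# Added example (not part of the draft): ENAT with DNS.  The ENAT DNS
# server hands a local host a phantom address, records the real address
# against it, and each session becomes two independent legs joined by an
# application-level proxy.  UPSTREAM and the allocation order are
# assumptions made for this example.
import ipaddress

# Constructed sample answers; the real system would query the Internet.
UPSTREAM = {
    "r1.example.net": "10.234.55.201",
    "r3.example.net": "10.234.55.203",
}


class EnatDns:
    def __init__(self, wan_ip, phantom_net="172.24.0.0/16",
                 first_port=753, upstream=UPSTREAM):
        self.wan_ip = wan_ip
        self._free = ipaddress.ip_network(phantom_net).hosts()  # P1, P2, ...
        self.upstream = upstream
        self.phantom_to_real = {}  # the draft's look-up table
        self.next_port = first_port
        self.sessions = {}         # local leg -> WAN leg

    def resolve(self, name):
        """Answer a local host's query with a freshly allocated phantom.

        A new phantom is issued for every answer (assumption: the draft's
        L2 asking for R1 receives P2, not L1's P1); the true address is
        kept only in the table, never returned to the local host."""
        real = self.upstream.get(name)
        if real is None:
            return None  # nothing upstream: the negative answer passes on
        phantom = str(next(self._free))
        self.phantom_to_real[phantom] = real
        return phantom

    def connect(self, local_ip, lport, phantom, dport):
        """A local host opens a TCP session to a phantom address.

        Returns the two legs the proxy joins, (local leg, WAN leg), each
        as (src, sport, dst, dport).  A phantom that resolve() never issued
        is refused: the table is the only route to a real address."""
        real = self.phantom_to_real.get(phantom)
        if real is None:
            raise LookupError("%s was never issued as a phantom" % phantom)
        wport = self.next_port
        self.next_port += 1
        local_leg = (local_ip, lport, phantom, dport)
        wan_leg = (self.wan_ip, wport, real, dport)
        self.sessions[local_leg] = wan_leg
        return local_leg, wan_leg

    def relay(self, local_leg, data):
        """The proxy copies bytes from the local leg to its WAN leg.  Each
        leg is a separate TCP connection with its own addresses, so there
        is no header rewriting that could get out of step with addresses
        carried in the data."""
        return self.sessions[local_leg], data


def draft_sessions():
    """Replay L1 -> R1, L2 -> R1 and L1 -> R3 from the draft; return the legs."""
    enat = EnatDns("172.16.42.56")
    p1 = enat.resolve("r1.example.net")   # L1 asks for R1, receives P1
    p2 = enat.resolve("r1.example.net")   # L2 asks for R1, receives P2
    p3 = enat.resolve("r3.example.net")   # L1 asks for R3, receives P3
    l1_r1 = enat.connect("192.168.142.101", 567, p1, 23)
    l2_r1 = enat.connect("192.168.142.102", 567, p2, 23)
    l1_r3 = enat.connect("192.168.142.101", 555, p3, 23)
    return p1, p2, p3, l1_r1, l2_r1, l1_r3
```

   The local host only ever sees the phantom, so the private address
   192.168.142.101 and the real address 10.234.55.201 never appear in
   the same packet; that is what lets the proxy, rather than a header
   rewrite, carry the session.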
   L2 to R1

      L2 to ENAT(P2)   S192.168.142.102(567)  D172.024.000.002(23)
      ENAT(WAN) to R1  S172.016.042.056(777)  D010.234.055.201(23)
      R1 to ENAT(WAN)  S010.234.055.201(23)   D172.016.042.056(777)
      ENAT(P2) to L2   S172.024.000.002(23)   D192.168.142.102(567)

   L1 to R3

      L1 to ENAT(P3)   S192.168.142.101(555)  D172.024.000.003(23)
      ENAT(WAN) to R3  S172.016.042.056(888)  D010.234.055.203(23)
      R3 to ENAT(WAN)  S010.234.055.203(23)   D172.016.042.056(888)
      ENAT(P3) to L1   S172.024.000.003(23)   D192.168.142.101(555)

ICMP

   The ICMP messages that handle flow control to an affected interface
   will remain unchanged. Pings will need to be answered on the user's
   behalf by the ENAT system: upon receiving a user's ping the ENAT
   system sends out a ping of its own and only replies to the user's
   ping when its own ping has been returned.

DNS Only

   If the ENAT system is restricted to using DNS, then most of the code
   needed to turn a Unix system (for example) into an ENAT system will
   be at the application level. The two main areas of system level
   programming will be the phantom segment driver and the modified DNS
   server.

References

   [1] Egevang, K. and P. Francis, "The IP Network Address Translator
       (NAT)", RFC 1631, May 1994.

   [2] Droms, R., "Dynamic Host Configuration Protocol", RFC 1541,
       Bucknell University, October 1993.

Security Considerations

   Security issues are not discussed in this memo.

Author's Address

   Mike Hurn
   11 Blackstone Ave
   Eldene
   Swindon SN3 6DN
   England

   Phone: +44 (0)1793 523759
   EMail: mikeh@bcs.org.uk