Network Working Group M. Hurn
INTERNET-DRAFT August, 96
Category: Informational Expire in six months
<draft-rfced-info-hurn-01.txt>
Extending NAT
Status of this Memo
This memo provides information for the Internet community.
This memo does not specify an Internet standard of any kind.
Distribution of this memo is unlimited.
This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet
Drafts as reference material or to cite them other than as a
"working draft" or "work in progress."
To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the internet-drafts Shadow
Directories on:
ftp.is.co.za (Africa)
nic.nordu.net (Europe)
ds.internic.net (US East Coast)
ftp.isi.edu (US West Coast)
munnari.oz.au (Pacific Rim)
Synopsis
This document describes how the addressing scheme of the 'IP Network
Address Translator (NAT) [1] could be extended. The extension takes
advantage of the fact that the source port number in a full TCP/IP
packet can be any value the originating host is not currently using. It
also exploits the fact that (nearly) all the networking software will
work with DNS. By using DNS and proxies the ENAT systems perform the
address translation indirectly.
For convenience the term ENAT will be used for the extended addressing
scheme to distinguish it from the original. An ENAT system could be used
equally for UDP/IP as well as TCP/IP. ICMP can be handled with
restrictions.
Table of Contents
Status of this Memo
Synopsis
Introduction
Simple protocols
ENAT with DNS
ICMP
DNS Only
References
Security Considerations
Author's Address
Introduction
Where NAT systems use a pool of IP addresses an ENAT system would use a
pool of source ports.
To give an example I will assume that the ENAT system is using a single
class C address space (e.g. 192.168.142.x from RFC1597) on its LAN
segment. To help with the explanation all IP addresses will use 3 ASCII
characters (001-254) giving a 15 character string for the address.
On the LAN interface the ENAT system will use 192.168.142.001. The
rest, 192.168.142.002 to 192.168.142.254, can be manually or dynamically
assigned to the PCs by the ENAT system using DHCP [2]. (Dynamic
assignment is the preferred option.)
For the WAN interface the ENAT system could use a manually or
dynamically assigned IP address from the user's ISP.
It is intended that an ENAT system will work as a DNS server (see below)
as well as a (caching as appropriate) proxy server for the applications
that the system supports (e.g. mail, web etc). By using caching proxies
the ENAT system will reduce the need for address translation.
The complexity of implementing an ENAT system is greatly reduced by
restricting all network access through the system to using DNS.
Please treat this document as a catalyst, as I expect there are better
and/or alternative ways to achieve the functionality that I have outlined
below.
Without DNS
For simple protocols the ENAT system could dynamically translate the
address and port used by the PC to the IP address of the WAN interface
and an unused port number. This is also known as IP Masquerading.
In the following examples the IP addresses will be prefixed to indicate
Source/Destination address and have the port number indicated thus (42).
   PC1     Host1          Host2   Host3    PC2     PC3
  ...101  ...102         ...101  ...102  ...103  ...104
    |       |              |       |       |       |
  ------------          ---------------------------
       | 192.168.142.               | 192.168.142.
       |                            |
     ...001                       ...001
   +-------+                    +-------+
   | ENAT1 |                    | ENAT2 |
   +-------+                    +-------+
  172.016.042.056           172.030.005.060
       |                            |
   /----------------------------------------\
   |              The Internet              |
   \----------------------------------------/
                       |
                010.234.055.046
                     Host4
A Telnet (23) exchange between PC2 and Host4
  PC2 to ENAT2     S192.168.142.103(456)  D010.234.055.046(23)
  ENAT2 to Host4   S172.030.005.060(753)  D010.234.055.046(23)
  Host4 to ENAT2   S010.234.055.046(23)   D172.030.005.060(753)
  ENAT2 to PC2     S010.234.055.046(23)   D192.168.142.103(456)
A Telnet (23) exchange between PC3 and Host4
  PC3 to ENAT2     S192.168.142.104(456)  D010.234.055.046(23)
  ENAT2 to Host4   S172.030.005.060(754)  D010.234.055.046(23)
  Host4 to ENAT2   S010.234.055.046(23)   D172.030.005.060(754)
  ENAT2 to PC3     S010.234.055.046(23)   D192.168.142.104(456)
A Telnet (23) exchange between PC1 and Host2
  PC1 to ENAT1     S192.168.142.101(120)  D172.030.005.060(23)
  ENAT1 to ENAT2   S172.016.042.056(522)  D172.030.005.060(23)
  ENAT2 to Host2   S172.016.042.056(522)  D192.168.142.101(23)
  Host2 to ENAT2   S192.168.142.101(23)   D172.016.042.056(522)
  ENAT2 to ENAT1   S172.030.005.060(23)   D172.016.042.056(522)
  ENAT1 to PC1     S172.030.005.060(23)   D192.168.142.101(120)
Note that the port number for the service (23) remains intact. From client
to server it is in the destination address, and from server to client it
is in the source address.
This implies that ENAT systems have a look-up table which maps
service (port number) to the local host that provides that service. It
also means that for each service there can only be ONE host on an
ENAT connected network that can provide a given service
to the external networks. In the above example all Telnet requests
(from the Internet) to the ENAT2 site will go to Host2.
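The following is an added example, not code from the draft or its author: a toy model of the "Without DNS" port translation described above, replaying the draft's own figures with its constructed addresses and ports. The ENAT class, its three tables (outbound map, inbound map, service table) and the check that a reply must come from the remote host a port was opened towards are assumptions of this example; the draft only specifies the translated packets shown.

```python
"""Added example (not part of the draft): a toy model of the "Without DNS"
port translation, using the constructed addresses and ports from the
draft's diagram.  The ENAT class, its tables and the remote-address check
in wan_to_lan are this example's assumptions, not an implementation the
author describes."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self):
        # Same S...(port) D...(port) notation as the draft's figures.
        return f"S{self.src}({self.sport}) D{self.dst}({self.dport})"


@dataclass
class ENAT:
    wan_ip: str
    next_port: int = 753              # next free WAN source port in the pool
    # (lan ip, lan port) -> WAN port, for connections opened from the LAN
    out_map: dict = field(default_factory=dict)
    # WAN port -> (lan ip, lan port, remote ip), to translate replies back
    in_map: dict = field(default_factory=dict)
    # service port -> the ONE local host that provides that service
    services: dict = field(default_factory=dict)

    def register_service(self, port, host):
        if port in self.services and self.services[port] != host:
            raise ValueError(f"port {port} is already served by {self.services[port]}")
        self.services[port] = host

    def lan_to_wan(self, pkt):
        if self.services.get(pkt.sport) == pkt.src:
            # Reply from the local server: only the address changes, the
            # service port stays intact (draft: "ENAT2 to ENAT1 ... (23)").
            return Packet(self.wan_ip, pkt.sport, pkt.dst, pkt.dport)
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            wan_port = self.next_port
            self.next_port += 1
            self.out_map[key] = wan_port
            self.in_map[wan_port] = (pkt.src, pkt.sport, pkt.dst)
        return Packet(self.wan_ip, self.out_map[key], pkt.dst, pkt.dport)

    def wan_to_lan(self, pkt):
        if pkt.dport in self.in_map:
            lan_ip, lan_port, remote_ip = self.in_map[pkt.dport]
            if pkt.src != remote_ip:
                return None            # not the peer this port was opened to: drop
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        if pkt.dport in self.services:
            # Unsolicited request: every request for this service goes to the
            # one registered host (the limitation the draft points out).
            return Packet(pkt.src, pkt.sport, self.services[pkt.dport], pkt.dport)
        return None                    # no mapping, no service: drop


def pc1_to_host2_exchange():
    """Replays the draft's Telnet exchange between PC1 (behind ENAT1) and
    Host2 (ENAT2's registered Telnet host)."""
    enat1 = ENAT("172.016.042.056", next_port=522)
    enat2 = ENAT("172.030.005.060", next_port=753)
    enat2.register_service(23, "192.168.142.101")              # Host2
    p1 = Packet("192.168.142.101", 120, "172.030.005.060", 23)  # PC1 to ENAT1
    p2 = enat1.lan_to_wan(p1)                                   # ENAT1 to ENAT2
    p3 = enat2.wan_to_lan(p2)                                   # ENAT2 to Host2
    p4 = Packet(p3.dst, p3.dport, p3.src, p3.sport)             # Host2 to ENAT2
    p5 = enat2.lan_to_wan(p4)                                   # ENAT2 to ENAT1
    p6 = enat1.wan_to_lan(p5)                                   # ENAT1 to PC1
    return [str(p) for p in (p1, p2, p3, p4, p5, p6)]


if __name__ == "__main__":
    print("\n".join(pc1_to_host2_exchange()))
```

Running the block prints the six packets of the PC1/Host2 figure exactly as the draft lists them. Two behaviours worth noting for a reviewer: a packet arriving on a pooled WAN port from any address other than the one the port was opened towards is dropped rather than forwarded, and a second attempt to register a host for an already registered service port is refused, which is the "only ONE host per service" restriction made explicit.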
ENAT with DNS
Where the protocol embeds the source and destination addresses within
the data packets (for example FTP), simple address translation has
problems (see RFC 1631 [1]); as such it is not recommended by the author.
One option that can overcome the problems with simple address
translation is to use DNS, a phantom segment and proxy servers. The
proxy servers work at the application level and only pass data between
input and output; in this way the problem of embedded address information
is avoided. In the explanation below I will continue to describe Telnet
sessions for simplicity and continuity.
   L1    L2    Ln          P1    P2    P3    Pn
   |     |     |           :     :     :     :
  ----------------------  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
             |             :
             +-------------+
             |    ENAT     |
             +-------------+
                    |
   /----------------------------------------\
   |              The Internet              |
   \----------------------------------------/
      |       |       |       |       |
      R1      R2      R3      R4      Rn
Where  L1 to Ln   Local Hosts     L1 IP Address  192.168.142.101
       P1 to Pn   Phantom Hosts   P1 IP Address  172.024.000.001
       R1 to Rn   Remote Hosts    R1 IP Address  010.234.055.201
       ENAT       WAN IP Address                 172.016.042.056
A sample session L1 to R1
Local Host L1 makes a DNS request for the IP address of Remote Host R1.
The ENAT system forwards the request to the Internet. When the address
has been resolved, the ENAT system returns the Phantom IP address P1 to
host L1 and keeps the true IP address of R1 in a look-up table.
The packet flow becomes:
  L1 to ENAT(P1)    S192.168.142.101(567)  D172.024.000.001(23)
  ENAT(WAN) to R1   S172.016.042.056(753)  D010.234.055.201(23)
  R1 to ENAT(WAN)   S010.234.055.201(23)   D172.016.042.056(753)
  ENAT(P1) to L1    S172.024.000.001(23)   D192.168.142.101(567)
In practice this is two Telnet sessions, L1 to ENAT(P1) and ENAT(WAN)
to R1:
  L1 to ENAT(P1)    S192.168.142.101(567)  D172.024.000.001(23)
  ENAT(P1) to L1    S172.024.000.001(23)   D192.168.142.101(567)
and
  ENAT(WAN) to R1   S172.016.042.056(753)  D010.234.055.201(23)
  R1 to ENAT(WAN)   S010.234.055.201(23)   D172.016.042.056(753)
The ENAT system works as a proxy server between the Phantom and WAN
interfaces. The following examples show that an ENAT system could
handle multiple sessions without breaking the protocol.
L2 to R1
  L2 to ENAT(P2)    S192.168.142.102(567)  D172.024.000.002(23)
  ENAT(WAN) to R1   S172.016.042.056(777)  D010.234.055.201(23)
  R1 to ENAT(WAN)   S010.234.055.201(23)   D172.016.042.056(777)
  ENAT(P2) to L2    S172.024.000.002(23)   D192.168.142.102(567)
L1 to R3
  L1 to ENAT(P3)    S192.168.142.101(555)  D172.024.000.003(23)
  ENAT(WAN) to R3   S172.016.042.056(888)  D010.234.055.203(23)
  R3 to ENAT(WAN)   S010.234.055.203(23)   D172.016.042.056(888)
  ENAT(P3) to L1    S172.024.000.003(23)   D192.168.142.101(555)
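The following is an added example, not code from the draft or its author: a toy model of the ENAT-with-DNS scheme above, covering the modified DNS server (phantom address handed back, true address kept in a look-up table) and the two independent sessions the proxy runs, replayed for the draft's L1 to R1, L2 to R1 and L1 to R3 sessions. Addresses follow the draft's diagram; the upstream DNS table, the host names r1.example and r3.example, the class interface, the restriction of the resolver to local clients and the source check on WAN replies are assumptions of this example, and WAN ports are handed out sequentially from 753 where the draft's figures use arbitrary values.

```python
"""Added example (not from the draft): a toy model of the ENAT-with-DNS
scheme.  Addresses follow the draft's diagram (local hosts 192.168.142.x,
phantom segment 172.024.000.x, WAN 172.016.042.056, remote hosts
010.234.055.x); the upstream DNS table, host names, class interface and
the two access checks are constructed for this example."""

# Constructed stand-in for answers the ENAT would get from Internet DNS.
UPSTREAM_DNS = {
    "r1.example": "010.234.055.201",
    "r3.example": "010.234.055.203",
}


class ENATDns:
    def __init__(self, wan_ip, phantom_prefix="172.024.000.", first_wan_port=753):
        self.wan_ip = wan_ip
        self.phantom_prefix = phantom_prefix
        self.next_phantom = 1
        self.next_wan_port = first_wan_port
        self.phantom_to_real = {}   # phantom address -> true remote address
        self.sessions = {}          # WAN port -> (local ip, local port, phantom, real)

    def resolve(self, client_ip, name):
        """The modified DNS server: forward the query, keep the true answer,
        and return a fresh phantom address to the local client (one phantom
        per request, as in the draft's figures where L2 resolving R1 gets P2)."""
        if not client_ip.startswith("192.168.142."):
            return None                       # assumption: serve the local segment only
        real = UPSTREAM_DNS.get(name)
        if real is None:
            return None                       # no upstream answer, no phantom
        phantom = f"{self.phantom_prefix}{self.next_phantom:03d}"
        self.next_phantom += 1
        self.phantom_to_real[phantom] = real
        return phantom

    def open_session(self, local_ip, local_port, phantom, service_port):
        """Local host connects to the phantom; the proxy opens the second,
        independent session from the WAN interface to the true host.
        Returns the four packets in the draft's S/D notation."""
        real = self.phantom_to_real.get(phantom)
        if real is None:
            return None                       # not an address we handed out: refuse
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.sessions[wan_port] = (local_ip, local_port, phantom, real)
        return (f"S{local_ip}({local_port}) D{phantom}({service_port})",
                f"S{self.wan_ip}({wan_port}) D{real}({service_port})",
                f"S{real}({service_port}) D{self.wan_ip}({wan_port})",
                f"S{phantom}({service_port}) D{local_ip}({local_port})")

    def accept_reply(self, src_ip, wan_port):
        """A packet arriving on the WAN interface is relayed only if it comes
        from the remote host bound to that port (an added check; the draft
        describes a port look-up only)."""
        entry = self.sessions.get(wan_port)
        return entry is not None and entry[3] == src_ip


def draft_sessions():
    """Replays the draft's three sample sessions: L1->R1, L2->R1, L1->R3."""
    enat = ENATDns("172.016.042.056")
    flows = []
    for local_ip, local_port, name in (("192.168.142.101", 567, "r1.example"),
                                       ("192.168.142.102", 567, "r1.example"),
                                       ("192.168.142.101", 555, "r3.example")):
        phantom = enat.resolve(local_ip, name)
        flows.append(enat.open_session(local_ip, local_port, phantom, 23))
    return enat, flows


if __name__ == "__main__":
    _, flows = draft_sessions()
    for flow in flows:
        print("\n".join(flow), end="\n\n")
```

Because the proxy relays application data between the two sessions rather than rewriting headers, nothing in the payload is ever translated, which is the property the draft relies on for protocols such as FTP. The two refusals in the model (a connection to a phantom address that was never handed out, a WAN packet from a host other than the one a port was opened towards) are where a real implementation would log and drop.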
ICMP
The ICMP messages that handle flow control to an affected interface will
remain unchanged. Pings will need to be spoofed by the ENAT system.
Upon receiving a user's ping the ENAT system will send out a ping of its
own and will only send a reply to the user's ping when it has had its own
ping returned.
DNS Only
If the ENAT system is restricted to using DNS, then most of the code
that is needed to turn a Unix system (for example) into an ENAT system
will be at the application level. The two main areas of system level
programming will be the phantom segment driver and the modified DNS
server.
References
[1] Francis, P. and K. Egevang, "The IP Network Address Translator
    (NAT)", RFC 1631, May 1994.
[2] Droms, R., "Dynamic Host Configuration Protocol", RFC 1541,
    Bucknell University, October 1993.
Security Considerations
Security issues are not discussed in this memo.
Author's Address
Mike Hurn
11 Blackstone Ave
Eldene
Swindon
SN3 6DN
England
Phone: +44 (0)1793 523759
EMail: mikeh@bcs.org.uk