Network address translators: effects on security protocols and applications in the TCP/IP stack

Jia-Ning Luo, Yu-Lun Huang, Fu-Shen Ho, Shiuh-Pyng Shieh
2000 IEEE Internet Computing  
One proposed method for mitigating the address shortage problem in IPv4 is to use network address translators (NATs) to allow address reuse. The basic idea is to transparently map a wide set of private network addresses and their corresponding TCP/UDP ports to a small set of globally unique public network addresses and ports. NAT devices provide a way to handle IP address depletion incrementally, without changing hosts and routers, until longer-term approaches such as IPv6 can be deployed. Existing Internet security protocols must be re-examined, however, to see how they function within this new network environment.

We begin with a description of the four NAT environments and a discussion of their limitations. We then examine the relationships between NAT devices and popular Internet security protocols and applications at each layer of the TCP/IP stack to see whether they can operate across NAT devices.

Figure 1 shows a NAT router with two interfaces. The device provides transparent routing between an intranet (using private IP addresses such as 10.1.1.1) and the Internet (using public IP addresses such as 140.113.215.1). Host addresses in the private network are unique only within that network, so the router converts the unregistered internal addresses to registered public addresses before forwarding packets to public networks.

NAT ENVIRONMENTS

There are four common NAT environments defined in RFC 2663. With traditional NAT, hosts within private networks can unidirectionally access remote hosts in external networks. External network hosts, however, cannot initiate session requests to hosts inside private networks. A bidirectional NAT server (also called two-way NAT) allows both inbound and outbound sessions. Once a connection is established in either direction, the NAT server maps the private network address statically or dynamically to a globally unique address. Bidirectional NAT assumes that fully qualified domain names for hosts in private and public networks are end-to-end unique. A DNS application-level gateway (ALG) must there-

42 NOVEMBER • DECEMBER 2000 http://computer.org/internet/
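To make the address/port mapping and the traditional-versus-bidirectional distinction concrete, here is a small NAPT simulator. It is an added example, not code from the paper: it keeps the translation table a NAT router maintains between intranet addresses/ports and its one public address, creates mappings only from outbound traffic in traditional mode, and lets bidirectional mode pre-register static mappings so that external hosts can open sessions (the DNS-ALG-driven dynamic variant is not modelled). The addresses 10.1.1.x and 140.113.215.1 follow the paper's Figure 1; the external peer 140.113.215.9, the port numbers, and the class and method names are assumptions made for this example.

```python
"""Toy NAPT (port-translating NAT) simulator.

Added example, not code from the paper. Private addresses 10.1.1.x and
the public address 140.113.215.1 follow the paper's Figure 1; the peer
140.113.215.9, all port numbers and all names here are assumptions.
"""
from dataclasses import dataclass, replace
import ipaddress
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a NAT device rewrites or keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    """A NAT router with a single public address.

    mode="traditional": mappings are created only by outbound packets, so an
    inbound packet that matches no existing session is dropped.
    mode="bidirectional": static mappings may also be pre-registered, so an
    external host can initiate a session to an intranet host.
    """

    def __init__(self, public_ip: str, mode: str = "traditional",
                 port_base: int = 40000) -> None:
        if mode not in ("traditional", "bidirectional"):
            raise ValueError(f"unknown NAT mode {mode!r}")
        self.public_ip = public_ip
        self.mode = mode
        self.next_port = port_base
        # (private_ip, private_port, proto) -> public_port
        self.outbound: Dict[Tuple[str, int, str], int] = {}
        # (public_port, proto) -> (private_ip, private_port)
        self.inbound: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def _bind(self, priv_ip: str, priv_port: int, proto: str, pub_port: int) -> None:
        """Record one mapping in both lookup directions."""
        self.outbound[(priv_ip, priv_port, proto)] = pub_port
        self.inbound[(pub_port, proto)] = (priv_ip, priv_port)

    def _alloc_port(self, proto: str) -> int:
        """Next unused public port, skipping ports taken by static mappings."""
        while (self.next_port, proto) in self.inbound:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def add_static_mapping(self, pub_port: int, priv_ip: str, priv_port: int,
                           proto: str = "tcp") -> None:
        """Pre-register public_ip:pub_port -> priv_ip:priv_port (bidirectional only)."""
        if self.mode != "bidirectional":
            raise ValueError("traditional NAT cannot accept externally initiated sessions")
        if (pub_port, proto) in self.inbound:
            raise ValueError(f"public port {pub_port}/{proto} is already mapped")
        self._bind(priv_ip, priv_port, proto, pub_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Intranet -> Internet: rewrite the source to public_ip:public_port,
        creating the mapping on first use. Only this path creates state in
        traditional mode, which is what makes it unidirectional."""
        if not ipaddress.ip_address(pkt.src_ip).is_private:
            return pkt  # not from the intranet, nothing to translate
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.outbound:
            self._bind(pkt.src_ip, pkt.src_port, pkt.proto, self._alloc_port(pkt.proto))
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> intranet: rewrite the destination to the private host,
        or return None (drop) when no mapping exists for that public port."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.proto))
        if target is None:
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


if __name__ == "__main__":
    nat = Nat("140.113.215.1")
    out = nat.translate_outbound(Packet("10.1.1.1", 51000, "140.113.215.9", 80))
    print("outbound:", out)
    print("reply:", nat.translate_inbound(Packet("140.113.215.9", 80, "140.113.215.1", out.src_port)))
    print("unsolicited:", nat.translate_inbound(Packet("140.113.215.9", 80, "140.113.215.1", 40009)))
```

Two things worth noticing in the simulator. First, traditional NAT drops unsolicited inbound packets only because no table entry exists for them, which is a side effect of address sharing rather than an access-control policy; a bidirectional NAT with a static mapping exposes the intranet host exactly like a public one. Second, every translated packet leaves the router with a different source or destination address and port than it had on the other side, so any protocol that carries those header fields in its payload or includes them in an integrity check sees different values at the two ends, which is the situation the rest of the paper examines protocol by protocol.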
doi:10.1109/4236.895015 fatcat:oj4ezfybv5aspgaq7ys6yigo4a