rfc2663.txt
defined above can do so without coordination with IANA or any other
Internet registry such as APNIC, RIPE and ARIN. The address space
can thus be used privately by many independent organizations at the
same time. However, if those independent organizations later decide
they wish to communicate with each other or the public Internet, they
will either have to renumber their networks or enable NAT on their
border routers.
2.9. Application Level Gateway (ALG)
Not all applications lend themselves easily to translation by NAT
devices; especially those that include IP addresses and TCP/UDP ports
in the payload. Application Level Gateways (ALGs) are application
specific translation agents that allow an application on a host in
one address realm to connect to its counterpart running on a host in
different realm transparently. An ALG may interact with NAT to set up
state, use NAT state information, modify application specific payload
and perform whatever else is necessary to get the application running
across disparate address realms.
ALGs may not always utilize NAT state information. In some cases they
may glean the application payload and simply notify NAT to add
additional state information. ALGs are similar to proxies in that both
facilitate application-specific communication between clients and
servers. Proxies use a special protocol to communicate with proxy
clients and relay client data to servers and vice versa. Unlike
proxies, ALGs do not use a special protocol to communicate with
application clients and do not require changes to application
clients.
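The ALG behaviour described above (rewrite an address carried in the application payload, then tell NAT to add the state it could not have derived from the headers alone), as an added example that is not part of RFC 2663. The control protocol ("CONNECT <ip>:<port>"), the private realm 10.0.0.0/8, the external address 203.0.113.5 and the NatState class are all constructed for the illustration; no real application protocol is implied.

```python
import ipaddress
import re

# Constructed values (not from the RFC): the private realm N-Pri and the NAT's
# external address Addr-Nx.
PRIVATE_REALM = ipaddress.ip_network("10.0.0.0/8")
ADDR_NX = "203.0.113.5"

# Constructed toy control protocol (hypothetical, not a real one): a client tells
# its peer where to open a data connection with "CONNECT <ip>:<port>". The
# address sits inside the payload, so a plain NAT never sees or rewrites it.
CONNECT_RE = re.compile(rb"^CONNECT (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


class NatState:
    """Stand-in for the NAT's session table as seen by an ALG: inbound state keyed
    by the external port on which NAT will accept the peer's data connection."""

    def __init__(self, external_addr, first_port=40000):
        self.external_addr = external_addr
        self.inbound = {}                 # external port -> (private ip, private port)
        self._next_port = first_port

    def add_inbound_state(self, priv_ip, priv_port):
        """Called by the ALG so NAT expects an inbound session it would otherwise drop."""
        port, self._next_port = self._next_port, self._next_port + 1
        self.inbound[port] = (priv_ip, priv_port)
        return port


def alg_translate_outbound(payload, nat, private_realm=PRIVATE_REALM):
    """ALG for the toy protocol, applied to payload leaving the private realm.
    Rewrites an embedded private address:port to Addr-Nx:allocated-port and
    registers the matching inbound state with NAT. Non-control payload and
    addresses outside the private realm are returned unchanged, so a payload
    cannot make NAT install state for arbitrary addresses."""
    m = CONNECT_RE.match(payload)
    if not m:
        return payload
    try:
        ip = ipaddress.ip_address(m.group(1).decode())
    except ValueError:
        return payload                    # malformed address: leave it to the application
    port = int(m.group(2))
    if ip not in private_realm or not 0 < port < 65536:
        return payload
    ext_port = nat.add_inbound_state(str(ip), port)
    return b"CONNECT %s:%d" % (nat.external_addr.encode(), ext_port)
```

Note that the rewrite changes the payload length ("10.0.0.5:4000" is 13 bytes, "203.0.113.5:40000" is 17), so over TCP the ALG must also adjust sequence and acknowledgement numbers for the remainder of the connection; that is one reason ALGs keep per-session state rather than acting statelessly on each packet.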
3. What is NAT?
Network Address Translation is a method by which IP addresses are
mapped from one address realm to another, providing transparent
routing to end hosts. There are many variations of address
translation that lend themselves to different applications. However,
all flavors of NAT devices should share the following
characteristics.
Srisuresh & Holdrege Informational [Page 6]
RFC 2663 NAT Terminology and Considerations August 1999
a) Transparent Address assignment.
b) Transparent routing through address translation.
(routing here refers to forwarding packets, and not
exchanging routing information)
c) ICMP error packet payload translation.
Below is a diagram illustrating a scenario in which NAT is enabled on
a stub domain border router, connected to the Internet through a
regional router made available by a service provider.
             \ | /                       .                       /
        +---------------+     WAN        .   +-----------------+/
        |Regional Router|--------------------|Stub Router w/NAT|---
        +---------------+                .   +-----------------+\
                                         .            |           \
                                         .            |  LAN
                                         .     ---------------
                                    Stub border

              Figure 1: A typical NAT operation scenario
3.1. Transparent Address Assignment
NAT binds addresses in the private network with addresses in the
global network and vice versa to provide transparent routing for the
datagrams traversing between address realms. The binding in some
cases may extend to transport level identifiers (such as TCP/UDP
ports). Address binding is done at the start of a session. The
following sub-sections describe two types of address assignments.
3.1.1. Static Address assignment
In the case of static address assignment, there is one-to-one address
mapping for hosts between a private network address and an external
network address for the lifetime of NAT operation. Static address
assignment ensures that NAT does not have to administer address
management with session flows.
3.1.2. Dynamic Address assignment
In this case, external addresses are assigned to private network
hosts or vice versa, dynamically based on usage requirements and
session flow determined heuristically by NAT. When the last session
using an address binding is terminated, NAT would free the binding so
that the global address could be recycled for later use. The exact
nature of address assignment is specific to individual NAT
implementations.
3.2. Transparent routing
A NAT router sits at the border between two address realms and
translates addresses in IP headers so that when the packet leaves one
realm and enters another, it can be routed properly. Because NAT
devices have connections to multiple address realms, they must be
careful to not improperly propagate information (e.g., via routing
protocols) about networks from one address realm into another, where
such an advertisement would be deemed unacceptable.
There are three phases to address translation, as follows. Together
these phases result in the creation, maintenance and termination of
state for sessions passing through NAT devices.
3.2.1. Address binding
Address binding is the phase in which a local node IP address is
associated with an external address or vice versa, for purposes of
translation. Address binding is fixed with static address assignments
and is dynamic at session startup time with dynamic address
assignments. Once the binding between two addresses is in place, all
subsequent sessions originating from or to this host will use the
same binding for session based packet translation.
New address bindings are made at the start of a new session, if such
an address binding didn't already exist. Once a local address is
bound to an external address, all subsequent sessions originating
from the same local address or directed to the same local address
will use the same binding.
The start of each new session will result in the creation of a state
to facilitate translation of datagrams pertaining to the session.
There can be many simultaneous sessions originating from the same
host, based on a single address binding.
3.2.2. Address lookup and translation
Once a state is established for a session, all packets belonging to
the session will be subject to address lookup (and transport
identifier lookup, in some cases) and translation.
Address or transport identifier translation for a datagram will
result in the datagram forwarding from the origin address realm to
the destination address realm with network addresses appropriately
updated.
3.2.3. Address unbinding
Address unbinding is the phase in which a private address is no
longer associated with a global address for purposes of translation.
NAT will perform address unbinding when it believes that the last
session using an address binding has terminated. Refer to section 2.6
for some heuristic ways to handle session terminations.
3.3. ICMP error packet translation
All ICMP error messages (with the exception of Redirect message type)
will need to be modified, when passed through NAT. The ICMP error
message types needing NAT modification would include Destination-
Unreachable, Source-Quench, Time-Exceeded and Parameter-Problem. NAT
should not attempt to modify a Redirect message type.
Changes to an ICMP error message include changes to the original IP
packet (or portions thereof) embedded in the payload of the ICMP
error message. In order for NAT to be completely transparent to end
hosts, the IP address in the IP header embedded in the payload of the
ICMP packet must be modified, the checksum field of that same IP
header must be modified correspondingly, and the accompanying
transport header must be modified as well. The ICMP header checksum
must also be modified to reflect the changes made to the IP and
transport headers in the payload. Furthermore, the normal (outer) IP
header must also be modified.
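The four modifications listed in this section, carried out on a real ICMP Destination-Unreachable message, as an added example that is not part of RFC 2663. It models Basic NAT (addresses only; ports are untouched) on the inbound path: an error generated in the external realm for Addr-Nx is rewritten so that Host-A receives the error it would have received without NAT. Every address (10.0.0.5 as Addr-A, 203.0.113.5 as Addr-Nx, 198.51.100.7 as Addr-X), the sample DNS query and all helper functions are constructed for the illustration.

```python
import socket
import struct

# ICMP error types whose payload carries the offending datagram and therefore
# need translation (section 3.3): Destination-Unreachable (3), Source-Quench (4),
# Time-Exceeded (11), Parameter-Problem (12). Redirect (5) is deliberately absent.
TRANSLATED_ICMP_TYPES = {3, 4, 11, 12}

def checksum(data):
    """Internet checksum (RFC 1071): ones-complement of the ones-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header without options; constant id/flags/TTL for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def udp_datagram(src, dst, sport, dport, data):
    """IPv4+UDP datagram; the UDP checksum covers a pseudo-header with both addresses."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", 17, len(udp))
    csum = checksum(pseudo + udp) or 0xFFFF          # RFC 768: a zero result is sent as 0xFFFF
    return ipv4_header(src, dst, 17, len(udp)) + udp[:6] + struct.pack("!H", csum) + udp[8:]

def icmp_error(icmp_type, code, offending):
    """ICMP error: 8-byte header, then the offending IP header + first 8 transport bytes."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def adjust_checksum(old_csum, old_bytes, new_bytes):
    """Incremental update (RFC 1624, eq. 3): HC' = ~(~HC + ~m + m'), word by word."""
    total = (~old_csum) & 0xFFFF
    total += sum((~w) & 0xFFFF for w in struct.unpack("!%dH" % (len(old_bytes) // 2), old_bytes))
    total += sum(struct.unpack("!%dH" % (len(new_bytes) // 2), new_bytes))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rewrite_addr(hdr, offset, new_addr):
    """Replace the address at `offset` (12 = source, 16 = destination) of an IPv4
    header and recompute its header checksum from scratch."""
    hdr = bytearray(hdr)
    hdr[offset:offset + 4] = socket.inet_aton(new_addr)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)

def translate_icmp_error_inbound(packet, addr_nx, addr_a):
    """Basic NAT handling of an ICMP error arriving from the external realm for
    Addr-Nx: rewrite it so that Host-A receives exactly the error it would have
    received without NAT. Returns None when the packet must be left alone."""
    if len(packet) < 56 or packet[0] != 0x45 or packet[9] != 1:
        return None                       # IP options unsupported here, or not ICMP
    outer, icmp = packet[:20], bytearray(packet[20:])
    if icmp[0] not in TRANSLATED_ICMP_TYPES:   # Redirect (and non-errors) untouched
        return None
    inner = bytes(icmp[8:28])             # embedded header of the datagram Host-A sent
    if socket.inet_ntoa(outer[16:20]) != addr_nx or socket.inet_ntoa(inner[12:16]) != addr_nx:
        return None                       # not our external address: not our binding
    # 1. Embedded IP header: restore the private source address and its checksum.
    new_inner = rewrite_addr(inner, 12, addr_a)
    # 2. Embedded transport header: a UDP checksum covers the pseudo-header, so it
    #    must follow the address change (the field lies inside the 8 bytes kept).
    if inner[9] == 17 and icmp[34:36] != b"\x00\x00":
        old = struct.unpack("!H", icmp[34:36])[0]
        icmp[34:36] = struct.pack("!H", adjust_checksum(old, inner[12:16], new_inner[12:16]) or 0xFFFF)
    # 3. ICMP checksum covers the whole ICMP message, embedded headers included.
    icmp[8:28], icmp[2:4] = new_inner, b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    # 4. Outer IP header: destination Addr-Nx -> Addr-A, with its own checksum.
    return rewrite_addr(outer, 16, addr_a) + bytes(icmp)

# Constructed sample (TEST-NET addresses, not from the RFC): Host-A sends a DNS
# query that the NAT rewrote to source Addr-Nx; a router in N-Ext then reports
# "port unreachable" back to Addr-Nx, quoting the translated datagram.
ADDR_A, ADDR_NX, ADDR_X = "10.0.0.5", "203.0.113.5", "198.51.100.7"
ORIGINAL = udp_datagram(ADDR_A, ADDR_X, 40000, 53, b"query")          # as Host-A sent it
AS_SEEN_OUTSIDE = udp_datagram(ADDR_NX, ADDR_X, 40000, 53, b"query")  # after outbound NAT
ERR = icmp_error(3, 3, AS_SEEN_OUTSIDE)
INBOUND_ERROR = ipv4_header(ADDR_X, ADDR_NX, 1, len(ERR)) + ERR

if __name__ == "__main__":
    fixed = translate_icmp_error_inbound(INBOUND_ERROR, ADDR_NX, ADDR_A)
    print("embedded datagram restored:", fixed[28:56] == ORIGINAL[:28])
    print("outer dst:", socket.inet_ntoa(fixed[16:20]), "icmp csum ok:", checksum(fixed[20:]) == 0)
```

Two caveats follow directly from the message format: only the first 8 bytes of the embedded transport header are guaranteed to be present, so a UDP checksum (offset 6) can be fixed up but a TCP checksum (offset 16) cannot; and a port-translating NAT would additionally have to restore the embedded source port, which Basic NAT never changes.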
4.0. Various flavors of NAT
There are many variations of address translation that lend themselves
to different applications. NAT flavors listed in the following sub-
sections are by no means exhaustive, but they do capture the
significant differences that abound.
The following diagram will be used as a base model to illustrate NAT
flavors. Host-A, with address Addr-A, is located in a private realm,
represented by the network N-Pri. N-Pri is isolated from the external
network by a NAT router. Host-X, with address Addr-X, is located in an
external realm, represented by the network N-Ext. A NAT router with
two interfaces, each attached to one of the realms, provides
transparent routing between the two realms. The interface to the
external realm is assigned the address Addr-Nx and the interface to
the private realm is assigned the address Addr-Np. Further, it may be
understood that the addresses Addr-A and Addr-Np belong to the N-Pri
network and the addresses Addr-X and Addr-Nx belong to the N-Ext
network.
                         ________________
                        (                )
                       (     External     )      +--+
                      (    Address Realm   )---- |__|
                       (     (N-Ext)      )    /____\
                        (________________)      Host-X
                                |              (Addr-X)
                                |(Addr-Nx)
                        +--------------+
                        |              |
                        |  NAT router  |
                        |              |
                        +--------------+
                                |(Addr-Np)
                                |
                         ----------------
                        (                )
              +--+     (     Private      )
              |__|----(    Address Realm   )
             /____\    (     (N-pri)      )
             Host-A     (________________)
            (Addr-A)

              Figure 2: A base model to illustrate NAT terms.
4.1. Traditional NAT (or) Outbound NAT
Traditional NAT would allow hosts within a private network to
transparently access hosts in the external network, in most cases.
In a traditional NAT, sessions are uni-directional, outbound from the
private network. This is in contrast with Bi-directional NAT, which
permits sessions in both inbound and outbound directions. A detailed
description of Bi-directional NAT may be found in section 4.2.
The following is a description of the properties of realms supported
by traditional NAT. IP addresses of hosts in external network are
unique and valid in external as well as private networks. However,
the addresses of hosts in private network are unique only within the
private network and may not be valid in the external network. In
other words, NAT would not advertise private networks to the external
realm. However, networks from the external realm may be advertised
within the private network. The addresses used within the private
network must
not overlap with the external addresses. Any given address must
either be a private address or an external address; not both.
A traditional NAT router in figure 2 would allow Host-A to initiate
sessions to Host-X, but not the other way around. Also, N-Ext is
routable from within N-Pri, whereas N-Pri may not be routable from
N-Ext.
Traditional NAT is primarily used by sites using private addresses
that wish to allow outbound sessions from their site.
There are two variations to traditional NAT, namely Basic NAT and
NAPT (Network Address Port Translation). These are discussed in the
following sub-sections.
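The three phases of section 3.2 (address binding, lookup and translation, unbinding) together with the outbound-only property of traditional NAT described in this section, as an added example that is not part of RFC 2663. It models a dynamic Basic NAT with a small pool of external addresses; the host addresses, the pool and the Packet type are constructed for the illustration, and session state is keyed on the private-side 5-tuple.

```python
from dataclasses import dataclass

# Constructed values (TEST-NET ranges, not from the RFC): hosts in N-Pri, a host
# in N-Ext, and the block of external addresses the NAT may hand out.
ADDR_A, ADDR_B, ADDR_C = "10.0.0.5", "10.0.0.6", "10.0.0.7"
ADDR_X = "198.51.100.7"
EXTERNAL_POOL = ["203.0.113.10", "203.0.113.11"]


@dataclass(frozen=True)
class Packet:
    """Just the fields a Basic NAT needs to classify a datagram (constructed)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


class TraditionalBasicNat:
    """Dynamic Basic NAT following section 3.2: a private address is bound to an
    external one when its first outbound session starts, every packet of a known
    session is looked up and translated, and the binding is released when the
    last session using it ends. Sessions can only be created from the private
    side, which is what makes this a traditional (outbound) NAT."""

    def __init__(self, pool):
        self.free = list(pool)
        self.bind = {}        # private addr  -> external addr   (3.2.1 binding)
        self.rbind = {}       # external addr -> private addr
        self.sessions = {}    # private-side 5-tuple -> external addr (session state)

    def _bind(self, priv):
        """3.2.1: reuse an existing binding or take the next free external address."""
        if priv in self.bind:
            return self.bind[priv]
        if not self.free:
            return None                      # pool exhausted: session cannot start
        ext = self.free.pop(0)
        self.bind[priv], self.rbind[ext] = ext, priv
        return ext

    def outbound(self, pkt):
        """3.2.2, private -> external. A new session creates state; a known one
        simply reuses it. Returns the translated packet, or None if dropped."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        ext = self.sessions.get(key) or self._bind(pkt.src)
        if ext is None:
            return None
        self.sessions[key] = ext
        return Packet(ext, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def inbound(self, pkt):
        """3.2.2, external -> private. Only packets that belong to a session that
        was opened from inside are translated; anything else is dropped, so N-Pri
        is never reachable on the initiative of the external realm."""
        priv = self.rbind.get(pkt.dst)
        if priv is None:
            return None
        key = (priv, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if key not in self.sessions:
            return None
        return Packet(pkt.src, priv, pkt.proto, pkt.sport, pkt.dport)

    def end_session(self, pkt):
        """3.2.3: called when NAT decides a session is over (e.g. TCP close seen
        or an idle timer fired, see section 2.6). Unbinds the address once no
        other session still uses it. `pkt` is the private-side 5-tuple."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        ext = self.sessions.pop(key, None)
        if ext is None:
            return False
        if ext not in self.sessions.values():
            del self.bind[self.rbind.pop(ext)]
            self.free.append(ext)
        return True
```

Because the binding is per address rather than per port, a second session from Host-A reuses the same external address, a different private host consumes a second pool entry, and a third host finds the pool exhausted until some binding is released; an inbound packet that does not match an existing session is dropped even when its destination address is currently bound.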
4.1.1. Basic NAT
With Basic NAT, a block of external addresses are set aside for
translating addresses of hosts in a private domain as they originate