rfc2663.txt
NAT protocol complete source code
Page 1 of 5
   border routers.

2.9. Application Level gateway (ALG)

   Not all applications lend themselves easily to translation by NAT devices; especially those that include IP addresses and TCP/UDP ports in the payload. Application Level Gateways (ALGs) are application specific translation agents that allow an application on a host in one address realm to connect to its counterpart running on a host in a different realm transparently. An ALG may interact with NAT to set up state, use NAT state information, modify application specific payload and perform whatever else is necessary to get the application running across disparate address realms.

   ALGs may not always utilize NAT state information. They may glean application payload and simply notify NAT to add additional state information in some cases. ALGs are similar to Proxies, in that both ALGs and proxies facilitate application specific communication between clients and servers. Proxies use a special protocol to communicate with proxy clients and relay client data to servers and vice versa. Unlike Proxies, ALGs do not use a special protocol to communicate with application clients and do not require changes to application clients.

3. What is NAT?

   Network Address Translation is a method by which IP addresses are mapped from one address realm to another, providing transparent routing to end hosts. There are many variations of address translation that lend themselves to different applications. However, all flavors of NAT devices should share the following characteristics.

Srisuresh & Holdrege         Informational                      [Page 6]

RFC 2663           NAT Terminology and Considerations        August 1999

          a) Transparent Address assignment.

          b) Transparent routing through address translation.
             (routing here refers to forwarding packets, and not
             exchanging routing information)

          c) ICMP error packet payload translation.
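   Returning to the ALG of section 2.9: the following Python is an added illustration, not code from RFC 2663. The text only says that some applications carry IP addresses and TCP/UDP ports in their payload; FTP's "PORT h1,h2,h3,h4,p1,p2" command (RFC 959) is assumed here as that application. The ALG gleans the private address and port from the payload, rewrites them to the NAT's external address and a port it allocates, and notifies NAT to add the state needed to translate the server's inbound data connection. The NatState class, its port allocation policy and all addresses are constructed for the example.

```python
"""FTP ALG sketch for section 2.9 (added example, not RFC 2663 code).
Assumes a NAT that exposes a small 'expected inbound session' table to
the ALG; addresses and ports are constructed."""
import re
from typing import Dict, Optional, Tuple

# RFC 959 PORT command: four address octets and two port bytes (hi, lo).
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class NatState:
    """The slice of NAT state an ALG is allowed to touch: inbound sessions
    to expect, keyed by (external address, external port)."""

    def __init__(self, external_addr: str):
        self.external_addr = external_addr
        self.expected_inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = 40000          # constructed allocation policy

    def allocate_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def add_inbound(self, ext_port: int, private_addr: str, private_port: int) -> None:
        # State added on the ALG's request, as section 2.9 describes.
        self.expected_inbound[(self.external_addr, ext_port)] = (private_addr, private_port)

    def translate_inbound(self, dst_addr: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Consulted by NAT for a new inbound session: the private
        destination if the ALG registered one, else None (dropped)."""
        return self.expected_inbound.get((dst_addr, dst_port))


def ftp_alg_outbound(payload: bytes, nat: NatState) -> Tuple[bytes, bool]:
    """Rewrite a PORT command in an outbound FTP control segment.
    Returns (payload_to_forward, changed)."""
    m = PORT_RE.match(payload)
    if not m:
        return payload, False                      # not a PORT command
    octets = [int(x) for x in m.group(1, 2, 3, 4)]
    p_hi, p_lo = int(m.group(5)), int(m.group(6))
    if any(v > 255 for v in octets + [p_hi, p_lo]):
        return payload, False                      # malformed: pass through untouched
    private_addr = ".".join(map(str, octets))
    private_port = p_hi * 256 + p_lo
    ext_port = nat.allocate_port()
    nat.add_inbound(ext_port, private_addr, private_port)
    ext_octets = nat.external_addr.replace(".", ",").encode()
    new_payload = b"PORT %s,%d,%d\r\n" % (ext_octets, ext_port // 256, ext_port % 256)
    # A rewritten payload can change the segment length; the NAT must then
    # also fix up TCP sequence/ack numbers for the rest of the connection.
    return new_payload, True
```

   Note what the ALG does not do: it does not speak a protocol of its own to the FTP client, and the client needs no change, which is the distinction from a proxy that the section draws.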
   Below is a diagram illustrating a scenario in which NAT is enabled on a stub domain border router, connected to the Internet through a regional router made available by a service provider.

       \ | /                  .                               /
   +---------------+  WAN     .           +-----------------+/
   |Regional Router|----------------------|Stub Router w/NAT|---
   +---------------+          .           +-----------------+\
                              .                      |        \
                              .                      |  LAN
                              .               ---------------
                        Stub border

        Figure 1: A typical NAT operation scenario

3.1. Transparent Address Assignment

   NAT binds addresses in private network with addresses in global network and vice versa to provide transparent routing for the datagrams traversing between address realms. The binding in some cases may extend to transport level identifiers (such as TCP/UDP ports). Address binding is done at the start of a session. The following sub-sections describe two types of address assignments.

3.1.1. Static Address assignment

   In the case of static address assignment, there is one-to-one address mapping for hosts between a private network address and an external network address for the lifetime of NAT operation. Static address assignment ensures that NAT does not have to administer address management with session flows.

3.1.2. Dynamic Address assignment

   In this case, external addresses are assigned to private network hosts or vice versa, dynamically based on usage requirements and session flow determined heuristically by NAT. When the last session using an address binding is terminated, NAT would free the binding so that the global address could be recycled for later use.
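   The two assignment modes of sections 3.1.1 and 3.1.2, worked through in Python as an added example (not code from RFC 2663): a static binding that lives for the lifetime of the NAT, and dynamic bindings drawn from a pool at the first session of a host, shared by that host's later sessions, and released back to the pool only when its last session ends. The NatBinder class, the session tuple layout and every address and pool size are constructed for the illustration; the session-termination heuristic itself is left to the caller, which reports session_end.

```python
"""Address binding lifecycle for a NAT (added example, not RFC 2663 code).
Static assignment: fixed, never recycled.  Dynamic assignment: bound at
the first session of a host, freed when its last session terminates."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed session identity: (src addr, src port, dst addr, dst port, proto).
Session = Tuple[str, int, str, int, str]


@dataclass
class Binding:
    private: str
    external: str
    static: bool
    sessions: Set[Session] = field(default_factory=set)


class NatBinder:
    """One address binding per private host, plus the sessions using it."""

    def __init__(self, pool: List[str], static: Optional[Dict[str, str]] = None):
        self.free = list(pool)                       # external addresses for dynamic use
        self.bindings: Dict[str, Binding] = {}
        for priv, ext in (static or {}).items():     # static assignment (3.1.1)
            self.bindings[priv] = Binding(priv, ext, static=True)

    def external_for(self, private: str) -> Optional[str]:
        b = self.bindings.get(private)
        return b.external if b else None

    def session_start(self, sess: Session) -> Optional[str]:
        """Binding phase: reuse the host's binding, or create one dynamically.
        Returns the external address, or None when the pool is exhausted."""
        priv = sess[0]
        b = self.bindings.get(priv)
        if b is None:
            if not self.free:
                return None
            b = Binding(priv, self.free.pop(0), static=False)
            self.bindings[priv] = b
        b.sessions.add(sess)                         # per-session state on one binding
        return b.external

    def session_end(self, sess: Session) -> bool:
        """Unbinding phase: when the last session of a dynamic binding ends,
        return the external address to the pool.  True if released."""
        b = self.bindings.get(sess[0])
        if b is None:
            return False
        b.sessions.discard(sess)
        if not b.sessions and not b.static:
            del self.bindings[b.private]
            self.free.append(b.external)
            return True
        return False


def demo() -> Dict[str, object]:
    """Two-address pool, one static host; exercise reuse, exhaustion, recycling."""
    nat = NatBinder(pool=["198.51.100.10", "198.51.100.11"],
                    static={"10.0.0.5": "198.51.100.50"})
    s1 = ("10.0.0.1", 40000, "203.0.113.7", 80, "tcp")
    s2 = ("10.0.0.1", 40001, "203.0.113.7", 443, "tcp")
    s3 = ("10.0.0.2", 50000, "203.0.113.9", 53, "udp")
    s4 = ("10.0.0.3", 50000, "203.0.113.9", 53, "udp")
    r: Dict[str, object] = {}
    r["s1"] = nat.session_start(s1)          # new dynamic binding
    r["s2"] = nat.session_start(s2)          # same host: binding reused
    r["s3"] = nat.session_start(s3)          # second pool address
    r["s4"] = nat.session_start(s4)          # pool exhausted
    r["end_s1"] = nat.session_end(s1)        # s2 still open: keep binding
    r["end_s2"] = nat.session_end(s2)        # last session: release
    r["s4_retry"] = nat.session_start(s4)    # gets the recycled address
    r["static"] = nat.external_for("10.0.0.5")
    r["static_end"] = nat.session_end(("10.0.0.5", 1, "203.0.113.7", 80, "tcp"))
    return r
```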
   The exact nature of address assignment is specific to individual NAT implementations.

3.2. Transparent routing

   A NAT router sits at the border between two address realms and translates addresses in IP headers so that when the packet leaves one realm and enters another, it can be routed properly. Because NAT devices have connections to multiple address realms, they must be careful to not improperly propagate information (e.g., via routing protocols) about networks from one address realm into another, where such an advertisement would be deemed unacceptable.

   There are three phases to Address translation, as follows. Together these phases result in creation, maintenance and termination of state for sessions passing through NAT devices.

3.2.1. Address binding

   Address binding is the phase in which a local node IP address is associated with an external address or vice versa, for purposes of translation. Address binding is fixed with static address assignments and is dynamic at session startup time with dynamic address assignments. Once the binding between two addresses is in place, all subsequent sessions originating from or to this host will use the same binding for session based packet translation.

   New address bindings are made at the start of a new session, if such an address binding didn't already exist. Once a local address is bound to an external address, all subsequent sessions originating from the same local address or directed to the same local address will use the same binding.

   The start of each new session will result in the creation of a state to facilitate translation of datagrams pertaining to the session. There can be many simultaneous sessions originating from the same host, based on a single address binding.

3.2.2. Address lookup and translation

   Once a state is established for a session, all packets belonging to the session will be subject to address lookup (and transport identifier lookup, in some cases) and translation.

   Address or transport identifier translation for a datagram will result in the datagram forwarding from the origin address realm to the destination address realm with network addresses appropriately updated.

3.2.3. Address unbinding

   Address unbinding is the phase in which a private address is no longer associated with a global address for purposes of translation. NAT will perform address unbinding when it believes that the last session using an address binding has terminated. Refer to section 2.6 for some heuristic ways to handle session terminations.

3.3. ICMP error packet translation

   All ICMP error messages (with the exception of Redirect message type) will need to be modified, when passed through NAT. The ICMP error message types needing NAT modification would include Destination-Unreachable, Source-Quench, Time-Exceeded and Parameter-Problem. NAT should not attempt to modify a Redirect message type.

   Changes to ICMP error message will include changes to the original IP packet (or portions thereof) embedded in the payload of the ICMP error message. In order for NAT to be completely transparent to end hosts, the IP address of the IP header embedded in the payload of the ICMP packet must be modified, the checksum field of the same IP header must correspondingly be modified, and the accompanying transport header must be modified as well. The ICMP header checksum must also be modified to reflect changes made to the IP and transport headers in the payload. Furthermore, the normal IP header must also be modified.

4.0. Various flavors of NAT

   There are many variations of address translation that lend themselves to different applications. NAT flavors listed in the following sub-sections are by no means exhaustive, but they do capture the significant differences that abound.

   The following diagram will be used as a base model to illustrate NAT flavors. Host-A, with address Addr-A is located in a private realm, represented by the network N-Pri. N-Pri is isolated from external network through a NAT router. Host-X, with address Addr-X is located in an external realm, represented by the network N-Ext. NAT router with two interfaces, each attached to one of the realms provides transparent routing between the two realms. The interface to the external realm is assigned an address of Addr-Nx and the interface to private realm is assigned an address of Addr-Np. Further, it may be understood that addresses Addr-A and Addr-Np correspond to N-Pri network and the addresses Addr-X and Addr-Nx correspond to N-Ext network.

                                  ________________
                                 (                )
                                (   External       )    +--+
                               (  Address Realm     )-- |__|
                                (     (N-Ext)      )   /____\
                                 (________________)    Host-X
                                        |              (Addr-X)
                                        |(Addr-Nx)
                           +--------------+
                           |              |
                           |  NAT router  |
                           |              |
                           +--------------+
                             |(Addr-Np)
                             |
                     ----------------
                    (                )
       +--+       (     Private      )
       |__|------(    Address Realm   )
      /____\      (     (N-pri)      )
      Host-A       (________________)
      (Addr-A)

            Figure 2: A base model to illustrate NAT terms.

4.1. Traditional NAT (or) Outbound NAT

   Traditional NAT would allow hosts within a private network to transparently access hosts in the external network, in most cases. In a traditional NAT, sessions are uni-directional, outbound from the private network. This is in contrast with Bi-directional NAT, which permits sessions in both inbound and outbound directions. A detailed description of Bi-directional NAT may be found in section 4.2.

   The following is a description of the properties of realms supported by traditional NAT. IP addresses of hosts in external network are unique and valid in external as well as private networks. However, the addresses of hosts in private network are unique only within the private network and may not be valid in the external network. In other words, NAT would not advertise private networks to the external realm. But, networks from the external realm may be advertised within the private network. The addresses used within private network must not overlap with the external addresses. Any given address must either be a private address or an external address; not both.

   A traditional NAT router in figure 2 would allow Host-A to initiate sessions to Host-X, but not the other way around. Also, N-Ext is routable from within N-Pri, whereas N-Pri may not be routable from N-Ext.

   Traditional NAT is primarily used by sites using private addresses that wish to allow outbound sessions from their site.

   There are two variations to traditional NAT, namely Basic NAT and NAPT (Network Address Port Translation).
   These are discussed in the following sub-sections.

4.1.1. Basic NAT

   With Basic NAT, a block of external addresses is set aside for translating addresses of hosts in a private domain as they originate sessions to the external domain. For packets outbound from the private network, the source IP address and related fields such as IP, TCP, UDP and ICMP header checksums are translated. For inbound packets, the destination IP address and the checksums as listed above are translated.

   A Basic NAT router in figure 2 may be configured to translate N-Pri into a block of external addresses, say Addr-i through Addr-n, selected from the external network N-Ext.

4.1.2. Network Address Port Translation (NAPT)
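   The Basic NAT translation of section 4.1.1, together with the ICMP error translation that section 3.3 requires, worked through in Python. This is an added example and not code from RFC 2663: the BasicNat class, the packet builders and all addresses and packets are constructed for the illustration. Outbound, the source address and the IP and UDP checksums are rewritten. For an inbound ICMP error the NAT rewrites the outer destination address, the quoted original IP header (its source address, header checksum and the quoted transport header) and the ICMP checksum. Because only the first 8 bytes of the transport header survive inside the error, the quoted UDP checksum cannot be recomputed from scratch; it is updated incrementally as RFC 1624 describes, which is assumed here rather than taken from the page.

```python
"""Basic NAT (4.1.1) plus ICMP error translation (3.3); added example,
not RFC 2663 code.  Addresses, packets and the NAT class are constructed."""
import socket
import struct


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit words, zero-padded if odd."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def csum_adjust(old_csum: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m')."""
    n = len(old_bytes) // 2
    total = (~old_csum) & 0xFFFF
    for w in struct.unpack("!%dH" % n, old_bytes):
        total += (~w) & 0xFFFF
    for w in struct.unpack("!%dH" % n, new_bytes):
        total += w
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def rewrite_ipv4(hdr: bytes, src: str = None, dst: str = None) -> bytes:
    """Replace source/destination of a 20-byte header and recompute its checksum."""
    s = socket.inet_aton(src) if src else hdr[12:16]
    d = socket.inet_aton(dst) if dst else hdr[16:20]
    new = hdr[:10] + b"\x00\x00" + s + d
    return new[:10] + struct.pack("!H", checksum(new)) + new[12:]


def udp_packet(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    udp_len = 8 + len(data)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + data
    csum = checksum(pseudo + udp) or 0xFFFF      # a computed 0 is sent as 0xFFFF
    return ipv4_header(src, dst, 17, udp_len) + udp[:6] + struct.pack("!H", csum) + udp[8:]


def adjust_udp(udp: bytes, old_addr: bytes, new_addr: bytes) -> bytes:
    """Pseudo-header address changed: fix the UDP checksum incrementally."""
    old = struct.unpack("!H", udp[6:8])[0]
    if old == 0:                                 # checksum disabled: nothing to do
        return udp
    new = csum_adjust(old, old_addr, new_addr) or 0xFFFF
    return udp[:6] + struct.pack("!H", new) + udp[8:]


def icmp_unreachable(src: str, dst: str, original: bytes) -> bytes:
    """ICMP type 3 / code 3 quoting the original IP header plus 8 payload bytes."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


class BasicNat:
    """Basic NAT over a block of external addresses (Addr-i through Addr-n)."""

    def __init__(self, external_block):
        self.free = list(external_block)
        self.priv_to_ext, self.ext_to_priv = {}, {}

    def _bind(self, priv: str) -> str:
        if priv not in self.priv_to_ext:            # first session: bind (3.2.1)
            ext = self.free.pop(0)
            self.priv_to_ext[priv], self.ext_to_priv[ext] = ext, priv
        return self.priv_to_ext[priv]

    def outbound(self, pkt: bytes) -> bytes:
        """Private -> external: source address plus IP and UDP checksums."""
        ip, rest = pkt[:20], pkt[20:]
        new_ip = rewrite_ipv4(ip, src=self._bind(socket.inet_ntoa(ip[12:16])))
        if ip[9] == 17:                              # UDP: pseudo-header changed
            rest = adjust_udp(rest, ip[12:16], new_ip[12:16])
        return new_ip + rest

    def inbound_icmp_error(self, pkt: bytes) -> bytes:
        """External -> private: outer dst, quoted header, ICMP checksum (3.3)."""
        ip, icmp = pkt[:20], pkt[20:]
        new_ip = rewrite_ipv4(ip, dst=self.ext_to_priv[socket.inet_ntoa(ip[16:20])])
        q_ip, q_rest = icmp[8:28], icmp[28:]         # quoted original IP + transport
        new_q_ip = rewrite_ipv4(q_ip, src=self.ext_to_priv[socket.inet_ntoa(q_ip[12:16])])
        if q_ip[9] == 17:
            q_rest = adjust_udp(q_rest, q_ip[12:16], new_q_ip[12:16])
        body = icmp[:2] + b"\x00\x00" + icmp[4:8] + new_q_ip + q_rest
        return new_ip + body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def demo():
    """Host-A (private) sends UDP to Host-X, which answers with an ICMP error."""
    nat = BasicNat(["198.51.100.10", "198.51.100.11"])
    sent = udp_packet("10.0.0.1", "203.0.113.7", 40000, 5353, b"hello")
    on_wire = nat.outbound(sent)
    error = icmp_unreachable("203.0.113.7", socket.inet_ntoa(on_wire[12:16]), on_wire)
    delivered = nat.inbound_icmp_error(error)
    return sent, on_wire, error, delivered
```

   The useful check on such code is the transparency property the section states: after translation the error delivered to Host-A quotes exactly the header Host-A sent, and every checksum (outer IP, quoted IP, quoted UDP, ICMP) still verifies. Redirect messages are deliberately not handled, as the section instructs.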
