Port address translation

From Wikipedia, the free encyclopedia

Port Address Translation (PAT) is a feature of a network device that translates TCP or UDP communications made between hosts on a private network and hosts on a public network. It allows a single public IP address to be used by many hosts on the private network, which is usually called a Local Area Network or LAN.

A PAT device transparently modifies IP packets as they pass through it. The modifications make all the packets which it sends to the public network from the multiple hosts on the private network appear to originate from a single host - the PAT device - on the public network.

Note: Different vendors use different names for PAT: Hide-Mode NAT (Check Point), PAT (Cisco Systems), NAPT (RFC 3022), SNAT/MASQUERADE (Linux iptables), and Internet Connection Sharing (Microsoft). PAT is the most common term, and since Cisco is the largest supplier of Internet infrastructure, particularly in the high-end/backbone areas of the market, PAT as a term will probably come to dominate. Still, NAT is technically the correct term (see RFC 1631; http://www.ietf.org/rfc/rfc2663.txt), since the primary purpose of NAT is to address the problem of IP address depletion on the Internet.

Relationship between NAT and PAT

PAT is a subset of Network Address Translation (NAT) and is closely related to it.

In PAT, both the sender's private IP and port number are modified; the PAT device chooses the port numbers which will be seen by hosts on the public network.

In PAT there is generally only one publicly exposed IP address and incoming packets from the public network are routed to their destinations on the private network by reference to a table held within the PAT device which keeps track of public and private port pairs. This is often called connection tracking.

Some devices that offer 'NAT', such as broadband routers, actually offer PAT. For this reason, there is considerable confusion between the terms. The common use of NAT to include PAT devices suggests that PAT should be considered a type of NAT rather than a distinct technology.

Details of PAT

IP Packet Background

Every TCP packet contains both a source IP address and source port number as well as a destination IP address and destination port number.

For publicly accessible services such as web servers and mail servers the port number is important. For example, port 80 connects to the web server software and port 25 to a mail server's SMTP daemon. The IP address of a public server is also important: like a postal address or telephone number it is globally unique, and it must be correctly known by all who wish to communicate with the server.

Thus server (public) IP addresses have worldwide significance, and ports have a significance that depends on the particular type of communication desired (e.g. web, email, FTP).

The significance of the IP address of an internal host, however, need only extend to the organisational entity where it resides. Thus private addresses as given in RFC 1918 may be used. Additionally, the port number of a client application on a client host is significant only to that particular host. Consequently, within an organisation, any communicating client application can be uniquely identified by the combination of its host IP (organisational significance) and host port (host-only significance).

An Analogy of PAT

A PAT device is like a post office that delivers box mail: outgoing envelopes are changed to appear to come from a post office box; incoming envelopes addressed to a valid post office box are changed to have the real street address of the box holder.

Translation of the Endpoint IP Address

With PAT, all communication sent to or from external hosts actually contains the IP address and port information of the PAT device instead of the internal host's IP address or port number. This is achieved as outlined below:

  • When a computer on the inside network sends a packet to the outside network, the PAT device replaces the inside IP address in the packet header's source field (sender's address) with the PAT device's outside IP address. It then assigns the connection a port number from a pool of available ports, inserts this port number in the packet header's source port field (much like the post office box number), and places the packet on the outside network. The PAT device then makes an entry in its translation table containing the inside IP address, inside source port, and outside port. Subsequent packets from the same connection on the inside IP address are translated to the same outside port number.
  • The computer receiving a data packet will use the source IP address and source port as the corresponding destination fields in any response it sends back. So, for packets arriving from the outside, the process operates on the packet header's destination port (similar to the recipient's post office box number). First, if the destination port number of the incoming packet is not found as an outside port in the translation table, the packet is simply dropped because the PAT device doesn't know where to send it. Otherwise, the corresponding inside IP address and inside port number from the translation table replace the destination IP address and the destination port number in the incoming packet header (similar to the translation from post office box number to street address). The packet is then placed on the inside network.

Example: a host at IP address 192.168.0.2 on the private network may ask for a connection to a remote host on the public network giving the source address and port as 192.168.0.2:15345. The PAT device (which we assume has a public IP of 1.2.3.4) might for example translate this source address:port pair to 1.2.3.4:16529 and make an entry in its internal table that port 16529 is now in use by 192.168.0.2 on the private network. When a packet is received from the public network by the PAT device for address 1.2.3.4:16529 the packet is forwarded to the host on 192.168.0.2 with the port destination changed to 15345.
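The outbound and inbound steps above, and the 192.168.0.2:15345 to 1.2.3.4:16529 example, as an added simulation that is not part of the original article. It models the translation table as the article describes it (keyed on inside IP and inside port), drops inbound packets whose destination port has no table entry, and shows what happens when the port pool is exhausted, the failure mode the Disadvantages section mentions. The external address 203.0.113.10, the small port pool and the `PatDevice`/`Packet` names are constructed for this example; a real implementation also records the remote endpoint so that the same inside socket can talk to several external hosts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The four header fields PAT cares about (TCP or UDP)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatDevice:
    """Minimal PAT device: one public IP, a pool of outside ports, one table."""

    def __init__(self, public_ip: str, first_port: int, last_port: int) -> None:
        self.public_ip = public_ip
        # Pool of outside ports not yet handed out (constructed range for the example).
        self.free_ports: List[int] = list(range(first_port, last_port + 1))
        # Translation table, kept in both directions for O(1) lookup:
        #   (inside_ip, inside_port) -> outside_port
        self.outbound: Dict[Tuple[str, int], int] = {}
        #   outside_port -> (inside_ip, inside_port)
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite source IP/port; None means the packet is dropped."""
        key = (pkt.src_ip, pkt.src_port)
        outside_port = self.outbound.get(key)
        if outside_port is None:
            if not self.free_ports:
                # Port pool exhausted: nothing can be allocated, so the packet is dropped.
                return None
            outside_port = self.free_ports.pop(0)
            self.outbound[key] = outside_port
            self.inbound[outside_port] = key
        # Destination fields (the external host) are left untouched.
        return Packet(self.public_ip, outside_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite destination IP/port from the table, else drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            # Unknown outside port: no table entry, so the packet is dropped.
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Walk through the article's example with a two-port pool (constructed values)."""
    pat = PatDevice("1.2.3.4", 16529, 16530)
    # 192.168.0.2:15345 -> external web server; source becomes 1.2.3.4:16529.
    out = pat.translate_outbound(Packet("192.168.0.2", 15345, "203.0.113.10", 80))
    # The server's reply to 1.2.3.4:16529 is mapped back to 192.168.0.2:15345.
    reply = pat.translate_inbound(Packet("203.0.113.10", 80, "1.2.3.4", out.src_port))
    # A second inside host takes the last free port; a third finds the pool empty.
    second = pat.translate_outbound(Packet("192.168.0.3", 15345, "203.0.113.10", 80))
    third = pat.translate_outbound(Packet("192.168.0.4", 2000, "203.0.113.10", 80))
    return out, reply, second, third


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Running the module prints the translated packets in order; the final `None` is the dropped packet from the exhausted pool. Note that an inbound packet to a port that was never allocated is also dropped, which is why a PAT device, unlike a one-to-one NAT, does not by itself forward unsolicited connections to inside hosts.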

If you have a stand-alone machine and you want to connect that machine to the Internet, then you would use PAT because you are connecting to an outside network (you are going out of your network).

PAT can only translate/replace the IP addresses and ports of its internal hosts. As a consequence, it effectively hides the true endpoint IP address and port of the internal hosts. However, PAT must of course leave the public IP address and port information of the external host unmodified.

Visibility of Operation

The PAT operation is typically transparent to both the internal and external hosts.

Typically the internal host is aware of the true IP address and TCP or UDP port of the external host, and the PAT device may function as the default gateway for the internal host. The external host, however, is only aware of the public IP address of the PAT device and the particular port being used to communicate on behalf of a specific internal host.

Location in Network

The PAT device usually sits at the network perimeter: one side connects to the external network, usually the public Internet, and the other side connects to the internal network, usually with private IP addressing.

Uses of PAT

Firewall systems and multi-port broadband network access devices (e.g. ADSL routers, cable modems) tend to use PAT. In the configuration of those devices, the outside network is the Internet and the inside network is the LAN.

An Example of PAT

For example, an SMB or SME network perimeter device such as an ADSL router may use PAT to translate connections arriving on TCP port 80 to a user-configured port 6008 on an internal network host. This allows the user to run a web server on an internal host on port 6008, while the actual HTTP port 80 of that internal host may be used by other internal hosts to access an intranet web server to which an external host has no conduit (because no corresponding entry has been configured on the PAT device).

Advantages of PAT

  • PAT's main advantage is that multiple internal hosts can share a single IP address for communication, conserving precious IPv4 addresses.
  • Hosts on the private network don't have to expose their private IP addresses to the public network, making attacks from the public network less likely.

Disadvantages of PAT

Only a single public service (e.g. port 80, HTTP) can be exposed per public IP address. Thus an organisation using PAT and a single IP cannot easily run more than one of the same type of public service behind a PAT device, e.g. two public web servers using the default port 80.

If many hosts on the private network make many connections to the public network, the PAT device may not have sufficient room in its internal table to keep track of the connections, or it may simply run out of unused ports.
