What Is Network Address Translation (NAT) and How Does It Work?

It's ironic how one of the biggest threats to the Internet was a product of of nobody predicting how popular it would be.

Until recently, the predominant way to assign IP addresses to computers was with the IPv4 system. This allowed the creation of roughly 4.3 billion possible IP addresses, a significant portion of which were shared out to regional Internet authorities in blocks of 16.8 million.

Quite early on, it became all to apparent that there wouldn't be enough supply to satiate the immense demand. With the exhaustion of the IP address supply looking inevitable, people looked for ways to 'share' IP addresses with more than one system. Thus, Network Address Translation was born (NAT), and the Internet was saved.

What is Network Address Translation?

For a computer to communicate with the Internet as a whole, it must have an IP address. Using the IPv4 system, these are unique, 32-bit numbers that are broken up into four different binary octets. It doesn't matter whether it's a server, or a computer, or an Xbox. If it doesn't have an IP address, it's not getting online.

But, there simply isn't enough IP addresses to go around to give each host their own address. So, in order to make better use of the extremely limited address space available, we use Network Address Translation.

Network Address Translation allows a single device to sit between a local area network and the Internet, and forward traffic to the appropriate host. You probably know this as your router. The advantage of this is multiple computers can share the same IP public address.

This single device (usually a router, switch, or hardware firewall) modifies IP packet headers on the fly, ensuring that the contents of the packet get to the intended destination.

However, it comes with a downside, as it becomes exponentially harder for hosts outside the local network to communicate with servers that are located behind the router.

There are multiple ways in which Network Address Translation can work, with the three of the most common being Dynamic NAT, Static NAT, and Overloading.

Dynamic NAT

With Dynamic NAT, a router will maintain a list of public IP addresses. When a host behind the network needs to transmit or receive, the router will select one of the public IP addresses that is not currently in use, and forward any packets accordingly. As a result, this means a host's IP address can change at any given moment.

But crucially, it means a large pool of hosts can share a significantly smaller pool of IP addresses. This was vital, given the impending exhaustion of the available pool of IPv4 addresses.

Overloading

A common way of performing network address translation is through something called 'Overloading', where multiple internal IP addresses are mapped to a single public IP address.

This is done by giving each internal host a corresponding port. For instance, suppose you've got three computers on an internal network, and a public IP address of 212.18.123.123. Each of those internal computers could theoretically be accessible via 212.18.123.123:2001, 212.18.123.123:2002 and 212.18.123.123:2003.

This is commonly known as Port Address Translation (PAT), Single-Address NAT, and port-level multiplexed NAT.

Static NAT

Finally, let's talk about Static NAT.

Internal networks, like your home or office network, do not use the same IP addressing system that's used on the public Internet. Any networked device effectively has two IP addresses. The first is a private one, and that's only reachable from within that network. The second is the one that's externally accessible.

Static NAT makes it possible to create a direct, one-to-one link between a private IP address and a static, public IP address.

This, of course, will do nothing to mitigate against IPv4 address exhaustion. But that's beside the point. If you want to expose a web server to the Internet, for example, you're going to want to ensure that its IP address stays the same. Static NAT allows you to do that.

But What About IPv6?

The world is rapidly transitioning from IPv4, with its savagely limited addressing space, to IPv6, which can support a theoretical total of 2^128 IP addresses.

To adequately express the enormity of that, that's the equivalent of 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456.

That's a lot of IP addresses.

So, with that in mind, do we need Network Address Translation any more, given that there's a glut of available IP addresses that will almost certainly never be exhausted?

Well, NAT comes with some other key benefits. Perhaps the most obvious is the fact that it inadvertently acts as a 'firewall' to any systems behind the router. Any services running from within that network (be that a private file server, or a private web server running a Wiki) are inaccessible outside of that network.

Simply put, NAT drastically improves the security of any system behind it.

Conclusion

NAT is an ostensibly dry technology, that's almost impenetrable to understand. But don't let that fool you. Without it, the Internet would look radically different.

Got any thoughts? Let me know. Drop me a comment below, and we'll chat.

Image credit: IPv6-IPv4 by Abode of Chao