What is Network Address Translation (NAT)?
The number of devices on the internet has grown far faster than the supply of IPv4 addresses. The central IANA pool ran out in 2011, and the regional registries have since exhausted or tightly rationed what remained. The shortage is a product both of sheer device count and of the generous allocation practices of the internet's early years.
Network Address Translation (NAT) is the long-standing workaround. By letting many devices on a private network share one public IPv4 address, NAT stretches the remaining address space. Note that its purpose is address conservation: the fact that inside hosts are not directly addressable is a side effect of the translation table, not a substitute for a firewall policy.
NAT (Network Address Translation)
Network Address Translation is performed by a NAT router that rewrites the private source addresses of outbound packets to a public address, and rewrites the destination of the returning packets back. Because many inside hosts share one public address, the router must also rewrite transport-layer ports (NAPT, often called PAT) and keep a translation table so that replies reach the correct inside host. The NAT router thus bridges the private addressing used internally and the public address the Internet Service Provider (ISP) assigned to it.
Vector Packet Processing (VPP) ships several NAT implementations for different use cases. This article covers the three NAT44 flavours (IPv4 to IPv4): Deterministic NAT (the det44 plugin), Endpoint-Dependent NAT44 (nat44-ed) and Endpoint-Independent NAT44 (nat44-ei). "Endpoint" in the last two names refers to the remote endpoint an inside host talks to, in the sense of RFC 4787, and that is the key to understanding how they differ.
Deterministic NAT
Deterministic NAT in VPP maps each inside address to an outside address and a fixed block of outside ports using an algorithm rather than a free port pool. The same inside host therefore always appears behind the same public address and the same port range, and, given only a public address, port and time, the operator can compute which inside host was responsible without consulting a session log. This is the property carrier-grade NAT (CGN) deployments need in order to answer abuse reports or lawful requests without logging every session.
Key Characteristics:
- Predictable mapping: inside address to outside address and port block, computable in both directions from the configuration alone.
- No per-session logging is required for attribution, which matters at CGN scale where logging every flow is expensive.
- A stable external identity per inside host also helps where remote systems or upstream load balancers pin state to the source address and port.
- Limited flexibility in address utilization: each inside host's port block is reserved whether or not the host is active, so idle hosts waste public ports and busy hosts can exhaust their block while neighbours have spare capacity.
In summary, deterministic NAT trades efficiency for predictability. It is the right choice where mappings must be reconstructible without session logs, and a poor one where a large, uneven population of devices needs to squeeze through few public addresses.
Endpoint-Dependent NAT44
Endpoint-Dependent NAT44 is a dynamic NAT type in VPP that lets many inside hosts share one public address. Its sessions are keyed on the full 5-tuple: inside source address and port plus the remote destination address and port (address- and port-dependent mapping and filtering in RFC 4787 terms). Two consequences follow. First, the same public port can be reused concurrently for flows to different remote endpoints, so public ports are used more efficiently. Second, an inbound packet is only accepted if it comes from the exact remote endpoint the inside host contacted.
Key Characteristics:
- Dynamic translation keyed on source address and port together with the destination address and port.
- Allows multiple internal hosts to share a single public IP address, with public ports reusable across different destinations.
- Better address utilization than deterministic NAT, because ports are allocated on demand rather than reserved per host.
- Strictest inbound behaviour: unsolicited traffic from a host the inside host never talked to is dropped, which is the safer default but breaks some peer-to-peer hole-punching techniques.
In summary, Endpoint-Dependent NAT44 is the general-purpose choice for a large number of inside devices. It optimizes port usage and, by tracking the remote endpoint in every session, only lets back in the traffic that an inside host solicited.
Endpoint-Independent NAT44
Endpoint-Independent NAT44 is the most permissive NAT type in VPP. Like Endpoint-Dependent NAT44 it lets many inside hosts share one public address, but a mapping is created per inside (address, port) pair and reused for every destination that pair talks to, regardless of remote endpoint (endpoint-independent mapping in RFC 4787 terms). Once the mapping exists, any external host may send to the public port and reach the inside host (endpoint-independent filtering). This is the behaviour RFC 4787 recommends for UDP because it makes NAT traversal and peer-to-peer hole punching work.
Key Characteristics:
- Dynamic translation keyed on the inside source address and port only; the destination plays no role in the mapping.
- Multiple internal hosts can share a single public IP address.
- Most NAT-traversal friendly of the three: an inside host's public port is stable across destinations and reachable from anywhere, which is what STUN-style techniques rely on.
- Least restrictive inbound behaviour: because the sender is not checked, unsolicited packets reach the mapped inside port, so pair it with an explicit ACL or firewall policy rather than relying on the NAT for filtering.
In summary, Endpoint-Independent NAT44 favours application compatibility over strictness. Its mappings are reachable from any remote host and each inside (address, port) pair consumes one public port for all of its destinations, so it is the choice when NAT traversal matters more than tight port utilization or inbound filtering.
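The three sections above describe behaviour that is easiest to see by running the same traffic through each variant. The following model is an added example written for this article, not VPP code: it keys a translation table the way each flavour does and reports which external ports two inside hosts receive, whether the contacted server's reply is accepted, and whether an unsolicited packet from a stranger gets through. All addresses (203.0.113.1 as the public address, a 192.168.1.0/24 inside network, 198.51.100.x remote hosts) and the port-block algorithm are assumptions chosen for the demonstration.

```python
"""Toy model of the three NAT44 behaviours discussed above.

Constructed for this article; it is not VPP code. Addresses are from the
RFC 5737 / RFC 1918 documentation and private ranges and are assumptions.
"""

PUBLIC_IP = "203.0.113.1"        # assumed single public address of the NAT
INSIDE_PREFIX = "192.168.1."     # assumed inside /24


class EndpointIndependentNat:
    """EIM + EIF: one external port per inside (ip, port), reused for every
    destination, and a reply is accepted from ANY external host."""

    def __init__(self, first_port=10000):
        self.next_port = first_port
        self.mapping = {}   # (in_ip, in_port) -> ext_port
        self.reverse = {}   # ext_port -> (in_ip, in_port)

    def outbound(self, in_ip, in_port, dst_ip, dst_port):
        key = (in_ip, in_port)
        if key not in self.mapping:            # dst_ip/dst_port play no role
            self.mapping[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return PUBLIC_IP, self.mapping[key]

    def inbound(self, ext_port, from_ip, from_port):
        # Endpoint-independent filtering: the sender is never checked. This is
        # what makes hole punching work and what lets unsolicited traffic in.
        return self.reverse.get(ext_port)


class EndpointDependentNat:
    """Address-and-port-dependent mapping and filtering: sessions are keyed
    by the full 5-tuple, so an external port can be reused towards different
    remote endpoints and only the contacted endpoint can send back."""

    def __init__(self, first_port=10000):
        self.first_port = first_port
        self.sessions = {}  # (in_ip, in_port, dst_ip, dst_port) -> ext_port
        self.reverse = {}   # (ext_port, dst_ip, dst_port) -> (in_ip, in_port)

    def outbound(self, in_ip, in_port, dst_ip, dst_port):
        key = (in_ip, in_port, dst_ip, dst_port)
        if key not in self.sessions:
            port = self.first_port
            while (port, dst_ip, dst_port) in self.reverse:  # clash only per remote endpoint
                port += 1
            self.sessions[key] = port
            self.reverse[(port, dst_ip, dst_port)] = (in_ip, in_port)
        return PUBLIC_IP, self.sessions[key]

    def inbound(self, ext_port, from_ip, from_port):
        return self.reverse.get((ext_port, from_ip, from_port))


class DeterministicNat(EndpointDependentNat):
    """Each inside host owns a fixed, computable block of external ports, so
    the inside host behind any external port can be derived with no session
    log. Session tracking is modelled as in the endpoint-dependent class;
    the property shown here is the algorithmic port block."""

    def __init__(self, ports_per_host=4, first_port=10000):
        super().__init__(first_port)
        self.ports_per_host = ports_per_host

    def port_block(self, in_ip):
        idx = int(in_ip.rsplit(".", 1)[1])            # toy: host index = last octet
        lo = self.first_port + idx * self.ports_per_host
        return lo, lo + self.ports_per_host - 1

    def owner_of(self, ext_port):
        """Inverse of port_block: attribution from the port alone, no state."""
        idx = (ext_port - self.first_port) // self.ports_per_host
        return INSIDE_PREFIX + str(idx)

    def outbound(self, in_ip, in_port, dst_ip, dst_port):
        key = (in_ip, in_port, dst_ip, dst_port)
        if key not in self.sessions:
            lo, hi = self.port_block(in_ip)
            used = {p for (ip, *_), p in self.sessions.items() if ip == in_ip}
            free = [p for p in range(lo, hi + 1) if p not in used]
            if not free:   # the rigidity the text warns about: idle blocks help nobody
                raise RuntimeError(f"port block exhausted for {in_ip}")
            self.sessions[key] = free[0]
            self.reverse[(free[0], dst_ip, dst_port)] = (in_ip, in_port)
        return PUBLIC_IP, self.sessions[key]


def demo():
    """Run the same traffic through all three modes and report what differs."""
    a, b = INSIDE_PREFIX + "10", INSIDE_PREFIX + "11"
    srv1, srv2, stranger = "198.51.100.5", "198.51.100.6", "198.51.100.99"
    out = {}
    for name, nat in (("ei", EndpointIndependentNat()),
                      ("ed", EndpointDependentNat()),
                      ("det", DeterministicNat())):
        _, port_a = nat.outbound(a, 5000, srv1, 443)
        _, port_b = nat.outbound(b, 5000, srv2, 443)
        out[name] = {
            "port_a": port_a,
            "port_b": port_b,
            "reply_from_server": nat.inbound(port_a, srv1, 443),
            "unsolicited_from_stranger": nat.inbound(port_a, stranger, 4444),
        }
    out["det"]["owner_from_port_only"] = DeterministicNat().owner_of(out["det"]["port_a"])
    return out


if __name__ == "__main__":
    for mode, facts in demo().items():
        print(mode, facts)
```

Running it shows the differences the text describes: the endpoint-independent table hands the stranger's packet to the inside host, the endpoint-dependent table drops it while still reusing public port 10000 for both hosts because they talk to different servers, and the deterministic table answers "who was behind port 10040?" from arithmetic alone, at the cost of raising an error once a host's small block is used up.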
NAT in StoneWork
You can find NAT configuration examples for StoneWork, our high-performance, all-in-one routing platform, on GitHub here.
When StoneWork is deployed as a multi-tenant router, NAT keeps customer subnets separate from the inner subnets. Traffic from a customer toward the server has its source address rewritten by the NAT, and the NAT steers the corresponding traffic back into that customer's VRF, so each tenant's addressing stays confined to its own routing table.