In computer networking, in order for two devices to communicate, each of them needs to have an IP Address. This address uniquely identifies a device on the network to allow others to communicate with it. The most common addressing method in use today is IP version 4 (IPv4) and you can find it in use in almost all networks, be it your home network or in large enterprises.
As technology develops and more and more devices communicate over the network, a serious limitation of IPv4 has been exposed: the number of available addresses is finite. IPv4 addresses are 32-bit numbers, meaning there are only around 4 billion available addresses. With the number of devices connected to the internet these days, we have long surpassed this number, so there is no way to assign a unique public address to each device. The next version of addressing, IPv6, is already available, but it is not in widespread use because of various compatibility and security considerations. (For more information, see our Guide to Microsegmentation.)
So how can we still have all our devices connected and communicating with each other? The answer is Network Address Translation (NAT).
Reserved address spaces
In order to allow more time for the adoption of a new addressing protocol, a solution was needed to allow continued use of the IPv4 addressing scheme. As a first step to this, a few blocks of the available IP address range were reserved for special uses. Specifically, the ranges relevant in our case are:
- 192.168.0.0 – 192.168.255.255 – 2^16 addresses (~65 thousand)
- 172.16.0.0 – 172.31.255.255 – 2^20 addresses (~1 Million)
- 10.0.0.0 – 10.255.255.255 – 2^24 addresses (~16.8 Million)
Any IP address that falls within one of the above ranges is considered a private IP address. Some of these will most likely be familiar to you: they are the addresses you would, in most cases, see on computers in your home or office network.
The idea behind these private ranges is that there is no direct communication between private networks, which allows the same IP addresses to be reused in different private networks. For instance, you can set the same IP address for your computer at home and for the one in the office, but the two would not be able to communicate with each other directly.
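To make the three ranges above concrete, here is a small added example (not code from the original article) that uses Python's standard ipaddress module to express each reserved block in CIDR form, compute how many addresses it holds, and classify an arbitrary address as private or public. The CIDR prefixes (/8, /12, /16) are the standard notation for the same three ranges listed above; the sample addresses at the bottom are constructed for illustration.

```python
import ipaddress

# The three reserved (RFC 1918) private ranges from the list above, written in CIDR form.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]


def block_sizes():
    """Return {cidr: number of addresses} for each private block."""
    return {str(net): net.num_addresses for net in PRIVATE_BLOCKS}


def private_block(ip):
    """Return the CIDR string of the private block containing ip, or None if ip is public."""
    addr = ipaddress.ip_address(ip)
    for net in PRIVATE_BLOCKS:
        if addr in net:
            return str(net)
    return None


def is_private(ip):
    """True if ip falls inside one of the three reserved ranges."""
    return private_block(ip) is not None


if __name__ == "__main__":
    for cidr, count in block_sizes().items():
        # count is an exact power of two, so bit_length()-1 recovers the exponent
        print(f"{cidr}: {count} addresses (2^{count.bit_length() - 1})")
    # Constructed sample addresses: note 172.32.0.1 is just outside the 172.16/12 block.
    for ip in ["192.168.0.10", "172.31.255.255", "172.32.0.1", "10.1.2.3", "8.8.8.8"]:
        print(f"{ip} -> {private_block(ip) or 'public'}")
```

The 172.16.0.0/12 case is the one people most often get wrong by eye: 172.31.255.255 is the last private address, and 172.32.0.1 is already public, which the prefix check handles without any manual range arithmetic.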
Network Address Translation
Having reserved address ranges does help to have more devices with an IP address, but it does not solve the issue of communication between private networks. This is where Network Address Translation (NAT) steps in.
In order for private networks to communicate with each other or with the public internet, they need to be connected through a NAT device. In most cases, this is a router. The router is assigned a public IP address (usually received from your ISP) and also a private IP address within your private network.
Let’s see how this would work using a simple example:
In our case, Computer 1 wants to connect to the DNS service hosted on a server on the internet. The IP address of Computer 1 is a private address, 192.168.0.10, and the server has a public address, 126.96.36.199. Because Computer 1 has a private IP address, it cannot communicate directly with the server, so the following steps are needed:
- Computer 1 sends out a packet to initiate the connection with the server. It sees that the server is not in the same network as it, so the packet is sent to the router for further processing.
- The router receives the packet and notes the details of the connection, including the source IP address and port and the destination IP address and port. It then selects a free port number for this communication session to use. Let’s use port 12345 for our example. This mapping between the port number and the original connection details is stored for reference later.
- The router sends out a new packet, replacing the source IP address with its public IP address and replacing the source port with 12345. This packet is sent from a public IP address so it has no issue arriving at the server.
- The server receives the packet and generates a reply. This reply is sent back to the public IP address of the router and to port 12345.
- When the router receives the reply, it looks up the port number 12345 from the server 188.8.131.52 and it sees the original session information that it stored in step 2.
- The router changes the destination IP address and port to the source IP address and port number that Computer 1 originally sent, and then sends the response to Computer 1 – completing the connection.
The method detailed above works well when you have a device in a private network that wants to communicate with the public internet, but if we try the other way around, we still have a problem. Let’s show this with an example:
In the above diagram, we have a server on the public internet trying to send data to Computer 1. It sends a packet to the public IP of the router, but the router does not know what to do from here. There are multiple servers on the other side of the router, but to which one does the router forward the packet?
This is where port forwarding rules come in. On the router, you can define a rule specifying, for example, that all traffic arriving on port 80 of the router's public interface should be sent to port 80 on Computer 1. The router can now use this forwarding rule to handle the packet and knows where to send it. If no matching rule is defined, the router discards the packet.
This ends up having the additional advantage of adding another layer of security to the network, since any server that does not have a forwarding rule defined for it cannot be directly accessed from outside the private network.
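The six outbound/reply steps above and the port-forwarding rule for unsolicited inbound traffic can be simulated with a small translation table. The following added example (illustrative code, not the article's or any vendor's implementation) models a router that rewrites outbound source addresses, maps replies back by the port it chose, forwards inbound packets that match a static rule, and drops everything else. The router's public address 203.0.113.1, the server address 198.51.100.53 and the source port 40000 are constructed values (the first two are RFC 5737 documentation addresses); Computer 1's address 192.168.0.10 and the mapped port 12345 come from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields NAT cares about, plus a payload label for readability."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    """Minimal port-based NAT model (hypothetical class for this illustration)."""

    def __init__(self, public_ip, first_port=12345):
        self.public_ip = public_ip
        self.next_port = first_port
        # Session table: public-side port -> (private ip, private port, remote ip, remote port)
        self.sessions = {}
        # Static port-forwarding rules: public-side port -> (private ip, private port)
        self.forwards = {}

    def add_forward(self, external_port, private_ip, private_port):
        """Define a rule such as 'public port 80 -> Computer 1 port 80'."""
        self.forwards[external_port] = (private_ip, private_port)

    def outbound(self, pkt):
        """Steps 2 and 3: record the session and rewrite the source to the public side."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port, session in self.sessions.items():
            if session == key:          # same connection seen before: reuse its port
                ext_port = port
                break
        else:
            ext_port = self.next_port   # pick a free public-side port
            self.next_port += 1
            self.sessions[ext_port] = key
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Steps 5 and 6, or a forwarding rule; returns None when the packet is discarded."""
        session = self.sessions.get(pkt.dst_port)
        # A reply counts only if it comes from the peer this port was mapped for
        if session and (session[2], session[3]) == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, session[0], session[1], pkt.payload)
        if pkt.dst_port in self.forwards:
            priv_ip, priv_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)
        return None                     # no session, no rule: drop


def walkthrough():
    """Run the article's scenario; returns (on_wire, delivered, dropped, forwarded)."""
    router = NatRouter(public_ip="203.0.113.1")      # constructed public address
    server_ip, server_port = "198.51.100.53", 53     # constructed DNS server
    # Step 1: Computer 1 sends its query towards the public server
    query = Packet("192.168.0.10", 40000, server_ip, server_port, "dns query")
    on_wire = router.outbound(query)                 # src becomes 203.0.113.1:12345
    # Step 4: the server answers the router's public address and mapped port
    reply = Packet(server_ip, server_port, on_wire.src_ip, on_wire.src_port, "dns answer")
    delivered = router.inbound(reply)                # dst restored to 192.168.0.10:40000
    # An unsolicited packet from some other host with no session and no rule
    probe = Packet("192.0.2.7", 5555, router.public_ip, 80, "unsolicited")
    dropped = router.inbound(probe)                  # None
    # After a port-forwarding rule exists, the same packet reaches Computer 1
    router.add_forward(80, "192.168.0.10", 80)
    forwarded = router.inbound(probe)
    return on_wire, delivered, dropped, forwarded


if __name__ == "__main__":
    for label, pkt in zip(("on wire", "delivered", "dropped", "forwarded"), walkthrough()):
        print(f"{label:>9}: {pkt}")
```

One design choice worth noting: inbound() accepts a reply only if it arrives from the exact remote address and port the session was opened to, which matches the article's "looks up the port number 12345 from the server" wording. Real routers differ in how strict this filtering is, and the strictness is what determines whether a third party that guesses the mapped port can reach the inside host.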
The Network Address Translation mechanism helps to bridge the gap in network routing until IPv6 can be fully implemented. In addition to this, it also adds another layer of security to networks allowing servers to be completely blocked off from access from the public internet, while still allowing them to communicate outwards if necessary.