9.1. Overview

NAT is a method of remapping one IP address space into another by modifying network address information in IP packet headers while they are in transit across a traffic routing device. NAT allows ISP subscribers to be represented to the public Internet by a different IP address space than the one being used internally.

By taking advantage of transport layer port numbers, NAT also allows mapping many-to-one or many-to-few private to public IP addresses. It means that one or a few public IP addresses can represent many subscribers with private IP addresses. It is possible to use a single public IP address to represent up to 128 subscribers without affecting their Internet experience.

NAT also provides a level of security which is an essential part of any networking implementation. NAT essentially hides all the private IP addresses from the public Internet, providing an excellent additional security measure against hackers.

A device enabled with NAT traditionally has at least one interface connected to the inside network and one connected to the outside network. NAT is configured at the border or edge devices between an internal ISP network and a public network in a typical environment. NAT translates the private address into a globally unique public address when a packet leaves the internal network. NAT translates the public destination address back into a private address when a packet enters the internal network.

NAT supports two modes of operation – NAT44 and NAT64.

NAT44

NAT44 operation mode maps private IPv4 address space into public IPv4 address space.

A simplified network diagram for NAT44 is represented on the following figure:

digraph {
    bgcolor="transparent";
    node [shape=box, color="#000000", fontcolor="#000000"];
    edge [color="#000000", fontcolor="#000000"];
    rankdir = LR;

    "IPv4 device" -> NAT44 [label = "IPv4 access network"];
    NAT44 -> "IPv4 server" [label = "IPv4 Internet"];
}
digraph {
    bgcolor="transparent";
    node [shape=box, color="white", fontcolor="white"];
    edge [color="white", fontcolor="white"];
    rankdir = LR;

    "IPv4 device" -> NAT44 [label = "IPv4 access network"];
    NAT44 -> "IPv4 server" [label = "IPv4 Internet"];
}

In the internal ISP network, subscriber is represented by a private IPv4 address. When subscriber traffic leaves the network, NAT translates the private IPv4 address into a public IPv4 address.

NAT44 is implemented according to the following RFCs: RFC 4787, RFC 5382, RFC 5508, RFC 6888 and RFC 7857.

NAT64

NAT64 operation mode maps private IPv6 address space into public IPv4 address space. It allows an ISP to have an IPv6-only internal network while maintaining the ability to access IPv4-only Internet services for its subscribers.

A simplified network diagram for NAT64 is represented on the following figure:

digraph {
    bgcolor="transparent";
    node [shape=box, color="#000000", fontcolor="#000000"];
    edge [color="#000000", fontcolor="#000000"];
    rankdir = LR;

    "IPv6 device" -> "IPv6 server" [label = "IPv6 Internet"];
    "IPv6 device" -> DNS64 [label = "DNS AAAA request"];
    "IPv6 device" -> NAT64 [xlabel = "IPv6 access network"];
    DNS64 -> "DNS server" [label = "DNS AAAA request"];
    DNS64 -> "DNS server" [label = "DNS A request"];
    NAT64 -> "IPv4 server" [label = "IPv4 Internet"];

    subgraph {
        rank=same;
        "IPv6 server";
        "IPv4 server";
        "DNS server";
    }
}
digraph {
    bgcolor="transparent";
    node [shape=box,color="white", fontcolor="white"];
    edge [color="white", fontcolor="white"];
    rankdir = LR;

    "IPv6 device" -> "IPv6 server" [label = "IPv6 Internet"];
    "IPv6 device" -> DNS64 [label = "DNS AAAA request"];
    "IPv6 device" -> NAT64 [xlabel = "IPv6 access network"];
    DNS64 -> "DNS server" [label = "DNS AAAA request"];
    DNS64 -> "DNS server" [label = "DNS A request"];
    NAT64 -> "IPv4 server" [label = "IPv4 Internet"];

    subgraph {
        rank=same;
        "IPv6 server";
        "IPv4 server";
        "DNS server";
    }
}

When an IPv6 subscriber wants to access some Internet service, it first needs to know the IP address of this service. To find out the address, it sends a DNS AAAA request to a special network entity called DNS64.

The idea of DNS64 is to allow the subscriber to directly access IPv6-capable Internet services when possible. Therefore, it first redirects the AAAA request to a global DNS server to get an IPv6 address. If it gets a response, it redirects it back to the subscriber. If it doesn’t succeed, it sends an A request to a global DNS server to get an IPv4 address. If it succeeds, it generates a special IPv6 representation of an IPv4 address and sends it to the subscriber. For this special representation it prepends a Well-Known Prefix 64:ff9b::/96 to an IPv4 address, for example, 1.1.1.1 is mapped to 64:ff9b::1.1.1.1 or, in IPv6 representation, 64:ff9b::0101:0101. There’s more to read about how DNS64 works in RFC 6147.

When the subscriber wants to access an actual IPv6 service, it opens a connection directly to the service. When the subscriber wants to access an IPv4-only service, and it found out the special IPv6 representation using the procedure above, it opens a connection through the NAT64. When NAT64 receives a connection with destination address from the Well-Known Prefix, it translates the subscriber’s IPv6 address into a public IPv4 address. Also, it translates the destination IPv6 representation back to an IPv4 address. For example, when the subscriber with address 2001:DB8::1 opens a connection to 64:ff9b::0101:0101, NAT64 translates it into a connection from 203.0.113.1 to 1.1.1.1.

NAT64 is implemented according to RFC 6146.