Next: AVES Up: Heterogeneous Address Space Connectivity Problem Previous: Heterogeneous Address Space Connectivity Problem


NAT and Its Limitation

It is helpful to understand the capability and limitation of NAT. As we shall see, NAT can only provide uni-directional (out-bound) connectivity to the IP Internet. Figure 2 illustrates a typical scenario where a network is constructed using the reusable-IP address space and is attached to the IP Internet via a NAT gateway, $R$.

Figure 2: Out-bound connectivity via NAT gateway (figure figures/nat.eps omitted)

Assume $R$ only owns a single IP address. Consider the case where a reusable-IP host $B$ (the initiator) is connecting to an IP host $A$ (the responder). A reusable-IP address that belongs to host $X$ is denoted $IP_X'$, and an IP address that belongs to host $Y$ is denoted $IP_Y$. Assume $B$ already knows the IP address of $A$.[*] $B$ simply initiates the connection by sending a packet to $A$. Suppose this is a TCP connection, and the packet sent by $B$ has a source port number $P_B$ and a destination port number $P_A$. We denote this packet by $[IP_B',P_B \rightarrow IP_A,P_A]$ (the transport protocol is omitted for simplicity). The goal of NAT is to represent $B$ in the IP Internet by $R$. As this packet is forwarded by $R$, $R$ replaces $IP_B'$ by its own IP address $IP_R$, and $P_B$ by an available port number on $R$, say, $P_R$. The resulting packet is $[IP_R,P_R \rightarrow IP_A,P_A]$ and is forwarded out of the reusable-IP network. When a corresponding response packet $[IP_A,P_A \rightarrow IP_R,P_R]$ is received by $R$, $R$ simply replaces the destination address by $IP_B'$ and the destination port number by $P_B$. A mapping on $R$ is identified by the transport protocol and by the responder's address and port as well as by $P_R$, so each 16-bit port number on $R$ can be reused for different transport protocols and for different responding endpoints. Roughly 65,000 TCP and 65,000 UDP connections can therefore be simultaneously active from initiating reusable-IP hosts to every port of every responding IP host, even though $R$ only has one IP address.

In contrast, if $A$ is the initiator and $B$ is the responder, the situation is very different. Because the only IP address owned by the reusable-IP network is $IP_R$, a DNS application level gateway [26] for in-bound NAT must resolve the name lookup for $B$ to $IP_R$. Unfortunately, since $IP_R$ can only refer to one reusable-IP host at any given time, with one IP address NAT can only provide general in-bound connectivity to one responder in the entire reusable-IP network at a time. Since owning only one IP address is the typical case, NAT cannot provide acceptable in-bound connectivity.
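The two cases above, the out-bound translation of the previous paragraph and the in-bound limitation of this one, are worked through below in a small simulation of the gateway $R$. This is an added example written for this page, not code from the AVES project. It assumes, as the text's counting does, that a mapping on $R$ is identified by the transport protocol and the responder endpoint $(IP_A,P_A)$ in addition to $P_R$; the addresses (documentation ranges 10.0.0.0/8, 198.51.100.0/24, 203.0.113.0/24) and the `Packet`/`NATGateway` names are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"; the text omits it, the NAT cannot
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NATGateway:
    """Single-address NAT gateway R of Figure 2 (constructed example).

    Assumption: a mapping is keyed on the protocol and on the responder
    endpoint (IP_A, P_A) as well as on P_R, so each of R's ~64K port numbers
    is reusable once per protocol per responding endpoint.  A NAT keyed only
    on (proto, P_R) would allow ~64K mappings per protocol in total.
    """

    def __init__(self, ip_r: str, first_port: int = 1024, last_port: int = 65535):
        self.ip_r = ip_r
        self.ports = range(first_port, last_port + 1)
        # (proto, IP_B', P_B, IP_A, P_A) -> P_R
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, P_R, IP_A, P_A) -> (IP_B', P_B)
        self.in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # The single reusable-IP host that an in-bound DNS ALG resolves to IP_R.
        self.inbound_responder: Optional[str] = None

    def _alloc_port(self, proto: str, dst_ip: str, dst_port: int) -> int:
        """Lowest P_R not yet used for this protocol and responder endpoint."""
        for p in self.ports:
            if (proto, p, dst_ip, dst_port) not in self.in_map:
                return p
        raise RuntimeError(f"{proto} ports on {self.ip_r} exhausted for {dst_ip}:{dst_port}")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """[IP_B',P_B -> IP_A,P_A] becomes [IP_R,P_R -> IP_A,P_A]."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        p_r = self.out_map.get(key)
        if p_r is None:
            p_r = self._alloc_port(pkt.proto, pkt.dst_ip, pkt.dst_port)
            self.out_map[key] = p_r
            self.in_map[(pkt.proto, p_r, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.ip_r, src_port=p_r)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """[IP_A,P_A -> IP_R,P_R]: restore IP_B',P_B if a mapping exists.

        Otherwise the packet is unsolicited.  It can only be delivered to the
        one host the DNS ALG currently maps IP_R to; with no such host it is
        dropped (None).
        """
        if pkt.dst_ip != self.ip_r:
            return None
        hit = self.in_map.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if hit is not None:
            ip_b, p_b = hit
            return replace(pkt, dst_ip=ip_b, dst_port=p_b)
        if self.inbound_responder is not None:
            return replace(pkt, dst_ip=self.inbound_responder)
        return None

    def set_inbound_responder(self, ip_b: Optional[str]) -> None:
        """IP_R can stand for only one reusable-IP responder at a time."""
        self.inbound_responder = ip_b


if __name__ == "__main__":
    gw = NATGateway("198.51.100.1")                       # R, one public address
    a = ("203.0.113.5", 80)                               # responder A
    for ip_b in ("10.0.0.2", "10.0.0.3"):                 # two reusable-IP initiators
        out = gw.translate_outbound(Packet("tcp", ip_b, 40000, *a))
        back = gw.translate_inbound(Packet("tcp", *a, out.dst_ip and gw.ip_r, out.src_port))
        print(f"{ip_b}:40000 -> {out.src_ip}:{out.src_port}; reply returns to {back.dst_ip}:{back.dst_port}")
    unsolicited = Packet("tcp", "203.0.113.7", 51000, gw.ip_r, 22)
    print("unsolicited in-bound with no responder:", gw.translate_inbound(unsolicited))
    gw.set_inbound_responder("10.0.0.2")
    print("after DNS ALG maps IP_R to 10.0.0.2:", gw.translate_inbound(unsolicited).dst_ip)
```

Two things to check when reading the output: the same $P_R$ is handed out again for a different protocol or a different responder endpoint, which is where the "65,000 per protocol per responding endpoint" figure comes from; and an unsolicited packet to $IP_R$ is dropped until the gateway is told which single host stands behind $IP_R$, and re-pointing it to a second host takes it away from the first.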

