UNIX System Administration Handbook - Evi Nemeth [170]

the Internet.

NAT’s use of port number mapping allows several conversations to be multiplexed onto the same IP address so that a single external address can be shared by many internal hosts. In some cases, a site can get by with only one “real” IP address.

A site that uses NAT must still request address space from its ISP, but most of the addresses thus obtained are used for NAT mappings and are not assigned to individual hosts. If the site later wants to choose another ISP, only the border router and its NAT configuration need to change, not the configurations of the individual hosts.

Several router vendors implement NAT, including Cisco. It is also possible to have a UNIX box perform the NAT function, although we do not recommend this implementation for real companies. Both Red Hat and FreeBSD can do it.[10]

See the vendor-specific sections later in this chapter for details. For some reason, Linux calls NAT “IP masquerading.”

An incorrect NAT configuration can let private-address-space packets escape onto the Internet. The packets will get to their destinations, but answering packets won’t be able to get back. CAIDA,[11] an organization that measures everything in sight about the backbone networks, finds that 0.1% to 0.2% of the packets on the backbone have either private addresses or bad checksums.

This sounds like a tiny percentage, and it is, but it represents about 20,000 packets every 10 minutes on a busy circuit at MAE-West (one of the major public exchanges at which different ISPs meet to exchange traffic). See www.caida.org for other interesting statistics and network measurement tools.

One disadvantage of NAT (or perhaps it’s an advantage) is that an arbitrary host on the Internet cannot connect directly to your site’s internal machines: the translator only knows how to forward an inbound packet for which an outbound mapping already exists. Some implementations (e.g., Cisco PIX) let you configure static mappings, sometimes called “tunnels” or port forwarding, that support direct connections to particular internal hosts.

Another problem is that some applications embed IP addresses in the data portion of packets; these applications are foiled or confused by NAT. Examples include some routing protocols, streaming programs such as RealVideo and SHOUTcast, some FTP commands such as PORT and PASV, ICQ instant messaging, and many games.

NAT hides interior structure. This secrecy feels like a security win, but the security folks say NAT doesn’t really help for security and certainly does not replace the need for a firewall: the fact that unsolicited inbound packets are dropped is a side effect of the translation table, not a policy, and NAT does nothing about what internal hosts send out or pull in. It also foils any attempt to measure the size or topology of the Internet.
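The port-mapping behavior described above (many internal conversations multiplexed onto one public address, replies matched back through the mapping table, unsolicited inbound packets dropped, and the “private address escapes untranslated” failure) is easier to see in a small model. The following is an added example, not code from the book or from any router vendor; it simulates a NAPT translator in Python. The addresses (internal hosts in 10.1.2.0/24, public address 198.51.100.7, remote server 203.0.113.5) are constructed sample values from the documentation ranges, and the port-allocation strategy (a simple counter starting at 40000) is an assumption for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# RFC 1918 private space: a correctly configured border must never emit a
# packet whose source still lies in one of these blocks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Flow key for outbound traffic: (inside_ip, inside_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Napt:
    """Minimal port-translating NAT with one public address (constructed model)."""
    public_ip: str
    next_port: int = 40000          # assumption: sequential public ports
    out_table: Dict[Flow, int] = field(default_factory=dict)
    # inbound key: (public_port, outside_ip, outside_port) -> (inside_ip, inside_port)
    in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet, creating a mapping on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # Source becomes the shared public address plus the allocated port.
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside reply; None means no mapping, so drop it."""
        inside = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None   # unsolicited connection attempt: nobody to deliver to
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def leaks_private(pkt: Packet) -> bool:
    """True if a packet leaving the border still carries a private source.

    This is the check a misconfigured NAT fails: the packet reaches its
    destination, but no reply can be routed back to 10/8 on the Internet.
    """
    src = ipaddress.ip_address(pkt.src_ip)
    return any(src in net for net in PRIVATE_NETS)


def demo() -> dict:
    """Two internal hosts using the same source port share one public address."""
    nat = Napt("198.51.100.7")
    a = nat.outbound(Packet("10.1.2.10", 1025, "203.0.113.5", 80))
    b = nat.outbound(Packet("10.1.2.11", 1025, "203.0.113.5", 80))
    reply_a = nat.inbound(Packet("203.0.113.5", 80, "198.51.100.7", a.src_port))
    stray = nat.inbound(Packet("203.0.113.9", 443, "198.51.100.7", 50000))
    return {
        "translated_a": a, "translated_b": b,
        "reply_to_a": reply_a, "unsolicited": stray,
        "untranslated_leaks": leaks_private(Packet("10.1.2.10", 1025, "203.0.113.5", 80)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model ignores TCP state, timeouts, and protocols other than TCP/UDP, which is exactly where the applications listed below (FTP PORT/PASV, streaming protocols that carry addresses in their payloads) break: the translator rewrites only the IP and transport headers, never the embedded address in the data.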

IPv6 addressing


An IPv6 address is 128 bits long. These long addresses were originally intended to solve the problem of IP address exhaustion. Now that they’re here, however, they are being exploited to help with issues of routing, mobility, and locality of reference.

IP addresses have never been geographically clustered in the way that phone numbers or zip codes are. Now, with the proposed segmentation of the IPv6 address space, they will at least cluster to ISPs. The boundary between the network portion and the host portion of an IPv6 address is fixed at /64; the boundary between public topology and a site’s local topology is fixed at /48. Table 13.8 shows the various parts of an IPv6 address.

Table 13.8 The parts of an IPv6 address

Of these pieces, only the SLA ID and the INTERFACE ID belong to the host and its site. The other parts are provided by the upstream ISP. The SLA specifies a local subnet. The 64-bit interface ID identifies the host network interface. It typically contains the 48-bit MAC address split into two 24-bit halves with the hex digits FFFE inserted between them. In addition, a special bit in the first byte of the MAC address (bit 6, numbering bits from the left starting at 0, i.e., the 0x02 bit) called the universal/local bit must be complemented (see RFC2373). This scheme allows hosts to be automatically numbered, which is a nice feature for the sysadmin since only the subnet needs to be managed.
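The interface-ID construction just described, and its reverse (recovering the MAC from an address, which is what makes the MAC visible at the IP layer), can be carried through in a few lines. The following is an added example, not code from the book; it implements the RFC 2373 modified EUI-64 transformation in Python and assembles a full address from a /48 site prefix, a 16-bit SLA ID, and a MAC. The MAC 00:1b:21:ab:cd:ef, the prefix 2001:db8:1234::/48, and SLA ID 5 are constructed sample values.

```python
import ipaddress
from typing import Optional

UL_BIT = 0x02   # universal/local bit: bit 6 from the left of the first MAC byte


def mac_to_interface_id(mac: str) -> bytes:
    """Derive the 64-bit modified EUI-64 interface ID from a 48-bit MAC.

    Split the MAC in two, insert 0xFFFE in the middle, then complement the
    u/l bit so that a globally unique MAC yields a '1' in that position.
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= UL_BIT
    return bytes(iid)


def interface_id_to_mac(iid: bytes) -> Optional[str]:
    """Undo the transformation; None if the ID is not MAC-derived (no FFFE)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def build_address(site_prefix: str, sla_id: int, mac: str) -> ipaddress.IPv6Address:
    """Assemble /48 site prefix + 16-bit SLA ID (subnet) + 64-bit interface ID."""
    net = ipaddress.ip_network(site_prefix, strict=True)
    if net.version != 6 or net.prefixlen != 48:
        raise ValueError("site prefix must be an IPv6 /48")
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA ID is 16 bits")
    value = (int(net.network_address)
             | (sla_id << 64)
             | int.from_bytes(mac_to_interface_id(mac), "big"))
    return ipaddress.IPv6Address(value)


def mac_from_address(addr: str) -> Optional[str]:
    """What an outsider can read off a MAC-derived address: the host's MAC,
    whose first three bytes identify the card vendor."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    return interface_id_to_mac(iid)


if __name__ == "__main__":
    a = build_address("2001:db8:1234::/48", 5, "00:1b:21:ab:cd:ef")
    print(a)                    # 2001:db8:1234:5:21b:21ff:feab:cdef
    print(mac_from_address(str(a)))
```

Note that `ipaddress.ip_network(..., strict=True)` rejects a prefix with host bits set, so a typo such as 2001:db8:1234:5::/48 fails loudly instead of silently landing the host in the wrong subnet.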

In IPv6, the MAC address is seen at the IP layer, which has both good and bad implications. The brand and model of interface card are encoded in the first half of the MAC address, so hackers with code for a particular
