[ale] Clarification on networking topics

mike at trausch.us mike at trausch.us
Fri Oct 19 01:11:01 EDT 2012


(To preface: this is in the context of the meeting, along the same lines
as George's email from a couple hours ago.)

I know that some people were confused by the conversation about "double
NAT" and so forth.  I'll add what I know here, and if any questions
remain, feel free to bring them up!

A NAT is a very special type of network device.  It is essentially an
intentionally placed man-in-the-middle, and a very special case of
transparent proxy.  In effect, NAT accomplishes the same thing as SOCKS,
but slightly more transparently (when properly implemented).

Imagine that you have an IP address from your ISP; we'll call it "A".
Further, imagine that you have a network of 5 devices (computers,
smartphones, whatever), and each system on that network gets an IP
address ("B" through "F").  The devices on your network, though, are
getting addresses which are prescribed for use for private networking,
which is defined (for IPv4) in RFC 1918, "Address Allocation for Private
Subnets".  This means that your computers on the network are not allowed
to (directly) communicate with the Internet; in fact, your ISP will drop
any packets in RFC 1918 space that your edge router doesn't itself drop.

This means that some "magic" has to happen in order for you to
communicate with the Internet.  Enter the invention of the NAT.

The NAT takes a single (public, routeable) IP address and uses it for
all of your network's communications with the outside world.

An example of what happens, then, when you go to http://www.google.com/:

 1.  Your computer gets the DNS information to turn www.google.com into
     an IP address that exists on the public Internet.

 2.  Your computer then attempts to connect to that IP address.

 3.  The NAT sees the connection attempt and intercepts it.

 4.  Packets going to Google are rewritten to appear to have come from
     the NAT.  When Google replies, its packets will be addressed to
     the NAT itself, not your computer; the NAT rewrites those packets
     as well.

As was mentioned in the meeting, this breaks several protocols; FTP and
SIP are two protocols which break horribly with a NAT in the way.  The
solution here is to use protocol helpers.  Protocol helpers are kernel
modules (in the case of the Linux NAT code) which understand layer 7, or
"application" protocols (see [0] for the OSI model which defines layer
7).  They will actually rewrite the protocol packets themselves so that
they appear to have also originated from the NAT; without those helpers,
the protocol breaks irreparably.

When one creates a situation where there are TWO NAT devices between a
computer and the Internet, there is even further breakage because now
you have two state machines in the way.  And some communications that
were possible but broken through a single NAT become absolutely
impossible with two NAT devices in the way.  This is obviously a problem.

A lot of people unintentionally create double NAT scenarios, and usually
with both NATs having the exact same /24 subnetwork.  This is, of
course, Very Bad™ and should never happen.

One simple way to ensure it is that you Never Ever™ have more than one
"router" (in this usage, I mean the commodity items labeled as such)
attached to your entire network via its "Internet" or "WAN" port.

Then you have two more things to worry about: The IP address and DHCP
server on the devices themselves.  You cannot have more than one device
on a network that has the same IP address.  If your router attached to
the Internet ("edge router") has the IP 192.168.1.1 on the LAN, then
your other routers need to be .2, .3, and so forth.  Also, you need to
disable the DHCP servers on all but a single one of the router devices,
because otherwise you have a very real network management mess on your
hands.

If this all sounds confusing, that is because it is.  You can avoid it
all by using only one router and building the rest of your network with
Ethernet switches and WiFi access points that do not take IP addresses
(they effectively act like Ethernet switches, then).  However, commodity
routers are very popular and it's almost impossible to find switches and
AP-only devices in the common stores, so...

Anyway, just my few thoughts, in case anyone was still interested in them.

	--- Mike

[0] http://en.wikipedia.org/wiki/OSI_model

-- 
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
                                   --- Carveth Read, “Logic”
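As an added example (not Mike's code and not part of the original post), a small Python model of the stateful rewriting described in steps 3 and 4 above, chained twice to show the double-NAT case from the later paragraphs. All addresses and ports are constructed sample values, and the RFC 1918 check is limited to the three private ranges that RFC defines.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed example: a toy stateful source NAT that rewrites outbound packets
# to its single public address and maps replies back to the inside host.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """One public address plus a translation table (the NAT's state machine)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}     # (inside src ip, src port, dst ip, dst port) -> public port
        self.reverse = {}   # (public port, remote ip, remote port) -> (inside ip, port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Step 4: rewrite the source so the packet appears to come from the NAT."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt: Packet):
        """Map a reply back to the inside host; unsolicited packets are dropped (None)."""
        inside = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])

# The three RFC 1918 ranges; an ISP drops packets whose source is still in one of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def traverse_out(nats, pkt):
    """Double NAT: the packet is rewritten once per NAT, inner first."""
    for nat in nats:
        pkt = nat.outbound(pkt)
    return pkt

def traverse_in(nats, pkt):
    """Replies walk the NATs in reverse; any NAT without state for them drops them."""
    for nat in reversed(nats):
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt
```

A reply only reaches the inside host if every NAT on the path still holds a matching table entry, which is why an inbound connection with no prior outbound state is dropped at the outer NAT before the inner one ever sees it.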
