Chapter 15. Network Address Translation

The concept of Network Address Translation (NAT) goes back to the first fears of an IP address shortage. Such a shortage was a distinct possibility because, in the early days before the classless interdomain routing (CIDR) and variable-length subnet masking (VLSM) of today's Internet, huge address blocks were assigned that were either underutilized or assigned inefficiently. Today's address-assignment policies are much stricter, and registration authorities now try to free underutilized address aggregates by demanding them back for reassignment. Historically, most addresses were assigned to North America and Europe. NAT also improves aggregation and scalability of enterprise routing, so it contributes to keeping the global Internet routing table "relatively" small.

From a "workaround" for address exhaustion, NAT has evolved into a flexible vehicle for enterprises and Internet service providers (ISPs). Although NAT per se is not a security vehicle, it arguably improves privacy: an attacker usually does not know which addresses, or how many, remain hidden (masqueraded) behind corporate NAT gateways. Only the outside addresses of these gateways, or the address pools deployed for NAT, are directly reachable.

This chapter discusses UNIX NAT approaches, frequently used terminology, and caveats concerning protocols that do not work through NAT. The chapter concludes by looking at future developments with regard to IPv4 NAT.