Network address translation
To manage external internet access, DT Cloud Services provides SNATaaS (Source Network Address Translation as a Service) for mapping public and private IP addresses. A good practice is to assign private IPv4 addresses to device interfaces (or instances) and configure NAT for access to the internet. Even when a device needs to be visible on the internet, a private IP address in combination with a static NAT function is used. The mapping is configured with OpenStack commands.
SNATaaS needs to be enabled by the project administrator. When activated, it provides a local network with outbound internet access, so that instances on it can easily be updated and maintained.
Fundamentals
Computers and devices behind a router can use private IP addresses to communicate with each other. The private IP addresses only need to be unique within the home network or LAN.
Having two different types of IP addresses makes it necessary to translate an IP address when a message crosses the boundary between the private and public domains. This is known as Network Address Translation (NAT) and in effect means that one of the IP addresses in the packet header is overwritten with another address.
The header of an IP packet contains a source IP address and a destination IP address, which are used for routing. Two types of NAT are defined according to whether the source or the destination IP address is translated. In SNAT the source IP address is changed, which enables several hosts on a private network to access the public network. The NAT function is performed by a NAT gateway, which maintains a connection table that determines where to route returning packets. The other type is DNAT, where the destination IP address is changed, which allows multiple hosts on the public network to access a single host on a private network.
Whereas IP addresses are used in packet routing, most hosts are known by their associated domain name. It is therefore necessary to translate from domain name to IP address, and this function is performed by DNS (Domain Name System) servers, often managed by ISPs.
NAT can be deployed in different ways:
Static NAT maintains a permanent, one-to-one mapping between IP addresses, such as a public and a private address. As a special case, OpenStack uses this principle for floating IPs. It is also used for destination NAT (DNAT).
Dynamic NAT maps addresses in temporary associations, where either the source IP (SNAT) or the destination IP (DNAT) is mapped. Dynamic NAT is inefficient for one-to-one address mapping. Port Address Translation (PAT), or port forwarding, is a type of dynamic NAT where the router also changes the source port number (TCP or UDP) to enable a large number of concurrent connections. The address and port mappings are maintained as long as a session lasts.
In dynamic NAT, each public IP can be used for 128K translations (64K for TCP and 64K for UDP). This number is determined by the number of ports (the total number of ports being 65535). The first 1024 ports are not used for PAT, as they are defined for well-known protocols or services and should not be used as source ports. If more connections are required, additional public IP addresses must be allocated.
Each socket (IP address and the associated port) is temporarily allocated to a connection. After the connection times out, the socket is released and can be reused by another flow.
Basic source NAT for internet access
Basic Source NAT (SNAT) functionality allows outbound internet access for any instance in a VPC. This is the typical scenario for a number of client instances connected over a private network.
Note that the only traffic allowed from outside hosts is traffic related to already established sessions initiated by a VPC instance on the private network.
The basic NAT has the following characteristics:
Based on dynamic NAT with port translation (PAT)
The IP association is temporary
A public IP address may be shared between several instances, not necessarily from the same VPC
For parallel outbound internet connections, multiple public IP addresses may be assigned (RFC-5128, chapter 2.3)
The user can block the NAT function for specific instances, if required
The basic NAT function does not block STUN and TURN, but the user has to provide these servers
Destination NAT (DNAT) for public access
DNAT provides conversion from a public to a private IP address, enabling access to an instance from the internet. Access to instances is enabled, but with a high level of control and protection.
DNAT has the following characteristics:
Instances with applications are deployed in VPC using private IP addresses.
Static L4 NAT is configured and applied on the cloud. Access to an instance is allowed only via the defined protocol (TCP, UDP or ICMP) and port number.
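The following is an added worked example, not code from DT Cloud Services, OpenStack, Contrail or Neutron. It models in Python the two behaviours described above: the basic SNAT gateway with port translation (a connection table keyed on the private-side 5-tuple, public source ports allocated only from 1024 upwards, returning packets routed back by reverse lookup, unsolicited inbound packets dropped, and mappings released on idle timeout so their ports can be reused), and a static L4 DNAT rule that forwards inbound traffic only when both the protocol and the port match. All addresses, ports and the idle timeout are constructed values.

```python
"""Toy model of a NAT gateway: dynamic SNAT with port translation (PAT) plus
static L4 DNAT. Constructed example; not DT Cloud Services, Contrail or Neutron code."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EPHEMERAL_FIRST = 1024   # ports 0-1023 belong to well-known services and are never used as PAT source ports
EPHEMERAL_LAST = 65535   # 65535 - 1023 = 64512 usable ports per transport protocol ("64K" in the text)
IDLE_TIMEOUT = 300.0     # seconds a mapping survives without traffic (assumed value)


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Connection-table key: the packet's 5-tuple as seen on the private side
Flow = Tuple[str, str, int, str, int]


class NatGateway:
    def __init__(self, public_ip: str,
                 dnat_rules: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.public_ip = public_ip
        # Static DNAT: (proto, public_port) -> (private_ip, private_port)
        self.dnat_rules = dict(dnat_rules or {})
        # Dynamic SNAT connection table: flow -> (public_port, last_seen)
        self.conn: Dict[Flow, Tuple[int, float]] = {}
        # Reverse index used for returning packets: (proto, public_port) -> flow
        self.reverse: Dict[Tuple[str, int], Flow] = {}
        # One pool of free public ports per protocol; ports reserved by DNAT rules are excluded.
        # Lowest free port first keeps the example deterministic; real gateways usually randomise.
        self.free: Dict[str, List[int]] = {}
        for proto in ("tcp", "udp"):
            self.free[proto] = [p for p in range(EPHEMERAL_FIRST, EPHEMERAL_LAST + 1)
                                if (proto, p) not in self.dnat_rules]
            heapq.heapify(self.free[proto])

    def free_ports(self, proto: str) -> int:
        """Number of public source ports still available for PAT on this protocol."""
        return len(self.free[proto])

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Private -> public: rewrite source IP and port, creating a mapping if needed."""
        flow: Flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow in self.conn:
            port = self.conn[flow][0]
        elif self.free[pkt.proto]:
            port = heapq.heappop(self.free[pkt.proto])
            self.reverse[(pkt.proto, port)] = flow
        else:
            return None   # port pool exhausted: the remedy in the text is another public IP
        self.conn[flow] = (port, now)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Public -> private: static DNAT first, then replies to established flows; drop the rest."""
        if pkt.dst_ip != self.public_ip:
            return None
        rule = self.dnat_rules.get((pkt.proto, pkt.dst_port))
        if rule is not None:                      # protocol AND port must match the static rule
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, rule[0], rule[1])
        flow = self.reverse.get((pkt.proto, pkt.dst_port))
        if flow is not None and flow[3] == pkt.src_ip and flow[4] == pkt.src_port:
            self.conn[flow] = (pkt.dst_port, now)  # refresh the idle timer
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, flow[1], flow[2])
        return None   # not related to a session opened from inside: not forwarded

    def expire(self, now: float) -> int:
        """Release mappings idle longer than IDLE_TIMEOUT; their ports return to the pool."""
        stale = [f for f, (_, seen) in self.conn.items() if now - seen > IDLE_TIMEOUT]
        for flow in stale:
            port, _ = self.conn.pop(flow)
            del self.reverse[(flow[0], port)]
            heapq.heappush(self.free[flow[0]], port)
        return len(stale)


def demo() -> dict:
    """Walk one gateway through SNAT, reply, probe, DNAT and timeout; return what happened."""
    gw = NatGateway("203.0.113.10", dnat_rules={("tcp", 443): ("10.0.0.20", 8443)})
    # Two instances using the same private source port: PAT keeps them apart
    a = gw.outbound(Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 80), now=0.0)
    b = gw.outbound(Packet("tcp", "10.0.0.6", 40000, "198.51.100.7", 80), now=1.0)
    reply = gw.inbound(Packet("tcp", "198.51.100.7", 80, gw.public_ip, a.src_port), now=2.0)
    probe = gw.inbound(Packet("tcp", "198.51.100.9", 5555, gw.public_ip, 2000), now=2.0)
    https = gw.inbound(Packet("tcp", "198.51.100.9", 5555, gw.public_ip, 443), now=2.0)
    udp443 = gw.inbound(Packet("udp", "198.51.100.9", 5555, gw.public_ip, 443), now=2.0)
    released = gw.expire(now=400.0)
    c = gw.outbound(Packet("tcp", "10.0.0.7", 53000, "198.51.100.7", 80), now=401.0)
    return {
        "a_port": a.src_port, "b_port": b.src_port,
        "reply_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_forwarded": probe is not None,
        "https_to": (https.dst_ip, https.dst_port) if https else None,
        "udp443_forwarded": udp443 is not None,
        "released": released, "c_port": c.src_port,
    }


if __name__ == "__main__":
    print(demo())
```

In the walk-through, the two instances sharing private port 40000 receive distinct public ports, the web server's reply is routed back to the instance that opened the session, a packet to an unallocated port is dropped, the HTTPS rule forwards TCP/443 but not UDP/443, and after the idle timeout the released port is handed to the next new flow.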
Beryllium implementation
The NAT function is realized in Contrail, which creates a special service instance (a network namespace on a vRouter) as the SNAT gateway. The SNAT gateway is therefore not tied to any VM instance. The SNAT gateway implements rules to route traffic between its interfaces on the virtual network and the public network.
Boron implementation
In the Boron SNATaaS, virtual machines with private IP addresses are connected to a Neutron gateway, which performs the address mapping using iptables in dedicated IP namespaces. The gateway then assigns the public IP address to a port connected to the public sub-network.