Private Addressing and Network Address Translation


Private Addresses.  Private addresses are reserved IP addresses intended for use only inside an organization's network.  They must not appear on the open Internet, so they have to be translated to the organization's externally registered address whenever traffic is sent to the Internet.

The available private addresses are in the following table.


Ranges of Private IP Addresses (RFC 1918)
Range                                    Prefix notation
10.0.0.0  to  10.255.255.255             10.0.0.0/8
172.16.0.0  to  172.31.255.255           172.16.0.0/12
192.168.0.0  to  192.168.255.255         192.168.0.0/16


Generally, some form of network address translation, such as Cisco's NAT, is used to convert an inside network address to an outside network address or vice versa.  The following diagram gives a representation.

[Diagram not reproduced: an inside host with source address 1.1.1.1 sends a request through the NAT gateway to a host on the Internet, which sees a translated source address.]

For example, in the diagram above, the internal SA (source address) is 1.1.1.1.  When that host sends a request to some host on the Internet, its firewall, gateway or border router must convert the internal address to one that has meaning in the rest of the world.  This means the gateway must place a valid address in the source field of the request and also keep something that can be converted back to the original sender's address when the reply comes back.  Thus the remote host sees a different SA than the one the sender used.

Obviously this conversion process needs to work both forwards and backwards.

The following table gives some terminology and descriptions.


Term                        Description
Inside Local IP Address     The IP address assigned to a particular device or host on the inside of the network.  This address is either globally unique but obsolete, allocated from RFC 1918 private space, or randomly picked.
Inside Global IP Address    A legitimate IP address, assigned by the Network Information Center (NIC) or the ISP, that represents one or more inside local IP addresses to the outside world.  The address was allocated from globally unique space, typically provided by the ISP.
Outside Global IP Address   The IP address assigned to a host on the outside network by its owner.  The address was allocated from a globally routable address space.
Outside Local IP Address    If the outside host is itself on another inside network, this is the IP address that the outside host (relative to the sender) has on its own inside network.


In order to implement this approach, a number of features must be available on the routers being used.  The list below gives Cisco's NAT features, but they are broadly representative of what other vendors implement.
  • Static Address Translation - establishes a one-to-one mapping between inside local and inside global addresses
  • Dynamic Source Address Translation - establishes a dynamic mapping between the inside local and inside global addresses.  This is accomplished by describing the local addresses to be translated, the pool of addresses from which to allocate global addresses and associating the two.  The router will create translations as needed.
  • Address Overloading - Conserves addresses within the inside global address pool by allowing source ports in the TCP connections or UDP conversations to be translated.  When different inside local addresses map to the same inside global address, each inside host's TCP or UDP port numbers are used to distinguish between them.
  • TCP Load Distribution - A dynamic form of destination translation that can be configured for some outside to inside traffic.  Once a mapping is defined, destination addresses matching an access list are replaced with an address from a rotary pool.
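The following Python model is an added example; it is not part of the original notes and is not Cisco's implementation.  It ties together three points from above: checking whether a source address falls in the private ranges, static one-to-one translation, and address overloading, where two inside hosts that happen to use the same source port are told apart by the port the gateway assigns on the single inside global address.  Translation is shown in both directions, as the text says it must be.  The inside global address 203.0.113.1, the static entry for 10.0.0.5 and the outside server 198.51.100.7 are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

# The three RFC 1918 ranges from the table of private addresses above.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr lies in one of the private ranges (i.e. is an inside local address)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass
class NatGateway:
    """Toy model of a NAT router with two of the features listed above:
    static one-to-one translation and address overloading (port translation).
    All addresses used with it in this example are constructed."""
    inside_global: str                               # ISP-allocated address shared by dynamic hosts
    static: dict = field(default_factory=dict)       # inside local -> inside global (one-to-one)
    table: dict = field(default_factory=dict)        # (inside local ip, port) -> translated port
    reverse: dict = field(default_factory=dict)      # translated port -> (inside local ip, port)
    next_port: int = 1024                            # next free port on the overloaded address

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the inside network; returns the 4-tuple the outside host sees."""
        if not is_private(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)      # already globally routable
        if src_ip in self.static:
            return (self.static[src_ip], src_port, dst_ip, dst_port)
        key = (src_ip, src_port)
        if key not in self.table:
            # Address overloading: two inside hosts may use the same source port,
            # so each flow gets its own port on the single inside global address.
            if self.next_port > 65535:
                raise RuntimeError("port space on the inside global address is exhausted")
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.inside_global, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply from the outside back to the original inside host.
        Returns None when no translation entry exists; a real NAT drops such packets."""
        for local_ip, global_ip in self.static.items():
            if dst_ip == global_ip:
                return (src_ip, src_port, local_ip, dst_port)
        if dst_ip == self.inside_global and dst_port in self.reverse:
            local_ip, local_port = self.reverse[dst_port]
            return (src_ip, src_port, local_ip, local_port)
        return None


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1", static={"10.0.0.5": "203.0.113.5"})
    # Two inside hosts, same source port, same outside web server (constructed addresses)
    print(gw.outbound("10.0.0.10", 40000, "198.51.100.7", 80))  # ('203.0.113.1', 1024, '198.51.100.7', 80)
    print(gw.outbound("10.0.0.11", 40000, "198.51.100.7", 80))  # ('203.0.113.1', 1025, '198.51.100.7', 80)
    print(gw.inbound("198.51.100.7", 80, "203.0.113.1", 1025))  # ('198.51.100.7', 80, '10.0.0.11', 40000)
    print(gw.inbound("198.51.100.7", 80, "203.0.113.1", 9999))  # None
```

Note that inbound() returns None for a packet with no matching entry.  A real NAT router drops such traffic, which is why hosts behind an overloaded address are not reachable from the outside unless a static entry exists for them; this is a side effect of the translation table, not a replacement for a firewall policy.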

Routers are usually configured with fixed static IP addresses, while PCs and other hosts may be assigned dynamic addresses.

One example of an approach to internal IP addressing is Novell's IPX.  Each IPX address contains two parts, the network number and the node number.  The network number is usually the typical IP address.  The node number may be the serial number of the machine or of its network interface card (NIC).

Steps for Designing Network Layer Addressing and Naming.  The following are the main steps outlined in Teare for designing network layer addressing and naming.


Step Descriptions

1. Design a Hierarchy for Addressing

Design a hierarchy for addressing as follows:
  • Autonomous systems
  • Areas
  • Networks
  • Subnetworks
  • End Stations

The hierarchy that you use will depend on the network layer protocol and routing protocol that you are using.

2. Design Route Summarization

Summarization, also known as aggregation, allows one route to represent many routes, resulting in smaller routing tables.  Route summarization is discussed in detail earlier in this chapter.

3. Distribution of Administrative Authority

Once the high-level plan is made for the network, lower-level addressing and naming may be delegated.  For example, if the client has offices in Europe, Asia and North America, the authority to name devices and assign addresses, within established guidelines, could be divided along these geographical lines.

4. Design a Method for Mapping Physical Locations to Network Numbers

Assigning network numbers by geographical location will also aid in the summarization task.  For example, the client who has offices in North America, Europe and Asia could assign a range of addresses to each continent.  This would also likely include giving the local organization's continental officers the right to assign these numbers locally.  The summarized address for each continent would then encompass the entire range of addresses assigned to that continent.

5. Identify Special Stations such as Routers and Servers with Special Node IDs

To facilitate troubleshooting, devices such as routers and servers should have fixed addresses.  For example, all routers could have an IP address with the node part in the range 1 through 19, while all servers have the node part of their addresses in the range 20 through 29.  Then, if during troubleshooting there is a problem with an address that has a node part of 25, it is immediately obvious that this address belongs to a server.

6. Configure User Station Addresses

For scalability, user station addresses should be assigned dynamically rather than statically, if possible.  Dynamic address assignment allocates addresses automatically from a pool as user stations join the network; the addresses are released back into the pool when a device leaves the network.  This simplifies the network administrator's task of changing IP addresses on user stations when users move to a new location, for example.

7. If Necessary, Use Gateways to Map Private Addresses to External Addresses

Private addresses are reserved IP addresses to be used only within a company's network.  These addresses are not to be used on the Internet, so they must be mapped to an organization's external addresses when sending anything on the Internet.

8. Name Servers, Routers, and User Stations

Names should be meaningful to facilitate troubleshooting.  For example, if the company has offices in Europe, Asia and North America, the router and server names should all start with an abbreviation of the continent, such as EUR, ASIA and NA.  This could be suffixed with the last octet of the device's address, for example EUR03 for a router.
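The helper below is an added example, not taken from Teare or from the original notes, that works through steps 2, 4, 5 and 8 on a constructed address plan: one /16 per continent carved out of 10.0.0.0/8, routers with node IDs 1 through 19, servers with node IDs 20 through 29, and names built from the continent abbreviation plus the last octet.  The summarize() function computes the single prefix that covers a continent's subnets, which is the summarized route step 4 refers to.  All blocks and node ranges are assumptions made for the example.

```python
import ipaddress

# Constructed address plan (not from the text): one /16 per continent out of
# 10.0.0.0/8, following step 4, and the node-ID conventions of step 5.
CONTINENT_BLOCKS = {
    "EUR": ipaddress.ip_network("10.1.0.0/16"),
    "ASIA": ipaddress.ip_network("10.2.0.0/16"),
    "NA": ipaddress.ip_network("10.3.0.0/16"),
}
ROLE_BY_NODE = [(range(1, 20), "router"), (range(20, 30), "server")]


def summarize(subnets):
    """Return the single smallest prefix that covers every subnet in the list
    (route summarization, step 2).  Shortens the prefix length until the
    network containing the lowest address also contains the highest one."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):
        candidate = ipaddress.IPv4Network((int(first), plen), strict=False)
        if last in candidate:
            return candidate


def device_address(continent, node_id, subnet_index=0):
    """Fixed address for a special station: a /24 inside the continent block
    plus the node part (step 5)."""
    block = CONTINENT_BLOCKS[continent]
    subnet = list(block.subnets(new_prefix=24))[subnet_index]
    return subnet.network_address + node_id


def role_of(addr):
    """Infer a device's role from the node part (last octet) of its address, as in step 5."""
    node = int(ipaddress.ip_address(addr)) & 0xFF
    for node_range, role in ROLE_BY_NODE:
        if node in node_range:
            return role
    return "user station"


def device_name(addr):
    """Name per step 8: continent abbreviation followed by the last octet, e.g. EUR03."""
    ip = ipaddress.ip_address(addr)
    for abbr, block in CONTINENT_BLOCKS.items():
        if ip in block:
            return f"{abbr}{int(ip) & 0xFF:02d}"
    raise ValueError(f"{addr} is outside every continent block")


if __name__ == "__main__":
    router = device_address("EUR", 3)
    print(router, device_name(router), role_of(router))   # 10.1.0.3 EUR03 router
    print(role_of("10.2.0.25"))                            # server
    print(summarize(["10.1.0.0/24", "10.1.1.0/24",
                     "10.1.2.0/24", "10.1.3.0/24"]))       # 10.1.0.0/22
    print(summarize([str(b) for b in CONTINENT_BLOCKS.values()]))  # 10.0.0.0/14
```

During troubleshooting the role_of() lookup is what the text describes: an address ending in .25 is identified as a server without consulting any inventory, and device_name() produces the EUR03-style name from the address alone.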