How does a computer communicate with something on the internet?

“The growth of the Internet will slow drastically, as the flaw in ‘Metcalfe’s law’ — which states that the number of potential connections in a network is proportional to the square of the number of participants — becomes apparent: most people have nothing to say to each other! By 2005 or so, it will become clear that the Internet’s impact on the economy has been no greater than the fax machine’s.”- Paul Krugman, June 1998

In the early days of the internet, every computer with an IP address was considered to be directly on the Internet, thus every computer had a globally unique IP address to send traffic to, regardless of where it was. The Internet, after all, was only going to be used by very specialized institutions; it would never be adopted by the general public. The 4,294,967,296 IPv4 addresses would be MORE than enough. Well, until it wasn’t.

Turns out, the general public WOULD want to use the Internet. And not only that, but they’d also start having multiple Internet-connected devices per person! We were on a path towards IP address exhaustion, where every possible IP address would be assigned. Two concepts were created to solve this. 

A little privacy would be nice…

The first was the idea of private IP addresses. You may have noticed that no matter where you are, your computer is generally assigned an IP address that’s within a subnet of either 10/8, 172.16/12, or 192.168/16. These private address spaces, and the 17,891,328 IP addresses within them, were specifically reserved for use in private networks. Any organization could use those addresses however they saw fit. However, those addresses were also marked as non-routable on the public Internet. Internet routers are specifically programmed to discard any traffic that has a private source or destination IP address. 

…but everyone enjoys some good publicity!

So now we have these reusable address spaces that are not allowed on the internet, and we need a way to allow those computers to access the internet. The solution to this is NAT, or Network Address Translation. NAT is a process where a router substitutes a source or destination address before forwarding traffic. There are two main types of NAT. The first is one-to-one NAT, also called static NAT or sometimes reflexive NAT. In this configuration, a specific public IP address is configured to be translated to and from a specific private IP address. When that private IP address sends traffic destined for the Internet, the NAT device translates the packet's source IP from the original private IP to the public NAT IP before forwarding it on, and when it receives traffic destined for the NAT address, it translates the destination IP from the public NAT IP back to the private IP. However, this wouldn't solve the problem of IP address exhaustion if we required every private IP to be assigned a unique public NAT IP.

To avoid that, we use one-to-many NAT, sometimes called NAT overload or port address translation (PAT). With this, multiple devices can be "hidden" behind the same shared NAT address. The NAT device translates the private IP to a shared public IP while also translating the source port to a dynamically assigned ephemeral port. This means that two private IPs behind the same NAT can talk to the same public IP, and the NAT device keeps track of the conversations and their assigned ports to prevent the conversations from mixing or colliding. This is how your home, with its laptops, desktops, smartphones, smart TVs, IoT devices, etc. can all work while only being assigned a single public IP from your ISP, and how our clients can deploy any number of private servers without needing to be assigned the same number of public IP addresses.

NAT rules can be very specific. One private IP address could be translated in different ways depending on the destination IP. They can be source NATs that translate based on the source IP or destination NATs that translate based on the destination IP. One-to-many NATs are source NATs, and one-to-one NATs can be source, destination, or both. There are also situations where you may do NAT within a network to translate private IPs to other private IPs. NAT is a very powerful tool that greatly increased the flexibility of IP networking.
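To make the private-address check, the one-to-one translation, and the PAT port tracking described above concrete, here is a small simulator. It is an added example, not code from the original post or from any real NAT device: the addresses are constructed (198.51.100.1 as the shared public address, 203.0.113.5 as the remote server, both from documentation ranges), and the port allocator simply hands out the next free port from the dynamic range, which is a simplification of what real devices do (they also track protocol and expire idle entries).

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private address spaces named in the text: 10/8, 172.16/12, 192.168/16.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if the address falls inside one of the non-routable private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def private_address_count() -> int:
    """Total number of addresses across the three private ranges."""
    return sum(net.num_addresses for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNat:
    """One-to-one NAT: a fixed private<->public address pair, ports untouched."""

    def __init__(self, private_ip: str, public_ip: str):
        self.private_ip, self.public_ip = private_ip, public_ip

    def outbound(self, pkt: Packet) -> Packet:
        assert pkt.src_ip == self.private_ip
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Packet:
        assert pkt.dst_ip == self.public_ip
        return Packet(pkt.src_ip, pkt.src_port, self.private_ip, pkt.dst_port)


class PatRouter:
    """One-to-many NAT (PAT): many private hosts share one public IP."""

    def __init__(self, public_ip: str, port_range=(49152, 65535)):
        self.public_ip = public_ip
        self.next_port, self.last_port = port_range
        # (src_ip, src_port, dst_ip, dst_port) -> allocated public port
        self.outbound_table = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound_table = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source IP to the shared public IP and source port to a unique port."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not a private address")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self.outbound_table.get(key)
        if nat_port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("ephemeral port pool exhausted")
            nat_port = self.next_port          # assumption: sequential allocation
            self.next_port += 1
            self.outbound_table[key] = nat_port
            self.inbound_table[(nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Map a reply back to the private host, or None if no matching state exists."""
        entry = self.inbound_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # unsolicited traffic: no translation state, so it is dropped
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Two private hosts using the same source port reach the same server without colliding."""
    nat = PatRouter("198.51.100.1")
    server = ("203.0.113.5", 443)
    a_out = nat.outbound(Packet("192.168.1.10", 40000, *server))
    b_out = nat.outbound(Packet("192.168.1.11", 40000, *server))
    # The server replies to the public IP and the port the NAT chose for host B.
    reply = nat.inbound(Packet(server[0], server[1], "198.51.100.1", b_out.src_port))
    stray = nat.inbound(Packet(server[0], server[1], "198.51.100.1", 60000))
    return a_out, b_out, reply, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running `demo()` shows the key property: both hosts kept source port 40000 internally, but the NAT assigned them different public ports, so the server's reply to the second port lands on the correct private host, while a packet to a port with no table entry gets no translation and is discarded.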

So, when you are sending a packet to a server on the internet, once the NAT is done, the same ARP/reply/encapsulate/send/receive/decapsulate/process dance happens. At some point, the traffic hits a NAT device on the far end and the destination IP is translated to a private IP (which you will never know or see), and that private host eventually receives the packet and can reply.