Because dynamic NAT translates a large set of addresses into a smaller set of addresses, the addresses could be translated to the same address, in which case the translations are said to collide.
Address collisions occur if the Screen cannot translate the address uniquely. An address collision causes the connection to cease. Address collisions occur only if all of the following conditions are met:

1. Two systems using NAT connect to the same destination service (the same remote address and the same remote port number using the same protocol).
   For example, this condition is met if two systems using NAT establish a web connection to www.sun.com.

2. The two systems choose the same local port number to make the connection.
   Because most systems select from a set of at least 32 000 different local port numbers, the chance of this happening is usually small. If, however, multiple systems boot at the same time (such as after a power failure), this condition can be met more frequently, because systems running the same operating system are likely to assign local port numbers starting at the same number. This is a transient condition, because different events on the two systems will likely cause their local port number selection to diverge over time.

3. The NAT code chooses to translate the two connections using the same translated address.
   Expressed as a probability, the chance of this happening for two systems is 1/M, where M is the number of addresses in the Translated Source field. For example, if the Translated Source field contains an address object that represents 10 addresses, the probability of NAT choosing the same translated source address for two systems is 1/10, or 10 percent.
The probability of a collision is:
Translation collisions cause service to be denied to a network user. They occur when the network software cannot complete the address translation because two or more packets are not uniquely identified. To be delivered, each packet must carry a destination IP address, a destination port, a source IP address, a source port, and a protocol. These elements are processed as a 5-tuple of the form (destaddr, dest port, srcaddr, src port, proto), which is part of the packet header.
A 5-tuple is unique as long as at least one of its five fields differs from the 5-tuple it is being compared with. Since each field has a large number of possible values, the number of possible 5-tuples is enormous. For a translation collision to occur, multiple internal machines translated to the same registered IP address must try to reach the same registered destination address at the same destination port number, from the same source port number, all at the same time, which is an unlikely scenario.
Suppose a user at the unregistered address U5, shown in Figure 7-1, attempts to go to a web page at the registered destination address 192.4.15.37 at destination port 80 from source port 34080 through the registered address R5. Another user at U6 can do the same to the same address and destination port through source port 34070, or go to a different web page through source port 34080.
Table 7-3 shows the translation of unregistered addresses, Un, to registered addresses, Rn.

Table 7-3 Two Dynamic Addresses

| Registered IP Address | Destination IP Address | Destination Port | Source Port | Protocol |
|---|---|---|---|---|
| R4 | 192.4.15.37 | 80 | 34080 (on U5) | tcp |
| R4 | 192.4.15.37 | 80 | 34070 (on U6) | tcp |
| R4 | 192.4.15.44 | 80 | 34080 (on U7) | tcp |
If a user at unregistered address U7 attempts to go to a web page at the registered destination IP address 192.4.15.44 at destination port 80 from source port 34080 using registered address R4, a translation collision will occur. The user at U7 would have to use another source port to have a unique 5-tuple and avoid a translation collision, which would happen automatically during a subsequent attempt to connect.
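As an added illustration (not code from the original manual or the Screen itself), the following Python models the 5-tuple uniqueness check behind translation collisions, replays the Table 7-3 connections through a single translated address, and estimates the 1/M collision probability from the conditions above. The host names U5 to U7 and pool names R0, R1, ... are placeholders, and the translation policy (uniform random choice from the translated-address pool) is an assumption.

```python
import random
from collections import namedtuple

# The 5-tuple the Screen must keep unique for every translated connection.
FiveTuple = namedtuple("FiveTuple", "src_addr src_port dst_addr dst_port proto")

def translate(conn, pick_translated):
    """Dynamic NAT: swap the unregistered source address for a registered one
    returned by pick_translated(); the other four fields are kept."""
    return conn._replace(src_addr=pick_translated())

def find_collisions(conns, pick_translated):
    """Translate connections in order; return pairs whose translated 5-tuples
    are identical, i.e. the connections the Screen cannot identify uniquely."""
    in_use, collisions = {}, []
    for conn in conns:
        t = translate(conn, pick_translated)
        if t in in_use:
            collisions.append((in_use[t], conn))
        else:
            in_use[t] = conn
    return collisions

# Constructed connections mirroring Table 7-3, all translated to R4.
TABLE_7_3 = [
    FiveTuple("U5", 34080, "192.4.15.37", 80, "tcp"),
    FiveTuple("U6", 34070, "192.4.15.37", 80, "tcp"),
    FiveTuple("U7", 34080, "192.4.15.44", 80, "tcp"),
]
# Constructed failing case: U7 reuses U5's source port and destination.
U7_SAME_DEST = FiveTuple("U7", 34080, "192.4.15.37", 80, "tcp")

def table_example():
    """Collision counts for Table 7-3 as given, and with U7_SAME_DEST added."""
    ok = find_collisions(TABLE_7_3, lambda: "R4")
    bad = find_collisions(TABLE_7_3 + [U7_SAME_DEST], lambda: "R4")
    return len(ok), len(bad)

def estimate_collision_rate(m, trials, seed=0):
    """Two hosts meeting conditions 1 and 2 (same destination service, same
    local port) with a pool of m translated addresses: the fraction of trials
    in which NAT picks the same address for both, expected to be about 1/m."""
    rng = random.Random(seed)
    pool = [f"R{i}" for i in range(m)]  # assumed uniform random selection
    pair = [FiveTuple("U5", 34080, "192.4.15.37", 80, "tcp"),
            FiveTuple("U6", 34080, "192.4.15.37", 80, "tcp")]
    hits = sum(bool(find_collisions(pair, lambda: rng.choice(pool)))
               for _ in range(trials))
    return hits / trials
```

Running `table_example()` gives no collision for the table rows themselves (U6 differs in source port, U7 in destination address) and exactly one once U7 reuses U5's full tuple; `estimate_collision_rate(10, 20000)` lands close to the 10 percent stated above.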
Situations such as power failures typically result in translation collisions. When power is restored, all hosts on a network come up at the same time and try to reestablish network connections. Each host's operating system resets its source port counter to a low number. It may take time for the counters on each machine to cycle up to higher and more randomized port numbers (which are more likely to produce unique 5-tuples). In the interim, translation collisions may cause network service to be denied temporarily. Internal hosts must continue trying to establish network connections until the NAT rules resolve the translation collisions.
Ports 0 through 1024 are reserved for well-known port assignments and are controlled by the IANA. To avoid conflicts, the Solaris operating environment uses ports that range approximately from 32768 through 65535. Different implementations of TCP/IP in various operating environments have different rules and limits for their optional (ephemeral) port choices.