SunScreen 3.2 Administrator's Overview

Dynamic NAT Collisions

Because dynamic NAT translates a large set of addresses into a smaller set of addresses, the addresses could be translated to the same address and port numbers, in which case the translations are said to collide.


Note -

The chance of such a collision is very small.


Address collisions occur if the Screen cannot translate the address uniquely. An address collision causes the connection to cease. Address collisions occur if all the following conditions are met:

For example, this condition is met if two systems using NAT establish a web connection to www.sun.com.

Because most systems select from a set of at least 32 000 different local port numbers, the chance of this happening is usually small.

Expressed as a probability, the chance of this happening for two systems is 1/M, where M is the number of addresses in the Translated Source field. For example, if the Translated Source field contains an address object that represents 10 addresses, the probability of NAT choosing the same translated source address for two systems is 1/10, or 10 percent.

The probability of a collision is equal to the probability of two systems connecting to the same remote service, times the probability of those two systems choosing the same local port, divided by the number of addresses in Translated Destination.

Translation collisions cause service to be denied to a network user. They occur when the network software cannot complete the address translation because two or more packets are not uniquely identified. To be delivered, each packet must carry a destination IP address, a destination port, a source IP address, a source port, and a protocol. These elements are processed as a 5-tuple of the form (dest addr, dest port, src addr, src port, proto), which is part of the packet header.

A 5-tuple is unique as long as at least one of its five fields differs from the corresponding field of every other 5-tuple it is compared against. Because each field has a large number of possible values, the number of possible 5-tuple combinations is enormous. Therefore, for a translation collision to occur, multiple internal machines using the same registered IP address must try to reach the same registered destination address at the same destination port number, from the same source port number, all at the same time.

Suppose a user at the unregistered address U5, shown in Table 7-3, attempts to go to a web page at the registered destination address 192.4.15.37 at destination port 80 from source port 34080 through the registered address R4. Another user at U6 can do the same to the same address and destination port through source port 34070, or go to a different web page through source port 34080.

The table below shows the translation of unregistered addresses, Un, to registered addresses, Rn.

Table 7-3 Two Dynamic Addresses

Registered IP Address   Destination IP Address   Destination Port   Source Port      Protocol
R4                      192.4.15.37              80                 34080 (on U5)    tcp
R4                      192.4.15.37              80                 34070 (on U6)    tcp
R4                      192.4.15.44              80                 34080 (on U7)    tcp

If a user at unregistered address U7 attempts to go to a web page at the registered destination IP address 192.4.15.44 at destination port 80 from source port 34080 using registered address R4, a translation collision will occur. The user at U7 would have to use another source port to obtain a unique 5-tuple and avoid the collision; this happens automatically on a subsequent connection attempt, because the host picks a new ephemeral source port for each new connection.

Situations such as power failures typically result in translation collisions. When power is restored, all hosts on a network come up at the same time and try to reestablish network connections. Each host's operating system resets its source port counter to a low number, and the counters on the different machines may take time to cycle up to higher and more randomized port numbers, which are more likely to produce unique 5-tuples. In the interim, translation collisions may cause network service to be denied temporarily. Internal hosts must keep trying to establish network connections until the NAT rules resolve the translation collisions.
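The following toy model, added here as an illustration and not taken from SunScreen or its documentation, ties together the 5-tuple uniqueness rule, the automatic retry from a new source port after a collision, the post-power-failure scenario in which every host restarts its port counter at the same value, and the collision-probability formula given above. It keys each translated connection by (dest addr, dest port, translated src addr, src port, proto), as the text describes. The round-robin choice of registered address from the Translated Source pool and the per-connection port increment are modelling assumptions; the host names U5, U6 and R4 follow Table 7-3, and all other values are constructed sample data.

```python
"""Toy model of dynamic NAT translation collisions (added illustration, not
SunScreen code).  A translated connection is keyed by the 5-tuple from the
text: (dest addr, dest port, translated src addr, src port, proto).  A new
connection whose translated 5-tuple is already in use collides and is
refused; the host gets through on a later attempt from another source port.
Host names (U5, U6, R4) follow Table 7-3; all other values are constructed."""
from dataclasses import dataclass
from fractions import Fraction
from itertools import cycle


@dataclass(frozen=True)
class Flow:
    src_host: str            # unregistered internal host, e.g. "U5"
    src_port: int
    dst_addr: str
    dst_port: int
    proto: str = "tcp"


class DynamicNat:
    """Maps internal hosts onto a pool of registered (Translated Source) addresses."""

    def __init__(self, registered_pool):
        self._pick = cycle(registered_pool)  # round-robin choice (an assumption)
        self.table = {}                      # translated 5-tuple -> Flow

    def connect(self, flow):
        """Return the translated 5-tuple, or None on a translation collision."""
        registered = next(self._pick)
        key = (flow.dst_addr, flow.dst_port, registered, flow.src_port, flow.proto)
        if key in self.table:
            return None                      # packet would not be uniquely identified
        self.table[key] = flow
        return key


# Constructed sample: U5 and U6 are the first two rows of Table 7-3; U7 is a
# third host that reuses U5's source port against the same server.
EXAMPLE_FLOWS = [
    Flow("U5", 34080, "192.4.15.37", 80),
    Flow("U6", 34070, "192.4.15.37", 80),
    Flow("U7", 34080, "192.4.15.37", 80),
]


def run_example(flows=EXAMPLE_FLOWS, pool=("R4",)):
    """Return {host: translated tuple or "collision"} for each connection attempt."""
    nat = DynamicNat(pool)
    return {f.src_host: (nat.connect(f) or "collision") for f in flows}


def connect_with_retry(nat, flow, max_tries=8):
    """Retry from the next ephemeral port until the translated 5-tuple is unique.
    Returns (attempts, translated tuple)."""
    for attempt in range(1, max_tries + 1):
        key = nat.connect(flow)
        if key is not None:
            return attempt, key
        flow = Flow(flow.src_host, flow.src_port + 1, flow.dst_addr, flow.dst_port, flow.proto)
    raise RuntimeError(f"{flow.src_host}: no unique translation after {max_tries} tries")


def simulate_restart(num_hosts, first_port=32768, dst=("192.4.15.37", 80), pool=("R4",)):
    """Power-failure scenario: every host comes up with its port counter reset to
    first_port and all target the same service.  Returns the number of retry
    rounds needed before every host holds a translation."""
    nat = DynamicNat(pool)
    pending = {f"H{i}": first_port for i in range(num_hosts)}
    rounds = 0
    while pending:
        rounds += 1
        for host, port in list(pending.items()):
            if nat.connect(Flow(host, port, *dst)) is not None:
                del pending[host]
            else:
                pending[host] = port + 1     # counter advances before the next try
    return rounds


def collision_probability(p_same_service, local_ports, pool_size):
    """The text's formula: P(same remote service) * P(same local port) / pool size,
    with P(same local port) = 1 / local_ports."""
    return Fraction(p_same_service) / (local_ports * pool_size)


if __name__ == "__main__":
    print(run_example())                     # U7 collides with U5
    nat = DynamicNat(("R4",))
    nat.connect(EXAMPLE_FLOWS[0])
    print(connect_with_retry(nat, EXAMPLE_FLOWS[2]))
    print("rounds after restart:", simulate_restart(5))
    print("P(collision):", collision_probability(1, 32000, 10))
```

With a single registered address, every host that restarts with the same port counter collides with all but one of its peers each round, so the number of rounds grows with the number of hosts; a larger Translated Source pool spreads the same source ports over more registered addresses and shortens the outage, which is the effect the 1/M term in the probability formula captures.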


Note -

Ports 0 through 1024 are reserved for well-known port assignments and are controlled by the IANA. To avoid conflicts, the Solaris operating environment uses ports that range approximately from 32768 through 65535. Different implementations of TCP/IP in various operating environments have different rules and limits for their optional (ephemeral) port choices.