The Nat Pool Logging Problem
A problem with the normal usage of a NAT pool is that a log event message may have to be generated every time a user's IP address is translated by the NAT pool mechanism and their flow is allocated a port number and IP address. Logging of all new flows might be necessary because local legislation requires that a service provider can identify the actual IP address of a given user. The constant generation of log messages poses a storage problem when large numbers of users are constantly connecting and disconnecting, and this can become costly.
The Deterministic NAT Solution
The Clavister NetShield Firewall provides a solution to this problem with a feature of NAT pools called Deterministic NAT. When this is enabled on a NATPool object, instead of logging every flow, an algorithm can be used to find out which user was using a given port number and shared IP address.
Deterministic NAT Setup
In order to set up this feature, the following steps are needed:
Create a NATPool object as normal. This is described in Section 9.3, NAT Pools.
Set the Type property of this object to be Deterministic.
Change any of the NATPool properties related to deterministic NAT if the default values are not sufficient for the traffic load expected. These properties and their function are described later in this section.
Now use the NATPool object with an IPRule object.
Deterministic and Dynamic IP Mapping
The algorithm used for deterministic NAT is configured to deal with a certain number of concurrent flows. While the number of flows is below this level, the algorithm can be applied and no logging is necessary since the user IP can always be calculated. This state is referred to as deterministic assignment.
However, when the concurrent flows exceed the maximum expected, the algorithm can no longer be applied and normal logging of NAT allocation takes place. This state is referred to as dynamic assignment. As explained next, the tool used to calculate the user's IP address will indicate if the address was allocated dynamically, in which case the log event messages must be examined.
Avoiding dynamic port assignment depends on whether the default parameters for the algorithm are sufficient for the demands of the traffic flows. If they are not, the administrator must change them and/or expand the IP address pool to deal with the expected traffic load. The configurable properties for deterministic NAT are explained later in this section.
Disabling Dynamic Assignment
One of the NAT pool properties discussed later is DynPoolRatio. When this is set to zero, dynamic mapping is disabled entirely. However, if deterministic mapping then runs out of IP/port combinations, the excess flows that cannot be mapped will be dropped and the following log message is generated:
prio=warning id=1091 event=deterministic_natpool_found_no_free_ports_for_ip name=det internalip=192.168.12.32 blocksizedet=1 blocksizedyn=0 action=drop
Identifying the IP Address of a User
The following is the procedure for identifying a user:
Use the CLI command natpool -reverse to calculate the IP address. This command requires the NATPool object used for the mapping, or an exact copy of it, as a parameter, so it is important that this object (or an exact copy) is still available when the calculation is done.
The resulting output provides the IP address, unless the Internal IP Range is indicated as "Dynamic". If the assignment was dynamic then the IP address will have to be determined by examining the log event messages.
An example of using the natpool -reverse command is given at the end of this section in Example 9.7, “Calculating a Deterministic NAT User IP”.
NAT Pool Properties for Deterministic NAT
As mentioned, there are a number of properties of a NATPool object that control the functioning of the deterministic NAT pool mechanism. They are the following:
DynBlockAllocation
This property can be either of the following values:
InternalNetwork - This is the default value, and means that an internal IP that is outside the NAT pool's InternalNetwork will not get a mapping. Instead, the log message NATPool_DetNATDeniedIP will be generated and the flow will be dropped.
AnyIP - This setting means that an internal IP that is outside the InternalNetwork property of the NAT pool will still be mapped. However, the mapping of such an IP outside the range will always be dynamic (the algorithm will not be used) so the user IP must be looked up in the event message log. The IP rule associated with the IP pool would also need a SourceNetwork property setting that allowed the out-of-range IP.
CompressionRatio
This specifies how many internal IPs will be mapped to each external IP. It affects the deterministic mapping algorithm. The possible values are:
Auto - This is the default value and means the property is calculated as follows:
CompressionRatio = roundup (internal_ip_count / external_ip_count)
The internal_ip_count and external_ip_count values are calculated from the IP pool properties InternalNetwork and ExternalIPPool respectively.
An integer between 1 and 65535 - This is the number of internal IPs mapped to each external IP and is used only if there is a need to customize the mapping.
DynPoolRatio
This is an integer value between 0 and 100 and specifies the percentage of available ports that will be used for dynamic port block allocation. Note that this percentage of the available ports is always reserved for dynamic allocation, whether or not it is in use.
If this property is set to 0 (the default), dynamic allocation is disabled. In addition, the properties DynBlockAllocation, DynBlockSize and DynBlockAllocLimit will have no meaning since all mapping will be deterministic.
DynBlockSize
This specifies the size of each dynamic port block.
Auto - This is the default setting and means the size is calculated as follows:
DynBlockSize = rounddown( (total_ports - reserved_ports - CompressionRatio) * DynPoolRatio / CompressionRatio )
An integer between 1 and 65535 - This is the port block size and is used only if there is a need to customize the mapping.
DynBlockAllocLimit
This specifies the maximum number of dynamic port blocks that can be allocated for each internal IP. The default value is 1. Note that there can be multiple port blocks for dynamic mapping but only a single port block for deterministic mapping.
DetBlockSize
This specifies the number of external ports in each pre-allocated deterministic port block. This property is the key driver of the mapping mechanism if dynamic mapping is disabled. If dynamic mapping is enabled, this property and DynBlockSize should both be considered.
Auto - This is the default setting and means the size is calculated as follows:
DetBlockSize = rounddown( (total_ports - reserved_ports - dynamic_ports - CompressionRatio) / CompressionRatio )
Here, total_ports is 65535 and reserved_ports is 1023. Also:
dynamic_ports = rounddown( (total_ports - reserved_ports - CompressionRatio) * DynPoolRatio )
An integer between 1 and 65535 - This is the number of external ports in each block and is used only if there is a need to customize the mapping.
Calculating the User IP Manually
It is useful to describe examples of manually determining the user IP from a deterministic mapping. In practice, it should not be necessary to do these calculations manually, since the natpool -reverse CLI command performs them automatically. This description is included for completeness.
The index into the InternalIPPool is calculated as follows:
Index = rounddown( (ExternalPort-ReservedPorts)/DetBlockSize + CompressionRatio * ExternalIPIndex)
Where ExternalIPIndex is the index of the external IP in the configured ExternalIPPool assuming that the first position has an index value of 0.
The derived Index value can indicate if the mapping was deterministic (the internal IP can be determined mathematically) or dynamic (the internal IP must be looked up in the event message logs). The rules for deciding which should be used are the following:
Calculate the following:
(CompressionRatio + CompressionRatio * ExternalIPIndex)
If the Index is less than this value then the mapping was deterministic.
If the Index is greater or equal to this value then the mapping was dynamic.
The examples below are all based on the following NATPool object:
System:/>
add NATPool my_dnatpool_example
Type=deterministic
ExternalIPPool=203.0.113.51-203.0.113.60
InternalNetwork=192.0.2.0/24
DynPoolRatio=10
DynBlockAllocLimit=2
Example 1: Who had the external IP 203.0.113.51:4096?
Get the values for the following properties: CompressionRatio, DynPoolRatio, DetBlockSize, DynBlockSize.
If needed, calculate the DynPortQuantity:
DynPortQuantity = rounddown((TotalPorts-ReservedPorts-CompressionRatio)*DynPoolRatio) = rounddown((65535-1023-26)*0.1) = 6448
If needed, calculate the DetBlockSize:
DetBlockSize = rounddown((TotalPorts-ReservedPorts-DynPortQuantity-CompressionRatio)/CompressionRatio) = rounddown((65535-1023-6448-26)/26) = 2232
Now calculate the internal IP Index value, assuming that the ExternalIPIndex is 0 (because 203.0.113.51 is the first usable IP in the ExternalIPPool):
Index = rounddown( (ExternalPort-ReservedPorts)/DetBlockSize + CompressionRatio * ExternalIPIndex ) = rounddown( (4096-1023)/2232 + 26*0 ) = 1
Starting from 0, an Index of 1 is the second IP in the InternalNetwork, 192.0.2.1 (since 192.0.2.0 is the first IP).
Example 2: Who had the external IP 203.0.113.52:4096?
Assuming the ExternalIPIndex is 1, calculate the internal IP Index:
Index = rounddown( (ExternalPort-ReservedPorts)/DetBlockSize + CompressionRatio * ExternalIPIndex ) = rounddown( (4096-1023)/2232 + 26*1 ) = 27
The Index is 27 starting from 0 and this corresponds to the IP address 192.0.2.27.
Example 3: Who had the external IP 203.0.113.53:60000?
Calculate the internal IP Index, assuming this time the ExternalIPIndex to be 2:
Index = rounddown( (ExternalPort-ReservedPorts)/DetBlockSize + CompressionRatio * ExternalIPIndex ) = rounddown( (60000-1023)/2232 + 26*2 ) = 78
Compare the result to the following:
(CompressionRatio+CompressionRatio*ExternalIPIndex) = 26+26*2 = 78
Since the result is greater than or equal to this, the flow was opened using a dynamic mapping. This means the dynamic logs need to be searched to find the internal IP address.
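The property formulas and the three hand calculations above, carried through in code so that the deterministic/dynamic decision and the port block a flow belongs to can be checked for any external IP and port in the pool. This is an added example, not Clavister code; it reuses the NATPool values from this section and assumes that port blocks start at the first usable port (1024), which is what the port ranges printed by natpool in the later examples show.

```python
import ipaddress
import math

TOTAL_PORTS = 65535    # total_ports, as given on the page
RESERVED_PORTS = 1023  # reserved_ports, as given on the page
FIRST_PORT = RESERVED_PORTS + 1  # first port handed out to a block (1024)


class DeterministicNatPool:
    """Added illustration of the deterministic NAT pool arithmetic (not Clavister code)."""

    def __init__(self, ext_first, ext_last, internal_network, dyn_pool_ratio=0):
        self.ext_first = int(ipaddress.IPv4Address(ext_first))
        self.ext_count = int(ipaddress.IPv4Address(ext_last)) - self.ext_first + 1
        self.internal = ipaddress.IPv4Network(internal_network)
        # CompressionRatio = roundup(internal_ip_count / external_ip_count)
        self.compression_ratio = math.ceil(self.internal.num_addresses / self.ext_count)
        usable = TOTAL_PORTS - RESERVED_PORTS - self.compression_ratio
        # dynamic_ports = rounddown((total_ports - reserved_ports - CompressionRatio) * DynPoolRatio)
        self.dynamic_ports = usable * dyn_pool_ratio // 100
        # DetBlockSize = rounddown((total_ports - reserved_ports - dynamic_ports - CR) / CR)
        self.det_block_size = (usable - self.dynamic_ports) // self.compression_ratio
        # Ports at or above this value on any external IP belong to the dynamic region.
        self.dynamic_start = FIRST_PORT + self.compression_ratio * self.det_block_size

    def reverse(self, ext_ip, ext_port):
        """Mirror of 'natpool -reverse': returns (range_type, internal_ip, (first_port, last_port))."""
        ext_ip_index = int(ipaddress.IPv4Address(ext_ip)) - self.ext_first
        if not 0 <= ext_ip_index < self.ext_count:
            raise ValueError(f"{ext_ip} is not in the ExternalIPPool")
        if not FIRST_PORT <= ext_port <= TOTAL_PORTS:
            raise ValueError(f"port {ext_port} is reserved or out of range")
        if ext_port >= self.dynamic_start:
            # Equivalent to the page's test 'Index >= CompressionRatio + CompressionRatio*ExternalIPIndex':
            # the flow was mapped dynamically, so only the event log can name the user.
            return ("dynamic", None, (self.dynamic_start, TOTAL_PORTS))
        # Block position within this external IP, counted from the first usable port (1024).
        # The page writes (ExternalPort-ReservedPorts)/DetBlockSize; both forms agree except on
        # an exact block boundary, where the ranges printed by natpool match this form.
        block = (ext_port - FIRST_PORT) // self.det_block_size
        index = block + self.compression_ratio * ext_ip_index  # index into InternalNetwork
        first = FIRST_PORT + block * self.det_block_size
        ports = (first, first + self.det_block_size - 1)
        if index >= self.internal.num_addresses:
            return ("unassigned", None, ports)  # block exists but no internal IP maps to it
        return ("deterministic", str(self.internal[index]), ports)
```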
Displaying Deterministic NAT Status
The administrator can use the natpool <natpool-name> command to display the current status of a deterministic NAT pool. The -verbose option can be added to provide complete information. Below is an example:
System:/>
natpool my_det_natpool -verbose
External IP Pool : 203.0.113.51-203.0.113.60
Internal Network : 192.168.20.10-192.168.20.40
Deterministic Port Block Size : 10
Dynamic Address Pool Ratio : 10 %
Dynamic Allocation Port Block Size : 10
Compression Ratio : 1
Reserved Port Range : 1-1023
Highest flow count (External IP) : 15 (203.0.113.52)
Highest dynamic block count (External IP) : 1 (203.0.113.52)
Highest dynamic block user (Internal IP) : (192.168.20.11)
Total TCP flow count (NATPool) : 15
Total UDP flow count (NATPool) : 0
Average TCP flows, deterministic blocks : 10
Average UDP flows, deterministic blocks : 0
Average TCP flows, dynamic blocks : 5
Average UDP flows, dynamic blocks : 0
Deterministic NAT bindings:
External IP    Port Range  Internal IP Range  Flow Count
-------------  ----------  -----------------  ----------
203.0.113.51   1024-1033   192.168.20.10      0
203.0.113.51   1034-65535  <dynamic>          0
203.0.113.52   1024-1033   192.168.20.11      10
203.0.113.52   1034-65535  <dynamic>          5
In the above, the lines with <dynamic> in them represent the dynamic mappings. The other lines represent deterministic mappings.
An alternative way to find the mapping for a particular internal address, is to use the -internalip option:
System:/>
natpool <natpool-name> -internalip=<int-ip_address>
An example of usage along with the resulting output is shown below:
System:/>
natpool my_det_natpool -internalip=192.168.20.11
Deterministic NAT bindings:
External IP    Port Range  Range type       Internal IP    Flow Count
-------------  ----------  ---------------  -------------  ----------
203.0.113.52   1024-1033   <deterministic>  192.168.20.11  10
203.0.113.52   1034-1043   <dynamic>        192.168.20.11  5
cOS Stream will indicate if an internal address cannot be found:
System:/>
natpool my_det_natpool -internalip=192.0.2.1
IP (192.0.2.1) not found on any ip range for the (my_det_natpool) NAT Pool.
Similarly, to find the mapping for a given external address, the -externalip option can be used:
System:/>
natpool <natpool-name> -externalip=<ext-ip_address>
An example of usage along with the resulting output is shown below:
System:/>
natpool my_det_natpool -externalip=203.0.113.52
Deterministic NAT bindings:
External IP    Port Range  Range type       Internal IP    Flow Count
-------------  ----------  ---------------  -------------  ----------
203.0.113.52   1024-1033   <deterministic>  192.168.20.11  10
203.0.113.52   1034-1043   <dynamic>        192.168.20.11  5
cOS Stream will indicate if an address is actually an internal IP:
System:/>
natpool my_det_natpool -externalip=192.168.20.11
IP (192.168.20.11) is identified as internal.
Please use -internalip flag instead.
Example 9.6. Deterministic NAT Setup
This example closely follows Example 9.5, “Using NAT Pools” but uses deterministic NAT so that logging is kept to a minimum.
It creates a deterministic NAT pool with the external IPv4 address range 203.0.113.51 to 203.0.113.60 which is then used in a NAT IP rule for HTTP traffic coming from the protected network if1_net on the if1 interface. This traffic is destined for the public Internet which is connected to the if2 interface.
The default property values for the deterministic NAT pool mechanism are assumed.
Command-Line Interface
Create an address book object that specifies the IP range for the pool:
System:/>
add Address IPAddress nat_pool_range
Address=203.0.113.51-203.0.113.60
Create the NATPool object that is deterministic:
System:/>
add NATPool my_det_natpool
Type=Deterministic
ExternalIPPool=nat_pool_range
InternalNetwork=if1_net
Change the context to be the main IP rule set:
System:/>
cc RuleSet IPRuleSet main
Now, create the IP rule to perform NAT:
System:/IPRuleSet/main>
add IPRule
SourceNetwork=if1_net
SourceInterface=if1
DestinationNetwork=all-nets-ip4
DestinationInterface=if2
Service=http
Action=Allow
SourceTranslation=NAT
SetSourceAddress=NATPool
NATPool=my_det_natpool
Name=lan_to_wan_det_nat
Restore the default CLI context:
System:/IPRuleSet/main>
cc
To add a core route, change the context to be the main routing table:
System:/>
cc RoutingTable main
Create the route to add the core route and specify proxy ARP:
System:/RoutingTable/main>
add Route
Interface=core
Network=nat_pool_range
ProxyArpInterfaces=if2
Restore the default CLI context:
System:/RoutingTable/main>
cc
Note that when defining the route, the property ProxyArpAllInterfaces=Yes could have been used to enable proxy ARP on all interfaces.
Example 9.7. Calculating a Deterministic NAT User IP
This example shows how the IP address of a user, mapped by the deterministic NAT pool described above in Example 9.6, “Deterministic NAT Setup”, can be calculated using the natpool CLI command.
Note that the NATPool object used with the -reverse option must be the same object that was used for the original mapping, or an exact copy of it.
Command-Line Interface
Use the natpool -reverse command with the external IP address and port to calculate the internal IP address:
System:/>
natpool -reverse my_det_natpool
-externalip=203.0.113.51
-externalport=2500
External IP Pool : 203.0.113.51-203.0.113.60
Internal Network : 192.0.2.0-192.0.2.255
Deterministic Port Block Size : 1240
Dynamic Address Pool Ratio : 50 %
Dynamic Allocation Port Block Size : 1240
Compression Ratio : 26
Reserved Port Range : 0-1023
Deterministic NAT bindings:
External IP   Port Range  Internal IP Range
------------  ----------  -----------------
203.0.113.51  2264-3503   192.0.2.1
If port assignment was dynamic and the address can only be found by looking at the event log, the output looks like the following instead:
natpool -reverse my_det_natpool
-externalip=203.0.113.51
-externalport=35000
External IP Pool : 203.0.113.51-203.0.113.60
Internal Network : 192.0.2.0-192.0.2.255
Deterministic Port Block Size : 1240
Dynamic Address Pool Ratio : 50 %
Dynamic Allocation Port Block Size : 1240
Compression Ratio : 26
Reserved Port Range : 0-1023
Deterministic NAT bindings:
External IP   Port Range   Internal IP Range
------------  -----------  -----------------
203.0.113.51  33264-65535  <dynamic>