Internet protocol (IP) addresses encode the topological location of a point of network attachment and thus can reveal information about the topology of a network to peers outside the network. Revealing topological information constitutes a security vulnerability, since the information can be useful in planning attacks against the network. Attackers may use this information to identify attack targets. For example, a denial-of-service attack against a server may more easily be executed via a host on the server's link, and such a host can typically be identified by comparing its address to the address of the server in question. Depending on the security requirements of a network, the concealment of network topology may therefore be considered important.
The problem of revealing network-topological information is hard because the encoding of this information in IP addresses is a key component of Internet routing. Traditional methods to defend network security, such as firewalls and encryption mechanisms, do not solve the problem because they do not alter IP addresses. The only existing method to conceal the topology of networks is address translation, also known as network address translation (NAT). Address translators separate the addresses used internally within a network from the addresses at which the network is externally reachable by peers on the Internet. They multiplex the set of internal addresses onto one, or a few, external addresses. Since only internal addresses, and not external addresses, encode topological information about the network, topological information is concealed from peers on the Internet.
As of today, address translation, as a means for network topology concealment, is only available for IP version 4 (IPv4). Although address translators have recently been proposed for IP version 6 (IPv6), these do not support network topology concealment because they copy the topologically significant information between internal and external addresses.
IPv4 address translators inspect port numbers from received packets when de-multiplexing packets received at an external address back onto the corresponding internal address. The mapping from a port number to an internal address is stateful, since the mapping between port numbers and internal addresses must be stored for each packet flow. The stateful address de-multiplexing of IPv4 address translators has disadvantages. First, hosts behind an address translator cannot be contacted by peers on the Internet because the external address at which they are reachable by those peers is not unique. In addition, packet flows that are initiated via an address translator must continue to traverse this address translator due to the state that address translators maintain. Rerouting to a different path in case of failure is impossible. Furthermore, address translators cannot process packet flows without changeable port numbers. This includes packet flows without port numbers, as well as packet flows where the port numbers are part of an encrypted or authenticated portion of the packets.
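The stateful, port-based de-multiplexing described above, as an added example (not from the original text): a small Python model of an IPv4 address translator showing how several internal addresses are multiplexed onto one external address, and why unsolicited inbound packets, a second translator on a rerouted path, and flows without changeable port numbers all fail. All addresses and port values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str               # source IP address
    dst: str               # destination IP address
    sport: Optional[int]   # None models a flow without a changeable port number
    dport: Optional[int]

class NAT:
    """Constructed model of a stateful IPv4 address translator (not real code)."""
    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        # Per-flow state: this is what ties a flow to this one translator.
        self.out_map: Dict[Tuple, int] = {}           # flow key -> external port
        self.in_map: Dict[int, Tuple[str, int]] = {}  # external port -> (int ip, int port)

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        """Internal -> Internet. The internal address never leaves the network."""
        if pkt.sport is None:
            return None  # no port to rewrite (e.g. port encrypted/authenticated)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:  # first packet of the flow: create state
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.external_ip, pkt.dst, self.out_map[key], pkt.dport)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> internal. Only packets matching existing state get through."""
        entry = self.in_map.get(pkt.dport)
        if entry is None:
            return None  # unsolicited (or rerouted past the stateful box): dropped
        int_ip, int_port = entry
        return Packet(pkt.src, int_ip, pkt.sport, int_port)

def same_link(a: str, b: str, prefix_len: int = 24) -> bool:
    """Do two addresses share a prefix, i.e. look like neighbours on one link?"""
    net = lambda ip: ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return net(a) == net(b)
```

Two internal hosts on one link translate to the same external address, so a peer comparing their external addresses learns nothing about which link they share; a peer addressing a port for which no state exists, or a second translator on a failover path, cannot deliver the packet.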
Due to these disadvantages, address translators are widely considered "harmful" and to be avoided where possible. Unfortunately, there is as yet no alternative solution for network topology concealment.