Network Address Translation (RFC1631 [IP Network Address Translator, Request For Comments 1631, http://www.ietf.org/rfc/rfc1631.txt]) defines a gateway function, by which the gateway bi-directionally translates an IP address range between its two sides. Network Address Translation (“NAT”) has many uses, most of them beyond the scope of this document.
NAT may be one-to-one, in which case each IP address on one “side” is translated into one IP address on the other, and vice versa. A specific type of NAT is the Network/Port Address Translation (“NPAT”, sometimes also called “PAT” or Masquerading). In this mode, the gateway maps many IP addresses on one “side” (typically “inside”) into one IP address (or a few of them) on the other (“outside”). The mapping is done by allocating unique TCP or UDP ports for each connection/conversation, maintaining a state table for all connections going through the gateway to preserve this mapping for returning packets. Such a per-connection mapping entry is usually removed from the tables when it either (a) terminates or (b) times out. In this mode, a high number of hosts (IP addresses) may exist behind one gateway performing NPAT, and their network traffic will be seen on the other side of the translating device (usually “The World”) as coming from a single IP address (or a few of them). In a sense, their connections are multiplexed into one IP address
While somewhat inaccurate, in the consumer/non-technical realm, the term NAT is widely used to denote NPAT. In the discussion below, we will use the term NAT primarily to indicate NPAT.
The existence of NAT multiplexing on a network has been a challenge to network and security administrators, as it can potentially hide unauthorized hosts, or even entire networks, from network monitors, security systems and administrators. This threat can be made much more severe if the NAT gateway is also a wireless router or access point, since then the hidden hosts can be outside the organization's premises. Detection of such translating devices on a network has hence been an interesting and important problem, and attempts have been made to detect such translating hosts or devices [A Technique for Counting NATted hosts, Steven M. Bellovin, http://www.cs.columbia.edu/˜smb/papers/fnat.pdf], [Internet Protocol, Request for Comments 791, http://www.ietf.org/rfc/rfc791.txt. Those proposed techniques used passive analysis of network traffic.
Many devices in today's networks perform Network Address Translation (“NAT”), and particularly NPAT. Among such devices are consumer-type routers and gateways (including wireless gateways), end-user PC's (desktops or laptops) sharing a network connection, and more.
There is a need in the field of network security and management for improved methods of actively detecting NAT gateway devices on a network.