RFC (Request For Comments) 1918, published by the IETF (Internet Engineering Task Force) on the basis of address blocks reserved by the IANA (Internet Assigned Numbers Authority), covers private networks and private addresses. It was intended to remedy the limited number of addresses available in version 4 of the IP standard. Private addresses are taken from particular ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), and routers of the public network, for example the Internet, do not route to them. Because the same private ranges can be reused independently in every private network, a large number of computer terminals can be connected to private networks without each consuming a public address.
Terminals in the private network that need to communicate with computer terminals in the public network must do so via network boundary equipment, some of which is referred to as a gateway and has an IP address in the public network and an IP address in the private network. Gateways act as agents of the terminals of the private network in respect of requests to the public network. They receive requests from a private terminal at their private IP address and forward those requests on the public network using their public IP address. When the response to a request reaches the gateway, the gateway forwards it to the private network terminal that submitted the request, using that terminal's private address. RFC 3022 covers this NAT (Network Address Translation) mechanism.
Another kind of network boundary equipment, associated with gateways and known as a firewall, serves as a security entity controlling access to and from the Internet. Firewalls apply rules that may be more or less restrictive.
Certain types of application use proxies specific to particular protocols, the best known being HTTP (HyperText Transfer Protocol) and FTP (File Transfer Protocol) proxies. These proxies receive requests from private network terminals and forward them over the public network on behalf of those terminals. They may be placed behind gateways. Because they are mandatory transit points for communications conforming to a given protocol, particular services have been added to them, such as a cache mechanism in the case of HTTP proxies.
One of the main features of the NAT mechanism is that it is asymmetrical. An IP packet can pass freely from the private network to the public network. In contrast, a packet can pass from the public network to the private network only if a packet has previously travelled in the opposite direction. Thus a private network terminal must take the initiative for any communication.
The underlying mechanism is based on the concept of a route. For equipment performing a NAT operation, a route is a set of three “IP address-port” pairs. When a packet from the private network reaches the network boundary equipment, the equipment stores the “IP address-port” pair of the private network terminal that sent the packet; that pair is called pair1. The destination “IP address-port” pair in the public network is called pair2, and the “IP address-port” pair of the public interface of the boundary equipment via which the packet will be forwarded is called pair3 (the port of pair3 is chosen by the equipment, since many private terminals share its single public address). When a packet from the public network reaches the public interface, the network boundary equipment looks for a corresponding route, i.e. a previously elected route whose pair2 matches the source of the packet and whose pair3 matches its destination. If such a route exists, the packet is forwarded to pair1 of that route. If there is no previously elected route, the packet is not forwarded on the private network. Thus a packet arriving from the public network can be forwarded on the private network only if a packet from the private network has previously created a route for it. Hence the asymmetrical nature of the NAT mechanism.
This mechanism has many limitations that have become increasingly obvious as the diversity of applications on the Internet has increased and private networks have proliferated: private networks are no longer restricted to corporations, but are equally relevant to a large proportion of the general public, usually connected via ADSL.
Consider a help service. Increasing numbers of computer terminals are now equipped with an onboard HTTP server used for configuration purposes. Yet it is not possible at present for a technician on a public network to verify and correct a faulty equipment configuration via an HTTP connection, because no route exists towards the equipment's private address. At best, the technician can ask the customer to redirect a port of the gateway to the equipment in question, i.e. to create a route personally, an operation that is just as unfeasible for the customer as correcting the configuration without help from the technician would be.
The rules governing firewalls range from the simplest to the most complicated, the simplest rules authorizing everything or nothing. To implement a more coherent security strategy, firewalls at present rely on application type. Authorizing an application to access the Internet in fact authorizes packets addressed to the port associated with that type of application to access the Internet (port 80 for HTTP, port 21 for the FTP control connection). Certain new applications, for example games, telephony and videophone applications, use a multitude of ports, which are often assigned dynamically. Dynamic assignment prevents the definition of adequate rules: the port is not known when the rule is written. It then becomes necessary either to allow all packets to pass or, at best, to open a complete range of ports, which is an unsatisfactory strategy from the security point of view because the range also admits traffic that has nothing to do with the application.
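The following is an added example, written for this section and not taken from the original text, of the port-based rule strategy just described and of what happens when a range is opened for an application whose ports are assigned at run time. The rule set, the port numbers of the dynamic application and the "unrelated service" that falls inside the opened range are all constructed assumptions.

```python
"""Port-based firewall rules versus dynamically assigned ports.

Added example with constructed rules and traffic; the port values below are
assumptions for the illustration, not taken from the original text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    ports: range      # destination ports the rule covers
    description: str


def decide(rules: list[Rule], dst_port: int) -> tuple[str, str]:
    """First matching rule wins; with no match the packet is denied,
    which is the 'authorize nothing' baseline."""
    for rule in rules:
        if dst_port in rule.ports:
            return rule.action, rule.description
    return "deny", "default"


def evaluate(rules: list[Rule], packets: list[tuple[str, int]]) -> dict[str, str]:
    """Decision per named packet for a given rule set."""
    return {name: decide(rules, port)[0] for name, port in packets}


# Strategy 1: one rule per application type, keyed on its well-known port.
PER_APPLICATION = [
    Rule("allow", range(80, 81), "HTTP"),
    Rule("allow", range(21, 22), "FTP control"),
]

# Strategy 2: the same rules plus a complete range opened so that a telephony
# application choosing its media ports at run time can work (assumed range).
WITH_OPEN_RANGE = PER_APPLICATION + [
    Rule("allow", range(16384, 32768), "dynamic media ports"),
]

# Constructed traffic: two well-known services, one media stream on a port
# negotiated at run time, and an unrelated service on a port in the same range.
PACKETS = [
    ("web", 80),
    ("ftp", 21),
    ("voip_media", 24000),        # assumed dynamically assigned
    ("unrelated_service", 27017), # assumed listener inside the opened range
]


def compare() -> tuple[dict[str, str], dict[str, str]]:
    """Decisions under both strategies, side by side."""
    return evaluate(PER_APPLICATION, PACKETS), evaluate(WITH_OPEN_RANGE, PACKETS)


if __name__ == "__main__":
    strict, opened = compare()
    for name, _ in PACKETS:
        print(f"{name:18s} per-application={strict[name]:5s} open-range={opened[name]}")
```

Under the per-application rules the telephony stream is blocked because its port could not be written into a rule in advance; under the opened range it passes, but so does the unrelated service, which is the security cost the text refers to.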