Deterministic NAPT Overview for Next Gen Services
Under Next Gen Services with the MX-SPC3, you can configure both Deterministic NAPT44 and NAPT64 services. Next Gen Services deterministic NAPT services use an algorithm to allocate blocks of destination ports.
Next Gen Services deterministic NAPT44 service ensures that the original source IPv4 address and port always map to the same post-NAT IPv4 address and port range, and that the reverse mapping of a given translated external IPv4 address and port are always mapped to the same internal IPv4 address.
Next Gen Services deterministic NAPT64 service ensures that the original source IPv6 address and port always map to the same post-NAT IPv4 address and port range, and that the reverse mapping of a given translated external IPv4 address and port are always mapped to the same internal IPv6 address.
For detailed information on how to configure deterministic NAPT, see Configuring Deterministic NAPT for Next Gen Services.
Benefits of Deterministic NAPT
Eliminates the need for address translation logging because an IP address is always mapped to the same external IP address and port range, and the reverse mapping of a given translated external IP address and port are always mapped to the same internal IP address.
Understanding Deterministic NAPT Algorithms
The effectiveness of your implementation of deterministic NAPT depends on your analysis of your subscriber requirements. The block size you provide indicates how many ports will be made available for each incoming subscriber address from the range in the from clause specified in the applicable NAT rule. The allocation algorithm computes an offset value to determine the outgoing IP address and port. A reverse algorithm is used to derive the originating subscriber address.
To track subscribers without using logs, an ISP must use a reverse algorithm to derive a subscriber (source) address from a translated address.
The following variables are used in forward calculation (private subscriber IP address to public IP address) and reverse calculation (public IP address to private subscriber IP address):
Pr_Prefix—Any pre-NAT IPv4 subscriber address.
Pr_Port—Any pre-NAT protocol port.
Block_Size—Number of ports configured to be available for each Pr_Prefix.
If block-size is configured as zero, the block size is computed as follows:
block-size = int(64512/ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)])
where 64512 is the maximum available port range per public IP address.
Base_Pr_Prefix—First usable pre-NAT IPv4 subscriber address in a from clause of the NAT rule.
Base_PU_Prefix—First usable post-NAT IPv4 subscriber address configured in the NAT pool.
Pu_Port_Range_Start—First usable post-NAT port. This is 1024.
Pr_Offset—The offset of the pre-NAT IP address that is being translated from the first usable pre-NAT IPv4 subscriber address in a from clause of the NAT rule. Pr_Offset = Pr_Prefix – Base_Pr_Prefix.
Pr_Port_Offset—Offset of the pre-NAT IP address multiplied by the block size. Pr_Port_Offset = Pr_Offset * Block_Size.
Pu_Prefix—Post-NAT address for a given Pr_Prefix.
Pu_Start_Port—Post-NAT start port for a flow from a given Pr_Prefix.
Pu_Actual_Port—Post-NAT port seen on a reverse flow.
Nr_Addr_PR_Prefix—Number of usable pre-NAT IPv4 subscriber addresses in a from clause of the NAT rule.
Nr_Addr_PU_Prefix—Number of usable post-NAT IPv4 addresses configured in the NAT pool.
Rounded_Port_Range_Per_IP — Number of ports available for each post-NAT IP address. Rounded_Port_Range_Per_IP = ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)] * Block_Size.
Pu_Offset—Offset of the post-NAT IP address from the first usable post-NAT address. Pu_Offset = Pu_Prefix – Base_Pu_Prefix.
Pu_Port_Offset—Offset of the post-NAT port from 1024, added to the product of the offset of the post-NAT IP address and the number of ports available for each post-NAT IP address. Pu_Port_Offset = (Pu_Offset * Rounded_Port_Range_Per_IP) + (Pu_Actual_Port – Pu_Port_Range_Start).
Algorithm Usage—The forward calculation (private subscriber address to public address and starting port) uses the following formulas:
- Pr_Offset = Pr_Prefix – Base_Pr_Prefix
- Pr_Port_Offset = Pr_Offset * Block_Size
- Rounded_Port_Range_Per_IP = ceil[(Nr_Addr_PR_Prefix/Nr_Addr_PU_Prefix)] * Block_Size
- Pu_Prefix = Base_Pu_Prefix + floor(Pr_Port_Offset / Rounded_Port_Range_Per_IP)
- Pu_Start_Port = Pu_Port_Range_Start + (Pr_Port_Offset % Rounded_Port_Range_Per_IP)
Using the sample configuration and assuming a subscriber flow sourced from 10.1.1.250:5000:
- Pr_Offset = 10.1.1.250 – 10.1.0.1 = 505
- Pr_Port_Offset = 505 * 249 = 125,745
- Rounded_Port_Range_Per_IP = ceil[(65,533/254)] * 249 = 259 * 249 = 64,491
- Pu_Prefix = 203.0.113.1 + floor(125,745 / 64,491) = 203.0.113.1 + 1 = 203.0.113.2
- Pu_Start_Port = 1,024 + (125,745 % 64,491) = 62278
10.1.1.250 is translated to 203.0.113.2.
The starting port is 62278. There are 249 ports available to the subscriber based on the configured block size. The available port range spans ports 62278 through 62526 (inclusive).
The specific flow from 10.1.1.250:5000 is assigned any one of the ports in that range at random, because random port allocation was specified in the sample configuration.
The reverse calculation (public address and port to private subscriber address) uses the following formulas:
- Pu_Offset = Pu_Prefix – Base_Pu_Prefix
- Pu_Port_Offset = (Pu_Offset * Rounded_Port_Range_Per_IP) + (Pu_Actual_Port – Pu_Port_Range_Start)
- Subscriber_IP = Base_Pr_Prefix + floor(Pu_Port_Offset / Block_Size)
Assume a flow returning to 203.0.113.2:62280, a port inside the block allocated above:
- Pu_Offset = 203.0.113.2 – 203.0.113.1 = 1
- Pu_Port_Offset = (1 * 64,491) + (62,280 – 1,024) = 125,747
- Subscriber_IP = 10.1.0.1 + floor(125,747 / 249) = 10.1.0.1 + 505 = 10.1.1.250
In reverse translation, only the original private IP address can be derived, and not the original port in use. This is sufficiently granular for law enforcement requirements.
When you have configured deterministic NAPT, you can use the show services nat deterministic-nat internal-host and show services nat deterministic-nat nat-port-block commands to show forward and reverse mapping. However, mappings will change if you reconfigure your deterministic port block allocation block size or the from clause for your NAT rule. In order to provide historical information on mappings, we recommend that you write scripts that can show specific mappings for prior configurations.
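The following Python script is an added example, not code from Juniper or the MX-SPC3 software. It implements the forward and reverse calculations above, plus the block-size computation used when block-size is configured as zero, and checks them against the values visible in the worked example (Base_Pr_Prefix 10.1.0.1, Nr_Addr_PR_Prefix 65,533, Base_Pu_Prefix 203.0.113.1, Nr_Addr_PU_Prefix 254, Block_Size 249). The class and function names, the IPv6 host address 2001:db8::1fa used for the NAPT64 check, and the decision to return None for ports that are never allocated are assumptions of the example. It goes slightly beyond the page's single IPv4 case in that the same arithmetic is applied to an IPv6 subscriber address (NAPT64).

```python
import ipaddress
import math

PU_PORT_RANGE_START = 1024        # Pu_Port_Range_Start: first usable post-NAT port
MAX_PORTS_PER_PUBLIC_IP = 64512   # usable ports per public address (65536 - 1024)


def compute_block_size(nr_addr_pr_prefix, nr_addr_pu_prefix):
    """Block size derived when block-size is configured as zero:
    int(64512 / ceil(Nr_Addr_PR_Prefix / Nr_Addr_PU_Prefix))."""
    return MAX_PORTS_PER_PUBLIC_IP // math.ceil(nr_addr_pr_prefix / nr_addr_pu_prefix)


class DeterministicNapt:
    """Forward and reverse deterministic NAPT mapping for one NAT rule/pool pair.

    base_pr_prefix may be IPv4 (NAPT44) or IPv6 (NAPT64); the offset
    arithmetic is identical because ipaddress treats both as integers.
    """

    def __init__(self, base_pr_prefix, nr_addr_pr_prefix,
                 base_pu_prefix, nr_addr_pu_prefix, block_size=0):
        self.base_pr = ipaddress.ip_address(base_pr_prefix)   # Base_Pr_Prefix
        self.nr_pr = nr_addr_pr_prefix                         # Nr_Addr_PR_Prefix
        self.base_pu = ipaddress.ip_address(base_pu_prefix)   # Base_Pu_Prefix
        self.nr_pu = nr_addr_pu_prefix                         # Nr_Addr_PU_Prefix
        # block-size 0 means "auto-calculate"; a result below 1 fails commit.
        self.block_size = block_size or compute_block_size(nr_addr_pr_prefix, nr_addr_pu_prefix)
        if self.block_size < 1:
            raise ValueError("block size below 1; commit would fail")
        # Rounded_Port_Range_Per_IP = ceil(Nr_Addr_PR_Prefix / Nr_Addr_PU_Prefix) * Block_Size
        self.rounded = math.ceil(self.nr_pr / self.nr_pu) * self.block_size
        # Added sanity check (assumption, not a documented commit check): the
        # ports consumed per public address must fit within 1024..65535.
        if self.rounded > MAX_PORTS_PER_PUBLIC_IP:
            raise ValueError("block size too large for the pool's port space")

    def forward(self, pr_prefix):
        """Pre-NAT subscriber address -> (Pu_Prefix, Pu_Start_Port, last port of block)."""
        pr = ipaddress.ip_address(pr_prefix)
        if pr.version != self.base_pr.version:
            raise ValueError("subscriber address family does not match the NAT rule")
        pr_offset = int(pr) - int(self.base_pr)                  # Pr_Offset
        if not 0 <= pr_offset < self.nr_pr:
            raise ValueError(f"{pr_prefix} is outside the NAT rule's from range")
        pr_port_offset = pr_offset * self.block_size             # Pr_Port_Offset
        pu_prefix = self.base_pu + pr_port_offset // self.rounded
        pu_start_port = PU_PORT_RANGE_START + pr_port_offset % self.rounded
        return str(pu_prefix), pu_start_port, pu_start_port + self.block_size - 1

    def reverse(self, pu_prefix, pu_actual_port):
        """Post-NAT address and any port in its block -> pre-NAT subscriber address.

        Returns None for ports that the algorithm never hands out (the unused
        tail above Rounded_Port_Range_Per_IP, or a block with no subscriber).
        """
        pu_offset = int(ipaddress.ip_address(pu_prefix)) - int(self.base_pu)   # Pu_Offset
        if not 0 <= pu_offset < self.nr_pu:
            raise ValueError(f"{pu_prefix} is not in the NAT pool")
        port_in_ip = pu_actual_port - PU_PORT_RANGE_START
        if not 0 <= port_in_ip < self.rounded:
            return None
        pu_port_offset = pu_offset * self.rounded + port_in_ip  # Pu_Port_Offset
        pr_offset = pu_port_offset // self.block_size
        if pr_offset >= self.nr_pr:
            return None
        return str(self.base_pr + pr_offset)                     # Subscriber_IP


if __name__ == "__main__":
    # Values from the worked example above; 65,533 and 254 are the from-clause
    # and pool sizes used in its Rounded_Port_Range_Per_IP step.
    napt = DeterministicNapt("10.1.0.1", 65533, "203.0.113.1", 254, block_size=249)
    print(napt.forward("10.1.1.250"))          # ('203.0.113.2', 62278, 62526)
    print(napt.reverse("203.0.113.2", 62280))  # 10.1.1.250
```

Running the script with an earlier block size or from clause reproduces the mappings that configuration produced, which is the kind of script the paragraph above recommends keeping so that historical mappings can still be answered after a reconfiguration.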
Deterministic NAPT Restrictions
When you configure deterministic NAPT, be aware of the following:
For IPv6 deterministic NAT64 host address configuration, only the last 32 bits (4 bytes) of the IPv6 host prefix can vary. This means that you can only configure a /96 prefix mask for an IPv6 host address, which supports a maximum of 2^32 addresses for one IPv6 prefix. The host address is specified at the [services nat source pool p1 port deterministic host] configuration hierarchy.
Usually, the number of addresses in the host range should be greater than the number of addresses in the pool.
We don't recommend configuring more host addresses than the total number of port block resources, because some hosts may then fail to receive a port block.
The minimum block size for deterministic NAT is 1. If you configure a smaller block size, the commit fails. If the block size is configured to 0, the block size will be automatically calculated based on host number and translated address number. If the calculated block size is less than 1, the commit fails.
For Next Gen Services deterministic NAPT, you can configure a mix of IPv4 and IPv6 host addresses together in a NAT pool, in either a host address or an address name list. However, the total number of host prefixes cannot exceed 1000.
You cannot configure an address range or DNS name in a host address book name.
The configured host address prefixes and host address book names are merged together if their prefixes overlap. You can use the show services nat source deterministic operational command to show the merged prefixes.
If the same deterministic NAT pool is used across multiple rules, we recommend that you keep the subscriber host addresses consistent with the source address prefixes matched by those rules; otherwise, traffic from hosts that are not configured in the NAT pool may fail to be allocated a port even though it matches the NAT rule.
For Next Gen Services NAPT services, the total number of host addresses configured must be greater than or equal to the number of deterministic NAT port blocks available.