NAT

Network Address Translation (NAT) is a technique that has arisen in response to the shortage of globally routable IPv4 addresses. It allows a single IP address to provide connectivity for a large number of hosts. The usual deployment of NAT involves a network of hosts using one of the private address ranges mentioned in Section 1.1 earlier in this chapter, routing traffic to a gateway or proxy with a private IP address on the inside of the network and a real IP address on the outside facing the Internet. For outgoing traffic, this gateway replaces the private IP address with its public IP address and uses port numbers to remember the private IP address to which replies should be directed.

For incoming traffic, the gateway looks up the port number in its table to determine the original private IP address, and forwards the packet to that host in the private network. The details of traditional NAT are discussed in RFC 3022.

Because of the economics of IPv4 addresses, NAT has proven extremely popular with small businesses and home users. While one cannot strictly speaking sell IP addresses, ISPs commonly attach a charge for routing and other services to make these addresses useful. This cost is often prohibitive for many users of the SOHO persuasion. NAT has provided a way to connect an entire office to the Internet using a single, cheap dialup connection - it might even be cheerful if you're lucky.

NAT has also been used[3] by some organizations as a form of protection against having to change the addresses of their network. This renumbering of a network might be required because of a change of ISP, or because the organization was using IP addresses unsuitable for use on the general Internet. Renumbering in the IPv4 world is quite a tricky process, and the use of private addresses has actually made renumbering more common, as distinct groups can, and often will, be using the same private address range, creating problems if they merge. As we will see later, IPv6 goes to some effort to make renumbering less painful.

NAT is a mixed blessing. It has certainly reduced the demand for IPv4 addresses. However, certain protocols cannot operate over NAT without special treatment, particularly those that embed the addresses of endpoints within the protocol itself; the canonical example of this is FTP, and another important one is IPsec, of which more later.

NAT is also a more complex and CPU-intensive operation than simply forwarding traffic. Even in the post-dot-com days, the growth of Internet traffic is outstripping the increase in CPU speeds, and so the cost of performing NAT at high speeds is greater than the cost of a faster (but dumber) router. A network reliant on NAT may find that its growth is limited, not by the cost of network capacity, but by the cost of the NAT device.

NAT also hinders hosts on the Internet making incoming connections to hosts in the private network, as there is no easy way to create suitable state on the gateway to allow this. Some consider this a feature, as it acts as a simple form of stateful firewalling. Others consider it a violation of the end-to-end principle of the Internet—the idea that any host should be able to talk to any other host. This end-to-end principle has been important in the creation of new applications on the Internet, so the general view is that NAT is currently a useful and necessary evil in the IPv4 world.
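The following is an added illustration, not code from the book, of the three behaviours described above: a port-based NAT gateway rewriting outbound source addresses and mapping replies back through its table, an unsolicited inbound packet being dropped because no table entry exists (the "simple stateful firewall" effect), and an FTP PORT command whose embedded private address passes through the gateway untouched. The gateway class, packet structure, addresses (from the RFC 5737 documentation ranges) and port numbers are all constructed for this example.

```python
"""Toy port-based NAT (NAPT) simulator, constructed for illustration.

The gateway owns one public address. It rewrites the source address and port
of outbound packets and records the mapping so replies can be sent back to
the private host. It never inspects the payload, which is why protocols that
carry addresses inside the payload (FTP PORT) break without special help.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""   # application data; the NAT never looks at this


class NatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public_port) -> (private_ip, private_port): the lookup
        # table consulted for incoming traffic.
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (proto, private_ip, private_port) -> public_port, so that a host
        # keeps the same public port for the lifetime of its mapping.
        self.reverse: Dict[Tuple[str, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Replace the private source with the public address and a port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        public_port = self.reverse.get(key)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
            self.reverse[key] = public_port
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet for the public address back to the private host.

        Returns None (drop) when no outbound traffic created state for the
        destination port: the stateful-firewall side effect of NAT.
        """
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


def ftp_port_address(payload: str) -> Optional[Tuple[str, int]]:
    """Parse an RFC 959 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    if not payload.startswith("PORT "):
        return None
    parts = payload[5:].strip().split(",")
    if len(parts) != 6:
        return None
    nums = [int(p) for p in parts]
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def demo():
    """Run the three scenarios on constructed packets and return the results."""
    nat = NatGateway("203.0.113.1")

    # 1. Outbound request from a private host, rewritten by the gateway.
    req = Packet("tcp", "192.168.1.10", 51000, "198.51.100.7", 80, "GET / HTTP/1.1")
    out = nat.outbound(req)

    # 2. Reply addressed to the public address/port, mapped back via the table.
    reply = Packet("tcp", "198.51.100.7", 80, out.src_ip, out.src_port, "HTTP/1.1 200 OK")
    back = nat.inbound(reply)

    # 3. Unsolicited inbound packet: no table entry, so it is dropped.
    probe = Packet("tcp", "198.51.100.9", 4444, "203.0.113.1", 22)
    dropped = nat.inbound(probe)

    # 4. FTP active mode: the PORT payload still names the private address
    #    even though the packet header now carries the public one.
    ftp = Packet("tcp", "192.168.1.10", 51001, "198.51.100.7", 21,
                 "PORT 192,168,1,10,199,8")
    ftp_out = nat.outbound(ftp)
    embedded = ftp_port_address(ftp_out.payload)

    return out, back, dropped, ftp_out, embedded


if __name__ == "__main__":
    out, back, dropped, ftp_out, embedded = demo()
    print("outbound rewritten to", out.src_ip, out.src_port)
    print("reply mapped back to", back.dst_ip, back.dst_port)
    print("unsolicited inbound:", "dropped" if dropped is None else "forwarded")
    print("FTP header src", ftp_out.src_ip, "but payload advertises", embedded)
```

In scenario 4 the remote FTP server would try to open its data connection to 192.168.1.10:50952, a private address that is unroutable from the Internet, which is exactly why real gateways need an FTP-aware helper that rewrites the PORT payload and pre-creates a table entry for the data connection.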



[3] A third use of NAT is for load-balancing; we consider this beyond the scope of this book.
