13

Simple question and the answer is layer 3 of course, but can we say that PAT is working on layer 4 also because it deals with port numbers which is a layer 4 function?

Or is it only a layer 3 protocol?

Ron Maupin
aia87
  • "Network" is the keyword. The network layer. Most intriguing: how does this question get 6 upvotes? Hmmm.... (I'm not saying it's a terrible question, but it certainly ain't spectacular) – Ronnie Royston Oct 03 '17 at 00:04

4 Answers

14

NAT works at layer 3 because it is modifying the IP header. If you use PAT you could argue that it is working at layer 4 as well because it MIGHT change the source port of the packet in case it is not unique.

Several internal addresses can be NATed to only one or a few external addresses by using a feature called Port Address Translation (PAT) which is also referred to as "overload", a subset of NAT functionality.

PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address.

PAT will attempt to preserve the original source port. If this source port is already allocated, PAT will attempt to find the first available port number, starting from the beginning of the appropriate port group (0-511, 512-1023 or 1024-65535).

If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses.

So the port will only be modified in case it is not unique.

This link to Cisco is a pretty good overview of NAT.

Daniel Dib
  • The thing is, I got this question in a job interview written exam and I need to know if I simply overthink this simple question... NAT is a layer 3 protocol no doubt, but PAT and static port mapping are working with not just the IP. I searched for a statement saying that NAT could be a layer 4 protocol, but no luck. What do you think? Would you take that answer as a right or wrong answer? http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml – aia87 Sep 08 '13 at 06:00
  • 5
    In an interview I would be looking for how a candidate is reasoning, not only binary right or wrong. NAT is layer 3, but if you reasoned around PAT and layer 4 I would see that as good knowledge and not be concerned with looking for a binary answer. – Daniel Dib Sep 08 '13 at 07:03
  • 3
    To complicate more, Linux (ebtables) and some SP kit (ALU ISAM) support MAC address NAT. So it pretty much could be anything. But certainly, normally when people say NAT they mean NAPT/PAT. But fully agreed with @DanielDib: a candidate showing understanding of the concepts rather than memorized answers is better. – ytti Sep 08 '13 at 08:18
  • 3
    Additionally, some NAT has to work at layer 7 if the protocol being translated has addresses embedded; FTP is an example. – chrylis -cautiouslyoptimistic- Sep 08 '13 at 13:15
  • Even "basic NAT" requires modifications to layer 4 headers to be usable. – Peter Green Jan 11 '16 at 18:54
  • We can't say that NAT/PAT is a layer 4 function, otherwise it would not have access to the IP part (it doesn't exist yet). Is it a layer 3 function though? Yes and no. Yes, because at this level all the information it needs is available (IP header, TCP/UDP header and even application protocol data). No, because it violates a core principle of the OSI model: "don't touch the payload". That being said, I consider NAT/PAT as the act of breaking the law for the good of all; in a perfect world we don't need NAT/PAT. – Soulimane Mammar Feb 12 '22 at 06:57
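The allocation order the answer describes (keep the original source port; otherwise take the first free port from the start of the same port group; otherwise move to the next inside global address) as an added, runnable toy model. This is not code from the answer or from Cisco: the class name PatTable, the port-group table and the 203.0.113.0/24 and 10.0.0.0/8 addresses are constructed for the example.

```python
# Port groups as described in the answer; addresses used below are constructed (RFC 5737 / RFC 1918).
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port: int) -> tuple:
    """Return the (low, high) bounds of the group the port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError("port out of range: %d" % port)


class PatTable:
    """Toy PAT (NAT overload) allocator (hypothetical name).

    Maps (inside local IP, source port, proto) to (inside global IP, translated port)
    following the order described in the answer.
    """

    def __init__(self, global_ips):
        self.global_ips = list(global_ips)   # inside global addresses, tried in configured order
        self.in_use = {}                      # (global_ip, proto) -> set of ports already allocated
        self.translations = {}                # (local_ip, local_port, proto) -> (global_ip, port)

    def allocate(self, local_ip: str, local_port: int, proto: str = "tcp") -> tuple:
        key = (local_ip, local_port, proto)
        if key in self.translations:          # an existing flow keeps its translation
            return self.translations[key]
        lo, hi = port_group(local_port)
        for gip in self.global_ips:
            used = self.in_use.setdefault((gip, proto), set())
            if local_port not in used:        # 1. preserve the original source port
                chosen = local_port
            else:                             # 2. first free port from the start of the same group
                chosen = next((p for p in range(lo, hi + 1) if p not in used), None)
            if chosen is not None:
                used.add(chosen)
                self.translations[key] = (gip, chosen)
                return gip, chosen
            # 3. group exhausted on this address: fall through to the next inside global address
        raise RuntimeError("PAT: no free port in group %d-%d on any inside global address" % (lo, hi))

    def release(self, local_ip: str, local_port: int, proto: str = "tcp") -> None:
        """Tear down a translation (e.g. on TCP FIN or UDP timeout) so its port can be reused."""
        gip, port = self.translations.pop((local_ip, local_port, proto))
        self.in_use[(gip, proto)].discard(port)


if __name__ == "__main__":
    pat = PatTable(["203.0.113.1", "203.0.113.2"])
    # Three inside hosts all using source port 40000: only the first keeps its port.
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(host, 40000, "->", pat.allocate(host, 40000))
```

The port collision case is the one the answer calls out: the second and third hosts that pick source port 40000 are moved to 1024 and 1025, the first free ports of the 1024-65535 group, while a host whose port is still free on the global address keeps it. Filling all 512 ports of the 0-511 group on the first address makes the allocator move to the second address, where the original port is tried again.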
8

NAT is a cross-layer process. It involves at least layers 3 (IP) and 4 (TCP, UDP, etc.). In some cases it can also involve layer 7 (application).

A one to one NAT needs at minimum to modify the IP addresses (layer 3), IP checksums (layer 3) and TCP/UDP checksums (layer 4).

A one to many NAT needs at minimum to modify the IP addresses (layer 3), IP checksums (layer 3), TCP/UDP ports (layer 4) and TCP/UDP checksums (layer 4).

Such a minimal NAT will break many things (for example active-mode ftp). Most NATs will therefore go beyond the basics and also perform translation and tracking of at least some IP addresses in application data (layer 7).

Peter Green
  • Why would one-to-one NAT need to modify TCP checksums? I thought in this case the whole TCP segment stays unmodified and only IP header is modified. Could you explain a bit further? – Weipeng Jan 06 '23 at 02:16
  • 1
    The TCP/UDP checksum calculations include a pseudo-header which contains certain critical information from the IP header, including the source and destination addresses. So if the addresses are modified, the TCP/UDP checksum must be recalculated, otherwise the recipient will reject the packet as having a bad checksum. – Peter Green Jan 06 '23 at 13:44
  • Interesting! That means when the IP layer processes the TCP segment passed down from layer 4, it not only prepends its own IP header, it also goes into the TCP header and modifies its checksum? Does this introduce some sort of coupling between two layers? – Weipeng Jan 06 '23 at 19:50
  • The fields in the pseudo header are the source address, destination address, protocol number and "TCP/UDP length", these are all known to the TCP/UDP implementation before passing the packet down to the IP implementation. – Peter Green Jan 06 '23 at 20:01
  • 1
    That said, layers are a conceptual model. Implementers don't have to rigidly follow them. I suspect most implementations allocate space for the entire packet, including the IP header and possibly also the L2 header, early in the process of packet generation to avoid unnecessary copies. – Peter Green Jan 06 '23 at 20:05
  • Ahh.. the desire to avoid unnecessary & expensive memory copies certainly makes a lot of sense! – Weipeng Jan 19 '23 at 20:56
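The checksum point from the comment thread above, as an added example that is not part of the answer: a one-to-one NAT that rewrites only the source address leaves every TCP byte except the checksum untouched, yet the old checksum no longer verifies, because the pseudo-header it covers carries the addresses. The helper names and the 10.0.0.5, 203.0.113.1 and 198.51.100.10 addresses are constructed for the example; the packet layouts follow the standard IPv4 and TCP header formats.

```python
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """12-byte TCP pseudo-header: source addr, destination addr, zero, protocol (6), TCP length."""
    return struct.pack("!4s4sBBH",
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed,
                       0, 6, tcp_len)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + TCP header + payload; the checksum field in `segment` must be zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)


def verify_tcp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correctly checksummed segment sums to 0xFFFF together with its pseudo-header."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_tcp_segment(src_port: int, dst_port: int, src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Minimal 20-byte TCP header (SYN, seq 0, window 65535, no options) plus payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def build_ipv4_header(src_ip: str, dst_ip: str, payload_len: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header; its checksum covers only the header (no pseudo-header here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def verify_ipv4_header(hdr: bytes) -> bool:
    return ones_complement_sum(hdr[:20]) == 0xFFFF


def nat_rewrite_source(ip_hdr: bytes, segment: bytes, new_src: str) -> tuple:
    """One-to-one NAT of the source address (hypothetical helper).

    Rewrites the IP source address and the IP header checksum (layer 3), then recomputes the
    TCP checksum (layer 4) even though no TCP byte other than the checksum field changes.
    """
    dst_ip = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    hdr = ip_hdr[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + ip_hdr[16:]
    new_ip_hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    new_seg = zeroed[:16] + struct.pack("!H", tcp_checksum(new_src, dst_ip, zeroed)) + zeroed[18:]
    return new_ip_hdr, new_seg


if __name__ == "__main__":
    # Constructed packet: inside host 10.0.0.5 talking to 198.51.100.10 port 80.
    seg = build_tcp_segment(40000, 80, "10.0.0.5", "198.51.100.10", b"GET / HTTP/1.0\r\n\r\n")
    iph = build_ipv4_header("10.0.0.5", "198.51.100.10", len(seg))
    print("original verifies:", verify_tcp("10.0.0.5", "198.51.100.10", seg))
    print("same TCP bytes, new source address:", verify_tcp("203.0.113.1", "198.51.100.10", seg))
    new_iph, new_seg = nat_rewrite_source(iph, seg, "203.0.113.1")
    print("after NAT recomputation:", verify_tcp("203.0.113.1", "198.51.100.10", new_seg))
```

Running it shows the three states the thread discusses: the original segment verifies against its own addresses, the identical segment fails verification once the source address in the pseudo-header changes, and it verifies again only after the NAT recomputes the TCP checksum. A real translator would do this incrementally (RFC 1624) rather than summing the whole packet, but the result is the same.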
1

Think about how this has to be consistent across packets from the same device... at least within sessions. You could argue, therefore, that you should place this at level 5 or even higher. Just because it reaches down to modify IP headers shouldn't disqualify it from consideration for the higher layers. Lower layers might not know anything about higher layers, but higher layers can know and manipulate the lower. Indeed, Layer 6 seems appropriate. From Wikipedia:

Application-layer entities may use different syntax and semantics if the presentation service provides a big mapping between them.

Mapping between addresses, even if the addresses are at level 3 instead of level 7, seems a very presentation-layer thing to do.

Joel Coehoorn
  • There is no OS that has implemented separate layers 5 to 7. Simply put, layers 5 to 7 are implemented as a single application layer. – Ron Maupin Oct 02 '17 at 23:59
1

NATing works at layer 3 and layer 4, and even works at the application layer too.

Sagar Uragonda