Before NAT every device connected to the internet had its own IP address. That was how the internet was designed. This gives you great flexibility and visibility. If you have a firewall then it can filter traffic for each address, protocol, port etc individually if you want. Because the source address and port (if applicable, not all protocols have ports) and destination address and port do not change between the sender and the receiver it is much much easier to debug. And if you want to let a device look after its own security that is possible too: just tell the firewall not to filter anything on that address, or not use a firewall device at all. Your choice :)
Let's look at the simplest case of NAT: When your ISP only gives you one address you can only connect one device to the internet. This is not what most people want: they need to connect multiple devices. So that single device performs a masquerading trick so that to the outside world it looks like that single device is doing all the internet communication, while behind that device there can be multiple devices that think they have a normal connection to the internet while not really having one. The trick that that single device with a real internet address uses is NAT.
NAT can only do its 'multiplexing' for protocols that use port numbers. For protocols without port numbers a connection is defined by the addresses. As you only have one 'real' address you can only have one connection. For protocols with port numbers like UDP and TCP a connection is usually defined by both addresses and ports. So 37.77.56.75:12345 <-> 94.142.242.216:80 can be one connection and 37.77.56.75:23456 <-> 94.142.242.216:80 another.
If 37.77.56.75 was a NAT device (it's not, it is my own PC's address, I don't use NAT here) it could have an internal state table that remembers that 37.77.56.75:12345 corresponds to internal address 192.168.0.11:32431. Outgoing packets get their original source address and port (192.168.0.11:32431) replaced with the NAT device's own (37.77.56.75:12345), and the reverse is done for incoming packets.
What often causes some confusion with NAT and (stateful) firewalling is that both of those functions need to remember state: who is talking to whom?
A stateful firewall also has to keep track of who is talking to whom. So both a NAT device and a firewall need to remember that there is a session 37.77.56.75:12345 <-> 94.142.242.216:80. A NAT device also has to remember that 37.77.56.75:12345 is really 192.168.0.11:32431. A firewall applies some extra filtering and inspection to the traffic.
A NAT device without a firewall function will let unwanted traffic through if it happens to match something in its state table. A firewall will apply inspections to prevent that. But a firewall can also do that if the addresses of incoming and outgoing packets aren't changed: it doesn't need NAT to be able to perform its function.
NAT is considered a hack because it makes the internet more complex. Addresses and ports are being changed, a NAT device has to remember what the original addresses and ports were, it has to actually understand all transport protocols it is applying NAT to so it prevents new transport protocols from being deployed (nobody will use new transport protocols because no NAT device will support them, and NAT devices won't support them because nobody uses them) etc.
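A small model of the state tables described in this answer, added here as an example and not part of the original post: a NAT that multiplexes flows on one public address, and a separate stateful firewall that tracks the TCP handshake without rewriting anything. The public and internal addresses are the ones used above; the remote port 80, the port pool starting at 12345, and the 'rogue' packet that matches the NAT table are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple
import itertools


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", or a port-less protocol such as "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str = ""             # TCP flags as text, e.g. "SYN", "SYN|ACK"; "" for others


FlowKey = Tuple[str, int, str, int]   # (proto, public port, remote ip, remote port)


class Nat:
    """Port-multiplexing NAT ('masquerading') behind one public address."""

    def __init__(self, public_ip: str, first_port: int = 12345):
        self.public_ip = public_ip
        self.table: Dict[FlowKey, Tuple[str, int]] = {}   # public-side key -> (internal ip, port)
        self._ports = itertools.count(first_port)          # constructed port pool

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # No ports: only one flow per remote address can be told apart, nothing to multiplex on.
            raise ValueError(f"{pkt.proto}: no port numbers, cannot multiplex")
        # Reuse the mapping if this internal flow already has one, otherwise allocate a public port.
        for key, internal in self.table.items():
            if internal == (pkt.src, pkt.sport) and (key[0], key[2], key[3]) == (pkt.proto, pkt.dst, pkt.dport):
                pub_port = key[1]
                break
        else:
            pub_port = next(self._ports)
            self.table[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse translation; None means there is no state, so the packet is dropped.
        Anything that matches the key is forwarded: NAT alone does no inspection."""
        internal = self.table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if internal is None:
            return None
        return replace(pkt, dst=internal[0], dport=internal[1])


class StatefulFirewall:
    """Tracks TCP handshake state per flow; works on unchanged or translated addresses alike."""

    def __init__(self):
        self.state: Dict[Tuple[str, int, str, int], str] = {}   # (local ip, port, remote ip, port)

    def outbound(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "tcp":
            if pkt.flags == "SYN":
                self.state[key] = "SYN_SENT"
        else:
            self.state[key] = "ESTABLISHED"      # UDP-style flows: seen outbound is enough
        return True

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        st = self.state.get(key)
        if st is None:
            return False                         # unsolicited
        if pkt.proto != "tcp":
            return True
        if st == "SYN_SENT" and pkt.flags == "SYN|ACK":
            self.state[key] = "ESTABLISHED"
            return True
        if st == "ESTABLISHED" and "SYN" not in pkt.flags:
            return True
        return False                             # e.g. a fresh SYN on a flow we opened ourselves


def demo() -> dict:
    nat = Nat("37.77.56.75")
    fw = StatefulFirewall()                      # placed on the public side of the NAT
    syn = Packet("tcp", "192.168.0.11", 32431, "94.142.242.216", 80, "SYN")
    out = nat.outbound(syn)
    fw.outbound(out)
    synack = Packet("tcp", "94.142.242.216", 80, "37.77.56.75", out.sport, "SYN|ACK")
    delivered = nat.inbound(synack) if fw.inbound(synack) else None
    # Constructed rogue packet: someone who knows the mapping sends a new SYN into it.
    rogue = Packet("tcp", "94.142.242.216", 80, "37.77.56.75", out.sport, "SYN")
    try:
        nat.outbound(Packet("icmp", "192.168.0.11", None, "94.142.242.216", None))
        icmp_multiplexed = True
    except ValueError:
        icmp_multiplexed = False
    return {
        "public_view": (out.src, out.sport),
        "synack_delivered_to": (delivered.dst, delivered.dport) if delivered else None,
        "rogue_passes_nat": nat.inbound(rogue) is not None,
        "rogue_passes_firewall": fw.inbound(rogue),
        "icmp_multiplexed": icmp_multiplexed,
    }
```

The firewall never touches addresses, which is the point of the last paragraphs above: it could sit in front of hosts with public addresses and do exactly the same job, while the NAT table by itself happily forwards the rogue SYN because it matches the stored key.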
How does subnetting work for public IP addresses? For instance, if I'm running a datacenter, would owning 30.214.41.2/16 be equivalent to owning the ~65000 addresses between 30.214.41.2 and 30.215.41.2?
The subnet mask is always applied left-to-right, so no subnet that is /24 or less will ever have a non-zero start for the rightmost value. For your example:
     30.     214.      41.       2
00011110 11010110 00101001 00000010 address
11111111 11111111 00000000 00000000 network mask (/16)
======== ======== ======== ======== (bitwise AND)
00011110 11010110 00000000 00000000 network
The network in this case is 30.214.0.0/16 and the host range is 30.214.0.1-30.214.255.254 (30.214.0.0 and 30.214.255.255 have special meanings.)
As a follow up, do ISPs use this as a convenience for routing purposes?
ISPs can use the fact that they have subnetted their address range to simplify routing tables. This is known as route summarization and is pretty important in keeping the Internet working, because instead of your ISP having to advertise every network block that they use in a contiguous range, they can advertise just one. There's more to it than this, but fortunately that's beyond the scope of this question (it's complex and I have forgotten most of the details!)
As an aside, if you needed more than 65534 hosts in your hypothetical network, you could obtain two /16 networks that were adjacent to each other (e.g. 10.214.0.0/16 and 10.215.0.0/16) and supernet those into a single network (10.214.0.0/15). It's more common at the smaller network allocations (/24 and smaller), but you should be aware of its existence.
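A worked version of the two answers above, added as an example and not part of the original posts: the bitwise AND done by hand for 30.214.41.2/16, the host range and the "is 30.215.41.2 in it?" check from the standard library, and the summarization of adjacent /16s into a /15 together with a non-aligned pair that cannot be summarized. The addresses are those used in the answers.

```python
import ipaddress
from typing import List


def network_of(addr: str, prefix_len: int) -> str:
    """Network address by hand: AND the 32-bit address with the mask, as in the table above."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    value = 0
    for octet in addr.split("."):
        value = (value << 8) | int(octet)
    net = value & mask
    return ".".join(str((net >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr: str) -> dict:
    """Network, mask, broadcast and usable host range; strict=False allows host bits in the input."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": max(net.num_addresses - 2, 0),   # the two special addresses are excluded
    }


def contains(cidr: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def summarize(cidrs: List[str]) -> List[str]:
    """Route summarization: collapse adjacent, aligned blocks into the fewest covering prefixes.
    Blocks that are adjacent but not aligned on the larger prefix boundary stay separate."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(network_of("30.214.41.2", 16))                       # 30.214.0.0
    print(describe("30.214.41.2/16"))
    print(contains("30.214.41.2/16", "30.215.41.2"))           # False
    print(summarize(["10.214.0.0/16", "10.215.0.0/16"]))       # ['10.214.0.0/15']
    print(summarize(["10.215.0.0/16", "10.216.0.0/16"]))       # two separate /16s
```

The second summarize call shows why the aside says "adjacent": 10.215 and 10.216 are next to each other, but 215 is odd, so no /15 boundary falls at 10.215.0.0 and the pair cannot be announced as one route.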
Best Answer
You are about 49% right. There is not much preventing you from using an arbitrary IP address. This can be done like this:
ifconfig eth0 99.99.99.99 up
(this appears to be a public address owned by AT&T that is not actually in use, so please don't try this at home).
The first problem is to connect your host to the Internet. In my home my router provides 192.168.178.1 as the gateway to the Internet (the actual address of the router of your ISP may vary). You have to send your packets to this address, since there's no other way to the Internet. Unfortunately, this gateway only accepts packets from 192.168.178/24, which 99.99.99.99 is not part of. That's the first 1% of the problem you might face. With some manual routing table tweaking you may overcome this by persuading your network to send your packets to this gateway anyway.
Once you overcome this first obstacle, your packets will probably (with some luck) actually reach their final destination and will be processed there. A great share of layer 4 protocols in the Internet are TCP connections, though. They require the famous 3-way handshake: so after the first SYN packet reaches its destination, the target host responds with a SYN|ACK packet and sends it to the sender's address, which is 99.99.99.99. Now your packet has to deal with the real 50% challenge: how to find its way home? Unfortunately you have told no one except yourself that you expect 99.99.99.99 to be delivered to your own host. And that is the main problem you have. You may argue now, "Why can't I tell the Internet that I now have 99.99.99.99 on my computer?". Well actually, you could. You would have to find a way of distributing this information to virtually the whole Internet (or at least all public Internet routers). Fortunately there is a means to do so. That's what we call BGP. It is run by a community of big boys that take care that a few rules are obeyed. This is more or less what we know as "buying and registering official IP addresses".
With some effort you could try, and might even succeed, in becoming one of the big boys and eventually part of the community that runs the BGP infrastructure. If you managed to do so, you could actually tell the global BGP network to route 99.99.99.99 to your home. If you did so, you would be expelled from that club pretty quickly, though, I dare predict.
The short version of the answer to your question: it is easy to pretend you own a public IP address, but virtually nobody would take you seriously.
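A toy model of the two obstacles this answer walks through, added as an example and not from the original post: the gateway's source-address check, then the longest-prefix-match lookup the Internet's routers would do on the destination of the SYN|ACK. The forwarding table is constructed; the prefix 99.99.99.0/24, the label of its holder, and 203.0.113.0/24 (a documentation range) as the home user's real public block are assumptions for the example, not real allocations.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix in CIDR notation, label of the next hop / holder)

# Constructed "global" forwarding table: what the Internet's routers believe.
# ASSUMPTION for the example: 99.99.99.0/24 is announced by some registered holder,
# 203.0.113.0/24 belongs to the home user's ISP. Nobody announces 99.99.99.99 for "home".
GLOBAL_TABLE: List[Route] = [
    ("0.0.0.0/0", "default-upstream"),
    ("99.99.99.0/24", "registered holder"),
    ("203.0.113.0/24", "home ISP"),
]


def longest_prefix_match(table: List[Route], dst: str) -> Optional[str]:
    """The most specific prefix covering dst wins; this is what every router does."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


class HomeRouter:
    """The gateway at 192.168.178.1: forwards only packets sourced from its own LAN."""

    def __init__(self, lan: str = "192.168.178.0/24", spoof_filter: bool = True):
        self.lan = ipaddress.ip_network(lan)
        self.spoof_filter = spoof_filter      # False models the "routing table tweaking" workaround

    def forwards(self, src: str) -> bool:
        return not self.spoof_filter or ipaddress.ip_address(src) in self.lan


def attempt(src: str, server: str, spoof_filter: bool = True) -> dict:
    """Send a SYN from `src` to `server` and see where the SYN|ACK would end up."""
    router = HomeRouter(spoof_filter=spoof_filter)
    result = {"syn_leaves_lan": router.forwards(src), "syn_routed_via": None, "syn_ack_goes_to": None}
    if not result["syn_leaves_lan"]:
        return result                         # obstacle 1: the gateway's source check
    result["syn_routed_via"] = longest_prefix_match(GLOBAL_TABLE, server)
    # The server answers to the source address it saw; the Internet delivers that
    # reply to whoever announces the covering prefix, never to the spoofing host.
    result["syn_ack_goes_to"] = longest_prefix_match(GLOBAL_TABLE, src)
    return result


if __name__ == "__main__":
    print(attempt("99.99.99.99", "94.142.242.216"))                    # stopped at the gateway
    print(attempt("99.99.99.99", "94.142.242.216", spoof_filter=False))  # SYN|ACK goes elsewhere
```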