CG-NAT (Carrier-grade NAT) on the EcoSGE platform

Basic features

EcoNAT supports various types of address translation at the same time: CG-NAT / PAT, Basic NAT, 1: 1 static translation.

Carrier-grade NAT (CG-NAT) 

The main and most modern type of network address translation is CG-NAT (IETF RFC 6888), which allows sharing public IPv4 addresses between multiple subscribers.

The main feature of CG-NAT is Full Cone NAT, an approach that combines the use of Endpoint Independent Mapping (EIM) and Endpoint Independent Filtering (EIF) technologies. Local ports from which subscriber initiate the traffic are translated into global ports. Any external systems can establish connections with the subscriber only through these translated global TCP/UDP ports. Due to Full Cone NAT, the solution compares favorably with traditional types of NAT/PAT and provides maximum CG-NAT transparency for various applications, including mobile, P2P, games, etc.

Port Block Allocation (PBA)

To reduce the amount of statistics that need to be transmitted to external systems, the Port Block Allocation (PBA) technology is used on EcoNAT devices. When applying this approach, the ports for translation are allocated to subscribers not by one but by continuous blocks. The maximum number of blocks for one subscriber is adjustable. In this case, only two log entries are added for the entire port block: when allocating a port block and when deallocating that block.

IP pairing

To ensure the best possible CG-NAT transparency, all subscriber connections that belong to the same global pool are translated to the same IP address.

Basic NAT (BNAT)

In addition to CG-NAT, the EcoNAT devices support Basic NAT (BNAT) mode in which a temporary public IPv4 address is allocated for a subscriber and only addresses are transmitted (ports remain unchanged). This address translation mode has two options: transparent, allowing incoming external connections to a given address on any ports, and closed, allowing external connections only to ports, connections from which are initiated by a subscriber.

Static NAT (1:1)

In addition to CG-NAT and BNAT, the option of address translation, when each subscriber IP address is administratively assigned to a public IP address. Thus, the operator can implement the provision of the “static public IP address” service.

Advantages and other features

High performance

The throughput of EcoNAT solution reaches 160 Gbps per unit, surpassing foreign analogues.

The connection creation rate is 8 million/sec with block logging or 2.5 million/sec with logging of each session. The total number of processed connections reaches 150 million. This is the best result on the market.

Smart Wire™

The EcoNAT device is transparent for all types of service traffic, including BGP, OSPF, ISIS, STP, LACP, BFD routing protocols.

Multiple broadcast types support

EcoNAT devices support the simultaneous operation of various types of address translation. At the same time, it is possible to configure up to 32 simultaneously operating NAT pools, which may differ in the type of translation, ranges of public IPv4 addresses, limits on the number of connections for subscribers, and ranges of UDP and TCP ports allocated during translation.

The criteria for allocating a pool are Access Control Lists (ACLs) associated with each pool. ACLs are analyzed in order of pool priority and can include both source and destination IP address of packet. This solution can be used to participate in peer-to-peer networks with overlapping ranges of IP addresses.

The hairpinning mechanism allows subscribers connected via EcoNAT to interact with each other’s public addresses without sending packets outside the device.

Application Layer Gateway (ALG)

Modern protocols are developed to work through NAT systems, however, some widely used protocols (such as FTP, PPTP, RTSP, SIP) require special processing when address translation is used. To support the work of subscribers using these protocols, EcoNAT implements Application Layer Gateway (ALG) functionality.

Aging

During prolonged inactivity (the period depends on the pool settings and connection status), unused connections are closed, freeing up ports. Thus, additional saving of address space is possible.

User quotas

For each pool, EcoNAT allows to set limits on the number of ports and connections for the subscriber individually. Together with hot reconfiguration and multiple pools support, this feature allows the operator to flexibly distribute IPv4 resources between corporate and private subscribers.

Translation Logging

EcoNAT devices allow you to export information about all translations and subscriber connections (Local_IP, Local_Port, Global_IP, Global_Port, Destination_IP, Destination_Port, Protocol) using the standard Syslog and Netflow v9 interfaces. When using the Port Block Allocation (PBA) mechanism, the amount of exported information is reduced tenfold.

Management

EcoNAT devices are equipped with a convenient command line interface (CLI) that allows you to change device settings, work with a structured configuration file, and monitor the system operation parameters.

To access the device, a dedicated management network interface (access to the device via SSH) or a console port (RS-232C) is used. Device users are identified locally or by TACACS+.

Information on equipment status is available via SNMP (v1/v2c). Syslog and SNMP Trap protocols are used to export system and event messages.