Packet Mangling Is Not As Strange As It Sounds
There are probably a few dozen interpretations of what the phrase “packet mangling” may mean to different people. If you haven’t heard of it, it can be difficult to interpret what may sound like a somewhat negative experience — but, rest assured, there is nothing nefarious about this process.
In fact, we use packet mangling technology at OpenVPN, to the benefit of our users. Packet mangling refers to the intentional (and not malicious) practice of altering packet header data for useful purposes, of which there are many. For example, packet mangling is used with packet filtering and network address translation (NAT), and can happen before and after data packets are routed. Packet mangling is a core function of the NAT process: it controls how data packets are routed around a private network and rewrites header information when data packets leave for the public internet. Network administrators regularly mangle packets by modifying the source IP and destination IP in a packet header.
OpenVPN’s Product Manager, Johan Draaisma, explains further:
“Packet mangling might seem like it is malicious, but it is commonly used for many legitimate purposes. For example, OpenVPN Access Server can modify IP headers to make it seem like the traffic is coming from the Access Server rather than from the VPN clients themselves. This allows traffic from VPN clients to reach systems in the Access Server’s local network without having to modify the routing tables for those systems to make them aware of the existence of the VPN network. This is called network address translation and is almost certainly also being done by your home internet router, to allow your entire home network of devices to share the internet connection that your router has.”

Johan Draaisma, OpenVPN Product Manager
Packet Mangling Basics
To delve into Johan’s quote a bit deeper, let’s review a diagram of a basic home network that has a public IP address and internet connection, as well as multiple private IP addresses on an internal network:
The diagram shows a many-to-one NAT setup, also known as masquerading. Here, many private IPs are translated into one public IP. There are other types of NAT configurations, such as one-to-one, one-to-many, and many-to-many, but here we focus on the concept of masquerading.
With a masquerading setup, your home router takes many private IPs and translates them into one public IP when accessing the Internet. However, when an unsolicited request comes from the Internet to your home router, it can’t reach the devices with the private IPs on your home network. This is good, basic security for your home network. It also saves public IP addresses, which have been in short supply for decades. Of course, IPv6 is now available to address this shortage of IPv4 addresses, but IPv4 is still the addressing system used most at this time.
This diagram shows more detail on a masquerading setup, and this is where packet mangling comes into play. As part of the NAT process, an IP packet is mangled in the router’s mangle table by modifying the header’s source IP and destination IP addresses. So, when a laptop with the private IP 192.168.1.3 sends a request to the public IP 188.8.131.52, the router’s mangle table says something along the lines of, “Okay, I’m changing the private (source) IP 192.168.1.3 to be the router’s public IP 184.108.40.206”. The router also keeps track of this connection in another table. Then, the website at the public IP address 188.8.131.52 sends reply data back to the router on (destination IP) 184.108.40.206, and the router remembers the connection and mangles the destination IP address from 184.108.40.206 to 192.168.1.3 so that the response is delivered to the originating laptop. All of this happens in a fraction of a second, many times over.
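To make the walk-through above concrete, here is an added example (not code from the article or from OpenVPN) that simulates a masquerading router in Python. The addresses are constructed from the RFC 5737 documentation ranges, not taken from the diagram. It goes one step beyond the text: real masquerading rewrites the source port as well as the source IP, which is what lets two LAN hosts that happen to use the same source port share one public address. The connection-tracking table is what turns an inbound reply back into a packet for the originating laptop, and an inbound packet that matches no tracked connection is dropped, which is the “can’t reach the private devices” property described earlier.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed sample addressing (documentation ranges, not the article's diagram).
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_PUBLIC_IP = "203.0.113.10"     # the router's single public address
WEB_SERVER_IP = "198.51.100.80"       # a remote website


@dataclass(frozen=True)
class Packet:
    """Just the header fields NAT cares about, plus a payload for readability."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Masquerader:
    """Toy many-to-one NAT: mangle outbound source IP/port, un-mangle replies."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # Connection tracking: (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.conntrack: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # Reverse index so repeated packets of one flow keep the same public port
        self.flow_port: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: rewrite the source to the router's public IP and a port."""
        if ipaddress.ip_address(pkt.src_ip) not in LAN:
            return None  # not ours to masquerade
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.flow_port.get(flow)
        if port is None:
            port = self.next_port          # a fresh public port identifies this flow
            self.next_port += 1
            self.flow_port[flow] = port
            self.conntrack[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only tracked replies get their destination rewritten."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.conntrack.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # unsolicited: no private device is reachable this way
        lan_ip, lan_port = entry
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Packet]:
    """Run the article's laptop-to-website exchange plus a second LAN host."""
    nat = Masquerader(ROUTER_PUBLIC_IP)
    # Laptop 192.168.1.3 asks the website for a page.
    mangled = nat.outbound(Packet("192.168.1.3", 51000, WEB_SERVER_IP, 443, "GET /"))
    # The website replies to what it saw: the router's public IP and port.
    reply = nat.inbound(Packet(WEB_SERVER_IP, 443, ROUTER_PUBLIC_IP, mangled.src_port, "200 OK"))
    # Someone on the Internet knocks on the router's public IP with no prior flow.
    dropped = nat.inbound(Packet("198.51.100.99", 12345, ROUTER_PUBLIC_IP, 22, "SYN"))
    # A second laptop uses the same source port; it must get a different public port.
    second = nat.outbound(Packet("192.168.1.4", 51000, WEB_SERVER_IP, 443, "GET /"))
    return mangled, reply, dropped, second


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "unsolicited", "second host"), demo()):
        print(f"{label:12}: {pkt}")
```

Running the block prints the mangled outbound packet (source now 203.0.113.10:40000), the reply re-addressed to 192.168.1.3:51000, `None` for the unsolicited packet, and the second host's packet carrying public port 40001.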
The phrase itself does sound ominous; in this era of murder mystery podcasts and true crime documentaries, ‘mangling’ rarely comes up in a positive context. But know that the process is a standard — and helpful! — part of any strong network security setup.