NAT Traversal: Difference between revisions

Line 30: Line 30:
<td>
<td>
<b>Full Cone NAT</b><br/><br/>
<b>Full Cone NAT</b><br/><br/>
A private host sends an initial request to A. As a result, the NAT router opens a public endpoint. Every connection to any remote host from PH's port A will be mapped to the same port A' at the NAT router.<br/>
A private host sends an initial request to A. As a result, the NAT router opens a public endpoint. Every connection to any remote host from PH's port A will be mapped to the same port A' at the NAT router. If PH uses port B, the mapping will be B' and not A'.<br/>
Now NAT's endpoint is availiable to all remote hosts. Every host may send a message from any source port to NAT's endpoint.
Now NAT's endpoint is availiable to all remote hosts. Every host may send a message from any source port to NAT's endpoint.
</td>
</td>
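Review bot: "availiable" is misspelled in both the old and the new Full Cone text (should be "available"). The added sentence "If PH uses port B, the mapping will be B' and not A'" is a useful clarification, but the letter A is now used both for the remote host ("an initial request to A") and for PH's source port ("PH's port A"); naming the remote host differently would remove the ambiguity.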
Line 43: Line 43:
<td>
<td>
<b>Restricted Cone NAT</b><br/><br/>
<b>Restricted Cone NAT</b><br/><br/>
The behavior of Restricted Cone NATs is nearly the same as Full Cone NATs, except that not every other host may send a message to the public endpoint. Depending on the implementation, NAT router rejects the packet or simply drops it.<br/>
A private host sends an initial request to A. As a result, the NAT router opens a public endpoint. Every connection to any remote host from PH's port A will be mapped to the same port A' at the NAT router.<br/>
In case the PH sends a message to another remote host, this host will be able to give an answer. Whether the same NAT endpoint is used or not depends on the port PH uses for sending the message (see above).
Now NAT's endpoint is availiable to all remote hosts. Every host may send a message from any source port to NAT's endpoint.
</td>
</td>
<td>
<td>
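Review bot: the new Restricted Cone text says that "not every other host may send a message to the public endpoint" and that the NAT "rejects the packet or simply drops it", but it never states the rule for which hosts are allowed; the second new sentence implies it (a host PH has already sent to may answer), so say that explicitly in the first sentence. Minor grammar: "NAT router rejects" should read "the NAT router rejects".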
Line 56: Line 56:
<td>
<td>
<b>Port Restricted Cone NAT</b><br/><br/>
<b>Port Restricted Cone NAT</b><br/><br/>
This type of NAT implements a stronger restriction then Restricted NAT. The restriction now focusses on the target port (and the target host since it is a higher restriction).
A private host sends an initial request to A. As a result, the NAT router opens a public endpoint. Every connection to any remote host from PH's port A will be mapped to the same port A' at the NAT router.<br/>
Now NAT's endpoint is availiable to all remote hosts. Every host may send a message from any source port to NAT's endpoint.
</td>
</td>
<td>
<td>
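Review bot: in the new Port Restricted Cone sentence, "then" should be "than" and "focusses" should be "focuses". The replacement also drops the concrete description the old (copied Full Cone) text had without adding one for this type; one sentence stating the rule implied here, that an incoming packet is only forwarded if it comes from the remote host and port PH previously sent to, would give the reader something to compare against the other cells.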
Line 69: Line 68:
<td>
<td>
<b>Symmetric NAT</b><br/><br/>
<b>Symmetric NAT</b><br/><br/>
Here are the highest restrictions. In opposition to cone NATs, every target host and port will be mapped to another endpoint. While Cone NATs use the same endpoint for every PH's source port, Symmetric NAT uses different endpoints. One endpoint mapps to exactly one (IP,Port_R,Port_PH)-Tuple. Port_R means remote port, Port_PH means private host's source port.
Blub
</td>
</td>
<td>
<td>
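Review bot: replacing the "Blub" placeholder with real text is the right change; "mapps" should be "maps", and "In opposition to cone NATs" reads better as "In contrast to cone NATs". The tuple (IP,Port_R,Port_PH) defines Port_R and Port_PH but not IP; since the sentence before says "every target host and port", state that IP is the remote host's address.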

Revision as of 23:27, 10 February 2006

Note: work in progress

Overview

NAT (Network Address Translation) is widely used to connect private networks to the internet. The main idea is to map several private IP addresses to only one public IP address. Keeping in mind that P2P network clients should be able to communicate with each other, one basic question comes to mind: how can internet hosts communicate with a host in a private network? We will first have a look at NAT itself and the problems it brings. Then we show how to traverse NATs, either by changing the router's configuration or by using other tricks.

Network Address Translation

A network address is simply the IP address (plus the port number for UDP/TCP). A NAT router receives an outgoing IP packet, saves the sender's address in its NAT table, rewrites the sender address to one of its public addresses and sends the packet to the destination address. From now on, the NAT router accepts incoming packets on this public address (the NAT endpoint) and forwards them to the private host. The most important facts are:

  • The mapping depends on the sender's port number. If the private host uses two different outgoing port numbers, the NAT endpoints will differ.
  • The private host has to send first. Otherwise no incoming packets will be forwarded to the private host.

The behavior of the NAT router is not standardized. The only thing that works with every NAT router is a simple request and answer: the remote host answers the request using the same port number the client used for it. Some NATs allow replies from other ports or even other hosts, and some use a different endpoint mapping for every session.


According to their behavior, NATs can be classified into four types:

  • Full Cone
  • Restricted Cone
  • Port Restricted Cone
  • Symmetric

Full Cone NAT

A private host (PH) sends an initial request to remote host A. As a result, the NAT router opens a public endpoint. Every connection to any remote host from PH's port A will be mapped to the same port A' at the NAT router. If PH uses port B, the mapping will be B' and not A'.
Now the NAT's endpoint is available to all remote hosts. Every host may send a message from any source port to the NAT's endpoint.

Figure 1: Full Cone NAT

Restricted Cone NAT

The behavior of Restricted Cone NATs is nearly the same as that of Full Cone NATs, except that not every other host may send a message to the public endpoint. Depending on the implementation, the NAT router rejects the packet or simply drops it.
If PH sends a message to another remote host, that host will be able to give an answer. Whether the same NAT endpoint is used or not depends on the port PH uses for sending the message (see above).

Figure 2: Restricted Cone NAT

Port Restricted Cone NAT

This type of NAT implements a stronger restriction than the Restricted Cone NAT. The restriction now focuses on the target port (and, since it is a stricter check, on the target host as well).

Figure 3: Port Restricted Cone NAT

Symmetric NAT

This type has the strongest restrictions. In contrast to cone NATs, every target host and port is mapped to a different endpoint. While cone NATs use the same endpoint for each of PH's source ports regardless of the destination, a Symmetric NAT uses different endpoints. One endpoint maps to exactly one (IP, Port_R, Port_PH) tuple, where IP is the remote host's address, Port_R the remote port and Port_PH the private host's source port.

Figure 4: Symmetric NAT
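The mapping rules from the Network Address Translation section and the four classifications above can be made concrete with a small simulator. The following is an added example, not code from the original page: it models a NAT with one public IP (assumed to be 203.0.113.1) that allocates public ports sequentially (assumed to start at 40000), records which remote endpoints the private host has contacted, and applies the forwarding rule of each type to incoming packets. All addresses and ports are constructed sample values; the class names `Nat` and `Mapping` and the function `classify_demo` are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

FULL_CONE = "full cone"
RESTRICTED_CONE = "restricted cone"
PORT_RESTRICTED_CONE = "port restricted cone"
SYMMETRIC = "symmetric"


@dataclass
class Mapping:
    private: Endpoint                                   # (PH address, PH source port)
    peers: Set[Endpoint] = field(default_factory=set)   # remote endpoints PH has sent to


class Nat:
    """Toy model of the four NAT types (assumed: one public IP, sequential ports)."""

    def __init__(self, nat_type: str, public_ip: str = "203.0.113.1", first_port: int = 40000):
        self.nat_type = nat_type
        self.public_ip = public_ip
        self._next_port = first_port
        self.table: Dict[int, Mapping] = {}    # public port -> mapping
        self._by_key: Dict[tuple, int] = {}    # mapping key -> public port

    def _key(self, private: Endpoint, remote: Endpoint) -> tuple:
        # Cone NATs key the mapping on the PH endpoint only, so the same source
        # port always gets the same public port.  A symmetric NAT keys it on the
        # (PH, remote) tuple, so every new remote endpoint gets a new public port.
        if self.nat_type == SYMMETRIC:
            return (private, remote)
        return (private,)

    def outbound(self, private: Endpoint, remote: Endpoint) -> Endpoint:
        """PH sends a packet; returns the public endpoint the NAT used for it."""
        key = self._key(private, remote)
        port = self._by_key.get(key)
        if port is None:                       # first packet for this key: open an endpoint
            port = self._next_port
            self._next_port += 1
            self._by_key[key] = port
            self.table[port] = Mapping(private)
        self.table[port].peers.add(remote)     # remember who PH talked to through this endpoint
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, public_port: int) -> Optional[Endpoint]:
        """A packet arrives at a public port; returns the PH endpoint it is forwarded to, or None."""
        m = self.table.get(public_port)
        if m is None:
            return None                        # PH never sent first: nothing is forwarded
        if self.nat_type == FULL_CONE:
            allowed = True                     # any host, any source port
        elif self.nat_type == RESTRICTED_CONE:
            allowed = src[0] in {ip for ip, _ in m.peers}   # host PH sent to, any port
        else:
            # Port restricted cone and symmetric: exact remote host and port PH sent to.
            # For symmetric NATs m.peers holds exactly one endpoint, since each
            # remote endpoint has its own mapping.
            allowed = src in m.peers
        return m.private if allowed else None


def classify_demo(nat_type: str) -> Dict[str, bool]:
    """Run one scenario through a NAT of the given type and report what it did."""
    nat = Nat(nat_type)
    ph = ("10.0.0.5", 5000)                                   # private host, source port 5000
    a, b = ("198.51.100.10", 3478), ("198.51.100.20", 3478)   # two remote hosts
    ep_a = nat.outbound(ph, a)                                # PH -> A from port 5000
    ep_b = nat.outbound(ph, b)                                # PH -> B from port 5000
    ep_a2 = nat.outbound(("10.0.0.5", 6000), a)               # PH -> A from port 6000
    port = ep_a[1]                                            # public port opened by the first packet
    return {
        "same endpoint for A and B": ep_a == ep_b,
        "new source port gives new endpoint": ep_a2 != ep_a,
        "reply from A": nat.inbound(a, port) == ph,
        "A from other port": nat.inbound((a[0], 9999), port) == ph,
        "B to A's endpoint": nat.inbound(b, port) == ph,
        "unsolicited host C": nat.inbound(("192.0.2.7", 3478), port) == ph,
    }


if __name__ == "__main__":
    for t in (FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC):
        print(t)
        for check, result in classify_demo(t).items():
            print(f"  {check:36s} {result}")
```

Running it prints one table per type. The two cone/symmetric differences the text describes are visible in the first two rows ("same endpoint for A and B" is only False for the symmetric NAT, while a new source port always gives a new endpoint), and the filtering rules show up in the last three rows: only the full cone forwards the unsolicited packet from host C, and only the port-restricted and symmetric types drop A's packet when it comes from a different source port.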

Router configuration

Port forwarding

UPnP

STUN

TURN

Hole punching

Text

NAT and Voice over IP

References