NAT Traversal: Difference between revisions

Full Cone NAT

A private host (PH) sends an initial request to A. As a result, the NAT router opens a public endpoint. Every connection to any remote host from PH's port A will be mapped to the same port A' at the NAT router. If PH uses port B, the mapping will be B' and not A'.
Now NAT's endpoint is availiable to all remote hosts. Every host may send a message from any source port to NAT's endpoint.

Restricted Cone NAT

The behavior of Restricted Cone NATs is nearly the same as Full Cone NATs, except that not every other host may send a message to the public endpoint. Depending on the implementation, NAT router rejects the packet or simply drops it.
In case the PH sends a message to another remote host, this host will be able to give an answer. Whether the same NAT endpoint is used or not depends on the port PH uses for sending the message (see above).

Port Restricted Cone NAT

This type of NAT implements a stronger restriction then Restricted NAT. The restriction now focusses on the target port (and the target host since it is a higher restriction).

Symmetric NAT

Here are the highest restrictions. In opposition to cone NATs, every target host and port will be mapped to another endpoint. While Cone NATs use the same endpoint for every PH's source port, Symmetric NAT uses different endpoints. One endpoint mapps to exactly one (IP,Port_R,Port_PH)-Tuple. Port_R means remote port, Port_PH means private host's source port.

Hole punching deals with the problem two clients behind NAT routers have when they want to establish direct connections. Here, a client A cannot establish a connection with client B, because B is behind a NAT and vice versa. However, using a slightly modified STUN server enables both clients to obtain the public NAT endpoint addresses and the clients' private addresses.

Now hole punching can be tried: both clients send messages to one another. Now, the following happens: client A's message is the first one. It will be rejected or dropped at B's NAT. Hence, A's NAT opened a public endpoint for A's connection. Now, B sends his message. This message will be forwarded by A's NAT. As a result, both NATs have open endpoints; direct communication is established.

One special case is when A and B send their messages synchronously. Here, both messages will reach their targets.

The watchful reader already noticed: What about Symmetric NAT? That's the problem case hole punching cannot handle. We require public endpoint addresses obtained by STUN; so here is the failure. Symmetric NAT assigns different endpoints to different communication partners, so connection attempts from other servers than the STUN server automatically fail.

Since hole punching works for two clients behind different NATs, we now focus on a special case when two clients are behind the same NAT. Remember the restrictions to STUN protocol: the clients may find out they are behind the same NAT, but they actually do not know whether they are in the same private network (--> cascaded NATs).
Now the clients can try normal hole punching. If this works or not depends on the NAT's ability of doing so-called hairpin translation. Since clients from private network try to connect to NAT's public addresses, the NAT may deny this communication. In the best case, the NAT will translate the request internally by opening a direct route to the NATed client. Also possible were to send the request to the internet and receive it like a normal request, but this is inefficient.
To achieve the best performance, clients may try to connect to the private address obtained from STUN server. If the clients are located in the same subnet, this will work. By the way, this is a possible method for traversing symmetric NATs.