NAT traversal

Last updated February 21, 2024

Network address translation traversal is a computer networking technique of establishing and maintaining Internet Protocol connections across gateways that implement network address translation (NAT).

Network address translation

Network address translation typically uses private IP addresses on private networks with a single public IP address for the router facing the Internet. The network address translator changes the source address in network protocols for outgoing requests from that of an internal device to its external address, so that internal devices can communicate with hosts on the external network, while relaying replies back to the originating device.

This leaves the internal network ill-suited for hosting services, as the NAT device has no automatic method for determining the internal host for which incoming packets from the external network are destined. This is not a problem for general web access and email. However, applications such as peer-to-peer file sharing, VoIP services, and video game consoles require clients to be servers as well. Incoming requests cannot be easily correlated to the proper internal host. Furthermore, many of these types of services carry IP address and port number information in the application data, potentially requiring substitution with deep packet inspection.

Network address translation technologies are not standardized. As a result, the methods used for NAT traversal are often proprietary and poorly documented. Many traversal techniques require assistance from servers outside of the masqueraded network. Some methods use the server only when establishing the connection, while others are based on relaying all data through it, which increases the bandwidth requirements and latency, detrimental to real-time voice and video communications.

NAT traversal techniques usually bypass enterprise security policies. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. IETF standards based on this security model are Realm-Specific IP (RSIP) and middlebox communications (MIDCOM).

Techniques

Various NAT traversal techniques have been developed:

NAT Port Mapping Protocol (NAT-PMP) is a protocol introduced by Apple as an alternative to IGDP.
Port Control Protocol (PCP) is a successor of NAT-PMP.
UPnP Internet Gateway Device Protocol (UPnP IGD) is supported by many small NAT gateways in home or small office settings. It allows a device on a network to ask the router to open a port.
Interactive Connectivity Establishment (ICE) is a complete protocol for using STUN and/or TURN to do NAT traversal while picking the best network route available. It fills in some of the missing pieces and deficiencies that were not mentioned by STUN specification.
Session Traversal Utilities for NAT (STUN) is a standardized set of methods and a network protocol for NAT hole punching. It was designed for UDP but was also extended to TCP.
Traversal Using Relays around NAT (TURN) is a relay protocol designed specifically for NAT traversal.
NAT hole punching is a general technique that exploits how NATs handle some protocols (for example, UDP, TCP, or ICMP) to allow previously blocked packets through the NAT.
Socket Secure (SOCKS) is a technology created in the early 1990s that uses proxy servers to relay traffic between networks or systems.
Application-level gateway (ALG) techniques are a component of a firewall or NAT that provides configureable NAT traversal filters.^[2] It is claimed that this technique creates more problems than it solves.^[3]

Symmetric NAT

The recent proliferation of symmetric NATs has reduced NAT traversal success rates in many practical situations, such as for mobile and public WiFi connections. Hole punching techniques, such as STUN and ICE, fail in traversing symmetric NATs without the help of a relay server, as is practiced in TURN. Techniques that traverse symmetric NATs by attempting to predict the next port to be opened by each NAT device were discovered in 2003 by Yutaka Takeda at Panasonic Communications Research Laboratory^[4] and in 2008 by researchers at Waseda University.^[5] Port prediction techniques are only effective with NAT devices that use known deterministic algorithms for port selection. This predictable yet non-static port allocation scheme is uncommon in large scale NATs such as those used in 4G LTE networks and therefore port prediction is largely ineffective on those mobile broadband networks.

IPsec

IPsec virtual private network clients use NAT traversal in order to have Encapsulating Security Payload packets traverse NAT. IPsec uses several protocols in its operation which must be enabled to traverse firewalls and network address translators:

Internet Key Exchange (IKE) – User Datagram Protocol (UDP) port 500
Encapsulating Security Payload (ESP) – IP protocol number 50
Authentication Header (AH) – IP protocol number 51
IPsec NAT traversal – UDP port 4500, if and only if NAT traversal is in use

Many routers provide explicit features, often called IPsec Passthrough.^{[ citation needed ]}

In Windows XP, NAT traversal is enabled by default, but in Windows XP with Service Pack 2 it has been disabled by default for the case when the VPN server is also behind a NAT device, because of a rare and controversial security issue.^[6] IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.^{[ citation needed ]}

NAT traversal and IPsec may be used to enable opportunistic encryption of traffic between systems. NAT traversal allows systems behind NATs to request and establish secure connections on demand.

Hosted NAT traversal

Hosted NAT traversal (HNT) is a set of mechanisms, including media relaying and latching, that is widely used by communications providers for historical and practical reasons.^[7] The IETF advises against using latching over the Internet and recommends ICE for security reasons.^[8]

IETF standards documents

RFC 1579 – Firewall Friendly FTP
RFC 2663 – IP Network Address Translator (NAT) Terminology and Considerations
RFC 2709 – Security Model with Tunnel-mode IPsec for NAT Domains
RFC 2993 – Architectural Implications of NAT
RFC 3022 – Traditional IP Network Address Translator (Traditional NAT)
RFC 3027 – Protocol Complications with the IP Network Address Translator (NAT)
RFC 3235 – Network Address Translator (NAT)-Friendly Application Design Guidelines
RFC 3715 – IPsec-Network Address Translation (NAT) Compatibility
RFC 3947 – Negotiation of NAT-Traversal in the IKE^{[ clarification needed ]}
RFC 5128 – State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
RFC 5245 – Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols

Related Research Articles

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

In computing, Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication ‒ either pre-shared or distributed using DNS ‒ and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. In addition, a security policy for every peer which will connect must be manually maintained.

In computing, a stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, is a security feature often used in non-commercial and business networks.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

STUN is a standardized set of methods, including a network protocol, for traversal of network address translator (NAT) gateways in applications of real-time voice, video, messaging, and other interactive communications.

In computer networking, Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but have no native connection to an IPv6 network. Unlike similar protocols such as 6to4, it can perform its function even from behind network address translation (NAT) devices such as home routers.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It can, for example, allow private network communications to be sent across a public network, or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

<span class="mw-page-title-main">LogMeIn Hamachi</span> Virtual private network application

LogMeIn Hamachi is a virtual private network (VPN) application developed and released in 2004 by Alex Pankratov. It is capable of establishing direct links between computers that are behind network address translation (NAT) firewalls without requiring reconfiguration. Like other VPNs, it establishes a connection over the Internet that emulates the connection that would exist if the computers were connected over a local area network (LAN).

UDP hole punching is a commonly used technique employed in network address translation (NAT) applications for maintaining User Datagram Protocol (UDP) packet streams that traverse the NAT. NAT traversal techniques are typically required for client-to-client networking applications on the Internet involving hosts connected in private networks, especially in peer-to-peer, Direct Client-to-Client (DCC) and Voice over Internet Protocol (VoIP) deployments.

Traversal Using Relays around NAT (TURN) is a protocol that assists in traversal of network address translators (NAT) or firewalls for multimedia applications. It may be used with the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). It is most useful for clients on networks masqueraded by symmetric NAT devices. TURN does not aid in running servers on well known ports in the private network through a NAT; it supports the connection of a user behind a NAT to only a single peer, as in telephony, for example.

Interactive Connectivity Establishment (ICE) is a technique used in computer networking to find ways for two computers to talk to each other as directly as possible in peer-to-peer networking. This is most commonly used for interactive media such as Voice over Internet Protocol (VoIP), peer-to-peer communications, video, and instant messaging. In such applications, communicating through a central server would be slow and expensive, but direct communication between client applications on the Internet is very tricky due to network address translators (NATs), firewalls, and other network barriers.

A middlebox is a computer networking device that transforms, inspects, filters, and manipulates traffic for purposes other than packet forwarding. Examples of middleboxes include firewalls, network address translators (NATs), load balancers, and deep packet inspection (DPI) devices.

Hole punching is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To punch a hole, each client connects to an unrestricted third-party server that temporarily stores external and internal address and port information for each client. The server then relays each client's information to the other, and using that information each client tries to establish direct connection; as a result of the connections using valid port numbers, restrictive firewalls or routers accept and forward the incoming packets on each side.

An application-level gateway is a security component that augments a firewall or NAT employed in a mobile network. It allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, BitTorrent, SIP, RTSP, file transfer in IM applications. In order for these protocols to work through NAT or a firewall, either the application has to know about an address/port number combination that allows incoming packets, or the NAT has to monitor the control traffic and open up port mappings dynamically as required. Legitimate application data can thus be passed through the security checks of the firewall or NAT that would have otherwise restricted the traffic for not meeting its limited filter criteria.

The Skype protocol is a proprietary Internet telephony network used by Skype. The protocol's specifications have not been made publicly available by Skype and official applications using the protocol are closed-source.

TCP NAT traversal and TCP hole punching in computer networking occurs when two hosts behind a network address translation (NAT) are trying to connect to each other with outbound TCP connections. Such a scenario is particularly important in the case of peer-to-peer communications, such as Voice-over-IP (VoIP), file sharing, teleconferencing, chat systems and similar applications.

Realm-Specific IP was an experimental IETF framework and protocol intended as an alternative to network address translation (NAT) in which the end-to-end integrity of packets is maintained.

<span class="mw-page-title-main">ICMP hole punching</span> NAT technique in computer networking

ICMP hole punching is a technique employed in network address translator (NAT) applications for maintaining Internet Control Message Protocol (ICMP) packet streams that traverse the NAT. NAT traversal techniques are typically required for client-to-client networking applications on the Internet involving hosts connected in private networks, especially in peer-to-peer and Voice over Internet Protocol (VoIP) deployments.

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

Port Control Protocol (PCP) is a computer networking protocol that allows hosts on IPv4 or IPv6 networks to control how the incoming IPv4 or IPv6 packets are translated and forwarded by an upstream router that performs network address translation (NAT) or packet filtering. By allowing hosts to create explicit port forwarding rules, handling of the network traffic can be easily configured to make hosts placed behind NATs or firewalls reachable from the rest of the Internet, which is a requirement for many applications.

References

↑ "Firewall and NAT Traversal Explained". Eyeball Networks Inc. 2013-07-05. Archived from the original on 2013-10-19. Retrieved 2013-10-10.
↑ "NAT Traversal Techniques and Peer-to-Peer Applications". Helsinki University of Technology. CiteSeerX 10.1.1.103.1659 .{{cite journal}}: Cite journal requires |journal= (help)
↑ "Introduction to NAT". PJNATH Library. Retrieved 2016-05-30.
↑ "Symmetric NAT Traversal using STUN".
↑ "A New Method for Symmetric NAT Traversial in UDP and TCP" (PDF). Archived from the original (PDF) on 2017-02-02. Retrieved 2016-05-14.
↑ "IPSec NAT Traversal is not recommended for Windows Server 2003 computers that are behind network address translators". Microsoft knowledge base #885348.^{[ dead link ]}
↑ Latching: Hosted NAT Traversal (HNT) for Media in Real-Time Communication, RFC 7362 2014-09-01
↑ Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal, RFC 8445 2018-07-01

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[ntexpl-1] "Firewall and NAT Traversal Explained". Eyeball Networks Inc. 2013-07-05. Archived from the original on 2013-10-19. Retrieved 2013-10-10.

[techniquesHu-2] "NAT Traversal Techniques and Peer-to-Peer Applications". Helsinki University of Technology. CiteSeerX 10.1.1.103.1659 .{{cite journal}}: Cite journal requires |journal= (help)

[3] "Introduction to NAT". PJNATH Library. Retrieved 2016-05-30.

[draft-takeda-symmetric-nat-traversal-00-4] "Symmetric NAT Traversal using STUN".

[zieckey-study-code-5] "A New Method for Symmetric NAT Traversial in UDP and TCP" (PDF). Archived from the original (PDF) on 2017-02-02. Retrieved 2016-05-14.

[6] "IPSec NAT Traversal is not recommended for Windows Server 2003 computers that are behind network address translators". Microsoft knowledge base #885348.^{[ dead link ]}

[7] Latching: Hosted NAT Traversal (HNT) for Media in Real-Time Communication, RFC 7362 2014-09-01

[8] Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal, RFC 8445 2018-07-01

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]