Port triggering

Port triggering is a configuration option on a NAT-enabled router that controls communication between internal and external host machines in an IP network. It is similar to port forwarding in that it enables incoming traffic to be forwarded to a specific internal host machine, although the forwarded port is not open permanently and the target internal host machine is chosen dynamically. [1] [2] [3]

Description

When two networks communicate through a NAT-router, the host machines on the internal network behave as if they have the IP address of the NAT-router from the perspective of the host machines on the external network. Without any traffic forwarding rules, it is impossible for a host machine on an external network (host B) to open a connection to a host machine in the internal network (host A). This is because the connection can only be targeted to the IP of the NAT-router, since the internal network is hidden behind NAT. With port triggering, when some host A opens a connection to a host B using a predefined port or ports, then all incoming traffic that the router receives on some predefined port or ports is forwarded to host A. This is the 'triggering' event for the forwarding rule. The forwarding rule is disabled after a period of inactivity. [2]

Port triggering is useful for network applications where the client and server roles must be switched for certain tasks, such as authentication for IRC chat and file downloading for FTP file sharing.

Example

As an example of how port triggering operates, when connecting to IRC (Internet Relay Chat), it is common to authenticate a username with the Ident protocol via port 113.

When connecting to IRC, the client computer typically makes an outgoing connection on port 6667 (or any port in the range 6660–7000), causing the IRC server to attempt to verify the given username by making a new connection back to the client computer on port 113. When the computer is behind NAT, the NAT device silently drops this connection because it does not know to which computer behind the NAT it should send the connection request. These two transport-level connections are both necessary for the application-level connection to the IRC server to succeed (see Internet protocol suite). Since the second TCP/IP connection is not possible, the attempted connection to the IRC server will fail.

In the case of port triggering, the router is configured so that when an outbound connection is established on any port from 6660 to 7000, it should allow inbound connections to that particular computer on port 113. This gives it more flexibility than static port forwarding because it is not necessary to set it up for a specific address on your network, allowing multiple clients to connect to IRC servers through the NAT-router. Security is also gained, in the sense that the inbound port is not left open when not actively in use.

Disadvantages

Port triggering has the disadvantage that it binds the triggered port to a single client at a time. As long as the port is bound to that particular client, port triggering is effectively unavailable to all other clients. In FTP file sharing, for example, this means that no two clients can download files simultaneously from an FTP server running in "active mode". For IRC, even though the authentication step happens very quickly, the port triggering timeout may still prevent other clients from logging into IRC servers. Port triggering is unsuitable for servers behind a NAT router because it relies on the local computer to make an outgoing connection before it can receive incoming ones. On some routers it is possible to have more than one client use port triggering and port forwarding, but not simultaneously.
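The trigger, forward, idle-timeout and single-client-binding behaviour described in the Example and Disadvantages sections above, as an added simulation that is not part of the original article; the internal addresses, the 6660–7000 trigger range with inbound port 113, and the 30-second idle timeout are constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class TriggerRule:
    trigger_ports: range            # outbound destination ports that fire the rule
    inbound_port: int               # external port opened toward the triggering host
    idle_timeout: float             # seconds of inactivity before the rule closes
    bound_host: Optional[str] = None  # internal host currently holding the port
    last_seen: float = 0.0

@dataclass
class PortTriggerNAT:
    """Constructed model of a NAT router's port-triggering logic (not vendor code)."""
    rule: TriggerRule
    log: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # The forwarding entry is disabled after a period of inactivity.
        if self.rule.bound_host and now - self.rule.last_seen > self.rule.idle_timeout:
            self.rule.bound_host = None

    def outbound(self, src_host: str, dst_port: int, now: float) -> None:
        """Internal host src_host opens a connection to external port dst_port."""
        self._expire(now)
        if dst_port not in self.rule.trigger_ports:
            return
        if self.rule.bound_host in (None, src_host):
            # Trigger fires: bind (or refresh) the inbound port to this host.
            self.rule.bound_host, self.rule.last_seen = src_host, now
            self.log.append(f"trigger {src_host}")
        else:
            # Disadvantage: the inbound port is already bound to another client.
            self.log.append(f"busy {src_host}")

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Packet arriving on the external side; return the internal target or None."""
        self._expire(now)
        if dst_port == self.rule.inbound_port and self.rule.bound_host:
            self.rule.last_seen = now
            return self.rule.bound_host
        return None  # no active trigger: silently dropped, as with plain NAT

if __name__ == "__main__":
    nat = PortTriggerNAT(TriggerRule(range(6660, 7001), 113, 30.0))
    print(nat.inbound(113, 0.0))           # None: no outbound trigger yet
    nat.outbound("10.0.0.5", 6667, 1.0)    # IRC connect fires the trigger
    print(nat.inbound(113, 2.0))           # 10.0.0.5: Ident request forwarded
    nat.outbound("10.0.0.6", 6667, 3.0)    # second client finds the port bound
    print(nat.log)
```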

References

  1. "Port Triggering". www.webopedia.com.
  2. "Port Triggering on Routers". sbkb.cisco.com. Archived from the original on 2018-06-28. Retrieved 2017-12-31.
  3. "Difference between Port Forwarding and Port Triggering". www.linksys.com.