NAT traversal
Network address translation traversal is a computer networking technique of establishing and maintaining Internet protocol connections across gateways that implement network address translation.
NAT traversal techniques are required for many network applications, such as peer-to-peer file sharing and Voice over IP.
Network address translation
NAT devices allow the use of private IP addresses on private networks behind routers with a single public IP address facing the Internet. The internal network devices communicate with hosts on the external network by changing the source address of outgoing requests to that of the NAT device and relaying replies back to the originating device.
This leaves the internal network ill-suited for hosting servers, as the NAT device has no automatic method of determining the internal host for which incoming packets are destined. This is not a problem for general web access and email, where the internal host always initiates the connection. However, applications such as peer-to-peer file sharing, VoIP services, and video game consoles require clients to act as servers as well, and incoming requests cannot easily be correlated to the proper internal host. Furthermore, many of these services carry IP address and port number information in the application data, which a NAT can only fix up by inspecting and rewriting the payload (deep packet inspection).
Network address translation technologies are not standardized. As a result, the methods used for NAT traversal are often proprietary and poorly documented. Many traversal techniques require assistance from servers outside of the masqueraded network. Some methods use the server only when establishing the connection, while others are based on relaying all data through it, which increases the bandwidth requirements and latency, detrimental to real-time voice and video communications.
NAT traversal techniques usually bypass enterprise security policies. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. IETF standards based on this security model are Realm-Specific IP and middlebox communications.
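As an added illustration (not part of the original article), the following Python model of a NAT translation table shows the address rewriting described above and why the hole-punching techniques listed in the next section succeed through a NAT with endpoint-independent mapping but fail through a symmetric NAT, where every new destination gets a fresh external port. The Nat and Packet classes, the private and public addresses and the rendezvous server are constructed for this example.

```python
"""Toy model of a NAT translation table, added to illustrate the address
rewriting described above and why UDP hole punching succeeds through a NAT
with endpoint-independent mapping but fails through a symmetric NAT.
Illustrative only; the class and function names are this example's own."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (IP address, UDP port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


class Nat:
    """One public IP; allocates a fresh external port per mapping.

    symmetric=False: endpoint-independent mapping (the same internal socket
    always gets the same external port, whatever the destination).
    symmetric=True: a new external port for every distinct destination.
    Either way, inbound packets are only accepted from a remote endpoint the
    internal host already sent to through that mapping (address-and-port-
    dependent filtering)."""

    def __init__(self, public_ip: str, symmetric: bool, first_port: int = 40000):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.next_port = first_port
        self.mappings: Dict[tuple, int] = {}                          # key -> external port
        self.table: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = {}    # ext port -> (internal, allowed remotes)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host sends: create or refresh a mapping, rewrite the source."""
        key = (pkt.src, pkt.dst) if self.symmetric else (pkt.src,)
        port = self.mappings.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.mappings[key] = port
            self.table[port] = (pkt.src, set())
        self.table[port][1].add(pkt.dst)          # this remote may now send back
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arrives on the public side: translate back or drop (None)."""
        if pkt.dst[0] != self.public_ip:
            return None
        entry = self.table.get(pkt.dst[1])
        if entry is None:
            return None                           # no mapping: unsolicited, dropped
        internal, allowed = entry
        if pkt.src not in allowed:
            return None                           # remote never contacted via this mapping
        return Packet(pkt.src, internal, pkt.payload)


# Constructed addresses (documentation ranges), not real hosts.
RENDEZVOUS = ("203.0.113.10", 3478)               # public server both peers can reach
A_PRIVATE = ("10.0.0.2", 5000)                    # peer A behind nat_a
B_PRIVATE = ("192.168.1.9", 5000)                 # peer B behind nat_b


def hole_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """Simulated UDP hole punching; True if traffic flows in both directions."""
    # 1. Each peer contacts the rendezvous server. The NAT creates a mapping and
    #    the server observes the peer's public (IP, port).
    a_public = nat_a.outbound(Packet(A_PRIVATE, RENDEZVOUS, b"register")).src
    b_public = nat_b.outbound(Packet(B_PRIVATE, RENDEZVOUS, b"register")).src
    # 2. The server hands each peer the other's observed address (out of band here).
    # 3. Both peers send to the learned address at the same time. Each outgoing
    #    packet adds the peer to the mapping's allowed set, i.e. "punches a hole".
    #    Through a symmetric NAT this instead allocates a new external port that
    #    the other side has never heard of, so its packets hit the old mapping.
    a_to_b = nat_a.outbound(Packet(A_PRIVATE, b_public, b"punch"))
    b_to_a = nat_b.outbound(Packet(B_PRIVATE, a_public, b"punch"))
    # 4. The punch packets reach the far NAT. (A real NAT may drop the very first
    #    one if it arrives before the hole opens; peers simply retransmit.)
    return nat_b.inbound(a_to_b) is not None and nat_a.inbound(b_to_a) is not None


def unsolicited_is_dropped(nat: Nat) -> bool:
    """An inbound packet with no matching mapping never reaches an internal host."""
    probe = Packet(("198.51.100.7", 1234), (nat.public_ip, 40000), b"scan")
    return nat.inbound(probe) is None


if __name__ == "__main__":
    print("cone <-> cone      :", hole_punch(Nat("192.0.2.1", False), Nat("192.0.2.2", False)))
    print("symmetric <-> cone :", hole_punch(Nat("192.0.2.1", True), Nat("192.0.2.2", False)))
    print("unsolicited dropped:", unsolicited_is_dropped(Nat("192.0.2.1", False)))
```

The model deliberately uses the strictest common filtering (address and port dependent); a NAT with address-dependent filtering would accept the symmetric peer's packet in one direction, which is why real implementations such as ICE probe rather than assume a NAT type.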
Techniques
The following NAT traversal techniques are available:
- Socket Secure (SOCKS) is a technology created in the early 1990s that uses proxy servers to relay traffic between networks or systems.
- Traversal Using Relays around NAT (TURN) is a relay protocol designed specifically for NAT traversal.
- NAT hole punching is a general technique that exploits how NATs handle some protocols to allow previously blocked packets through the NAT.
  - UDP hole punching
  - TCP hole punching
- Session Traversal Utilities for NAT (STUN) is a standardized set of methods and a network protocol for NAT hole punching; it lets a host behind a NAT learn the public address and port the NAT has assigned to it. It was designed for UDP but was also extended to TCP.
- Interactive Connectivity Establishment (ICE) is a complete protocol for using STUN and/or TURN to do NAT traversal while picking the best network route available. It fills in gaps the STUN specification leaves open, such as how candidate addresses are gathered, checked and prioritized.
- UPnP Internet Gateway Device Protocol (IGDP) is supported by many small NAT gateways in home or small office settings. It allows a device on a network to ask the router to open a port; since any device on the LAN can make that request, so can malware running on one.
- NAT-PMP is a protocol introduced by Apple as an alternative to IGDP.
- PCP (Port Control Protocol) is a successor of NAT-PMP.
- Application-level gateway (ALG) is a component of a firewall or NAT that allows for configuring NAT traversal filters. It is widely held that this technique creates more problems than it solves, because the ALG rewrites addresses inside protocol payloads and the endpoints often cannot tell what was changed.
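As an added example (not code from any STUN implementation or from the original article), the following Python shows the STUN Binding exchange from RFC 5389 on both sides: the request a host behind a NAT sends, the success response a public server returns carrying the source address it observed, and the client-side parser that recovers that reflexive address from the XOR-MAPPED-ADDRESS attribute. The constants are the RFC-defined values; the addresses and transaction ids are constructed test data.

```python
"""STUN (RFC 5389) Binding exchange: the request a NATed host sends and the
response a public STUN server returns, carrying the (IP, port) it observed.
Added example, not code from any STUN implementation; constants are the
RFC-defined values, sample addresses are constructed test data."""
import ipaddress
import os
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001        # legacy attribute, address sent in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020    # XORed so NAT ALGs that rewrite literal IPs miss it
FAMILY_IPV4, FAMILY_IPV6 = 0x01, 0x02
HEADER = "!HHI12s"                  # type, attribute length, magic cookie, transaction id


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """Client side: 20-byte header, no attributes, random 96-bit transaction id."""
    txid = os.urandom(12) if txid is None else txid
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def _xor_mask(txid: bytes) -> bytes:
    return struct.pack("!I", MAGIC_COOKIE) + txid     # IPv4 uses only the first 4 bytes


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Server side: echo the transaction id and report the source address it saw."""
    packed = ipaddress.ip_address(ip).packed
    family = FAMILY_IPV4 if len(packed) == 4 else FAMILY_IPV6
    xaddr = bytes(a ^ m for a, m in zip(packed, _xor_mask(txid)))
    value = struct.pack("!xBH", family, port ^ (MAGIC_COOKIE >> 16)) + xaddr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def _attributes(body: bytes):
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack_from("!HH", body, off)
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        yield atype, value
        off += 4 + alen + (-alen % 4)            # attribute values are padded to 4 bytes


def parse_binding_response(data: bytes, expected_txid: bytes) -> Tuple[str, int]:
    """Client side: validate the reply and return the reflexive (public) address."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, cookie, txid = struct.unpack_from(HEADER, data, 0)
    if cookie != MAGIC_COOKIE:
        raise ValueError("missing magic cookie: not RFC 5389 STUN")
    if txid != expected_txid:
        # STUN runs over plain UDP; the random id is what stops an off-path
        # attacker from feeding the client a bogus public address.
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    if len(data) != 20 + mlen:
        raise ValueError("length field does not match datagram size")
    plain = xored = None
    for atype, value in _attributes(data[20:]):
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or len(value) < 4:
            continue
        family, port = struct.unpack_from("!xBH", value, 0)
        addr = value[4:]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            addr = bytes(a ^ m for a, m in zip(addr, _xor_mask(txid)))
        expected_len = 4 if family == FAMILY_IPV4 else 16 if family == FAMILY_IPV6 else -1
        if len(addr) != expected_len:
            raise ValueError("malformed address attribute")
        result = (str(ipaddress.ip_address(addr)), port)
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            xored = result
        else:
            plain = result
    if xored is None and plain is None:
        raise ValueError("no mapped address in response")
    return xored if xored is not None else plain   # prefer the XORed attribute


def discover_public_address(ip_seen_by_server: str, port_seen_by_server: int) -> Tuple[str, int]:
    """Whole exchange run in-process: the server's view stands in for the network."""
    txid = os.urandom(12)
    request = build_binding_request(txid)
    assert len(request) == 20
    reply = build_binding_response(txid, ip_seen_by_server, port_seen_by_server)
    return parse_binding_response(reply, txid)


if __name__ == "__main__":
    print(discover_public_address("203.0.113.5", 40000))
```

The address a STUN server reports is the NAT mapping it saw; it only predicts the mapping a different peer will see when the NAT has endpoint-independent mapping, which is why ICE runs connectivity checks against candidates instead of trusting a single STUN answer.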
Symmetric NAT
IPsec
IPsec VPN clients use NAT traversal (NAT-T) so that Encapsulating Security Payload packets can cross a NAT. IPsec uses several protocols in its operation which must be enabled to traverse firewalls and network address translators:
- Internet Key Exchange (IKE): UDP port 500
- Encapsulating Security Payload (ESP): IP protocol number 50
- Authentication Header (AH): IP protocol number 51
- IPsec NAT traversal: UDP port 4500, if and only if NAT traversal is in use; once a NAT is detected, IKE moves to this port and ESP is carried inside UDP on it.
AH cannot be made to traverse a NAT at all, since it authenticates the IP header, including the source address that the NAT rewrites.
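As an added example (not from any IPsec stack or from the original article), the following Python shows what a receiver has to distinguish on UDP port 4500 once NAT-T is negotiated: a one-byte NAT-keepalive, an IKE message prefixed with the four-byte non-ESP marker of RFC 3948, or a UDP-encapsulated ESP packet whose first four bytes are its (never zero) SPI. The sample IKEv2 header and ESP packet are constructed here; the exchange-type and flag values are the ones RFC 7296 defines.

```python
"""Demultiplexer for the three things that can arrive on UDP port 4500 once
IPsec NAT traversal (RFC 3947/3948) is in use: a NAT-keepalive, IKE with a
4-byte non-ESP marker, or UDP-encapsulated ESP. Added example, not from any
IPsec stack; the sample datagrams are constructed here."""
import struct
from typing import Any, Dict

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"      # IKE on 4500 is prefixed with this; an ESP SPI is never 0
NAT_KEEPALIVE = b"\xff"                   # one-byte datagram that only refreshes the NAT mapping
IKE_HEADER = "!8s8sBBBBII"                # SPIs, next payload, version, exchange type, flags, msg id, length
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20


def encapsulate_ike(ike_message: bytes) -> bytes:
    """Sender side for IKE after it has moved from UDP 500 to 4500."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """Sender side for ESP: the ESP packet is the UDP payload with no extra header."""
    if len(esp_packet) < 8:
        raise ValueError("ESP packet needs SPI and sequence number")
    spi = struct.unpack_from("!I", esp_packet, 0)[0]
    if spi == 0:
        raise ValueError("SPI 0 would be mistaken for the non-ESP marker")
    return esp_packet


def classify_nat_t_payload(payload: bytes) -> Dict[str, Any]:
    """Receiver side: decide what a UDP/4500 payload is, rejecting malformed input."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        raise ValueError("too short for ESP (SPI + sequence number)")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:
            raise ValueError("IKE header truncated")
        spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = struct.unpack_from(IKE_HEADER, ike, 0)
        if length != len(ike):                    # over UDP there is one IKE message per datagram
            raise ValueError("IKE length field does not match datagram")
        return {"kind": "ike", "major": version >> 4, "minor": version & 0x0F,
                "exchange": IKEV2_EXCHANGES.get(exchange, exchange), "message_id": msg_id,
                "initiator": bool(flags & FLAG_INITIATOR), "response": bool(flags & FLAG_RESPONSE)}
    spi, seq = struct.unpack_from("!II", payload, 0)
    return {"kind": "esp", "spi": spi, "sequence": seq, "length": len(payload)}


def sample_ike_sa_init() -> bytes:
    """Constructed IKEv2 IKE_SA_INIT request header with no payloads (length 28)."""
    return struct.pack(IKE_HEADER, b"\x11" * 8, b"\x00" * 8, 0, 0x20, 34, FLAG_INITIATOR, 0, 28)


def sample_esp(spi: int = 0x1234ABCD, seq: int = 1) -> bytes:
    """Constructed ESP packet: SPI, sequence number, then an opaque encrypted body."""
    return struct.pack("!II", spi, seq) + b"\xaa" * 24


if __name__ == "__main__":
    for name, datagram in [("keepalive", NAT_KEEPALIVE),
                           ("ike", encapsulate_ike(sample_ike_sa_init())),
                           ("esp", encapsulate_esp(sample_esp()))]:
        print(name, classify_nat_t_payload(datagram))
```

A firewall that only permits UDP/500 and protocol 50 will therefore silently break every client sitting behind a NAT; UDP/4500 has to be allowed in both directions, and the keepalives are what stop the NAT mapping from expiring while a tunnel is idle.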
In Windows XP, NAT traversal is enabled by default, but in Windows XP with Service Pack 2 it has been disabled by default for the case when the VPN server is also behind a NAT device, because of a rare and controversial security issue. IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.
NAT traversal and IPsec may be used to enable opportunistic encryption of traffic between systems. NAT traversal allows systems behind NATs to request and establish secure connections on demand.
Hosted NAT traversal
Hosted NAT traversal (HNT) is a set of mechanisms, including media relaying and latching, used by intermediaries such as session border controllers. With latching, the intermediary learns a peer's public address from the source of the first media packet it receives on a given port; because nothing authenticates that packet, the IETF advises against using latching over the Internet and recommends ICE for security reasons.
IETF standards documents
- RFC 1579 Firewall Friendly FTP
- RFC 2663 IP Network Address Translator Terminology and Considerations
- RFC 2709 Security Model with Tunnel-mode IPsec for NAT Domains
- RFC 2993 Architectural Implications of NAT
- RFC 3022 Traditional IP Network Address Translator
- RFC 3027 Protocol Complications with the IP Network Address Translator
- RFC 3235 Network Address Translator (NAT)-Friendly Application Design Guidelines
- RFC 3715 IPsec-Network Address Translation Compatibility
- RFC 3947 Negotiation of NAT-Traversal in the IKE
- RFC 5128 State of Peer-to-Peer Communication across Network Address Translators
- RFC 5245 Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols (obsoleted by RFC 8445)