NAT traversal
Network address translation traversal is a computer networking technique of establishing and maintaining Internet Protocol connections across gateways that implement network address translation (NAT).
NAT traversal techniques are required for many network applications, such as peer-to-peer file sharing and voice over IP.[1]
Network address translation
This leaves the internal network ill-suited for hosting services, as the NAT device has no automatic method for determining the internal host for which incoming packets from the external network are destined. This is not a problem for general web access and email. However, applications such as
Network address translation technologies are not standardized. As a result, the methods used for NAT traversal are often proprietary and poorly documented. Many traversal techniques require assistance from servers outside of the masqueraded network. Some methods use the server only when establishing the connection, while others are based on relaying all data through it, which increases the bandwidth requirements and latency, detrimental to real-time voice and video communications.
NAT traversal techniques usually bypass enterprise security policies. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies.
Techniques
Various NAT traversal techniques have been developed:
- NAT Port Mapping Protocol (NAT-PMP) is a protocol introduced by Apple as an alternative to IGDP.
- Port Control Protocol (PCP) is a successor of NAT-PMP.
- UPnP Internet Gateway Device Protocol (UPnP IGD) is supported by many small NAT gateways in home or small office settings. It allows a device on a network to ask the router to open a port.
- Interactive Connectivity Establishment (ICE) is a complete protocol for using STUN and/or TURN to do NAT traversal while picking the best network route available. It fills in gaps and addresses deficiencies left open by the STUN specification.
- Session Traversal Utilities for NAT (STUN) is a standardized set of methods and a network protocol for NAT hole punching. It was designed for UDP but was also extended to TCP.
- Traversal Using Relays around NAT (TURN) is a relay protocol designed specifically for NAT traversal.
- NAT hole punching is a general technique that exploits how NATs handle some protocols (for example, UDP, TCP, or ICMP) to allow previously blocked packets through the NAT.
- Socket Secure (SOCKS) is a technology created in the early 1990s that uses proxy servers to relay traffic between networks or systems.
- Application-level gateway (ALG) techniques are a component of a firewall or NAT that provides configurable NAT traversal filters.[2] It is claimed that this technique creates more problems than it solves.[3]
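The STUN and ALG entries above are easiest to understand together: a STUN Binding Request is a 20-byte header, and the server answers with the address it saw the request come from, which is the client's public mapping on the NAT. Because some ALGs rewrite any private address they find in a payload, RFC 5389 carries that address as XOR-MAPPED-ADDRESS (XORed with a fixed magic cookie) so an ALG cannot recognise and "fix" it. The following is an added example written for this article, not code from any STUN implementation; the addresses, ports and transaction ID are constructed, only IPv4 is handled, and the client-side checks (cookie, transaction ID, attribute bounds) are the ones a parser needs so that a stale or spoofed response is rejected rather than trusted.

```python
import os
import socket
import struct

# STUN constants from RFC 5389
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001      # plain address; rewritable by payload-inspecting ALGs
ATTR_XOR_MAPPED_ADDRESS = 0x0020  # address XORed with the cookie so an ALG cannot spot it
IPV4_FAMILY = 0x01


def build_binding_request(transaction_id=None):
    """Client side: 20-byte STUN header with no attributes."""
    if transaction_id is None:
        transaction_id = os.urandom(12)  # 96-bit random ID ties responses to this request
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def build_binding_response(transaction_id, reflexive_ip, reflexive_port):
    """Server side: echo the transaction ID and report the client's reflexive address.

    Only IPv4 is handled; the IPv6 XOR transform also uses the transaction ID
    and is left out here."""
    addr = struct.unpack("!I", socket.inet_aton(reflexive_ip))[0]
    value = struct.pack("!BBHI", 0, IPV4_FAMILY,
                        reflexive_port ^ (MAGIC_COOKIE >> 16),
                        addr ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", BINDING_SUCCESS_RESPONSE, len(attr), MAGIC_COOKIE)
    return header + transaction_id + attr


def parse_binding_response(data, expected_transaction_id):
    """Client side: validate the header and return the (ip, port) the server saw.

    XOR-MAPPED-ADDRESS is preferred; MAPPED-ADDRESS is only a fallback because
    an ALG on the path may have rewritten it."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    transaction_id = data[8:20]
    if cookie != MAGIC_COOKIE:
        raise ValueError("missing magic cookie (not RFC 5389 STUN)")
    if transaction_id != expected_transaction_id:
        raise ValueError("transaction ID mismatch (stale or spoofed response)")
    if msg_type != BINDING_SUCCESS_RESPONSE:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated attribute section")

    xor_result = plain_result = None
    pos = 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        pos += 4 + ((attr_len + 3) & ~3)  # attributes are padded to 32-bit boundaries
        if attr_type not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or attr_len < 8:
            continue  # unknown or irrelevant attribute: skip it
        _, family, port, addr = struct.unpack("!BBHI", value[:8])
        if family != IPV4_FAMILY:
            continue
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            addr ^= MAGIC_COOKIE
            xor_result = (socket.inet_ntoa(struct.pack("!I", addr)), port)
        else:
            plain_result = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    result = xor_result or plain_result
    if result is None:
        raise ValueError("no mapped address in response")
    return result


def is_behind_nat(local_endpoint, reflexive_endpoint):
    """True when the address the server saw differs from the socket's own address."""
    return local_endpoint != reflexive_endpoint


if __name__ == "__main__":
    # Constructed exchange: the "server" sees the client arrive from 203.0.113.7:40000
    # while the client's own socket is bound to the private address 10.0.0.5:5000.
    request = build_binding_request()
    tid = request[8:20]
    response = build_binding_response(tid, "203.0.113.7", 40000)
    reflexive = parse_binding_response(response, tid)
    print(reflexive, is_behind_nat(("10.0.0.5", 5000), reflexive))
```

Running the block prints `('203.0.113.7', 40000) True`. The raw response bytes contain neither `203.0.113.7` nor port `40000` in the clear, which is exactly why the XOR form survives an ALG that rewrites addresses it finds in payloads.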
Symmetric NAT
The recent proliferation of
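A symmetric NAT allocates a fresh public port for every destination, so the port a STUN server reports is not the port a peer will see, and the classic UDP hole punch in the Techniques list fails. The following added example, written for this article and not taken from any real NAT implementation, models the two properties that decide the outcome (endpoint-independent versus endpoint-dependent mapping, and full-cone, address-restricted or port-restricted filtering) and runs one round of hole punching between two hosts. All addresses, the class name SimulatedNat and the STUN server address are constructed.

```python
class SimulatedNat:
    """Toy model of NAT mapping and filtering behaviour (RFC 4787 terminology).

    symmetric=False: endpoint-independent mapping (one public port per internal socket).
    symmetric=True:  endpoint-dependent mapping (a new public port per destination).
    filtering: "full-cone", "address-restricted" or "port-restricted".
    """

    def __init__(self, public_ip, symmetric=False, filtering="port-restricted"):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.filtering = filtering
        self.next_port = 40000
        self.mappings = {}   # mapping key -> public port
        self.allowed = {}    # public port -> set of external endpoints contacted from it

    def _key(self, internal, external):
        return (internal, external) if self.symmetric else internal

    def outbound(self, internal, external):
        """Translate an outgoing packet; returns the (public_ip, port) the peer sees."""
        key = self._key(internal, external)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        public_port = self.mappings[key]
        self.allowed.setdefault(public_port, set()).add(external)
        return (self.public_ip, public_port)

    def inbound(self, external, public_port):
        """Return the internal endpoint an incoming packet reaches, or None if filtered."""
        contacted = self.allowed.get(public_port)
        if contacted is None:
            return None  # no mapping at all: unsolicited packet is dropped
        if self.filtering == "full-cone":
            permitted = True
        elif self.filtering == "address-restricted":
            permitted = any(peer[0] == external[0] for peer in contacted)
        else:  # port-restricted: the exact (ip, port) must have been contacted
            permitted = external in contacted
        if not permitted:
            return None
        for key, port in self.mappings.items():
            if port == public_port:
                return key[0] if self.symmetric else key
        return None


STUN_SERVER = ("198.51.100.1", 3478)  # constructed address


def udp_hole_punch(nat_a, host_a, nat_b, host_b):
    """One round of classic UDP hole punching; returns (a_got_packet, b_got_packet)."""
    # Step 1: each host asks the STUN server for its server-reflexive address.
    reflexive_a = nat_a.outbound(host_a, STUN_SERVER)
    reflexive_b = nat_b.outbound(host_b, STUN_SERVER)
    # Step 2: the reflexive addresses are exchanged out of band (signalling server).
    # Step 3: both hosts send to the peer's reflexive address at the same time,
    # which creates the permissive state ("punches the hole") in their own NAT.
    seen_by_b = nat_a.outbound(host_a, reflexive_b)
    seen_by_a = nat_b.outbound(host_b, reflexive_a)
    # Step 4: each packet arrives at the other NAT on the reflexive port; is it let in?
    b_got = nat_b.inbound(seen_by_b, reflexive_b[1]) == host_b
    a_got = nat_a.inbound(seen_by_a, reflexive_a[1]) == host_a
    return a_got, b_got


if __name__ == "__main__":
    host_a, host_b = ("10.0.0.5", 5000), ("192.168.1.9", 6000)
    cases = {
        "cone vs cone": (SimulatedNat("203.0.113.7"), SimulatedNat("198.51.100.42")),
        "symmetric vs cone": (SimulatedNat("203.0.113.7", symmetric=True),
                              SimulatedNat("198.51.100.42")),
        "full-cone vs symmetric": (SimulatedNat("203.0.113.7", filtering="full-cone"),
                                   SimulatedNat("198.51.100.42", symmetric=True)),
    }
    for name, (nat_a, nat_b) in cases.items():
        print(name, udp_hole_punch(nat_a, host_a, nat_b, host_b))
```

With two port-restricted cone NATs both hosts receive the first packet; once either side is symmetric, the peer is contacting a port the NAT never allocated for it and the packet is filtered. A full-cone NAT on one side still accepts the symmetric peer's packet because it does not filter on source at all, and a real client would then reply to the source port it observed, which this one-round model deliberately does not do.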
IPsec
- port 500
- Encapsulating Security Payload (ESP) – IP protocol number 50
- Authentication Header (AH) – IP protocol number 51
- IPsec NAT traversal – UDP port 4500, if and only if NAT traversal is in use
Many routers provide explicit features, often called IPsec Passthrough.
In Windows XP, NAT traversal is enabled by default, but in Windows XP with Service Pack 2 it has been disabled by default for the case when the VPN server is also behind a NAT device, because of a rare and controversial security issue.[6] IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.
NAT traversal and IPsec may be used to enable opportunistic encryption of traffic between systems. NAT traversal allows systems behind NATs to request and establish secure connections on demand.
Hosted NAT traversal
Hosted NAT traversal (HNT) is a set of mechanisms, including media relaying and latching, that is widely used by communications providers for historical and practical reasons.
IETF standards documents
- RFC 1579 – Firewall Friendly FTP
- RFC 2663 – IP Network Address Translator (NAT) Terminology and Considerations
- RFC 2709 – Security Model with Tunnel-mode IPsec for NAT Domains
- RFC 2993 – Architectural Implications of NAT
- RFC 3022 – Traditional IP Network Address Translator (Traditional NAT)
- RFC 3027 – Protocol Complications with the IP Network Address Translator (NAT)
- RFC 3235 – Network Address Translator (NAT)-Friendly Application Design Guidelines
- RFC 3715 – IPsec-Network Address Translation (NAT) Compatibility
- RFC 3947 – Negotiation of NAT-Traversal in the IKE
- RFC 5128 – State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
- RFC 5245 – Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols
References
- ^ "Firewall and NAT Traversal Explained". Eyeball Networks Inc. 2013-07-05. Archived from the original on 2013-10-19. Retrieved 2013-10-10.
- ^ "Introduction to NAT". PJNATH Library. Retrieved 2016-05-30.
- ^ "Symmetric NAT Traversal using STUN".
- ^ "A New Method for Symmetric NAT Traversal in UDP and TCP" (PDF). Archived from the original (PDF) on 2017-02-02. Retrieved 2016-05-14.
- ^ "IPSec NAT Traversal is not recommended for Windows Server 2003 computers that are behind network address translators". Microsoft knowledge base #885348.
- ^ Latching: Hosted NAT Traversal (HNT) for Media in Real-Time Communication, RFC 7362 2014-09-01
- ^ Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal, RFC 8445 2018-07-01
External links
- Problems and facts about modern day NAT traversal systems
- Autonomous NAT traversal – NAT to NAT communication without a third party
- Cornell University – Characterization and Measurement of TCP Traversal through NATs and Firewalls
- Columbia University – An Analysis of the Skype Peer-to-Peer Internet Telephony
- Peer to peer communication across Network Address Translators (UDP Hole Punching)