NAT traversal
NAT traversal is a general term for techniques that establish and maintain Internet Protocol connections traversing network address translation (NAT) gateways. Network address translation breaks end-to-end connectivity. Intercepting and modifying traffic can only be performed transparently in the absence of secure encryption and authentication. NAT traversal techniques are typically required for client-to-client networking applications, especially peer-to-peer and Voice over IP (VoIP) deployments. Many techniques exist, but no single method works in every situation since NAT behavior is not standardized. Many NAT traversal techniques require assistance from a server at a publicly routable IP address. Some methods use the server only when establishing the connection, while others relay all data through it, which adds bandwidth costs and increases latency, detrimental to real-time voice and video communications.

Most NAT behavior-based techniques bypass enterprise security policies. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. From this point of view, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM). SOCKS, the oldest NAT traversal protocol, is still widely available. In home or small office settings, Universal Plug and Play (UPnP) is supported by most small NAT gateways. NAT-T is commonly used by IPsec virtual private network clients in order to have Encapsulating Security Payload packets traverse NAT.
The NAT traversal problem

NAT devices are installed to alleviate IPv4 address exhaustion by allowing the use of private IP addresses on home and corporate networks behind routers with a single public IP address facing the public Internet. Internal network devices communicate with hosts on the external network through the NAT device, which rewrites the source address of outgoing requests to its own public address and relays replies back to the originating device. This leaves the internal network ill-suited to host servers, as the NAT device has no automatic method of determining the internal host for which incoming packets are destined. This is not a problem for home users behind NAT devices doing general web access and e-mail. However, applications such as peer-to-peer file sharing, VoIP services and the online services of current generation video game consoles require clients to be servers as well, thereby posing a problem for users behind NAT devices, as incoming requests cannot be easily correlated to the proper internal host. Furthermore, many of these types of services carry IP address and port number information in the application data, potentially requiring substitution or special traversal techniques for NAT traversal.
NAT traversal and IPsec

In order for IPsec to work through a NAT, the following protocols need to be allowed through the NAT interface(s), e.g. the LAN router:
- Internet Key Exchange (IKE) - UDP port 500
- Encapsulating Security Payload (ESP) - IP protocol number 50
- Authentication Header (AH) - IP protocol number 51

or, in case of NAT-T:
- IKE - UDP port 500
- IPsec NAT-T - UDP port 4500

Often this is accomplished on home routers by enabling "IPsec Passthrough".

In Windows XP, NAT-T is enabled by default, but in XP with SP2 it has been disabled by default for the case when the VPN server is also behind a NAT device, because of a rare and controversial security issue. IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.

One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.
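As an added example (not part of the original article), the following Python classifier shows what the single UDP port 4500 rule above actually admits, using the RFC 3948 NAT-T framing: a lone 0xFF byte is a NAT-keepalive, a four-zero-byte Non-ESP Marker prefixes an IKE message, and anything else is UDP-encapsulated ESP. The sample datagrams are constructed for illustration, not captured traffic.

```python
"""Classify UDP/4500 datagram payloads using the RFC 3948 NAT-T framing."""
import struct
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: four zero bytes in front of IKE
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte keepalive refreshes the NAT mapping
IKE_HEADER_LEN = 28                   # fixed ISAKMP/IKE header size

@dataclass
class NatTFrame:
    kind: str                          # "keepalive", "ike", "esp" or "malformed"
    spi: Optional[int] = None          # ESP Security Parameters Index
    seq: Optional[int] = None          # ESP sequence number
    ike_version: Optional[str] = None  # e.g. "2.0"
    ike_exchange: Optional[int] = None # IKE exchange type

def classify_natt_payload(payload: bytes) -> NatTFrame:
    """Return what a UDP port 4500 payload carries; the first four bytes decide."""
    if payload == NAT_KEEPALIVE:
        return NatTFrame("keepalive")
    if len(payload) < 8:                       # shorter than an ESP SPI plus sequence number
        return NatTFrame("malformed")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return NatTFrame("malformed")
        # IKE header: iSPI(8) rSPI(8) next payload(1) version(1) exchange(1) flags(1) msg id(4) length(4)
        _, _, _, ver, xchg, _, _, length = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        if length != len(ike):                 # header length must cover the whole IKE message
            return NatTFrame("malformed")
        return NatTFrame("ike", ike_version=f"{ver >> 4}.{ver & 0x0F}", ike_exchange=xchg)
    # No marker: UDP-encapsulated ESP. SPI 0 is reserved, so real ESP never starts
    # with four zero bytes and cannot be mistaken for the Non-ESP Marker.
    spi, seq = struct.unpack("!II", payload[:8])
    return NatTFrame("esp", spi=spi, seq=seq)

# Constructed samples: an IKE_SA_INIT header with no payloads (version 2.0, exchange 34,
# Initiator flag), an ESP packet with SPI 0x12345678 and sequence 7, and a keepalive.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack("!QQBBBBII", 0x0102030405060708, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 7) + b"\xde\xad\xbe\xef" * 4
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

def classify_all() -> dict:
    """Classify each sample; an 'IPsec Passthrough' rule admits all three kinds on UDP 4500."""
    return {name: classify_natt_payload(p).kind for name, p in
            (("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP), ("keepalive", SAMPLE_KEEPALIVE))}
```

Because ESP is encrypted, the SPI and sequence number are the only fields a NAT or monitoring point can read from the data channel; the IKE header is the place to see which peers and exchange types are negotiating through it.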
IETF references
- RFC 1579 - Firewall Friendly FTP
- RFC 2663 - IP Network Address Translator (NAT) Terminology and Considerations
- RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains
- RFC 2993 - Architectural Implications of NAT
- RFC 3022 - Traditional IP Network Address Translator (Traditional NAT)
- RFC 3027 - Protocol Complications with the IP Network Address Translator (NAT)
- RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines
- RFC 3715 - IPsec-Network Address Translation (NAT) Compatibility
- RFC 3947 - Negotiation of NAT-Traversal in the IKE
- RFC 5128 - State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
NAT traversal protocols and techniques based on NAT behavior
- Session Traversal Utilities for NAT (STUN)
- Traversal Using Relay NAT (TURN)
- NAT-T - Negotiation of NAT-Traversal in the IKE
- Teredo tunneling uses NAT traversal to provide IPv6 connectivity.
- Session Border Controller (SBC)
- UDP hole punching
- TCP hole punching
- ICMP hole punching
NAT traversal based on NAT control
- Realm-Specific IP (RSIP)
- Middlebox Communications (MIDCOM)
- SOCKS
- NAT Port Mapping Protocol (NAT PMP)
- Internet Gateway Device (IGD) Protocol, defined by the Universal Plug and Play (UPnP) Forum.
- Application Layer Gateway (ALG)
University research papers
- Autonomous NAT Traversal - NAT to NAT communication without a third party
- Cornell University - Characterization and Measurement of TCP Traversal through NATs and Firewalls
- Columbia University - An Analysis of the Skype Peer-to-Peer Internet Telephony
- Peer to peer communication across Network Address Translators (UDP Hole Punching)
- Internet By All Means - An article on how to maximize your chances to get around firewalls