NAT traversal
NAT Traversal refers to a solution to the common problem in TCP/IP networking of establishing connections between hosts in private TCP/IP networks that use NAT devices.
This problem is typically faced by developers of client-to-client networking applications, particularly peer-to-peer and VoIP applications. NAT-T is commonly used by IPsec VPN clients so that ESP packets can pass through a NAT.
Many techniques exist, but no technique works in every situation since NAT behavior is not standardized.
Many techniques require a public server on a well-known globally reachable IP address. Some methods use the server only when establishing the connection (such as STUN), while others are based on relaying all the data through it (such as TURN), which adds bandwidth costs and increases latency detrimental to conversational VoIP applications.
Most NAT behavior-based techniques fail to preserve enterprise security policies and break end-to-end transparency.
Enterprise security experts prefer techniques that explicitly cooperate with NATs and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. To that end, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM). SOCKS, the oldest NAT control protocol, remains valid and is widely available, while Universal Plug and Play (UPnP) is attractive for home/SOHO use because it might be widely supported by small gateway vendors.
- 1 The NAT Traversal Problem
- 2 NAT Traversal and IPsec
- 3 NAT Traversal Security Issues
- 4 Internal Links to NAT Traversal Techniques
- 5 NAT Traversal Protocols and Techniques based on NAT behavior
- 6 NAT Traversal based on NAT Control
- 7 NAT Traversal Combining Several Techniques
- 8 External Links
- 9 Other NAT Traversal IETF References
- 10 Universities
- 11 Checking NAT Behavior
- 12 Organizations, Portals
- 13 Other Research Papers (might require registration, fees)
- 14 Open Source NAT traversal implementations
- 15 Some Vendor Links and White Papers (might be biased)
The NAT Traversal Problem
NAT devices allow internal networks to communicate with external networks using a limited number of external IP addresses by rewriting the source address of outgoing requests and listening for the replies. This leaves the internal network ill-suited to act as a server, because the NAT device has no way of determining which internal host an unsolicited incoming packet is destined for. On the Internet this problem was generally not relevant to home users behind NAT devices, as they either do not need to act as servers or can use static NAT mappings to correlate incoming requests with internal hosts. Applications such as P2P file sharing (like BitTorrent) or VoIP networks (like Skype) require clients to act like servers and pose a problem for users behind NAT devices, as incoming requests cannot be correlated with the proper internal host.
NAT Traversal and IPsec
In order for IPsec to work through a NAT the following need to be allowed on the firewall:
- Internet Key Exchange (IKE) - User Datagram Protocol (UDP) port 500
- IPsec NAT-T - UDP port 4500
- Encapsulating Security Payload (ESP) - Internet Protocol (IP) protocol 50
The default behaviour of Windows XP SP2 was changed so that NAT-T is no longer enabled by default, because of a rare and controversial security issue. This prevents most home users from using IPsec without adjusting their settings. To enable NAT-T so that a system behind a NAT can communicate with another system behind a NAT, the following registry value needs to be added and set to 2: AssumeUDPEncapsulationContextOnSendRule under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.
One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.
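To make concrete why IPsec needs UDP port 4500 opened in addition to IKE on UDP 500 and ESP as IP protocol 50, here is an added example (not code from the article) that demultiplexes the three message kinds RFC 3948 multiplexes on UDP/4500: IKE prefixed with a 4-byte zero non-ESP marker, a one-byte NAT-keepalive, and UDP-encapsulated ESP whose first 4 bytes are the SPI. Bare ESP carries no port numbers, so a NAT cannot translate it; wrapping it in UDP is what lets the NAT keep a mapping for it. The sample payloads are constructed, not captured traffic.

```python
"""Demultiplex UDP/4500 (IPsec NAT-T) payloads per RFC 3948.

Added example, not code from the article. Three message kinds share port 4500:
IKE messages are prefixed with a 4-byte zero "non-ESP marker", a NAT-keepalive
is a single 0xFF byte, and everything else is a UDP-encapsulated ESP packet
whose first 4 bytes are the SPI (SPI 0 is reserved, so it never collides with
the marker).
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28  # fixed ISAKMP/IKE header
ESP_HEADER_LEN = 8   # SPI + sequence number


def classify_natt_payload(payload: bytes) -> dict:
    """Return a dict describing the payload kind and its parsed header fields."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "short IKE header"}
        (init_spi, resp_spi, _next_payload, version, exchange_type,
         _flags, message_id, length) = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "initiator_spi": init_spi,
            "responder_spi": resp_spi,
            "major_version": version >> 4,  # 1 = IKEv1, 2 = IKEv2
            "exchange_type": exchange_type,
            "message_id": message_id,
            "length": length,
        }
    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "malformed", "reason": "short ESP header"}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    if spi == 0:
        return {"kind": "malformed", "reason": "reserved SPI 0"}
    return {"kind": "udp-encap-esp", "spi": spi, "seq": seq}


# Constructed sample payloads (not captured traffic).
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN
)  # IKEv2 IKE_SA_INIT header with no payloads attached
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16  # SPI, seq, opaque body
SAMPLE_TRUNCATED = NON_ESP_MARKER + b"\x01"  # marker present, IKE header missing


def demo() -> dict:
    """Classify each sample; returns a name -> kind mapping."""
    samples = {
        "ike": SAMPLE_IKE,
        "esp": SAMPLE_ESP,
        "keepalive": NAT_KEEPALIVE,
        "truncated": SAMPLE_TRUNCATED,
    }
    return {name: classify_natt_payload(p)["kind"] for name, p in samples.items()}


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
```

A firewall or IDS that sees only UDP/4500 can use this split to log IKE negotiations separately from the encrypted ESP flow, which is the visibility an administrator retains once ESP is encapsulated.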
NAT Traversal Security Issues
Internal Links to NAT Traversal Techniques
NAT Traversal Protocols and Techniques based on NAT behavior
- Simple Traversal of UDP over NATs (STUN)
- Traversal Using Relay NAT (TURN)
- NAT-T Negotiation of NAT-Traversal in the IKE
- Teredo tunneling uses NAT traversal to provide IPv6 connectivity.
- Session Border Controller (SBC)
- UDP hole punching
- [nat-traverse] package (uses garbage UDP packets to open NAT ports).
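The following is an added example (not from the article or any of the listed projects) that models the NAT problem described above and the STUN and UDP hole punching techniques from this list. It simulates two RFC 4787 behaviours, endpoint-independent mapping and filtering ("full cone") and address-and-port-dependent mapping and filtering ("symmetric"), and shows that an unsolicited inbound packet is dropped, that a static mapping restores reachability, and that hole punching through a rendezvous server succeeds between cone NATs but fails between symmetric ones, which is why no single technique works everywhere. Addresses come from the RFC 5737 documentation ranges; the `Nat` class and its methods are this example's own.

```python
"""Toy model of NAT mapping behaviour (added illustration, not the article's code)."""
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "ip port")


class Nat:
    def __init__(self, public_ip, symmetric=False, first_port=40000):
        self.public_ip = public_ip
        self.symmetric = symmetric     # True: address-and-port-dependent mapping/filtering
        self.next_port = first_port
        self.outbound = {}  # mapping key -> external port
        self.inbound = {}   # external port -> (internal endpoint, mapping key)

    def _key(self, internal, remote):
        # Symmetric NATs allocate a separate mapping per remote endpoint.
        return (internal, remote) if self.symmetric else (internal, None)

    def add_static_mapping(self, external_port, internal):
        """Operator-configured port forward: the 'static NAT mapping' case."""
        self.inbound[external_port] = (internal, (internal, None))

    def translate_out(self, internal, remote):
        """Rewrite the source of an outbound packet, creating a mapping if needed."""
        key = self._key(internal, remote)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = (internal, key)
        return Endpoint(self.public_ip, self.outbound[key])

    def translate_in(self, remote, external):
        """Internal endpoint an inbound packet is delivered to, or None if dropped."""
        if external.ip != self.public_ip:
            return None
        entry = self.inbound.get(external.port)
        if entry is None:
            return None  # unsolicited: no mapping, no way to choose an internal host
        internal, key = entry
        if key[1] is not None and key[1] != remote:
            return None  # symmetric filtering: only the original remote may use it
        return internal


def stun_reflexive(nat, internal, server):
    """STUN-style discovery: the server reports the source address it observed."""
    return nat.translate_out(internal, server)


def udp_hole_punch(nat_a, a, nat_b, b, server):
    """Peers learn each other's reflexive address via the server, then send at
    the same time. Returns (A reaches B, B reaches A)."""
    a_ref = stun_reflexive(nat_a, a, server)
    b_ref = stun_reflexive(nat_b, b, server)
    a_src = nat_a.translate_out(a, b_ref)  # opens (or reuses) a mapping towards B
    b_src = nat_b.translate_out(b, a_ref)
    # The far NAT sees the *actual* source, which equals the reflexive address
    # only when the mapping is endpoint-independent.
    a_to_b = nat_b.translate_in(a_src, b_ref) == b
    b_to_a = nat_a.translate_in(b_src, a_ref) == a
    return a_to_b, b_to_a


def demo():
    """Run the scenarios from the text; returns a dict of outcomes."""
    server = Endpoint("198.51.100.1", 3478)          # constructed rendezvous/STUN server
    host_a = Endpoint("192.0.2.10", 5000)            # constructed private hosts
    host_b = Endpoint("10.0.0.7", 5000)
    out = {}
    nat = Nat("203.0.113.1")
    out["unsolicited_dropped"] = nat.translate_in(server, Endpoint("203.0.113.1", 40000)) is None
    nat.add_static_mapping(6881, host_a)
    out["static_reaches_host"] = nat.translate_in(server, Endpoint("203.0.113.1", 6881)) == host_a
    out["cone_cone"] = udp_hole_punch(Nat("203.0.113.1"), host_a, Nat("203.0.113.2"), host_b, server)
    out["sym_cone"] = udp_hole_punch(Nat("203.0.113.1", symmetric=True), host_a,
                                     Nat("203.0.113.2"), host_b, server)
    out["sym_sym"] = udp_hole_punch(Nat("203.0.113.1", symmetric=True), host_a,
                                    Nat("203.0.113.2", symmetric=True), host_b, server)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the symmetric/cone case one direction still succeeds because the cone NAT accepts the unexpected source port; a real client would then learn that port from the packet it received and reply to it, which is the mixed case that a relay (TURN) otherwise has to cover.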
NAT Traversal based on NAT Control
- Realm-Specific IP (RSIP)
- Middlebox Communications (MIDCOM)
- SOCKS
- NAT Port Mapping Protocol
- Universal Plug and Play (UPnP)
- Application Layer Gateway (ALG)
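The NAT-control protocols listed above let a host ask the gateway for a mapping instead of guessing NAT behaviour, and the point made earlier in the article is that the gateway can then apply policy. As an added example (not from the article or any of these projects), here is the NAT-PMP request/response wire format from RFC 6886 together with a gateway-side handler that enforces a hypothetical policy: only listed internal hosts may open mappings, only for ports at or above a floor, and lifetimes are capped. The policy itself and the `PolicyGateway` class are this example's assumptions; the message layout and result codes follow the RFC.

```python
"""NAT-PMP (RFC 6886) port-mapping requests answered by a policy-enforcing gateway.

Added example, not code from the article. Wire format per RFC 6886; the policy is
a constructed stand-in for what an administrator would want decided at the NAT.
"""
import struct

NATPMP_VERSION = 0
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT_SUCCESS, RESULT_UNSUPPORTED_VERSION, RESULT_REFUSED, RESULT_UNSUPPORTED_OPCODE = 0, 1, 2, 5
# version, opcode, reserved, internal port, suggested external port, lifetime
REQUEST_FMT = "!BBHHHI"
# version, opcode|0x80, result, seconds since mapping-table reset, internal, external, lifetime
RESPONSE_FMT = "!BBHIHHI"


def encode_map_request(opcode, internal_port, suggested_external=0, lifetime=7200):
    return struct.pack(REQUEST_FMT, NATPMP_VERSION, opcode, 0, internal_port, suggested_external, lifetime)


def decode_map_response(data):
    version, opcode, result, epoch, internal, external, lifetime = struct.unpack(RESPONSE_FMT, data[:16])
    return {"version": version, "opcode": opcode, "result": result, "epoch": epoch,
            "internal_port": internal, "external_port": external, "lifetime": lifetime}


class PolicyGateway:
    """Hypothetical gateway: mapping requests are granted only within policy."""

    def __init__(self, allowed_hosts, min_port=1024, max_lifetime=3600, first_port=50000):
        self.allowed_hosts = set(allowed_hosts)
        self.min_port = min_port
        self.max_lifetime = max_lifetime
        self.next_port = first_port
        self.seconds = 0            # seconds since the mapping table was last reset
        self.mappings = {}          # (opcode, external port) -> (client ip, internal port)

    def _allocate(self, opcode, suggested):
        """Honour the suggested external port when it is free and permitted."""
        if suggested >= self.min_port and (opcode, suggested) not in self.mappings:
            return suggested
        while (opcode, self.next_port) in self.mappings:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def handle(self, client_ip, data):
        """Process one request datagram from client_ip; return the response datagram."""
        if len(data) < struct.calcsize(REQUEST_FMT):
            raise ValueError("short NAT-PMP request")
        version, opcode, _reserved, internal, suggested, lifetime = struct.unpack(REQUEST_FMT, data[:12])
        external, granted = 0, 0
        if version != NATPMP_VERSION:
            result = RESULT_UNSUPPORTED_VERSION
        elif opcode not in (OP_MAP_UDP, OP_MAP_TCP):
            result = RESULT_UNSUPPORTED_OPCODE
        elif client_ip not in self.allowed_hosts or internal < self.min_port:
            result = RESULT_REFUSED  # policy is decided here, not by the client
        else:
            result = RESULT_SUCCESS
            external = self._allocate(opcode, suggested)
            granted = min(lifetime, self.max_lifetime)
            self.mappings[(opcode, external)] = (client_ip, internal)
        return struct.pack(RESPONSE_FMT, NATPMP_VERSION, opcode | 0x80, result,
                           self.seconds, internal, external, granted)


if __name__ == "__main__":
    gw = PolicyGateway(allowed_hosts=["192.0.2.10"])  # constructed allow-list
    for ip, req in [("192.0.2.10", encode_map_request(OP_MAP_UDP, 5060, 5060)),
                    ("192.0.2.99", encode_map_request(OP_MAP_UDP, 5060)),
                    ("192.0.2.10", encode_map_request(OP_MAP_TCP, 22))]:
        print(ip, decode_map_response(gw.handle(ip, req)))
```

The same shape applies to a UPnP IGD AddPortMapping handler: the protocol carries the client's request, but whether the mapping is created is the gateway's decision, which is the difference between NAT control and the behaviour-based techniques in the previous list.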
NAT Traversal Combining Several Techniques
External Links
Other NAT Traversal IETF References
- RFC 1579 - Firewall Friendly FTP
- RFC 2663 - IP Network Address Translator (NAT) Terminology and Considerations
- RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains
- RFC 2993 - Architectural Implications of NAT
- RFC 3027 - Protocol Complications with the IP Network Address Translator (NAT)
- RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines
Universities
- [Cornell University - Characterization and Measurement of TCP Traversal through NATs and Firewalls]
- [Columbia University - An Analysis of the Skype Peer-to-Peer Internet Telephony]
- [MIT - Peer-to-Peer Communication Across Network Address Translators] [(PDF)]: Describes NAT traversal techniques for both TCP and UDP, and presents results of some experimental compatibility measurements.
Checking NAT Behavior
- [MIDCOM P2P Project NAT Check] - Check Your NAT for Compatibility with Peer-to-Peer Protocols
Organizations, Portals
Other Research Papers (might require registration, fees)
Open Source NAT traversal implementations
Some Vendor Links and White Papers (might be biased)
- [Radvision Ltd.] NAT traversal protocol stack vendor
- [Radvision Ltd. - White Paper - H.323 Firewall/NAT Traversal]: describes H.460.17-19 standards which handle NAT traversal in H.323 networks
- [Newport Networks - White Paper - NAT traversal in Multimedia Networks]: examines different NAT traversal techniques. Provides an introduction to STUN, TURN, ALGs and Session Border Controllers.
- [Ditech Networks - VoIP NAT/Firewall Traversal]
- [NATPass(TM) - VoIP NAT Traversal using Session Border Controller]
- [IPsec in VoIP Networks] White Paper looks at the IPsec/NAT problem and how UDP encapsulation of IPsec solves it.
From Wikipedia, the Free Encyclopedia. Original article here.
All text is available under the terms of the GNU Free Documentation License. See Wikipedia Copyrights for details.
