|This article needs additional citations for verification. (April 2010)|
NAT traversal (sometimes abbreviated as NAT-T) is a general term for techniques that establish and maintain Internet protocol connections traversing network address translation (NAT) gateways, which break end-to-end connectivity. Intercepting and modifying traffic can only be performed transparently in the absence of secure encryption and authentication.
NAT traversal techniques are typically required for client-to-client networking applications. The majority of NAT traversal techniques fail to traverse Carrier-grade NATs which are typically Symmetric NATs.
NAT traversal is of importance for peer-to-peer and Voice over IP (VoIP) deployments. Many techniques exist, but no single method works in every situation since NAT behavior is not standardized. Many NAT traversal techniques require assistance from a server at a publicly routable IP address. Some methods use the server only when establishing the connection, while others are based on relaying all data through it, which adds bandwidth costs and increases latency, detrimental to real-time voice and video communications.
Most NAT behavior-based techniques bypass enterprise security policies. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. IETF standards based on this security model are Realm-Specific IP (RSIP) and middlebox communications (MIDCOM).
NAT devices are commonly used to alleviate IPv4 address exhaustion by allowing the use of private IP addresses on home and corporate networks behind routers with a single public IP address facing the public Internet. The internal network devices communicate with hosts on the external network by changing the source address of outgoing requests to that of the NAT device and relaying replies back to the originating device. This leaves the internal network ill-suited for hosting servers, as the NAT device has no automatic method of determining the internal host for which incoming packets are destined. This is not a problem for home users behind NAT devices doing general web access and e-mail. However, applications such as peer-to-peer file sharing, VoIP services and the online services of current generation video game consoles require clients to be servers as well, thereby posing a problem for users behind NAT devices, as incoming requests cannot be easily correlated to the proper internal host. Furthermore many of these types of services carry IP address and port number information in the application data, potentially requiring substitution or special traversal techniques for NAT traversal.
The following NAT traversal techniques are available:
- Socket Secure (SOCKS) is a technology created in the early 1990s that uses proxy servers to relay traffic between networks or systems.
- UPnP IGD is supported by many small NAT gateways in home or small office settings.
- Interactive Connectivity Establishment (ICE) is a technique used in VoIP, peer-to-peer communications, video, instant messaging, and other interactive media applications. It uses Session Traversal Utilities for NAT (STUN).
- Application-level gateway (ALG) is a component of a firewall or NAT that allows for configuring NAT traversal filters.
- Hole punching is a technique that exploits how NATs handle some protocols (for example, UDP, TCP, or ICMP) to allow previously blocked packets through the NAT.
Traversal across Symmetric NAT
The recent proliferation of symmetric NATs has reduced NAT traversal success rates in many practical situations like mobile and public WiFi internet connections. Hole punching techniques like STUN and ICE are unable to traverse symmetric NATs without the help of a relay server (e.g. TURN). Techniques that traverse symmetric NATs by attempting to predict the next port that will be opened by each NAT device were discovered in 2003 by Yutaka Takeda at Panasonic Communications Research Laboratory and in 2008 by researchers at Waseda University. Port prediction techniques are only effective with NAT devices which use known deterministic algorithms for port selection.
IPsec traversal across NAT
IPsec virtual private network clients use NAT traversal in order to have Encapsulating Security Payload packets traverse NAT. IPsec uses several protocols in its operation which must be enabled to traverse firewalls and network address translators:
- Internet Key Exchange (IKE) – User Datagram Protocol (UDP) port 500
- Encapsulating Security Payload (ESP) – IP protocol number 50
- Authentication Header (AH) – IP protocol number 51
- IPsec NAT traversal – UDP port 4500, when NAT traversal is in use
Many routers provide explicit features, often called IPsec Passthrough.
In Windows XP, NAT traversal is enabled by default, but in Windows XP with Service Pack 2 it has been disabled by default for the case when the VPN server is also behind a NAT device, because of a rare and controversial security issue. IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.
NAT traversal and IPsec may be used to enable opportunistic encryption of traffic between systems. NAT traversal allows systems behind NATs to request and establish secure connections on demand.
Hosted NAT Traversal
Hosted NAT Traversal (HNT) is set of mechanisms including media relaying and latching used by intermediaries. The IETF advises against using latching over the Internet and recommends ICE for security reasons.
- RFC 1579 – Firewall Friendly FTP
- RFC 2663 – IP Network Address Translator (NAT) Terminology and Considerations
- RFC 2709 – Security Model with Tunnel-mode IPsec for NAT Domains
- RFC 2993 – Architectural Implications of NAT
- RFC 3022 – Traditional IP Network Address Translator (Traditional NAT)
- RFC 3027 – Protocol Complications with the IP Network Address Translator (NAT)
- RFC 3235 – Network Address Translator (NAT)-Friendly Application Design Guidelines
- RFC 3715 – IPsec-Network Address Translation (NAT) Compatibility
- RFC 3947 – Negotiation of NAT-Traversal in the IKE
- RFC 5128 – State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
- RFC 5245 – Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols
- Session Traversal Utilities for NAT (STUN)
- Traversal Using Relay NAT (TURN)
- NAT-T Negotiation of NAT-Traversal in the IKE
- Session Border Controller (SBC)
- UDP hole punching
- TCP hole punching
- ICMP hole punching
- Interactive Connectivity Establishment (ICE)
- NAT Port Mapping Protocol (NAT-PMP)
- Port Control Protocol (PCP)
- Internet Gateway Device Protocol (IGD)
- Application Layer Gateway (ALG)
- "Firewall and NAT Traversal Explained". Eyeball Networks Inc. 2013-07-05. Retrieved 2013-10-10.
- "NAT Traversal Techniques and Peer-to-Peer Applications". Helsinki University of Technology.
- "Symmetric NAT Traversal using STUN".
- "A New Method for Symmetric NAT Traversial in UDP and TCP".
- "IPSec NAT Traversal is not recommended for Windows Server 2003 computers that are behind network address translators". Microsoft knowledge base #885348.
- Latching: Hosted NAT Traversal (HNT) for Media in Real-Time Communication draft-ietf-mmusic-latching-04 2013-10-08
- Problems and fact about modern day NAT traversal systems
- NAT-Traversal Test
- Autonomous NAT traversal – NAT to NAT communication without a third party
- Cornell University – Characterization and Measurement of TCP Traversal through NATs and Firewalls
- Columbia University – An Analysis of the Skype Peer-to-Peer Internet Telephony
- Peer to peer communication across Network Address Translators (UDP Hole Punching)
- Internet By All Means – An article on how to maximize your chances to get around firewalls