NAT traversal
From Wikipedia, the free encyclopedia
NAT traversal is a general term for techniques that establish and maintain TCP/IP network connections traversing network address translation (NAT) gateways.
NAT traversal techniques are typically required for client-to-client networking applications, especially peer-to-peer and Voice-over-IP (VoIP) deployments. Many techniques exist, but no single method works in every situation since NAT behavior is not standardized. Many techniques require assistance from a computer server at a publicly-routable IP address. Some methods use the server only when establishing the connection (such as STUN), while others are based on relaying all data through it (such as TURN), which adds bandwidth costs and increases latency, detrimental to real-time voice and video communications.
Network address translation breaks end-to-end connectivity. Intercepting and modifying traffic can only be performed transparently in the absence of secure encryption and authentication. Most NAT behavior-based techniques bypass enterprise security policies. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. From this point of view, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM).
SOCKS, the oldest NAT traversal protocol, is still widely available. In home/SOHO settings, Universal Plug and Play (UPnP) is supported by most small NAT gateways. NAT-T is commonly used by IPsec VPN clients in order to have ESP packets traverse NAT.
Contents |
[edit] The NAT traversal problem
NAT devices are installed to alleviate the exhaustion of the IPv4 address space by allowing the use of private IP addresses on home and corporate networks (internal networks) behind routers with a single public IP address facing the public Internet. The internal network devices are enabled to communicate with hosts on the external network by changing the source address of outgoing requests to that of the NAT device and relaying replies back to the originating device. This leaves the internal network ill-suited to host servers, as the NAT device has no automatic method of determining the internal host for which incoming packets are destined. This problem has not generally been relevant to home users behind NAT devices for general web access and e-mail. However, applications such as P2P file sharing (such as BitTorrent or Gnutella clients), VoIP networks (such as Skype) and the online services of current generation video game consoles (such as the Xbox 360's Xbox Live or the PS3's PlayStation Network) require clients to act like servers, thereby posing a problem for users behind NAT devices, as incoming requests cannot be easily correlated to the proper internal host.
[edit] NAT traversal and IPsec
In order for IPsec to work through a NAT, the following protocols need to be allowed on the firewall:
- Internet Key Exchange (IKE) - User Datagram Protocol (UDP) port 500
- Encapsulating Security Payload (ESP) - Internet Protocol (IP) 50
or, in case of NAT-T:
- IPsec NAT-T - UDP port 4500
Often this is accomplished on home routers by enabling "IPsec Passthrough".
The default behavior of Windows XP SP2 was changed to no longer have NAT-T enabled by default, because of a rare and controversial security issue[citation needed]. This prevents most home users from using IPsec without making adjustments to their computer configuration. To enable NAT-T for systems behind NATs to communicate with other systems behind NATs, the following registry key needs to be added and set to a value of 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule[1]
IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.
One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.
[edit] IETF references
- RFC 1579 - Firewall Friendly FTP
- RFC 2663 - IP Network Address Translator (NAT) Terminology and Considerations
- RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains
- RFC 2993 - Architectural Implications of NAT
- RFC 3022 - Traditional IP Network Address Translator (Traditional NAT)
- RFC 3027 - Protocol Complications with the IP Network Address Translator (NAT)
- RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines
- RFC 3715 - IPsec-Network Address Translation (NAT) Compatibility
- RFC 3947 - Negotiation of NAT-Traversal in the IKE
- RFC 5128 - State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
[edit] See also
[edit] NAT traversal protocols and techniques based on NAT behavior
- Simple Traversal of UDP over NATs (STUN)
- Traversal Using Relay NAT (TURN)
- NAT-T Negotiation of NAT-Traversal in the IKE
- Teredo tunneling uses NAT traversal to provide IPv6 connectivity.
- Session Border Controller (SBC)
- UDP hole punching
- TCP hole punching
[edit] NAT traversal based on NAT control
- Realm-Specific IP (RSIP)
- Middlebox Communications (MIDCOM)
- SOCKS
- NAT Port Mapping Protocol (NAT PMP)
- Internet Gateway Device (IGD) Protocol, defined by the Universal Plug and Play (UPnP) Forum.
- Application Layer Gateway (ALG)
[edit] NAT traversal combining several techniques
[edit] University research papers
- Cornell University - Characterization and Measurement of TCP Traversal through NATs and Firewalls
- Columbia University - An Analysis of the Skype Peer-to-Peer Internet Telephony
- Peer to peer communication across Network Address Translators (UDP Hole Punching):