NAT traversal

From Wikipedia, the free encyclopedia

NAT traversal is an algorithm designed to solve a common problem in TCP/IP networking: that of establishing connections between hosts in private TCP/IP networks that use NAT devices.

This problem is typically faced by developers of client-to-client networking applications, especially in peer-to-peer and VoIP activities. NAT-T is commonly used by IPsec VPN clients in order to have ESP packets go through NAT.

Many techniques exist, but no technique works in every situation since NAT behavior is not standardized. Many techniques require a public server on a well-known globally-reachable IP address. Some methods use the server only when establishing the connection (such as STUN), while others are based on relaying all the data through it (such as TURN), which adds bandwidth costs and increases latency, detrimental to conversational VoIP applications.

Most NAT behavior-based techniques fail to preserve enterprise security policies and break end-to-end transparency. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. To that extent, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM). SOCKS, as the oldest NAT control protocol, remains valid and is widely available, while Universal Plug and Play (UPnP) is attractive for home/SOHO use because it might be widely supported by vendors of small gateways.

Contents 1 The NAT traversal problem 2 NAT traversal and IPsec 3 See also 3.1 NAT traversal protocols and techniques based on NAT behavior 3.2 NAT traversal based on NAT control 3.3 NAT traversal combining several techniques 4 External links 4.1 IETF references 4.2 University research papers 4.3 Weblinks

[edit] The NAT traversal problem

NAT devices allow internal networks to communicate with external networks using a limited number of external IP Addresses by changing the source address of outgoing requests and listening for replies. This leaves the internal network ill-suited to act as a server, as the NAT device has no way of determining the internal host for which incoming packets are destined. On the Internet, this problem has not generally been relevant to home users behind NAT devices, as they either do not need to act as servers or can use static NAT mappings to correlate incoming requests to internal hosts. However, applications such as P2P file sharing (such as BitTorrent or Gnutella clients) or VoIP networks (such as Skype) require clients to act like servers, thereby posing a problem for users behind NAT devices, as incoming requests cannot be correlated to the proper internal host.

[edit] NAT traversal and IPsec

In order for IPsec to work through a NAT, the following need to be allowed on the firewall:

• Internet Key Exchange (IKE) - User Datagram Protocol (UDP) port 500
• IPsec NAT-T - UDP port 4500
• Encapsulating Security Payload (ESP) - Internet Protocol (IP) 50

Often this is accomplished on home routers by enabling "IPsec Passthrough".

The default behavior of Windows XP SP2 was changed to no longer have NAT-T enabled by default, because of a rare and controversial security issue. This prevents most home users from using IPsec without making adjustments to their settings. To enable NAT-T for systems behind NATs to communicate with other systems behind NATs, the following registry key needs to be added and set to a value of 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule[1]

IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.

One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.

[edit] See also

[edit] NAT traversal protocols and techniques based on NAT behavior

• Simple Traversal of UDP over NATs (STUN)
• Traversal Using Relay NAT (TURN)
• NAT-T Negotiation of NAT-Traversal in the IKE
• Teredo tunneling uses NAT traversal to provide IPv6 connectivity.
• Session Border Controller (SBC)
• UDP hole punching

[edit] NAT traversal based on NAT control

• Realm-Specific IP (RSIP)
• Middlebox Communications (MIDCOM)
• SOCKS
• NAT Port Mapping Protocol (NAT PMP)
• Universal Plug and Play (UPnP)
• Application Layer Gateway (ALG)

[edit] NAT traversal combining several techniques

• Interactive Connectivity Establishment (ICE)

[edit] External links

[edit] IETF references

• RFC 1579 - Firewall Friendly FTP
• RFC 2663 - IP Network Address Translator (NAT) Terminology and Considerations
• RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains
• RFC 2993 - Architectural Implications of NAT
• RFC 3027 - Protocol Complications with the IP Network Address Translator (NAT)
• RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines
• RFC 3947 - Negotiation of NAT-Traversal in the IKE
• RFC 5128 - State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
• zConf.com - Understanding NAT Traversal

[edit] University research papers

• Cornell University - Characterization and Measurement of TCP Traversal through NATs and Firewalls
• Columbia University - An Analysis of the Skype Peer-to-Peer Internet Telephony
• Peer to peer communication across Network Address Translators (UDP Hole Punching):

[edit] Weblinks

• NAT-Traversal Test