Networking‎ > ‎

NAT stuff

RFC 4787 redefined the NAT types to be:
  • Endpoint independent
    • The public/exposed IP & port of the nat translation doesn't change for an endpoint regardless of where it goes; it appears to everything on the internet as the same public IP & port.
  • Address dependent
    • The public/exposed IP & port of the nat translation is the same for all connections from an endpoint to the same destination IP address (  Connections to a different IP address ( may use a different IP and/or port.
  • Address & Port Dependent
    • The public/exposed IP & port of the nat translation changes per TCP/UDP connection (flow).

Before this RFC, they were referred to (by STUN) as things like "Full Cone", "Restricted Cone", "Port Restricted Cone", and "Symmetric".  (RFC 4787 obsoleted those terms).

Ways of getting a connection from the outside to the inside without manual config in the NAT server / router / firewall:
  • UPnP IGD
  • Application awareness in firewalls (FTP DATA)
    • Breaks with things like SSL-encrypted FTP
  • STUN - Session Traversal Utilities for NAT
    • RFC 5389
    • Primary uses:
      • Determines the IP address and port allocated to it by a NAT
      • Checks connectivity between two endpoints
      • A keep-alive protocol to maintain NAT bindings. 
    • Basic operation: STUN client talks with a STUN server to determine what IP/port it is mapped to.
    • Issues
      • Does not work well when both ends are behind a nat
      • STUN server often gets a different mapping than clients (except in Endpoint independent NAT)
  • ICE -  Interactive Connectivity Establishment
    • RFC 5245
    • Basic operation: Gathers up all the IP addresses known to a host and sends them to the peer (rather than just one as with STUN). First good connection wins.  Very similar to STUN. 
    • More details:
  • TURN - Traversal Using Relay NAT
    • RFC 5766
    • Basic operation: Functions as a media relay / proxy.  May impose a heavy load on this server (since it's no longer P2P, all traffic is going thorough this 3rd server).  Also increases delay because of this extra hop.
    • Only used when both devices are behind a "address & port dependent" nat (about 25% of NATs), or where one endpoint doesn't support ICE.

Information from this page came from various RFCs and public sources out on the internet.