Network address translation traversal is a computer networking technique of establishing and maintaining

Internet Protocol The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet. IP ...

connections across gateways that implement

network address translation Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic Router (computing), routing device. The te ...

(NAT). NAT traversal techniques are required for many network applications, such as

peer-to-peer file sharing Peer-to-peer file sharing is the distribution and sharing of digital media using peer-to-peer (P2P) networking technology. P2P file sharing allows users to access media files such as books, music, movies, and games using a P2P software program th ...

and

voice over IP Voice over Internet Protocol (VoIP), also known as IP telephony, is a set of technologies used primarily for voice communication sessions over Internet Protocol (IP) networks, such as the Internet. VoIP enables voice calls to be transmitted as ...

Network address translation

Network address translation Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic Router (computing), routing device. The te ...

typically uses

private IP address In Internet networking, a private network is a computer network that uses a private address space of IP addresses. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments. Both the IPv4 ...

es on private networks with a single public

IP address An Internet Protocol address (IP address) is a numerical label such as that is assigned to a device connected to a computer network that uses the Internet Protocol for communication. IP addresses serve two main functions: network interface i ...

for the router facing the

Internet The Internet (or internet) is the Global network, global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a internetworking, network of networks ...

. The network address translator changes the source address in network protocols for outgoing requests from that of an internal device to its external address, so that internal devices can communicate with hosts on the external network, while relaying replies back to the originating device. This leaves the internal network ill-suited for hosting services, as the NAT device has no automatic method for determining the internal host for which incoming packets from the external network are destined. This is not a problem for general web access and email. However, applications such as

peer-to-peer Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the network, forming a peer-to-peer network of Node ...

file sharing,

VoIP Voice over Internet Protocol (VoIP), also known as IP telephony, is a set of technologies used primarily for voice communication sessions over Internet Protocol (IP) networks, such as the Internet. VoIP enables voice calls to be transmitted as ...

services, and

video game console A video game console is an electronic device that Input/output, outputs a video signal or image to display a video game that can typically be played with a game controller. These may be home video game console, home consoles, which are generally ...

s require clients to be servers as well. Incoming requests cannot be easily correlated to the proper internal host. Furthermore, many of these types of services carry IP address and port number information in the application data, potentially requiring substitution with

deep packet inspection Deep packet inspection (DPI) is a type of data processing that inspects in detail the data (Network packet, packets) being sent over a computer network, and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep ...

. Network address translation technologies are not standardized. As a result, the methods used for NAT traversal are often proprietary and poorly documented. Many traversal techniques require assistance from servers outside of the masqueraded network. Some methods use the server only when establishing the connection, while others are based on relaying all data through it, which increases the bandwidth requirements and latency, detrimental to real-time voice and video communications. NAT traversal techniques usually bypass enterprise security policies. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies.

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet standard, Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster ...

standards based on this security model are Realm-Specific IP (RSIP) and middlebox communications (MIDCOM).

Techniques

Various NAT traversal techniques have been developed: *

NAT Port Mapping Protocol NAT Port Mapping Protocol (NAT-PMP) is a network protocol for establishing network address translation (NAT) settings and port forwarding configurations automatically without user effort. The protocol automatically determines the external IPv4 a ...

(NAT-PMP) is a protocol introduced by Apple as an alternative to IGDP. *

Port Control Protocol Port Control Protocol (PCP) is a computer networking protocol that allows hosts on IPv4 or IPv6 networks to control how the incoming IPv4 or IPv6 packets are translated and forwarded by an upstream router that performs network address translat ...

(PCP) is a successor of NAT-PMP. *

UPnP Universal Plug and Play (UPnP) is a set of networking protocols on the Internet Protocol (IP) that permits networked devices, such as personal computers, printers, Gateway (telecommunications), Internet gateways, Wi-Fi access points and mobile de ...

Internet Gateway Device Protocol Internet Gateway Device (UPnP IGD) Control Protocol is a protocol based on Universal Plug and Play, UPnP for mapping Port (computer networking), ports in network address translation (NAT) setups, supported by some NAT-enabled Router (computing), ...

(UPnP IGD) is supported by many small NAT gateways in home or small office settings. It allows a device on a network to ask the router to open a port. *

Interactive Connectivity Establishment Interactive Connectivity Establishment (ICE) is a technique used in computer networking to find ways for two computers to talk to each other as directly as possible in peer-to-peer networking. This is most commonly used for interactive media such ...

(ICE) is a complete protocol for using STUN and/or TURN to do NAT traversal while picking the best network route available. It fills in some of the missing pieces and deficiencies that were not mentioned by STUN specification. *

Session Traversal Utilities for NAT STUN (Session Traversal Utilities for NAT; originally Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) is a standardized set of methods, including a network protocol, for traversal of network address transl ...

(STUN) is a standardized set of methods and a network protocol for NAT hole punching. It was designed for UDP but was also extended to TCP. *

Traversal Using Relays around NAT Traversal Using Relays around NAT (TURN) is a protocol that assists in traversal of network address translators (NAT) or firewalls for multimedia applications. It may be used with the Transmission Control Protocol (TCP) and User Datagram Protocol ...

(TURN) is a relay protocol designed specifically for NAT traversal. *

NAT hole punching Hole punching (or sometimes punch-through) is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To ...

is a general technique that exploits how NATs handle some protocols (for example, UDP, TCP, or ICMP) to allow previously blocked packets through the NAT. **

UDP hole punching UDP hole punching is a commonly used technique employed in network address translation (NAT) applications for maintaining User Datagram Protocol (UDP) packet streams that traverse the NAT. NAT traversal techniques are typically required for clien ...

TCP hole punching TCP NAT traversal and TCP hole punching (sometimes NAT punch-through) in computer networking occurs when two hosts behind a network address translation (NAT) are trying to connect to each other with outbound TCP connections. Such a scenario is pa ...

ICMP hole punching ICMP hole punching is a technique employed in network address translator (NAT) applications for maintaining Internet Control Message Protocol (ICMP) packet streams that traverse the NAT. NAT traversal techniques are typically required for client ...

* Socket Secure (SOCKS) is a technology created in the early 1990s that uses proxy servers to relay traffic between networks or systems. *

Application-level gateway An application-level gateway (ALG, also known as application-layer gateway, application gateway, application proxy, or application-level proxy) is a security component that augments a firewall or NAT employed in a mobile network. It allows custom ...

(ALG) techniques are a component of a firewall or NAT that provides configureable NAT traversal filters. It is claimed that this technique creates more problems than it solves.

Symmetric NAT

The recent proliferation of

symmetric NAT Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was initial ...

s has reduced NAT traversal success rates in many practical situations, such as for mobile and public

Wi-Fi Wi-Fi () is a family of wireless network protocols based on the IEEE 802.11 family of standards, which are commonly used for Wireless LAN, local area networking of devices and Internet access, allowing nearby digital devices to exchange data by ...

connections. Hole punching techniques, such as STUN and ICE, fail in traversing symmetric NATs without the help of a relay server, as is practiced in

TURN To turn is to rotate, either continuously like a wheel turns on its axle, or in a finite motion changing an object's orientation. Turn may also refer to: Sports and games * Turn (game), a segment of a game * Turn (poker), the fourth of five co ...

. Techniques that traverse symmetric NATs by attempting to predict the next port to be opened by each NAT device were discovered in 2003 by Yutaka Takeda at Panasonic Communications Research Laboratory and in 2008 by researchers at Waseda University. Port prediction techniques are only effective with NAT devices that use known deterministic algorithms for port selection. This predictable yet non-static port allocation scheme is uncommon in large scale NATs such as those used in

4G LTE In telecommunications, long-term evolution (LTE) is a standard for wireless broadband communication for cellular mobile devices and data terminals. It is considered to be a "transitional" 4G technology, and is therefore also referred to as 3 ...

networks and therefore port prediction is largely ineffective on those mobile broadband networks.

IPsec

virtual private network Virtual private network (VPN) is a network architecture for virtually extending a private network (i.e. any computer network which is not the public Internet) across one or multiple other networks which are either untrusted (as they are not con ...

clients use NAT traversal in order to have Encapsulating Security Payload packets traverse NAT. IPsec uses several protocols in its operation which must be enabled to traverse firewalls and network address translators: *

Internet Key Exchange In computing, Internet Key Exchange (IKE, versioned as IKEv1 and IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP.The Internet Key Exchange (IKE), RFC 2 ...

(IKE) User Datagram Protocol (UDP)

port A port is a maritime facility comprising one or more wharves or loading areas, where ships load and discharge cargo and passengers. Although usually situated on a sea coast or estuary, ports can also be found far inland, such as Hamburg, Manch ...

500 * Encapsulating Security Payload (ESP) IP protocol number 50 * Authentication Header (AH) IP protocol number 51 * IPsec NAT traversal UDP port 4500, if and only if NAT traversal is in use Many routers provide explicit features, often called IPsec Passthrough. In Windows XP, NAT traversal is enabled by default, but in Windows XP with Service Pack 2 it has been disabled by default for the case when the VPN server is also behind a NAT device, because of a rare and controversial security issue. IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98. NAT traversal and IPsec may be used to enable

opportunistic encryption Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt communications channels, otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two ...

of traffic between systems. NAT traversal allows systems behind NATs to request and establish secure connections on demand.

Hosted NAT traversal

Hosted NAT traversal (HNT) is a set of mechanisms, including media relaying and latching, that is widely used by communications providers for historical and practical reasons. The

advises against using latching over the Internet and recommends ICE for security reasons.Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal, RFC 8445
2018-07-01

IETF standards documents

* Firewall Friendly FTP * IP Network Address Translator (NAT) Terminology and Considerations * Security Model with Tunnel-mode IPsec for NAT Domains * Architectural Implications of NAT * Traditional IP Network Address Translator (Traditional NAT) * Protocol Complications with the IP Network Address Translator (NAT) * Network Address Translator (NAT)-Friendly Application Design Guidelines * IPsec-Network Address Translation (NAT) Compatibility * Negotiation of NAT-Traversal in the IKE * State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs) * Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols

References

{{reflist

External links

Problems and fact about modern day NAT traversal systems

Autonomous NAT traversal – NAT to NAT communication without a third party

Cornell University – Characterization and Measurement of TCP Traversal through NATs and Firewalls

Columbia University – An Analysis of the Skype Peer-to-Peer Internet Telephony

Peer to peer communication across Network Address Translators (UDP Hole Punching)
Computer network security Network protocols Network address translation