NAT
...
This protocol is not a cure-all for the problems associated with NAT. It does not enable incoming TCP connections through NAT. It allows incoming UDP packets through NAT, but only through a subset of existing NAT types. In particular, STUN does not enable incoming UDP packets through symmetric NATs (defined below), which are common in large enterprises. STUN's discovery procedures are based on assumptions on NAT treatment of UDP; such assumptions may prove invalid down the road as new NAT devices are deployed. STUN does not work when it is used to obtain an address to communicate with a peer which happens to be behind the same NAT. STUN does not work when the STUN ...
...
Network Address Translators (NATs), while providing many benefits, also come with many drawbacks. The most troublesome of those drawbacks is the fact that they break many existing IP ... and make it difficult to deploy new ones. Guidelines have been developed [8] that describe how to build "NAT friendly" protocols, but many protocols simply cannot be constructed according to those guidelines. Examples of such protocols include almost all peer-to- ...
... application layer functions required for a particular protocol to traverse a NAT. Typically, this involves rewriting application layer messages to contain ...
... NAT (or firewall), in order to obtain NAT bindings and open or close pinholes. In this way, NATs and applications can be separated once more, eliminating the need for embedding ALGs in NATs, and resolving the limitations imposed by current architectures.
...
Unfortunately, MIDCOM requires upgrades to existing NAT and firewalls, in addition to application components. Complete upgrades of these NAT and firewall products will take a long time, potentially years. This is due, in part, to the fact that the deployers of NAT and firewalls are not the same people who are deploying and using ...
... will be low in many cases. Consider, for example, an airport Internet lounge that provides access with a NAT. A user connecting to the NATed network may wish to use a peer-to-peer service, but cannot, because the NAT doesn't support it. Since the administrators of the lounge are not the ones providing the service, they are not motivated to upgrade their NAT equipment to support it, using either an ALG, or MIDCOM ...
... and have a relationship with them which permits control. In many configurations, this will not be possible. For example, many cable access providers use NAT in front of their entire access network. This NAT could be in addition to a residential NAT purchased and operated by the end user. The end user will probably not have a control relationship with the NAT in the cable access network, and may not even know of its existence.
...
... 11]) and Voice over IP, have developed tricks that allow them to operate through NATs without changing those NATs. This document is an attempt to take some of those ideas, and codify them into an interoperable protocol that can meet the needs of many applications.
...
The protocol described here, Simple Traversal of UDP Through NAT (STUN), allows entities behind a NAT to first discover the presence of a NAT and the type of NAT, and then to learn the address bindings allocated by the NAT. STUN requires no changes to NATs, and works with an arbitrary number of NATs in tandem between the application entity and the public Internet ...
... NAT Variations ...
...
It is assumed that the reader is familiar with NATs. It has been observed that NAT treatment of UDP varies among implementations. The four treatments observed in implementations are:
Full Cone: A full cone NAT is one where all requests from the same internal IP address and port ... address.
Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port ...
Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host ... port P.
Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port ... host.
Determining the type of NAT is important in many cases. Depending on what the application wants to do, it may need to take the particular behavior into account.
...
[Figure 1 (ASCII diagram not reproduced): NAT 1 joins the client's network to Private NET 2, and NAT 2 joins Private NET 2 to the Public Internet]
...
... private network 1. This network connects to private network 2 through NAT 1. Private network 2 connects to the public Internet through NAT 2. The STUN server resides on the public Internet.
...
... Binding requests are used to determine the bindings allocated by
NATs. The client sends a Binding Request to the server, over UDP ...
...
The trick is using STUN to discover the presence of NAT, and to learn
and use the bindings they allocate.
...
... STUN servers in order to allow its customers to use its
application through NAT). Of course, a client can determine the
address ...
... The STUN Binding Request is used to discover the presence of a NAT, and to discover the public IP address and port mappings generated by the NAT. Binding Requests are sent to the STUN server using UDP ...
... Binding Request arrives at the STUN server, it may have passed through one or more NATs between the STUN client and the STUN ...
... will be the mapped address created by the NAT closest to the server. The STUN server copies that source IP address ...
... port of the STUN request. For all of the NAT types above, this response will arrive at the STUN client ...
... client is behind one or more NATs. In the case of a full-cone NAT, the IP address and port in the body of the STUN ...
...
Of course, the host may not be behind a full-cone NAT. Indeed, it doesn't yet know what type of NAT it is behind. To determine that, the client uses additional STUN ...
... port in the response are different from those in the first response, the client knows it is behind a symmetric NAT. To determine if it's behind a full-cone NAT, the client can send a STUN ...
... is behind a port restricted cone NAT or just a restricted cone NAT.
It should be noted that the configuration in Figure 1 is not the only
...
... port" flags are useful for determining whether the client is behind a restricted cone NAT or restricted port cone NAT. They instruct the server to send the Binding Responses from a different source IP address ...
... port where the response was sent from. It is useful for detecting twice NAT configurations.
The sixth attribute is the USERNAME ...
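As an added, runnable example (not text or code from RFC 3489, and not any particular STUN implementation), the Python below encodes and decodes the Binding Request and Binding Response discussed above, including the CHANGE-REQUEST flags and the server's copying of the request's UDP source into MAPPED-ADDRESS. The message type and attribute type codes are the ones RFC 3489 assigns; the client, NAT and server addresses used in demo() are constructed, and the strict length checking in decode_message() is the check a practitioner adds, not something the text above spells out.

```python
# Added example (not from RFC 3489 or any STUN stack): Binding Request /
# Binding Response on the wire, server reflecting the request's source into
# MAPPED-ADDRESS. Codes are RFC 3489's; addresses in demo() are constructed.
import os
import socket
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001      # where the server saw the request come from
CHANGE_REQUEST = 0x0003      # asks the server to reply from another IP/port
SOURCE_ADDRESS = 0x0004      # where the server actually sent the reply from
CHANGE_IP, CHANGE_PORT = 0x04, 0x02
HEADER_LEN = 20              # type(2) + length(2) + transaction ID(16)


def encode_address(ip, port):
    # reserved byte, family 0x01 = IPv4, 16-bit port, 32-bit address
    return struct.pack("!BBH4s", 0, 0x01, port, socket.inet_aton(ip))


def decode_address(value):
    _, family, port, raw = struct.unpack("!BBH4s", value)
    if family != 0x01:
        raise ValueError("only IPv4 address attributes are handled here")
    return socket.inet_ntoa(raw), port


def encode_message(msg_type, attrs, tid=None):
    """Header plus TLV attributes; the length field counts only the attributes."""
    tid = tid or os.urandom(16)
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in attrs)
    return struct.pack("!HH16s", msg_type, len(body), tid) + body


def decode_message(data):
    """Strict parser: every length is checked before it is trusted."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than the STUN header")
    msg_type, length, tid = struct.unpack("!HH16s", data[:HEADER_LEN])
    if len(data) != HEADER_LEN + length:
        raise ValueError("length field disagrees with datagram size")
    attrs, off = [], HEADER_LEN
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack("!HH", data[off:off + 4])
        if off + 4 + a_len > len(data):
            raise ValueError("attribute overruns the message")
        attrs.append((a_type, data[off + 4:off + 4 + a_len]))
        off += 4 + a_len
    return msg_type, tid, attrs


def is_well_formed(data):
    try:
        decode_message(data)
        return True
    except ValueError:
        return False


def build_binding_request(change_ip=False, change_port=False):
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = [(CHANGE_REQUEST, struct.pack("!I", flags))] if flags else []
    return encode_message(BINDING_REQUEST, attrs)


def server_handle(datagram, src_ip, src_port, server_ip, server_port):
    """Server side: the request's UDP source (the outermost NAT's mapping) is
    reflected in MAPPED-ADDRESS, SOURCE-ADDRESS says where the reply was sent
    from, and the transaction ID is echoed unchanged."""
    msg_type, tid, _ = decode_message(datagram)
    if msg_type != BINDING_REQUEST:
        raise ValueError("not a Binding Request")
    return encode_message(BINDING_RESPONSE, [
        (MAPPED_ADDRESS, encode_address(src_ip, src_port)),
        (SOURCE_ADDRESS, encode_address(server_ip, server_port)),
    ], tid)


def client_parse_response(datagram, expected_tid):
    """Client side: accept only a Binding Response echoing our transaction ID
    (an unsolicited reply could be injected), then read MAPPED-ADDRESS."""
    msg_type, tid, attrs = decode_message(datagram)
    if tid != expected_tid:
        raise ValueError("transaction ID mismatch: not a reply to our request")
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response")
    for a_type, value in attrs:
        if a_type == MAPPED_ADDRESS:
            return decode_address(value)
    raise ValueError("response carries no MAPPED-ADDRESS")


def demo():
    """Constructed exchange: the client's socket is mapped by its NAT to
    203.0.113.7:61000; the server listens on 198.51.100.1:3478."""
    request = build_binding_request()
    tid = request[4:HEADER_LEN]
    response = server_handle(request, "203.0.113.7", 61000, "198.51.100.1", 3478)
    return client_parse_response(response, tid)
```

Two details matter in practice: the client discards any response whose 16-byte transaction ID does not match the request it sent, which is the only thing tying a UDP reply back to a request, and the parser validates every length field before slicing, because the datagram arrives over an untrusted path.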
... Firewall that allows UDP out, and responses have to come back to the source of the request (like a symmetric NAT, but no translation). We call this a symmetric UDP Firewall ...
...
o Restricted cone or restricted port cone NAT
Which of the six scenarios applies can be determined through the flow ...
... Internet (or, at least, it's behind a firewall that behaves like a full-cone NAT, but without the translation). If no response is received, the client knows it's behind a symmetric UDP ...
... ADDRESS attribute in the response to test I, the client knows that it is behind a NAT. It performs test II. If a response is received, the client knows that it is behind a full-cone NAT. If no response is received, it performs test I again, but this time, does so to the address and port ...
... ADDRESS attribute are not the same as the ones from the first test I, the client knows it's behind a symmetric NAT. If the address and port are the same, the client is either behind a restricted or port restricted NAT. To make a determination about which one it is behind, the client initiates test III. If a response is received, it's behind a restricted NAT, and if no response is received, it's behind a port restricted NAT.
This procedure yields substantial information about the operating condition of the client application. In the event of multiple NATs between the client and the Internet, the type that is discovered will be the type of the most restrictive NAT between the client and the Internet. The types of NAT, in order of restrictiveness, from most to least, are symmetric, port restricted cone, restricted cone, and full cone.
[Flow chart for type discovery (ASCII art not reproduced): Test I, Resp?, IP Same?, Symmetric NAT, Open Internet]
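The decision procedure just described, written out as code. This is an added example and not RFC 3489 text or any real STUN client: the NAT is simulated in-process (SimNat, a model with one mapping and filtering policy per "kind") so that every branch of the flow can be driven without a network, and the server's primary and alternate addresses, the client address and the NAT's public address are constructed. Test I to the server's CHANGED-ADDRESS is modelled by sending to the fixed ALTERNATE address.

```python
# Added example (not RFC 3489 text, not a real STUN client): the test I/II/III
# classification run against a simulated NAT. All addresses are constructed.

CHANGE_IP, CHANGE_PORT = 0x04, 0x02          # CHANGE-REQUEST flags (RFC 3489)
PRIMARY = ("198.51.100.1", 3478)              # server address the client knows
ALTERNATE = ("198.51.100.2", 3479)            # server's CHANGED-ADDRESS (other IP and port)
CLIENT = ("10.0.0.5", 40000)


class SimNat:
    """Stateful model of one UDP NAT, or of no NAT at all.

    kind: 'open' (no NAT, no filter), 'blocked' (outbound UDP dropped),
          'sym_fw' (no translation; replies accepted only from the exact
          destination contacted), 'full', 'restricted', 'port_restricted',
          'symmetric'.
    """

    def __init__(self, kind, public_ip="203.0.113.7"):
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = 61000
        self.mappings = {}      # mapping key -> public port
        self.contacted = {}     # public (ip, port) -> set of destinations sent to

    def outbound(self, internal, dest):
        """Forward a packet from `internal` to `dest`; return the source the
        outside sees, or None if the packet is dropped."""
        if self.kind == "blocked":
            return None
        if self.kind in ("open", "sym_fw"):
            public = internal                      # no translation
        else:
            # symmetric: one mapping per (internal, destination);
            # cone types: one mapping per internal address, any destination
            key = (internal, dest) if self.kind == "symmetric" else internal
            if key not in self.mappings:
                self.mappings[key] = self.next_port
                self.next_port += 1
            public = (self.public_ip, self.mappings[key])
        self.contacted.setdefault(public, set()).add(dest)
        return public

    def inbound(self, src, public):
        """Does a packet from `src` addressed to `public` reach the client?"""
        dests = self.contacted.get(public)
        if dests is None:
            return False                          # no binding: dropped
        if self.kind in ("open", "full"):
            return True
        if self.kind == "restricted":
            return any(ip == src[0] for ip, _ in dests)
        return src in dests                       # port_restricted, symmetric, sym_fw


def run_test(nat, dest, flags):
    """One Binding Request from CLIENT to `dest`. The server answers from its
    alternate IP and port (flags A+B), the alternate port only (flag B), or
    the address the request was sent to. Returns the MAPPED-ADDRESS the
    client would read, or None if no response arrives."""
    public = nat.outbound(CLIENT, dest)
    if public is None:
        return None
    if flags == CHANGE_IP | CHANGE_PORT:
        reply_src = ALTERNATE
    elif flags == CHANGE_PORT:
        reply_src = (dest[0], ALTERNATE[1])
    else:
        reply_src = dest
    return public if nat.inbound(reply_src, public) else None


def classify(nat):
    """The decision procedure of the text (tests I, II and III)."""
    mapped = run_test(nat, PRIMARY, 0)                       # test I
    if mapped is None:
        return "UDP blocked"
    if mapped == CLIENT:                                     # no translation seen
        if run_test(nat, PRIMARY, CHANGE_IP | CHANGE_PORT):  # test II
            return "Open Internet"
        return "Symmetric UDP firewall"
    if run_test(nat, PRIMARY, CHANGE_IP | CHANGE_PORT):      # test II
        return "Full cone NAT"
    if run_test(nat, ALTERNATE, 0) != mapped:                # test I to CHANGED-ADDRESS
        return "Symmetric NAT"
    if run_test(nat, PRIMARY, CHANGE_PORT):                  # test III
        return "Restricted cone NAT"
    return "Port restricted cone NAT"


if __name__ == "__main__":
    for kind in ("open", "blocked", "sym_fw", "full",
                 "restricted", "port_restricted", "symmetric"):
        print(f"{kind:16s} -> {classify(SimNat(kind))}")
```

Running the module prints one classification per simulated kind. The model also makes the brittleness the text warns about concrete: classify() infers everything from whether a reply got through, so a NAT whose mapping or filtering policy falls outside the four kinds, or a single lost datagram, produces a wrong answer rather than an error.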
... creates a binding in the NAT. The response from the server contains a MAPPED-ADDRESS attribute, providing the public address and port on the NAT. Call this Pa and Pp, respectively. The client then starts ...
... socket Y (which is possible if the old binding expired, and the NAT allocated the same public address and port to the new binding ...
It is possible that the client can get inconsistent results each time this process is run. For example, if the NAT should reboot, or be reset for some reason, the process may discover a lifetime that is ...
... process above when it started up, to discover its environment. Now, it wants to make a call. As part of the discovery process, it determined that it was behind a full-cone NAT.
Consider further that this phone consists of two logically separated ...
... RTP [12]. Both are behind the same NAT. Because of this separation of control and media, we wish to minimize the communication required between them. In fact, they may not even run on the same host ...
... timeout (UDP bindings in NATs are typically short; 30 seconds is common). To deal with this, the application can periodically retransmit the query ...
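The binding-lifetime measurement and the periodic refresh described above, as an added example rather than RFC text or any real client: a simulated NAT (TimedNat) with a simulated clock expires a binding a fixed number of seconds after the last outbound packet and reuses freed public ports lowest-first, and the client binary-searches the lifetime with the two-socket (X and Y) trick. The 30-second lifetime, the addresses and the ports are constructed; the assumption that inbound packets do not refresh a binding is the model's, not the RFC's.

```python
# Added example (not text or code from RFC 3489, not a real STUN client): the
# binding-lifetime discovery and keepalive of the text, run against a simulated
# NAT with a simulated clock. Lifetime, addresses and ports are constructed.


class TimedNat:
    """UDP NAT whose bindings expire `lifetime` seconds after the last
    *outbound* packet (model assumption: inbound traffic does not refresh).
    Freed public ports are reused lowest-first, so a new binding can receive
    the port another socket held a moment earlier."""

    def __init__(self, lifetime, public_ip="203.0.113.7", first_port=61000):
        self.lifetime = lifetime
        self.public_ip = public_ip
        self.first_port = first_port
        self.bindings = {}      # internal (ip, port) -> [public_port, last_outbound]
        self.allocations = 0    # distinct bindings ever created

    def _expire(self, now):
        stale = [k for k, (_, last) in self.bindings.items()
                 if now - last >= self.lifetime]
        for k in stale:
            del self.bindings[k]

    def outbound(self, internal, now):
        """Client sends a packet at time `now`; returns the public (ip, port)."""
        self._expire(now)
        if internal in self.bindings:
            self.bindings[internal][1] = now             # refresh
        else:
            used = {port for port, _ in self.bindings.values()}
            port = self.first_port
            while port in used:
                port += 1
            self.bindings[internal] = [port, now]
            self.allocations += 1
        return (self.public_ip, self.bindings[internal][0])

    def inbound(self, public_port, now):
        """A packet arrives at `public_port`; returns the internal address it
        is delivered to, or None when no live binding owns that port."""
        self._expire(now)
        for internal, (port, _) in self.bindings.items():
            if port == public_port:
                return internal
        return None


def probe_alive(nat, x, y, wait, now):
    """One trial of the lifetime procedure: Binding Request from socket X at
    `now` (its response's MAPPED-ADDRESS is Pa:Pp), wait `wait` seconds, then
    a request from socket Y carrying RESPONSE-ADDRESS = Pa:Pp so the server
    replies to X's mapping. Returns (alive, clock_after_trial)."""
    pa, pp = nat.outbound(x, now)
    later = now + wait
    nat.outbound(y, later)                       # Y's binding, possibly X's old port
    delivered_to = nat.inbound(pp, later)        # the server's reply to Pa:Pp
    # Arrival on X: binding survived. Arrival on Y (port reused) or nowhere: expired.
    return delivered_to == x, later


def discover_lifetime(nat, x, y, hi=600, resolution=1):
    """Binary search between 0 and `hi` seconds. Returns (lo, hi): the longest
    wait that still found the binding alive and the shortest that did not."""
    lo, now = 0, 0
    while hi - lo > resolution:
        mid = (lo + hi) // 2
        alive, now = probe_alive(nat, x, y, mid, now)
        if alive:
            lo = mid
        else:
            hi = mid
    return lo, hi


def keepalive_holds(nat, x, interval, duration):
    """Refresh X's binding every `interval` seconds for `duration` seconds and
    report whether the NAT kept a single binding the whole time."""
    for t in range(0, duration + 1, interval):
        nat.outbound(x, t)
    return nat.allocations == 1


if __name__ == "__main__":
    X, Y = ("10.0.0.5", 40000), ("10.0.0.5", 40001)
    print("lifetime bracket:", discover_lifetime(TimedNat(30), X, Y))
    print("refresh every 15 s holds:", keepalive_holds(TimedNat(30), X, 15, 600))
    print("refresh every 45 s holds:", keepalive_holds(TimedNat(30), X, 45, 600))
```

For a NAT with a 30 s lifetime, discover_lifetime() returns the bracket (29, 30). probe_alive() also exercises the caveat in the text: once X's binding has expired and the NAT hands X's old port to Y, the server's reply arrives on Y, so anything other than arrival on X has to be read as "expired". keepalive_holds() confirms that refreshing every 15 s keeps one binding for ten minutes while refreshing every 45 s does not.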
It is possible that both participants in the multimedia session are behind the same NAT. In that case, both will repeat this procedure above, and both will obtain public address bindings. When one sends media to the other, the media is routed to the NAT, and then turns right back around to come back into the enterprise, where it is translated to the private address of the recipient. This is not particularly efficient, and unfortunately, does not work in many commercial NATs. In such cases, the clients may need to retry using private addresses ...
... attacks if the traversed NAT is a full cone
NAT). Discovering open ports is already fairly trivial using port
...
... STUN request passes through the rogue router or NAT, it rewrites the source address of the packet to be that of the desired MAPPED-ADDRESS ...
... attacker is on the public Internet (that is, there are no NATs between it and the STUN server), and the attacker ...
... If the attacker is on a private network (that is, there are NATs between it and the STUN server), the attacker ...
... route to the private network. This is because the NAT between the attacker and the STUN server will rewrite the source address ...
... to the private network. Unfortunately, it is possible that a low quality NAT would be willing to map an allocated public address to another public address ...
... request to be an arbitrary public address. This kind of behavior from NATs does appear to be rare.
...
... 2827 [7]). This is particularly important for the NATs themselves. As Section 12.2.3 explains, NATs which do not perform this check can be used as "reflectors" in DDoS attacks. Most NATs do perform this check as a default mode of operation. We strongly advise people that purchase NATs to ensure that this capability is present and enabled.
Secondly, it is RECOMMENDED that STUN ...
... STUN itself
is seeking to detect and report. It is therefore an inherent
weakness in NAT, and not fixable in STUN. To help mitigate these
attacks ...
...
and V so that it can forward the response to C. Furthermore, if there is a NAT between the attacker and the server, V must also be behind the same NAT. In such a situation, the attacker can either gain access to all the application-layer ...
... client attempts to determine
its address in another realm on the other side of a NAT through a
collaborative protocol reflection mechanism (RFC 3424 [17 ...
... o Provide a means for a client to detect the presence of one or more NATs between it and a server run by a service provider on the public Internet ...
... o Provide a means for a client to detect the presence of one or more NATs between it and another client, where the second client is ...
... client to obtain an address on the public
Internet from a non-symmetric NAT, for the express purpose of
receiving incoming UDP ...
... service provider network. Whilst the detection of the specific type of NAT may be brittle, the discovery of the existence of NAT is itself quite robust. As NATs are phased out through the deployment of IPv6, the discovery operation will return immediately with the result that there is no NAT, and no further operations are required. Indeed, the discovery operation itself can be used to help motivate deployment of IPv6; if a user detects a NAT between themselves and the public Internet, they can call up their access provider ...
... STUN can also help facilitate the introduction of midcom. As
midcom-capable NATs are deployed, applications will, instead of using
STUN (which also resides at the application layer ...
... based on their treatment of UDP. There could be other types of NATs that are deployed that would not fit into one of these molds. Therefore, future NATs may not be properly detected by STUN. STUN ...
... o The binding acquisition usage of STUN does not work for all NAT types. It will work for any application for full cone NATs only. For restricted cone and port restricted cone NAT, it will work for some applications depending on the application. Application specific processing will generally be needed. For symmetric NATs, the binding acquisition will not yield a usable address. The tight dependency on the specific type of NAT makes the protocol brittle.
...
... o The bindings allocated from the NAT need to be continuously refreshed. Since the timeouts for these bindings are very ...
... lifetime will exist for all bindings. This may not be true if the NAT uses dynamic binding lifetimes to handle overload, or if the NAT itself reboots during the discovery process.
...
... clients A and B. For example, consider client A and B, both of which have residential NAT devices. Both devices connect them to their cable operators, but both clients have different providers. Each provider has a NAT in front of their entire network, connecting it to the public Internet ...
... clients, but both clients are behind the same NAT connecting to that address realm. For example, if the two clients in the previous example had the same cable operator, and that cable operator had a single NAT connecting their network to the public Internet, the address obtained by A would not be usable by B. That is because some NATs will not accept an internal packet sent to a public IP address which is mapped back to an internal address ...
... STUN has led to the following requirements for a long term solution to the NAT problem:
Requests for bindings and control of other resources in a NAT need to be explicit. Much of the brittleness in STUN derives from its guessing at the parameters of the NAT, rather than telling the NAT what parameters to use.
Control needs to be "in-band ...
...
Control needs to be limited. Users will need to communicate through NATs which are outside of their administrative control. In order for providers to be willing to deploy NATs which can be controlled by users in different domains, the scope of such ...
... Several of the practical issues with STUN involve future proofing: breaking the protocol when new NAT types get deployed. Fortunately, this is not an issue at the current time, since most of the deployed NATs are of the types assumed by STUN. The primary usage STUN has ...
... RTP traffic. This pairing property cannot be guaranteed through NATs that are not directly controllable. As a result, RTCP traffic ...
... STUN have to do with the lack of standardized behaviors and controls in NATs. The result of this lack of standardization has been a proliferation of devices whose behavior is highly unpredictable, extremely variable, and uncontrollable. STUN ...
... such a hostile environment. Ultimately, the solution is to make the environment less hostile, and to introduce controls and standardized behaviors into NAT. However, until such time as that happens, STUN provides a good short term solution given the terrible conditions ...
[8] Senie, D., "Network Address Translator (NAT)-Friendly Application Design Guidelines", RFC 3235, January 2002.
