NAT traversal

From Wikipedia, the free encyclopedia

NAT traversal refers to an algorithm to the common problem in TCP/IP networking of establishing connections between hosts in private TCP/IP networks which use NAT devices.

This problem is typically faced by developers of client-to-client networking applications especially in peer-to-peer and VoIP. NAT-T is commonly used by IPsec VPN clients in order to have ESP packets go through NAT.

Many techniques exist, but no technique works in every situation since NAT behavior is not standardized. Many techniques require a public server on a well-known globally reachable IP address. Some methods use the server only when establishing the connection (such as STUN), while others are based on relaying all the data through it (such as TURN), which adds bandwidth costs and increases latency detrimental to conversational VoIP applications.

Most NAT behavior-based techniques fail to preserve enterprise security policies and break end-to-end transparency. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. To that extent, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM). SOCKS as the oldest NAT control protocol remains valid and is widely available while Universal Plug and Play (UPnP) is attractive for home/SOHO use because it might be widely supported by small gateways vendors.

Contents

NAT devices allow internal networks to communicate with external networks using a limited number of external IP Addresses by changing the source address of outgoing requests and listening for replies. This leaves the internal network ill suited to act as a server as the NAT device has no way of determining which internal host the incoming packets are destined for. On the Internet this problem was not generally relevant to home users behind NAT devices as they either do not need to act as servers or can use static NAT mappings to correlate incoming requests to internal hosts. Applications such as P2P file sharing (like BitTorrent or Gnutella clients) or VoIP networks (like Skype) require clients to act like servers and pose a problem to users behind NAT devices as incoming requests can not be correlated to the proper internal host.

In order for IPsec to work through a NAT the following need to be allowed on the firewall:

  • Internet Key Exchange (IKE) - User Datagram Protocol (UDP) port 500
  • IPsec NAT-T - UDP port 4500
  • Encapsulating Security Payload (ESP) - Internet Protocol (IP) protocol 50

often this is accomplished on home routers by enabling "IPsec Passthrough".

The default behaviour of Windows XP SP2 was changed to no longer have NAT-T enabled by default because of a rare and controversial security issue. This prevents most home users from using IPsec without making adjustments to their settings. To enable NAT-T for systems behind NATs to communicate with systems behind NATs the following registry key needs to be added and set to a value of 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule[1]

IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.

One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.

This article or section is in need of attention from an expert on the subject.
Please help recruit one or improve this article yourself. See the talk page for details.
Please consider using {{Expert-subject}} to associate this request with a WikiProject

  • RFC 1579 - Firewall Friendly FTP
  • RFC 2663 - IP Network Address Translator (NAT) Terminology and Considerations
  • RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains
  • RFC 2993 - Architectural Implications of NAT
  • RFC 3027 - Protocol Complications with the IP Network Address Translator (NAT)
  • RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines
  • RFC 3947 - Negotiation of NAT-Traversal in the IKE

Retrieved from "http://en.wikipedia.org../../../n/a/t/NAT_traversal_5d3e.html"
Advanced Search
Included Web Search Engines


Safe Search

close

Top Matching Results

Occasionally Search.com will highlight specialized results that are based on the context of your query. Examples of specialized results include specific links to news, images, or video.

Top Matching Results may highlight information from other Search.com pages, content from the CNET Network of sites, or third party content. The listings are based purely on relevance. Search.com does not receive payment for listings in this section but our partners that provide this data may get paid for listing these products.

Sponsored Links

This section contains paid listings which have been purchased by companies that want to have their sites appear for specific search terms and related content. These listings are administered, sorted and maintained by a third party and are not endorsed by Search.com.

Search Results

Search.com sends your search query to several search engines at one time and integrates the results into one list which has been sorted by relevance using Search.com's proprietary algorithm. You can customize the list of search engines included in your metasearch from the preferences.

The search engines that are used in your metasearch may allow companies to pay to have their Web sites included within the results. To view the Paid Inclusion policy for a specific search engine, please visit their Web site. Search.com does not accept payment or share revenue with any search engine partner for listings in this section.