NAT traversal is a general term for techniques to establish and maintain TCP/IP network connections which traverse network address translation (NAT) gateways.

These techniques are typically required for client-to-client networking applications, especially peer-to-peer and Voice-over-IP (VoIP) deployments. Many techniques exist, but no technique works in every situation since NAT behavior is not standardized. Many techniques require assistance from a computer server at a publicly-routable IP address. Some methods use the server only when establishing the connection (such as STUN), while others are based on relaying all the data through it (such as TURN), which adds bandwidth costs and increases latency, detrimental to real-time VoIP applications.

Almost by definition, NAT techniques break end-to-end transparency. Intercepting and modifying traffic can only be performed transparently in the absence of secure encryption and authentication. Most NAT behavior-based techniques bypass enterprise security policies. Enterprise security experts prefer techniques that explicitly cooperate with NAT and firewalls, allowing NAT traversal while still enabling marshalling at the NAT to enforce enterprise security policies. From this point of view, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM).

SOCKS, the oldest NAT traversal protocol, is still widely available. In home/SOHO settings, Universal Plug and Play (UPnP) is supported by most small NAT gateways. NAT-T is commonly used by IPsec VPN clients in order to have ESP packets traverse NAT.

The NAT traversal problem

NAT devices allow internal networks to communicate with external networks using a limited number of external IP Addresses by changing the source address of outgoing requests and listening for replies. This leaves the internal network ill-suited to act as a server, as the NAT device has no way of determining the internal host for which incoming packets are destined. On the Internet, this problem has not generally been relevant to home users behind NAT devices, as they either do not need to act as servers or can use static NAT mappings to correlate incoming requests to internal hosts. However, applications such as P2P file sharing (such as BitTorrent or Gnutella clients), VoIP networks (such as Skype) and the online services of current generation video game consoles (such as the Xbox 360's Xbox Live or the PS3's PlayStation Network) require clients to act like servers, thereby posing a problem for users behind NAT devices, as incoming requests cannot be correlated to the proper internal host.

NAT traversal and IPsec

In order for IPsec to work through a NAT, the following need to be allowed on the firewall:

• Internet Key Exchange (IKE) - User Datagram Protocol (UDP) port 500
• Encapsulating Security Payload (ESP) - Internet Protocol (IP) 50

or, in case of NAT-T:

• IPsec NAT-T - UDP port 4500

Often this is accomplished on home routers by enabling "IPsec Passthrough".

The default behavior of Windows XP SP2 was changed to no longer have NAT-T enabled by default, because of a rare and controversial security issue . This prevents most home users from using IPsec without making adjustments to their settings. To enable NAT-T for systems behind NATs to communicate with other systems behind NATs, the following registry key needs to be added and set to a value of 2: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesIPsecAssumeUDPEncapsulationContextOnSendRule

IPsec NAT-T patches are also available for Windows 2000, Windows NT and Windows 98.

One usage of NAT-T and IPsec is to enable opportunistic encryption between systems. NAT-T allows systems behind NATs to request and establish secure connections on demand.

See also

NAT traversal protocols and techniques based on NAT behavior

• Simple Traversal of UDP over NATs (STUN)
• Traversal Using Relay NAT (TURN)
• NAT-T Negotiation of NAT-Traversal in the IKE
• Teredo tunneling uses NAT traversal to provide IPv6 connectivity.
• Session Border Controller (SBC)
• UDP hole punching
• TCP hole punching

NAT traversal based on NAT control

• Realm-Specific IP (RSIP)
• Middlebox Communications (MIDCOM)
• SOCKS
• NAT Port Mapping Protocol (NAT PMP)
• Universal Plug and Play (UPnP)
• Application Layer Gateway (ALG)

NAT traversal combining several techniques

• Interactive Connectivity Establishment (ICE)

External links

IETF references

• RFC 1579 - Firewall Friendly FTP
• RFC 2663 - IP Network Address Translator (NAT) Terminology and Considerations
• RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains
• RFC 2993 - Architectural Implications of NAT
• RFC 3027 - Protocol Complications with the IP Network Address Translator (NAT)
• RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines
• RFC 3947 - Negotiation of NAT-Traversal in the IKE
• RFC 5128 - State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
• zConf.com - Understanding NAT Traversal

University research papers

• Cornell University - Characterization and Measurement of TCP Traversal through NATs and Firewalls
• Columbia University - An Analysis of the Skype Peer-to-Peer Internet Telephony
• Peer to peer communication across Network Address Translators (UDP Hole Punching):

External links

• NAT-Traversal Test
• How Skype & Co. get round firewalls