Application and NAT
Network Address Translation(NAT)
“strong proxy”
Today the NAT is usually your home router.
The NAT rewrites your packets, changing some header fields (such as the source IP and source port, …).
IP addresses behind a NAT are private addresses handed out by the NAT, in the form
10.x.x.x
Many hosts can share the same public IP address via a NAT.
Types of NAT
- Full cone: the NAT just does the translation blindly. If some new host C sends a packet to 128.34.22.8:6641, the NAT will translate it to 10.0.0.101:4512, and host A will see the packet from C.
- (Address) restricted cone: the NAT filters incoming packets on their source IP. If the source IP matches a previous destination IP (i.e. it is a response), the NAT does the translation.
- Port restricted cone: the NAT filters not only on the incoming packet's source IP but also on its source port; it only allows responses from the port that was contacted. (If the server wants to respond from a different port, it will be blocked!)
- Symmetric: the NAT creates a new mapping for each different destination, even when the packets come from the same internal host with the same source port.
NAT behavior recommendation
- TCP : RFC5382
- UDP : RFC4787
NAT implications
No incoming connections
Generally, you can't open a connection to a computer behind a NAT directly.
Solution 1 : connection reversal
(figure: connection reversal; image not available)
Solution 2 : Relay server
Solution 3 : NAT hole punching
This works for full cone and (port) restricted cone NATs, but it will not work for a symmetric NAT, because the external port the NAT picks for the peer differs from the one the rendezvous server observed.
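To make the four filtering rules above and the hole-punching result concrete, here is an added simulator (not code from the lecture notes): one `Nat` class that applies the mapping and filtering rule of each NAT type, plus a `hole_punch` run in which two hosts A and B each sit behind a NAT of the same type and learn each other's public endpoint from a rendezvous server. All IP addresses and ports are constructed sample values; the class and function names are this example's own.

```python
"""NAT type simulator: mapping + filtering rules of the four classic NAT types."""
from dataclasses import dataclass, field

FULL_CONE = "full_cone"
RESTRICTED_CONE = "restricted_cone"
PORT_RESTRICTED = "port_restricted"
SYMMETRIC = "symmetric"


@dataclass
class Mapping:
    internal: tuple          # (private IP, port) of the host behind the NAT
    external_port: int       # public port the NAT picked for this mapping
    # every (dst IP, dst port) this mapping has sent to; used for inbound filtering
    contacted: set = field(default_factory=set)


class Nat:
    """One NAT box with a public IP and a simple external-port allocator."""

    def __init__(self, public_ip, nat_type, first_port=4512):
        self.public_ip = public_ip
        self.nat_type = nat_type
        self.next_port = first_port
        self.mappings = {}       # key -> Mapping
        self.by_ext_port = {}    # external port -> Mapping

    def _key(self, internal, dst):
        # Symmetric NAT: one mapping per (internal endpoint, destination);
        # cone NATs: one mapping per internal endpoint, reused for every destination.
        return (internal, dst) if self.nat_type == SYMMETRIC else internal

    def outbound(self, internal, dst):
        """Translate a packet leaving the private side; returns the public (ip, port) used."""
        key = self._key(internal, dst)
        m = self.mappings.get(key)
        if m is None:
            m = Mapping(internal, self.next_port)
            self.next_port += 1
            self.mappings[key] = m
            self.by_ext_port[m.external_port] = m
        m.contacted.add(dst)
        return (self.public_ip, m.external_port)

    def inbound(self, src, ext_port):
        """Filter and translate a packet arriving at public_ip:ext_port from src.
        Returns the internal (ip, port) it is delivered to, or None if dropped."""
        m = self.by_ext_port.get(ext_port)
        if m is None:
            return None                                   # no mapping at all
        if self.nat_type == FULL_CONE:
            allowed = True                                # anyone may use the mapping
        elif self.nat_type == RESTRICTED_CONE:
            allowed = any(src[0] == d[0] for d in m.contacted)   # source IP must match
        else:  # PORT_RESTRICTED and SYMMETRIC: exact (IP, port) must have been contacted
            allowed = src in m.contacted
        return m.internal if allowed else None


def unsolicited_reaches_host(nat_type):
    """After A talks to one server, can an unrelated host C reach A via the mapping?"""
    nat = Nat("198.51.100.1", nat_type)
    a_int = ("10.0.0.101", 5000)
    pub = nat.outbound(a_int, ("203.0.113.5", 80))
    return nat.inbound(("192.0.2.77", 6641), pub[1]) == a_int


def hole_punch(nat_type):
    """UDP hole punching between A and B, each behind a NAT of the given type.
    Returns (a_reaches_b, b_reaches_a) for the second round of packets."""
    server = ("203.0.113.5", 3478)            # constructed rendezvous server address
    nat_a, nat_b = Nat("198.51.100.1", nat_type), Nat("198.51.100.2", nat_type)
    a_int, b_int = ("10.0.0.101", 5000), ("10.0.0.202", 6000)
    # 1. Both register with the server, which learns their public endpoints.
    a_pub = nat_a.outbound(a_int, server)
    b_pub = nat_b.outbound(b_int, server)
    # 2. Each side sends to the other's public endpoint as reported by the server.
    #    This opens a pinhole on its own NAT; the packet may be dropped at the far NAT.
    nat_b.inbound(nat_a.outbound(a_int, b_pub), b_pub[1])
    nat_a.inbound(nat_b.outbound(b_int, a_pub), a_pub[1])
    # 3. Second round: both pinholes exist if the NAT type permits it.
    a_to_b = nat_b.inbound(nat_a.outbound(a_int, b_pub), b_pub[1]) == b_int
    b_to_a = nat_a.inbound(nat_b.outbound(b_int, a_pub), a_pub[1]) == a_int
    return (a_to_b, b_to_a)


if __name__ == "__main__":
    for t in (FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED, SYMMETRIC):
        print(f"{t:16} unsolicited={unsolicited_reaches_host(t)!s:5} hole_punch={hole_punch(t)}")
```

With a symmetric NAT the step-2 packet to B goes out through a fresh mapping, so it arrives at B's NAT from a port the server never saw and the reply B sends to the server-observed port hits a mapping whose only contacted endpoint is the server; both directions stay blocked no matter how many rounds are tried.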
No new transport!
NAT violates the strong end-to-end principle: it assumes that TCP/UDP/ICMP is used, and those are the only protocols it translates.
So it becomes impossible to deploy a new transport-layer protocol until everyone has updated their NATs.
If you really want to implement something new, build it on top of UDP.
NAT operations
- A NAT is just a router; it can do anything a router can do
- In the RFC, symmetric NAT behaviour is forbidden
- Read more in the RFCs