DOCSLIB.ORG

A Retrospective View of Network Address Translation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ZHANG LAYOUT 9/5/08 1:03 PM Page 8 A Retrospective View of Network Address Translation Lixia Zhang, University of California, Los Angeles Abstract Today, network address translators, or NATs, are everywhere. Their ubiquitous adoption was not promoted by design or planning but by the continued growth of the Internet, which places an ever-increasing demand not only on IP address space but also on other functional requirements that network address translation is per- ceived to facilitate. This article presents a personal perspective on the history of NATs, their pros and cons in a retrospective light, and the lessons we can learn from the NAT experience. network address translator (NAT) commonly I also emphasize that this writing represents a personal refers to a box that interconnects a local network view, and my recall of history is likely to be incomplete and to to the public Internet, where the local network contain errors. My personal view on this subject has also runs on a block of private IPv4 addresses as spec- changed over time, and it may continue to evolve, as we are Aified in RFC 1918 [1]. In the original design of the Internet all in a continuing process of understanding the fascinating architecture, each IP address was defined to be globally and dynamically changing Internet. unique and globally reachable. In contrast, a private IPv4 address is meaningful only within the scope of the local net- work behind a NAT and, as such, the same private address How a NAT Works block can be reused in multiple local networks, as long as As mentioned previously, IP addresses originally were those networks do not directly talk to each other. Instead, designed to be globally unique and globally reachable. This they communicate with each other and with the rest of Inter- property of the IP address is a fundamental building block net through NAT boxes. in supporting the end-to-end architecture of the Internet. Like most unexpected successes, the ubiquitous adoption of Until recently, almost all of the Internet protocol designs, NATs was not foreseen when the idea first emerged more especially those below the application layer, were based on than 15 years ago [2, 3]. Had anyone foreseen where NAT the aforementioned IP address model. However, the explo- would be today, it is possible that NAT deployment might sive growth of the Internet during the 1990s not only sig- have followed a different path, one that was better planned naled the danger of IP address space exhaustion, but also and standardized. The set of Internet protocols that were created an instant demand on IP addresses: suddenly, con- developed over the past 15 years also might have evolved dif- necting large numbers of user networks and home comput- ferently by taking into account the existence of NATs, and we ers demanded IP addresses instantly and in large quantities. might have seen less overall complexity in the Internet com- Such demand could not possibly be met by going through pared to what we have today. the regular IP address allocation process. Network address Although the clock cannot be turned back, I believe it is a translation came into play to meet this instant high demand, worthwhile exercise to revisit the history of network address and NAT products were quickly developed to meet the mar- translation to learn some useful lessons. It also can be worth- ket demand. while to assess, or reassess, the pros and cons of NATs, as However, because NATs were not standardized before well as to take a look at where we are today in our under- their wide deployment, a number of different NAT products standing of NATs and how best to proceed in the future. exist today, each with somewhat different functionality and It is worth pointing out that in recent years many efforts different technical details. Because this article is about the were devoted to the development and deployment of NAT history of NAT deployment — and not an examination of how traversal solutions, such as simple traversal of UDP through to traverse various different NAT boxes — I briefly describe a NAT (STUN) [4], traversal using relay NAT (TURN) [5], and popular NAT implementation as an illustrative example. Teredo [6], to name a few. These solutions remove obstacles Interested readers can visit Wikipedia to find out more about introduced by NATs to enable an increasing number of new existing types of NAT products. application deployments. However, as the title suggested, this A NAT box N has a public IP address for its interface article focuses on examining the lessons that we can learn connecting to the global Internet and a private address fac- from the NAT deployment experience; a comprehensive sur- ing the internal network. N serves as the default router for vey of NAT traversal solutions must be reserved for a sepa- all of the destinations that are outside the local NAT address rate article. block. When an internal host H sends an IP packet P to a 8 0890-8044/08/$25.00 © 2008 IEEE IEEE Network • September/October 2008 Authorized licensed use limited to: IEEE Xplore. Downloaded on February 9, 2009 at 17:52 from IEEE Xplore. Restrictions apply. ZHANG LAYOUT 9/5/08 1:03 PM Page 9 public IP destination address D located in the global Inter- RFC 1287 also discussed three possible directions to extend net, the packet is routed to N. N translates the private IP address space. The first one pointed to a direction similar source IP address in P’s header to N’s public IP address and to current NATs: adds an entry to its internal table that keeps track of the mapping between the internal host and the outgoing packet. Replace the 32-bit field with a field of the same size but with a This entry represents a piece of state, which enables subse- different meaning. Instead of being globally unique, it would be quent packet exchanges between H and D. For example, unique only within some smaller region. Gateways on the bound- when D sends a packet P’ in response to P, P’ arrives at N, ary would rewrite the address as the packet crossed the boundary. and N can find the corresponding entry from its mapping table and replace the destination IP address — which is its RFC 1335 [3], published shortly after RFC 1287, provided own public IP address — with the real destination address a more elaborate description of the use of internal IP address- H, so that P’ will be delivered to H. The mapping entry times es (i.e., private IP addresses) as a solution to IP address out after a certain period of idleness that is typically set to a exhaustion. The first article describing the NAT idea, “Extend- vendor-specific value. In the process of changing the IP ing the IP Internet through Address Reuse” [10], appeared in address carried in the IP header of each passing packet, a the January 1993 issue of ACM Computer Communication NAT box also must recalculate the IP header checksum, as Review and was published a year later as RFC 1631 [11]. well as the checksum of the transport protocol if it is calcu- Although these RFCs can be considered forerunners in the lated based on the IP address, as is the case for Transmis- development of NAT, as explained later, for various reasons sion Control Protocol (TCP) and User Datagram Protocol the IETF did not take action to standardize NAT. (UDP) checksums. The invention of the Web further accelerated Internet From this brief description, it is easy to see the major bene- growth in the early 1990s. The explosive growth underlined fit of a NAT: one can connect a large number of hosts to the the urgency to take action toward solving both the routing global Internet by using a single public IP address. A number scalability and the address shortage problems. The IETF took of other benefits of NATs also became clear over time, which several follow-up steps, which eventually led to the launch of I will discuss in more detail later. the IPng development effort. I believe that the expectation at At the same time, a number of drawbacks to NATs also the time was to develop a new IP within a few years, followed can be identified immediately. First and foremost, the NAT by a quick deployment. However, the actual deployment dur- changed the end-to-end communication model of the Inter- ing the next ten years took a rather unexpected path. net architecture in a fundamental way: instead of allowing any host to talk directly to any other host on the Internet, the The Planned Solution hosts behind a NAT must go through the NAT to reach oth- As pointed out in RFC 1287, the continued growth of the ers, and all communications through a NAT box must be ini- Internet exposed strains on the original design of the Internet tiated by an internal host to set up the mapping entries on architecture, the two most urgent of which were routing sys- the NAT. In addition, because ongoing data exchange tem scalability and the exhaustion of IP address space. depends on the mapping entry kept at the NAT box, the box Because long-term solutions require a long lead time to devel- represents a single point of failure: if the NAT box crashes, it op and deploy, efforts began to develop both a short term and could lose all the existing state, and the data exchange a long-term solution to those problems. between all of the internal and external hosts must be restart- Classless inter-domain routing, or CIDR, was proposed as a ed.
Recommended publications
  • IP Datagram ICMP Message Format ICMP Message Types

    IP Datagram ICMP Message Format ICMP Message Types

    ICMP Internet Control Message Protocol ICMP is a protocol used for exchanging control messages. CSCE 515: Two main categories Query message Computer Network Error message Programming Usage of an ICMP message is determined by type and code fields ------ IP, Ping, Traceroute ICMP uses IP to deliver messages. Wenyuan Xu ICMP messages are usually generated and processed by the IP software, not the user process. Department of Computer Science and Engineering University of South Carolina IP header ICMP Message 20 bytes CSCE515 – Computer Network Programming IP Datagram ICMP Message Format 1 byte 1 byte 1 byte 1 byte VERS HL Service Total Length Datagram ID FLAG Fragment Offset 0781516 31 TTL Protocol Header Checksum type code checksum Source Address Destination Address payload Options (if any) Data CSCE515 – Computer Network Programming CSCE515 – Computer Network Programming ICMP Message Types ICMP Address Mask Request and Reply intended for a diskless system to obtain its subnet mask. Echo Request Id and seq can be any values, and these values are Echo Response returned in the reply. Destination Unreachable Match replies with request Redirect 0781516 31 Time Exceeded type(17 or 18) code(0) checksum there are more ... identifier sequence number subnet mask CSCE515 – Computer Network Programming CSCE515 – Computer Network Programming ping Program ICMP Echo Request and Reply Available at /usr/sbin/ping Test whether another host is reachable Send ICMP echo_request to a network host -n option to set number of echo request to send
  • N2N: a Layer Two Peer-To-Peer VPN

    N2N: a Layer Two Peer-To-Peer VPN

    N2N: A Layer Two Peer-to-Peer VPN Luca Deri1, Richard Andrews2 ntop.org, Pisa, Italy1 Symstream Technologies, Melbourne, Australia2 {deri, andrews}@ntop.org Abstract. The Internet was originally designed as a flat data network delivering a multitude of protocols and services between equal peers. Currently, after an explosive growth fostered by enormous and heterogeneous economic interests, it has become a constrained network severely enforcing client-server communication where addressing plans, packet routing, security policies and users’ reachability are almost entirely managed and limited by access providers. From the user’s perspective, the Internet is not an open transport system, but rather a telephony-like communication medium for content consumption. This paper describes the design and implementation of a new type of peer-to- peer virtual private network that can allow users to overcome some of these limitations. N2N users can create and manage their own secure and geographically distributed overlay network without the need for central administration, typical of most virtual private network systems. Keywords: Virtual private network, peer-to-peer, network overlay. 1. Motivation and Scope of Work Irony pervades many pages of history, and computing history is no exception. Once personal computing had won the market battle against mainframe-based computing, the commercial evolution of the Internet in the nineties stepped the computing world back to a substantially rigid client-server scheme. While it is true that the today’s Internet serves as a good transport system for supplying a plethora of data interchange services, virtually all of them are delivered by a client-server model, whether they are centralised or distributed, pay-per-use or virtually free [1].
  • NAT Traversal About

    NAT Traversal About

    NAT Traversal About Some difficulties have been encountered with devices that have poor NAT support. FreeSWITCH goes to great lengths to repair broken NAT support in phones and gateway devices. In order to aid FreeSWITCH in traversing NAT please see the External profile page. Some routers offer an Application Layer Gateway feature which can prevent FreeSWITCH NAT traversal from working. See the ALG page for more information, including how to disable it. Using STUN to aid in NAT Traversal STUN is a method to allow an end host (i.e. phone) to discover its public IP address if it is located behind a NAT . Using this method requires a STUN server on the public internet and a client on the phone. The phone's STUN client queries the STUN server for it's own public IP and transmits the information it has received in it's connection information in the SIP packets it sends to the SIP server. Enable and configure STUN settings on your phone in order correctly to report your phone's contact information to FreeSWITCH when registering. Unfortunately, not all phones have a properly working STUN client. STUN servers This site contains a list of public STUN servers: https://gist.github.com/zziuni/3741933 stun.freeswitch.org is never guaranteed to be up and running so use it in production at your own risk. There are several open source projects to run your own STUN server, e.g. STUNTMAN Using FreeSWITCH built-in methods to aid in NAT Traversal nat-options-ping This parameter causes FreeSWITCH to regularly (every 20 - 40s) send an OPTIONS packet to NATed registered endpoints in order to keep the port on the clients firewall open.
  • NAT and NAT Traversal Lecturer: Andreas Müller Mueller@Net.In.Tum

    NAT and NAT Traversal Lecturer: Andreas Müller [email protected]

    NAT and NAT Traversal lecturer: Andreas Müller [email protected] NetworkIN2097 - MasterSecurity, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 39 NAT: Network Address Translation Problem: shortage of IPv4 addresses . more and more devices . only 32bit address field Idea: local network uses just one IP address as far as outside world is concerned: . range of addresses not needed from ISP: just one IP address for all devices . can change addresses of devices in local network without notifying outside world . can change ISP without changing addresses of devices in local network . devices inside local net not explicitly addressable, visible by outside world (a security plus). NetworkIN2097 - MasterSecurity, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 40 NAT: Network Address (and Port) Translation rest of local network Internet (e.g., home network) 10.0.0/24 10.0.0.1 10.0.0.4 10.0.0.2 138.76.29.7 10.0.0.3 All datagrams leaving local Datagrams with source or network have same single source destination in this network NAT IP address: 138.76.29.7, have 10.0.0/24 address for different source port numbers source, destination (as usual) NetworkIN2097 - MasterSecurity, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 41 NAT: Network Address Translation Implementation: NAT router must: . outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #) . remote clients/servers will respond using (NAT IP address, new port #) as destination addr. remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair -> we have to maintain a state in the NAT .
  • Transport Layer Chapter 6

    Transport Layer Chapter 6

    Transport Layer Chapter 6 • Transport Service • Elements of Transport Protocols • Congestion Control • Internet Protocols – UDP • Internet Protocols – TCP • Performance Issues • Delay-Tolerant Networking Revised: August 2011 CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 The Transport Layer Responsible for delivering data across networks with the desired Application reliability or quality Transport Network Link Physical CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Transport Service • Services Provided to the Upper Layer » • Transport Service Primitives » • Berkeley Sockets » • Socket Example: Internet File Server » CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Services Provided to the Upper Layers (1) Transport layer adds reliability to the network layer • Offers connectionless (e.g., UDP) and connection- oriented (e.g, TCP) service to applications CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Services Provided to the Upper Layers (2) Transport layer sends segments in packets (in frames) Segment Segment CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Transport Service Primitives (1) Primitives that applications might call to transport data for a simple connection-oriented service: • Client calls CONNECT, SEND, RECEIVE, DISCONNECT • Server calls LISTEN, RECEIVE, SEND, DISCONNECT Segment CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice
  • Internet Protocol Suite

    Internet Protocol Suite

    InternetInternet ProtocolProtocol SuiteSuite Srinidhi Varadarajan InternetInternet ProtocolProtocol Suite:Suite: TransportTransport • TCP: Transmission Control Protocol • Byte stream transfer • Reliable, connection-oriented service • Point-to-point (one-to-one) service only • UDP: User Datagram Protocol • Unreliable (“best effort”) datagram service • Point-to-point, multicast (one-to-many), and • broadcast (one-to-all) InternetInternet ProtocolProtocol Suite:Suite: NetworkNetwork z IP: Internet Protocol – Unreliable service – Performs routing – Supported by routing protocols, • e.g. RIP, IS-IS, • OSPF, IGP, and BGP z ICMP: Internet Control Message Protocol – Used by IP (primarily) to exchange error and control messages with other nodes z IGMP: Internet Group Management Protocol – Used for controlling multicast (one-to-many transmission) for UDP datagrams InternetInternet ProtocolProtocol Suite:Suite: DataData LinkLink z ARP: Address Resolution Protocol – Translates from an IP (network) address to a network interface (hardware) address, e.g. IP address-to-Ethernet address or IP address-to- FDDI address z RARP: Reverse Address Resolution Protocol – Translates from a network interface (hardware) address to an IP (network) address AddressAddress ResolutionResolution ProtocolProtocol (ARP)(ARP) ARP Query What is the Ethernet Address of 130.245.20.2 Ethernet ARP Response IP Source 0A:03:23:65:09:FB IP Destination IP: 130.245.20.1 IP: 130.245.20.2 Ethernet: 0A:03:21:60:09:FA Ethernet: 0A:03:23:65:09:FB z Maps IP addresses to Ethernet Addresses
  • The Internet Protocol, Version 4 (Ipv4)

    The Internet Protocol, Version 4 (Ipv4)

    Today’s Lecture I. IPv4 Overview The Internet Protocol, II. IP Fragmentation and Reassembly Version 4 (IPv4) III. IP and Routing IV. IPv4 Options Internet Protocols CSC / ECE 573 Fall, 2005 N.C. State University copyright 2005 Douglas S. Reeves 1 copyright 2005 Douglas S. Reeves 2 Internet Protocol v4 (RFC791) Functions • A universal intermediate layer • Routing IPv4 Overview • Fragmentation and reassembly copyright 2005 Douglas S. Reeves 3 copyright 2005 Douglas S. Reeves 4 “IP over Everything, Everything Over IP” IP = Basic Delivery Service • Everything over IP • IP over everything • Connectionless delivery simplifies router design – TCP, UDP – Dialup and operation – Appletalk – ISDN – Netbios • Unreliable, best-effort delivery. Packets may be… – SCSI – X.25 – ATM – Ethernet – lost (discarded) – X.25 – Wi-Fi – duplicated – SNA – FDDI – reordered – Sonet – ATM – Fibre Channel – Sonet – and/or corrupted – Frame Relay… – … – Remote Direct Memory Access – Ethernet • Even IP over IP! copyright 2005 Douglas S. Reeves 5 copyright 2005 Douglas S. Reeves 6 1 IPv4 Datagram Format IPv4 Header Contents 0 4 8 16 31 •Version (4 bits) header type of service • Functions version total length (in bytes) length (x4) prec | D T R C 0 •Header Length x4 (4) flags identification fragment offset (x8) 1. universal 0 DF MF s •Type of Service (8) e time-to-live (next) protocol t intermediate layer header checksum y b (hop count) identifier •Total Length (16) 0 2 2. routing source IP address •Identification (16) 3. fragmentation and destination IP address reassembly •Flags (3) s •Fragment Offset ×8 (13) e t 4. Options y IP options (if any) b •Time-to-Live (8) 0 4 ≤ •Protocol Identifier (8) s e t •Header Checksum (16) y b payload 5 •Source IP Address (32) 1 5 5 6 •Destination IP Address (32) ≤ •IP Options (≤ 320) copyright 2005 Douglas S.
  • Peer-To-Peer NAT-Traversal for Ipsec

    Peer-To-Peer NAT-Traversal for Ipsec

    Peer-to-Peer NAT-Traversal for IPsec y Anonymized peer registration y Endpoint discovery and relaying y Peer-initiated hole punching y IKEv2 Internet draft in preparation [email protected] [email protected] IKEv2 Mediation IKEv2 Mediation Server Mediation Connection Connection NAT Router NAT Router 1.2.3.4:1025 5.6.7.8:3001 IKEv2 Mediated Connection 10.1.0.10:4500 10.2.0.10:4500 Direct IPsec Tunnel using NAT-Traversal Peer Alice Peer Bob www.strongswan.org The double NAT case - where punching holes counts! ● You are selling automation systems all over the world. In order to save on travel expenses you want to remotely diagnose and update your deployed systems via the Internet. But security counts – thus IPsec is a must! Unfortunately both you and your customer are behind NAT routers so that no direct VPN connection is possible. You are helplessly blocked! ● You own an apartment at home, in the mountains or even abroad. You want to remotely control the heating or your sophisticated intrusion detection system via ADSL or Cable access. But since you and your apartment are separated by two NAT routers your are helplessly blocked. How it works! ● Two peers want to set up a direct IPsec tunnel using the established NAT traversal mechanism of encapsulating ESP packets in UDP datagrams. Unfortunately they cannot achieve this by themselves because neither host is seen from the Internet under the standard IKE NAT-T port 4500. Therefore both peers need to set up a mediation connection with an IKEv2 mediation server. In order to prevent unsolicited connection attempts by foreign peers, the mediation connections use randomized pseudonyms as IKE peer identities.
  • Problems of Ipsec in Combination with NAT and Their Solutions

    Problems of Ipsec in Combination with NAT and Their Solutions

    Problems of IPsec in Combination with NAT and Their Solutions Alexander Heinlein Abstract As the Internet becomes more and more a part of our daily life it also evolves as an at- tractive target for security attacks, often countered by Internet Protocol Security (IPsec) to establish virtual private networks (VPNs), if secure data communication is a primary objective. Then again, to provide Internet access for hosts inside Local Area Networks, a public IP address shared among all peers is often used, achieved by Network Address Translation (NAT) deployment. IPsec, however, is incompatible with NAT, leading to a variety of problems when using both in combination. Connection establishments origi- nating from the outside are blocked and NAT, as it modifies the outer IP header, breaks IPsec’s security mechanisms. In the following we analyze problems of NAT in combination with IPsec and multiple approaches to solve them. 1 Introduction The current TCP/IP protocols originate from a time where security was not a great concern. As the traditional Internet Protocol (IP) does not provide any guarantees on delivery, the receiver cannot detect whether the sender is the same one as recorded in the protocol header or if the packet was modified during transport. Moreover an attacker may also easily replay IP packets or read sensitive information out of them. In contrast, today, as the Internet becomes more and more a part of our everyday life, a more security aware protocol is needed. To fill this gap the Internet Engineering Task Force (IETF) worked on a new standard for securing IP, called Internet Protocol Security (IPsec).
  • The Impact of Network Address Translation on Peer-To-Peer Live Video Streaming Systems

    The Impact of Network Address Translation on Peer-To-Peer Live Video Streaming Systems

    The Impact of Network Address Translation on Peer-to-Peer Live Video Streaming Systems by Zhonghua Wei M.Sc., University of London, 2006 B.Eng., Beijing Univ. of Posts and Telecommunications, 2005 A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of MASTER OF SCIENCE in the Department of Computer Science c Zhonghua Wei, 2011 University of Victoria All rights reserved. This thesis may not be reproduced in whole or in part, by photocopying or other means, without the permission of the author. ii The Impact of Network Address Translation on Peer-to-Peer Live Video Streaming Systems by Zhonghua Wei M.Sc., University of London, 2006 B.Eng., Beijing Univ. of Posts and Telecommunications, 2005 Supervisory Committee Dr. Jianping Pan, Supervisor (Department of Computer Science) Dr. Kui Wu, Departmental Member (Department of Computer Science) iii Supervisory Committee Dr. Jianping Pan, Supervisor (Department of Computer Science) Dr. Kui Wu, Departmental Member (Department of Computer Science) ABSTRACT Video streaming over the Internet can be very difficult under the traditional client-server model. Peer-to-peer (P2P) systems, in which each participating peer contributes its upload bandwidth to other peers while it downloads data, have been successful in file-sharing applications, and they appear to be promising in delivering video contents, too. However, the existence of network address translation (NAT) is always considered as a challenge to peer-to-peer systems. NAT has been a practical solution to the Internet Protocol version 4 (IPv4) address exhaustion problem, as it reduces the usage of IP addresses by allowing multiple private hosts to share a single public IP address, but NAT can degrade the performance of a peer-to-peer system as it limits the direction of connectivity.
  • Developing P2P Protocols Across NAT Girish Venkatachalam

    Developing P2P Protocols Across NAT Girish Venkatachalam

    Developing P2P Protocols across NAT Girish Venkatachalam Abstract Hole punching is a possible solution to solving the NAT problem for P2P protocols. Network address translators (NATs) are something every software engineer has heard of, not to mention networking professionals. NAT has become as ubiquitous as the Cisco router in networking terms. Fundamentally, a NAT device allows multiple machines to communicate with the Internet using a single globally unique IP address, effectively solving the scarce IPv4 address space problem. Though not a long-term solution, as originally envisaged in 1994, for better or worse, NAT technology is here to stay, even when IPv6 addresses become common. This is partly because IPv6 has to coexist with IPv4, and one of the ways to achieve that is by using NAT technology. This article is not so much a description of how a NAT works. There already is an excellent article on this subject by Geoff Huston (see the on-line Resources). It is quite comprehensive, though plenty of other resources are available on the Internet as well. This article discusses a possible solution to solving the NAT problem for P2P protocols. What Is Wrong with NAT? NAT breaks the Internet more than it makes it. I may sound harsh here, but ask any peer-to-peer application developer, especially the VoIP folks, and they will tell you why. For instance, you never can do Web hosting behind a NAT device. At least, not without sufficient tweaking. Not only that, you cannot run any service such as FTP or rsync or any public service through a NAT device.
  • Lecture 11 – Network Address Translators and NAT Traversal * Introduction

    Lecture 11 – Network Address Translators and NAT Traversal * Introduction

    S38.3115 Signaling Protocols – Lecture Notes Spring 2015 lecture 11 S38.3115 Signaling Protocols – Lecture Notes Lecture 11 – Network Address Translators and NAT Traversal * Introduction ..................................................................................................................... 1* What are NATs and why are they needed ...................................................................... 3* Problems created by NATs to Voice Applications ......................................................... 4* Types of NATs ................................................................................................................ 4* Mapping behavior ....................................................................................................... 6* Address pooling behavior ........................................................................................... 7* Port Assignment .......................................................................................................... 8* Filtering behavior ........................................................................................................ 9* Need for optimization of NAT traversal ......................................................................... 9* STUN a toolbox for NAT traversal .............................................................................. 10* An extension to STUN: Relay operation .................................................................. 11* NAT traversal solutions: SIP Outbound ......................................................................