Network address translation

“NAT” redirects here. For other uses, see Nat.

In computer networking, network address translation (NAT) provides a method[1] of modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device for the purpose of remapping one IP address space into another. The term NAT44 is sometimes used to more specifically indicate mapping between two IPv4 addresses; this is the typical case while IPv4 carries the majority of traffic on the Internet. NAT64 refers to the mapping of an IPv4 address to an IPv6 address, or vice versa.

Network administrators originally used network address translation to map every address of one address space to a corresponding address in another space, such as when an organization changed Internet service providers without having a facility to announce a public route to the network. As of 2014 NAT operates most commonly in conjunction with IP masquerading, which is a technique that hides an entire IP address space - usually consisting of private network IP addresses (RFC 1918) - behind a single IP address in another, usually public address space. Vendors implement this mechanism in a routing device that uses stateful translation tables to map the “hidden” addresses into a single IP address and that readdresses the outgoing Internet Protocol packets on exit so they appear to originate from the routing device. In the reverse communications path, the router maps responses back to the originating IP addresses using the rules (“state”) stored in the translation tables. The translation table rules established in this fashion are flushed after a short period unless new traffic refreshes their state.

The method enables communication through the router only when the conversation originates in the masqueraded network, since this establishes the translation tables. For example, a web browser in the masqueraded network can browse a website outside, but a web browser outside cannot browse a web site hosted within the masqueraded network. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as “static NAT” or port forwarding - it allows traffic originating in the “outside” network to reach designated hosts in the masqueraded network.

Because of the popularity of this technique to conserve IPv4 address space, the term NAT has become virtually synonymous with the method of IP masquerading.

As network address translation modifies the IP address information in packets, it has serious consequences on the quality of Internet connectivity and requires careful attention to the details of its implementation. NAT implementations vary widely in their specific behavior in various addressing cases and in their effect on network traffic. Vendors of equipment containing implementations do not commonly document the specifics of NAT behavior.[2]

1 Basic NAT

The simplest type of NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type of NAT as basic NAT; it is often also called a one-to-one NAT. In this type of NAT, only the IP addresses, IP header checksum and any higher level checksums that include the IP address are changed. Basic NATs can be used to interconnect two IP networks that have incompatible addressing.

2 One-to-many NAT

The majority of NATs map multiple private hosts to one publicly exposed IP address. In a typical configuration, a local network uses one of the designated “private” IP address subnets (RFC 1918). A router on that network has a private address in that address space. The router is also connected to the Internet with a “public” address assigned by an Internet service provider. As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from a private address to the public address. The router tracks basic data about each active connection (particularly the destination address and port). When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine the private address on the internal network to which to forward the reply.

All datagram packets on IP networks have a source IP address and a destination IP address. Typically packets passing from the private network to the public network will have their source address modified, while packets passing from the public network back to the private network will have their destination address modified. More complex configurations are also possible.

To avoid ambiguity in how to translate returned packets, further modifications to the packets are required. The vast bulk of Internet traffic is TCP and UDP packets, and for these protocols the port numbers are changed so that the combination of IP address and port information on the returned packet can be unambiguously mapped to the corresponding private address and port information. RFC 2663 uses the term network address and port translation (NAPT) for this type of NAT. Other names include port address translation (PAT), IP masquerading, NAT overload and many-to-one NAT. This is the most common type of NAT, and has become synonymous with the term NAT in common usage. This method enables communication through the router only when the conversation originates in the masqueraded network, since this establishes the translation tables. For example, a web browser in the masqueraded network can browse a website outside, but a web browser outside could not browse a web site hosted within the masqueraded network. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as “static NAT” or port forwarding and allows traffic originating in the “outside” network to reach designated hosts in the masqueraded network.

Protocols not based on TCP or UDP require other translation techniques. ICMP packets typically relate to an existing connection and need to be mapped using the same IP address and port mappings as that connection.

2.1 Methods of port translation

There are several ways of implementing network address and port translation. In some application protocols that use IP address information, the application running on a node in the masqueraded network needs to determine the external address of the NAT, i.e., the address that its communication peers detect, and, furthermore, often needs to examine and categorize the type of mapping in use. Usually this is done because it is desired to set up a direct communications path (either to save the cost of taking the data via a server or to improve performance) between two clients both of which are behind separate NATs.

For this purpose, the Simple traversal of UDP over NATs (STUN) protocol was developed (RFC 3489, March 2003).[2][3] It classified NAT implementation as full-cone NAT, (address) restricted-cone NAT, port-restricted cone NAT or symmetric NAT and proposed a methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods have proven faulty and inadequate to correctly assess many devices. New methods have been standardized in RFC 5389 (October 2008) and the STUN acronym now represents the new title of the specification: Session Traversal Utilities for NAT.

This terminology has been the source of much confusion, as it has proven inadequate at describing real-life NAT behavior.[2] Many NAT implementations combine these types, and it is therefore better to refer to specific individual NAT behaviors instead of using the Cone/Symmetric terminology. In particular, most NAT translators combine symmetric NAT for outgoing connections with static port mapping, where incoming packets to the external address and port are redirected to a specific internal address and port. Some products can redirect packets to several internal hosts, e.g. to divide the load between a few servers. However, this introduces problems with more sophisticated communications that have many interconnected packets, and thus is rarely used.

2.2 Type of NAT and NAT traversal, role of port preservation for TCP

The NAT traversal problem arises when two peers behind distinct NATs try to communicate. One way to solve this problem is to use port forwarding; another way is to use various NAT traversal techniques. The most popular technique for TCP NAT traversal is TCP hole punching, which requires the NAT to follow the port preservation design for TCP, as explained below.

Many NAT implementations follow the port preservation design for TCP: for a given outgoing TCP communication, they use the same values as internal and external port numbers. NAT port preservation for outgoing TCP connections is crucial for TCP NAT traversal, because as TCP requires that one port can only be used for one communication at a time, programs bind distinct TCP sockets to ephemeral ports for each TCP communication, rendering NAT port prediction impossible for TCP.[2]

On the other hand, for UDP, NATs do not need to have port preservation. Indeed, multiple UDP communications (each with a distinct endpoint) can occur on the same source port, and applications usually reuse the same UDP socket to send packets to distinct hosts. This makes port prediction straightforward, as it is the same source port for each packet.

Furthermore, port preservation in NAT for TCP allows P2P protocols to offer less complexity and less latency because there is no need to use a third party (like STUN) to discover the NAT port since the application itself already knows the NAT port.

However, if two internal hosts attempt to communicate with the same external host using the same port number, the external port number used by the second host is chosen at random. Such a NAT is sometimes perceived as (address) restricted cone NAT and other times as symmetric NAT.

Recent studies have shown that roughly 70% of clients in P2P networks employ some form of NAT.[4]

3 Implementation

3.1 Establishing two-way communication

Every TCP and UDP packet contains a source IP address and source port number as well as a destination IP address and destination port number. The IP address/port number pair forms a socket. In particular, the source IP address and source port number form the source socket.

For publicly accessible services such as web servers and mail servers the port number is important. For example, port 80 connects to the web server and port 25 to a mail server’s SMTP daemon. The IP address of a public server is also important, similar in global uniqueness to a postal address or telephone number. Both IP address and port number must be correctly known by all hosts wishing to successfully communicate.

Private IP addresses as described in RFC 1918 are significant only on private networks where they are used, which is also true for host ports. Ports are unique endpoints of communication on a host, so a connection through the NAT device is maintained by the combined mapping of port and IP address.

PAT (Port Address Translation) resolves conflicts that would arise through two different hosts using the same source port number to establish unique connections at the same time.

3.2 Telephone number extension analogy

A NAT device is similar to a phone system at an office that has one public telephone number and multiple extensions. Outbound phone calls made from the office all appear to come from the same telephone number. However, an incoming call that does not specify an extension cannot be transferred to an individual inside the office. In this scenario, the office is a private LAN, the main phone number is the public IP address, and the individual extensions are unique port numbers.[5]

3.3 Translation of the endpoint

With NAT, all communications sent to external hosts actually contain the external IP address and port information of the NAT device instead of internal host IP addresses or port numbers.

• When a computer on the private (internal) network sends an IPv4 packet to the external network, the NAT device replaces the internal IP address in the source field of the packet header (sender’s address) with the external IP address of the NAT device. PAT may then assign the connection a port number from a pool of available ports, inserting this port number in the source port field (much like the post office box number), and forwards the packet to the external network. The NAT device then makes an entry in a translation table containing the internal IP address, original source port, and the translated source port. Subsequent packets from the same connection are translated to the same port number.

• The computer receiving a packet that has undergone NAT establishes a connection to the port and IP address specified in the altered packet, oblivious to the fact that the supplied address is being translated (analogous to using a post office box number).

• A packet coming from the external network is mapped to a corresponding internal IP address and port number from the translation table, replacing the external IP address and port number in the incoming packet header (similar to the translation from post office box number to street address). The packet is then forwarded over the inside network. Otherwise, if the destination port number of the incoming packet is not found in the translation table, the packet is dropped or rejected because the PAT device doesn’t know where to send it.

NAT only translates IP addresses and ports of its internal hosts, hiding the true endpoint of an internal host on a private network.

3.4 Visibility of operation

NAT operation is typically transparent to both the internal and external hosts.

Typically the internal host is aware of the true IP address and TCP or UDP port of the external host. Typically the NAT device may function as the default gateway for the internal host. However, the external host is only aware of the public IP address for the NAT device and the particular port being used to communicate on behalf of a specific internal host.

4 NAT and TCP/UDP

“Pure NAT”, operating on IP alone, may or may not correctly parse protocols that are totally concerned with IP information, such as ICMP, depending on whether the payload is interpreted by a host on the “inside” or “outside” of translation. As soon as the protocol stack is traversed, even with such basic protocols as TCP and UDP, the protocols will break unless NAT takes action beyond the network layer.

IP packets have a checksum in each packet header, which provides error detection only for the header. IP datagrams may become fragmented and it is necessary for a NAT to reassemble these fragments to allow correct recalculation of higher-level checksums and correct tracking of which packets belong to which connection.
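The checksum consequences of rewriting a source address, as an added example that is not part of the article: it builds an IPv4/UDP datagram in pure Python, rewrites the source address the way an originating NAT does, and shows that both the IPv4 header checksum and the transport checksum (which also covers a pseudo-header holding the IP addresses) become invalid until recomputed. All addresses, ports and the payload are constructed sample values.

```python
"""IPv4 header and UDP pseudo-header checksums before and after NAT rewriting."""
import struct
from ipaddress import IPv4Address

UDP_PROTO = 17


def ones_complement_sum(data):
    """RFC 1071 Internet checksum over data; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, checksum=0):
    """20-byte IPv4 header carrying UDP (no options, DF set, TTL 64, constructed ID)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, UDP_PROTO, checksum,
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )


def pseudo_header(src_packed, dst_packed, udp_len):
    """The pseudo-header the UDP checksum covers: addresses, zero, protocol, UDP length."""
    return src_packed + dst_packed + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_segment(src, dst, sport, dport, payload):
    """UDP header + payload with a checksum computed over pseudo-header, header and payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    pseudo = pseudo_header(IPv4Address(src).packed, IPv4Address(dst).packed, length)
    csum = ones_complement_sum(pseudo + header + payload) or 0xFFFF  # 0 means "no checksum" in UDP
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_packet(src, dst, sport, dport, payload):
    """Complete IPv4/UDP packet with both checksums filled in."""
    udp = udp_segment(src, dst, sport, dport, payload)
    hdr = ipv4_header(src, dst, len(udp))
    return ipv4_header(src, dst, len(udp), ones_complement_sum(hdr)) + udp


def verify(packet):
    """Return (ip_header_checksum_ok, udp_checksum_ok) for a raw IPv4/UDP packet."""
    ip_ok = ones_complement_sum(packet[:20]) == 0
    udp = packet[20:]
    pseudo = pseudo_header(packet[12:16], packet[16:20], len(udp))
    return ip_ok, ones_complement_sum(pseudo + udp) == 0


def naive_rewrite_source(packet, new_src):
    """Swap only the source address bytes (offset 12..16): the step a NAT must not stop at."""
    return packet[:12] + IPv4Address(new_src).packed + packet[16:]


def nat_rewrite_source(packet, new_src):
    """Swap the source address and recompute both checksums, as an originating NAT must."""
    pkt = naive_rewrite_source(packet, new_src)
    hdr = pkt[:10] + b"\x00\x00" + pkt[12:20]          # zero the IP checksum field
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    udp = pkt[20:]
    udp_zeroed = udp[:6] + b"\x00\x00" + udp[8:]        # zero the UDP checksum field
    pseudo = pseudo_header(hdr[12:16], hdr[16:20], len(udp))  # pseudo-header with the NEW source
    csum = ones_complement_sum(pseudo + udp_zeroed) or 0xFFFF
    return hdr + udp[:6] + struct.pack("!H", csum) + udp[8:]


if __name__ == "__main__":
    # Constructed sample: a private host sends a DNS query and a NAT rewrites its source.
    original = build_packet("192.168.1.2", "198.51.100.7", 40000, 53, b"constructed-query")
    print("original       ", verify(original))
    print("address-only   ", verify(naive_rewrite_source(original, "203.0.113.1")))
    print("nat-recomputed ", verify(nat_rewrite_source(original, "203.0.113.1")))
```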

The major transport layer protocols, TCP and UDP, have a checksum that covers all the data they carry, as well as the TCP/UDP header, plus a “pseudo-header” that contains the source and destination IP addresses of the packet carrying the TCP/UDP header. For an originating NAT to pass TCP or UDP successfully, it must recompute the TCP/UDP header checksum based on the translated IP addresses, not the original ones, and put that checksum into the TCP/UDP header of the first packet of the fragmented set of packets. The receiving NAT must recompute the IP checksum on every packet it passes to the destination host, and also recognize and recompute the TCP/UDP header using the retranslated addresses and pseudo-header. This is not a completely solved problem. One solution is for the receiving NAT to reassemble the entire segment and then recompute a checksum calculated across all packets.

The originating host may perform Maximum transmission unit (MTU) path discovery to determine the packet size that can be transmitted without fragmentation, and then set the don’t fragment (DF) bit in the appropriate packet header field.

5 DNAT

Destination network address translation (DNAT) is a technique for transparently changing the destination IP address of an end route packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet.

DNAT is commonly used to publish a service located in a private network on a publicly accessible IP address. This use of DNAT is also called port forwarding, or DMZ when used on an entire server, which becomes exposed to the WAN, becoming analogous to an undefended military demilitarised zone (DMZ).

6 SNAT

The meaning of the term SNAT varies by vendor. Many vendors have proprietary definitions for SNAT:

• source NAT is the common expansion, as the counterpart of destination NAT (DNAT)

• stateful NAT is used by Cisco Systems

• static NAT is used by WatchGuard

• secure NAT is used by F5 Networks and by Microsoft (in regard to the ISA Server)

Microsoft’s Secure network address translation (SNAT) is part of Microsoft’s Internet Security and Acceleration Server and is an extension to the NAT driver built into Server. It provides connection tracking and filtering for the additional network connections needed for the FTP, ICMP, H.323, and PPTP protocols as well as the ability to configure a transparent HTTP proxy server.

7 Dynamic network address translation

Dynamic NAT, just like static NAT, is not common in smaller networks but is found within larger corporations with complex networks. The way dynamic NAT differs from static NAT is that where static NAT provides a one-to-one internal to public static IP address mapping, dynamic NAT doesn’t make the mapping to the public IP address static and usually uses a group of available public IP addresses.

8 NAT loopback

NAT loopback, also known as NAT hairpinning or NAT reflection,[6] is a feature in many consumer routers[7] which allows a user to connect to his/her own public IP address from inside the LAN. This is especially useful when, for example, a website is hosted at that IP address. The following describes an example network:

• Public address: 203.0.113.1 (this is the address of the WAN interface on the router)

• Internal address of router: 192.168.1.1

• Address of the server: 192.168.1.2

• Address of a computer: 192.168.100.1

If a packet is sent to the public address (203.0.113.1) by a computer at 192.168.100.1, the packet would normally be routed to the default gateway (the router), unless an explicit route is set in the computer’s routing tables. A router with the NAT loopback feature detects that 203.0.113.1 is the address of its WAN interface, and treats the packet as if coming from that interface. It decides based on DNAT (port forwarding) rules on the destination for the packet. For example, if the data were sent to port 80 and there is a DNAT rule for port 80 directed to 192.168.1.2, then the host at that address will receive the packet.

If no applicable DNAT rules are available, the router’s firewall drops the packet. An ICMP Destination Unreachable reply may be sent. If any DNAT rules were present, address translation is still in effect; the router still rewrites the source IP address in the packet. The computer (192.168.100.1) sends the packet as coming from 192.168.100.1, but the server (192.168.1.2) receives it as coming from 203.0.113.1. When the server replies, the process is identical to that for an external sender. Thus, two-way communication is possible between hosts inside the LAN network via their public IP address.

NAT loopback is especially useful when the server hosts a domain name that resolves to a public address. When the router does not perform NAT loopback, any connection attempts to that IP address fail.
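The loopback decision described above, as an added example rather than code from the article: a small model of the router on the example network (WAN 203.0.113.1, server 192.168.1.2, client 192.168.100.1) that applies its DNAT rules, rewrites the source to the public address, maps the server's reply back through its translation table, and drops the packet when loopback is off or no rule matches. The DNAT rule table and the client port are constructed.

```python
"""NAT loopback (hairpinning) on the article's example network."""
from dataclasses import dataclass, replace

WAN_ADDR = "203.0.113.1"     # public address of the router's WAN interface
LAN_ADDR = "192.168.1.1"     # internal address of the router

# DNAT (port forwarding) rules, constructed for the example:
# (protocol, public port) -> (internal host, internal port)
DNAT_RULES = {("tcp", 80): ("192.168.1.2", 80)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class LoopbackRouter:
    def __init__(self, loopback_enabled):
        self.loopback_enabled = loopback_enabled
        # Translation table written on the way in, consulted for the reply:
        # (proto, internal host, internal port, client port) -> original client packet
        self.conntrack = {}

    def forward_from_lan(self, pkt):
        """Return the packet as delivered to the next hop, or None if the router drops it."""
        if pkt.dst != WAN_ADDR:
            return pkt  # ordinary LAN-to-LAN or LAN-to-Internet forwarding; loopback plays no part
        if not self.loopback_enabled:
            return None  # router without loopback: connection attempts to the public address fail
        rule = DNAT_RULES.get((pkt.proto, pkt.dport))
        if rule is None:
            return None  # no DNAT rule: the firewall drops it (an ICMP unreachable may follow)
        internal_host, internal_port = rule
        self.conntrack[(pkt.proto, internal_host, internal_port, pkt.sport)] = pkt
        # Treated as if it arrived on the WAN interface: DNAT to the server and, as the
        # article notes, the source is still rewritten to the public address.
        return replace(pkt, src=WAN_ADDR, dst=internal_host, dport=internal_port)

    def forward_reply(self, pkt):
        """Translate the server's reply (addressed to 203.0.113.1) back to the LAN client."""
        original = self.conntrack.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if original is None or pkt.dst != WAN_ADDR:
            return None  # no matching state: reply is dropped, same as for an external sender
        # Reverse DNAT (source becomes the public address) and reverse the source rewrite
        # (destination becomes the original client).
        return replace(pkt, src=WAN_ADDR, dst=original.src, dport=original.sport)


if __name__ == "__main__":
    router = LoopbackRouter(loopback_enabled=True)
    request = Packet("tcp", "192.168.100.1", 51234, WAN_ADDR, 80)   # client port is constructed
    to_server = router.forward_from_lan(request)
    print("server sees:", to_server)
    reply = Packet("tcp", to_server.dst, to_server.dport, to_server.src, to_server.sport)
    print("client sees:", router.forward_reply(reply))
    print("loopback off:", LoopbackRouter(loopback_enabled=False).forward_from_lan(request))
```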
8.1 NAT in IPv6

Network address translation is not commonly used in IPv6, as one of its aims is to restore true host-to-host connectivity,[8] so NAT loopback is not commonly needed. Although still possible, the large addressing space of IPv6 obviates the need to conserve addresses and every device can be given a unique globally routable address. NAT loopback, when implemented, works as in IPv4.

9 Applications affected by NAT

Some Application Layer protocols (such as FTP and SIP) send explicit network addresses within their application data. FTP in active mode, for example, uses separate connections for control traffic (commands) and for data traffic (file contents). When requesting a file transfer, the host making the request identifies the corresponding data connection by its network layer and transport layer addresses. If the host making the request lies behind a simple NAT firewall, the translation of the IP address and/or TCP port number makes the information received by the server invalid. The Session Initiation Protocol (SIP) controls many Voice over IP (VoIP) calls, and suffers the same problem. SIP and SDP may use multiple ports to set up a connection and transmit voice stream via RTP. IP addresses and port numbers are encoded in the payload data and must be known prior to the traversal of NATs. Without special techniques, such as STUN, NAT behavior is unpredictable and communications may fail.

Application Layer Gateway (ALG) software or hardware may correct these problems. An ALG software module running on a NAT firewall device updates any payload data made invalid by address translation. ALGs obviously need to understand the higher-layer protocol that they need to fix, and so each protocol with this problem requires a separate ALG. For example, on many systems, there are kernel modules called connection trackers which serve to implement ALGs. However, ALG does not work if the control channel is encrypted (e.g. FTPS).

Another possible solution to this problem is to use NAT traversal techniques using protocols such as STUN or ICE, or proprietary approaches in a session border controller. NAT traversal is possible in both TCP- and UDP-based applications, but the UDP-based technique is simpler, more widely understood, and more compatible with legacy NATs. In either case, the high level protocol must be designed with NAT traversal in mind, and it does not work reliably across symmetric NATs or other poorly behaved legacy NATs.

Other possibilities are UPnP Internet Gateway Device Protocol, NAT-PMP (NAT Port Mapping Protocol), or Port Control Protocol (PCP),[9] but these require the NAT device to implement that protocol.

Most traditional client-server protocols (FTP being the main exception), however, do not send layer 3 contact information and therefore do not require any special treatment by NATs. In fact, avoiding NAT complications is practically a requirement when designing new higher-layer protocols today (e.g. the use of SFTP instead of FTP).

NATs can also cause problems where IPsec encryption is applied and in cases where multiple devices such as SIP phones are located behind a NAT. Phones which encrypt their signaling with IPsec encapsulate the port information within an encrypted packet, meaning that NA(P)T devices cannot access and translate the port. In these cases the NA(P)T devices revert to simple NAT operation. This means that all traffic returning to the NAT is mapped onto one client, causing service to more than one client “behind” the NAT to fail. There are a couple of solutions to this problem: one is to use TLS, which operates at level 4 in the OSI Reference Model and therefore does not mask the port number; another is to encapsulate the IPsec within UDP - the latter being the solution chosen by TISPAN to achieve secure NAT traversal, or a NAT with “IPsec Passthru” support.

Interactive Connectivity Establishment is a NAT traversal technique which does not rely on ALG support.

The DNS protocol vulnerability announced by Dan Kaminsky on July 8, 2008 is indirectly affected by NAT port mapping. To avoid DNS server cache poisoning, it is highly desirable not to translate UDP source port numbers of outgoing DNS requests from a DNS server which is behind a firewall that implements NAT. The recommended work-around for the DNS vulnerability is to make all caching DNS servers use randomized UDP source ports. If the NAT function de-randomizes the UDP source ports, the DNS server becomes vulnerable.
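A check for the de-randomization problem just described, as an added example (not from the article): given the source ports observed on the NAT's outside interface for a resolver's outgoing queries, it measures port entropy and how often consecutive queries use consecutive ports, and flags a NAT that collapses or serializes the ports. The three port samples are constructed; the thresholds are assumptions for this example.

```python
"""Does the NAT preserve a caching resolver's UDP source-port randomization?"""
import math
import random
from collections import Counter


def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits."""
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(ports):
    """Fraction of successive queries whose source port is exactly the previous port + 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess(ports, min_entropy_bits=7.0, max_sequential=0.2):
    """Measure the sample and decide whether the NAT has de-randomized it.

    Assumed thresholds: a few hundred queries from a randomizing resolver give an
    entropy close to log2(len(ports)) bits and almost never land on consecutive
    ports. Entropy alone misses a counter-style allocator (all ports distinct but
    predictable), which is why the sequential check is applied as well.
    """
    ent = port_entropy_bits(ports)
    seq = sequential_fraction(ports)
    return {
        "entropy_bits": round(ent, 2),
        "sequential_fraction": round(seq, 3),
        "distinct_ports": len(set(ports)),
        "port_span": max(ports) - min(ports),
        "derandomized": ent < min_entropy_bits or seq > max_sequential,
    }


# Constructed samples standing in for WAN-side capture data (seeded so the run is reproducible).
_rng = random.Random(2008)
# Ports as a randomizing resolver would emit them and a port-preserving NAT would pass them on.
RANDOMIZED_SAMPLE = [_rng.randrange(1024, 65536) for _ in range(300)]
# A NAT that hands out external ports from a counter: every port distinct, yet predictable.
SEQUENTIAL_SAMPLE = list(range(40000, 40300))
# A NAT that has fallen back to mapping every query onto one external port.
SINGLE_PORT_SAMPLE = [53] * 300


if __name__ == "__main__":
    for name, sample in (("randomized", RANDOMIZED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("single-port", SINGLE_PORT_SAMPLE)):
        print(name, assess(sample))
```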

10 Port address translation

Port address translation (PAT) allows many internal hosts to share a single external IP address. Users who do not require support for inbound connections do not consume public IP addresses.

The primary purpose of IP-masquerading NAT is that it has been a practical solution to the impending exhaustion of the IPv4 address space. Even large networks can be connected to the Internet with a single IP address. The more common arrangement is having computers that require end-to-end connectivity supplied with a routable IP address, while having others that do not provide services to outside users behind NAT with only a few IP addresses used to enable Internet access.

Some[10] have also called this exact feature a major drawback, since it delays the need for the implementation of IPv6:

"[...] it is possible that its [NAT’s] widespread use will significantly delay the need to deploy IPv6. [...] It is probably safe to say that networks would be better off without NAT [...]"

Hosts behind NAT-enabled routers do not have end-to-end connectivity and cannot participate in some Internet protocols. Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted. Unless the NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts (“passive mode” FTP, for example), sometimes with the assistance of an application-level gateway (see below), but fail when both systems are separated from the Internet by NAT. Use of NAT also complicates tunneling protocols such as IPsec because NAT modifies values in the headers which interfere with the integrity checks done by IPsec and other tunneling protocols.

End-to-end connectivity has been a core principle of the Internet, supported for example by the Internet Architecture Board. Current Internet architectural documents observe that NAT is a violation of the End-to-End Principle, but that NAT does have a valid role in careful design.[11] There is considerably more concern with the use of IPv6 NAT, and many IPv6 architects believe IPv6 was intended to remove the need for NAT.[12]

Because of the short-lived nature of the stateful translation tables in NAT routers, devices on the internal network lose IP connectivity typically within a very short period of time unless they implement NAT keep-alive mechanisms by frequently accessing outside hosts. This dramatically shortens the power reserves on battery-operated hand-held devices and has thwarted more widespread deployment of such IP-native Internet-enabled devices.

Some Internet service providers (ISPs), especially in India, Russia, parts of Asia and other “developing” regions, provide their customers only with “local” IP addresses, due to a limited number of external IP addresses allocated to those entities. Thus, these customers must access services external to the ISP’s network through NAT. As a result, the customers cannot achieve true end-to-end connectivity, in violation of the core principles of the Internet as laid out by the Internet Architecture Board.

• Scalability - An implementation that only tracks ports can be quickly depleted by internal applications that use multiple simultaneous connections (such as an HTTP request for a web page with many embedded objects). This problem can be mitigated by tracking the destination IP address in addition to the port (thus sharing a single local port with many remote hosts), at the expense of implementation complexity and CPU/memory resources of the translation device.

• Complexity - Because the internal addresses are all disguised behind one publicly accessible address, it is impossible for external hosts to initiate a connection to a particular internal host without special configuration on the firewall to forward connections to a particular port. Applications such as VOIP, videoconferencing, and other peer-to-peer applications must use NAT traversal techniques to function.

IEEE[13] Reverse Address and Port Translation (RAPT, or RAT) allows a host whose real IP address is changing from time to time to remain reachable as a server via a fixed home IP address. In principle, this should allow setting up servers on DHCP-run networks. While not a perfect mobility solution, RAPT together with upcoming protocols like DHCP-DDNS may end up becoming another useful tool in the network admin’s arsenal.

Cisco RAPT implementation is port address translation (PAT) or NAT overloading, and maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. The port numbers are 16-bit integers. The total number of internal addresses that can be translated to one external address could theoretically be as high as 65,536 per IP address. Realistically, the number of ports that can be assigned a single IP address is around 4000. PAT attempts to preserve the original source port. If this source port is already used, PAT assigns the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023, or 1024-65535. When there are no more ports available and there is more than one external IP address configured, PAT moves to the next IP address to try to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses.

Mapping of Address and Port is a Cisco proposal which combines A+P port address translation with tunneling of the IPv4 packets over an ISP provider’s internal IPv6 network. In effect, it is an (almost) stateless alternative to Carrier Grade NAT and DS-Lite that pushes the IPv4 IP address/port translation function (and therefore the maintenance of NAT state) entirely into the existing customer premises equipment NAT implementation, thus avoiding the NAT444 and statefulness problems of Carrier Grade NAT, and also provides a transition mechanism for the deployment of native IPv6 at the same time with very little added complexity.
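The PAT allocation policy just described, together with the translation-table steps of section 3.3, as an added example that is not code from the article or from any vendor: outbound packets keep their source port when it is free, otherwise take the first free port in the same port group (0-511, 512-1023, 1024-65535), then the next external address is tried; inbound packets are mapped back through the table or dropped when no entry matches. The table is keyed on the remote endpoint as well (the mitigation named under "Scalability"), so one external port can be reused towards different remote hosts; all addresses are constructed sample values.

```python
"""A NAPT/PAT translation table with port preservation and port-group fallback."""
from dataclasses import dataclass, replace

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    def __init__(self, external_ips):
        self.external_ips = list(external_ips)
        # Outbound table: (proto, src, sport, dst, dport) -> (external ip, external port)
        self.outbound = {}
        # Inbound table: (proto, external ip, external port, remote ip, remote port) -> (src, sport)
        # Keying on the remote endpoint lets one external port serve several remote hosts.
        self.inbound = {}

    def _free(self, proto, ext_ip, port, remote):
        return (proto, ext_ip, port, remote[0], remote[1]) not in self.inbound

    @staticmethod
    def _group(port):
        return next(g for g in PORT_GROUPS if g[0] <= port <= g[1])

    def allocate(self, proto, sport, remote):
        """Choose (external ip, external port) in the order the article gives for PAT."""
        lo, hi = self._group(sport)
        for ext_ip in self.external_ips:
            if self._free(proto, ext_ip, sport, remote):
                return ext_ip, sport                      # port preservation
            for port in range(lo, hi + 1):                # first free port in the same group
                if self._free(proto, ext_ip, port, remote):
                    return ext_ip, port
            # group exhausted on this address: move on and retry the original port
        return None                                       # out of ports and external addresses

    def translate_outbound(self, pkt):
        """Rewrite the source of an internal packet; None when no mapping can be made."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            alloc = self.allocate(pkt.proto, pkt.sport, (pkt.dst, pkt.dport))
            if alloc is None:
                return None
            self.outbound[key] = alloc
            self.inbound[(pkt.proto, alloc[0], alloc[1], pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        ext_ip, ext_port = self.outbound[key]            # later packets of the flow reuse the entry
        return replace(pkt, src=ext_ip, sport=ext_port)

    def translate_inbound(self, pkt):
        """Map a packet from the outside back to the internal host; None if unsolicited."""
        entry = self.inbound.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                                   # no state for it: drop or reject
        src, sport = entry
        return replace(pkt, dst=src, dport=sport)


if __name__ == "__main__":
    nat = Napt(["203.0.113.1", "203.0.113.2"])
    for host in ("192.168.1.10", "192.168.1.11"):        # two hosts, same source port, same server
        print(nat.translate_outbound(Packet("tcp", host, 40000, "198.51.100.7", 80)))
    print(nat.translate_inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.1", 1024)))
    print(nat.translate_inbound(Packet("tcp", "198.51.100.9", 80, "203.0.113.1", 2000)))
```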
11 Examples of NAT software

• Internet Connection Sharing (ICS): NAT & DHCP implementation included with Windows desktop operating systems

• IPFilter: included with (Open)Solaris, FreeBSD and NetBSD, available for many other -like operating systems

• ipfirewall (ipfw): FreeBSD-native packet filter

• Netfilter: the Linux packet filter

• NPF: NetBSD-native Packet Filter

• PF: OpenBSD-native Packet Filter

• Routing and Remote Access Service: routing implementation included with Windows Server operating systems

• WinGate: third-party routing implementation for Windows

12 See also

• AYIYA (IPv6 over IPv4 UDP, thus working IPv6 tunneling over most NATs)

• Gateway (telecommunications)

• Internet Gateway Device (IGD) Protocol: UPnP NAT-traversal method

• Middlebox

• Port triggering

• Subnetwork

• TCP and UDP port

• Teredo tunneling: NAT traversal using IPv6

13 References

[1] Network Protocols Handbook (2 ed.). Javvin Technologies Inc. 2005. p. 27. ISBN 9780974094526. Retrieved 2014-09-16. Network Address Translation (Basic NAT) is a method by which IP addresses are mapped from one group to another, transparent to end users.

[2] François Audet; and Cullen Jennings (January 2007). “RFC 4787 Network Address Translation (NAT) Behavioral Requirements for Unicast UDP” (text). IETF. Retrieved 2007-08-29.

[3] “Characterization and Measurement of TCP Traversal through NATs and Firewalls”. December 2006.

[4] “Illuminating the shadows: Opportunistic network and web measurement”. December 2006.

[5] “The Audio over IP Instant Expert Guide”. Tieline. January 2010. Retrieved 2011-08-19.

[6] superuser.com

[7] “NAT Loopback Routers - OpenSim”. Opensimulator.org. 2013-10-21. Retrieved 2014-02-21.

[8] Iljitsch van Beijnum (2008-07-23). “After staunch resistance, NAT may come to IPv6 after all”. Ars Technica. Retrieved 2014-04-24.

[9] RFC 6887, Port Control Protocol (PCP), Wing, Cheshire, Boucadair, Penno & Selkirk (April 2013)

[10] Larry L. Peterson; and Bruce S. Davie; Computer Networks: A Systems Approach, Morgan Kaufmann, 2003, pp. 328-330, ISBN 1-55860-832-X

[11] R. Bush; and D. Meyer; RFC 3439, Some Internet Architectural Guidelines and Philosophy, December 2002

[12] G. Van de Velde et al.; RFC 4864, Local Network Protection for IPv6, May 2007

[13] ieeexplore.ieee.org

14 External links

• NAT-Traversal Test and results

• Characterization of different TCP NATs – Paper discussing the different types of NAT

• Anatomy: A Look Inside Network Address Translators – Volume 7, Issue 3, September 2004

• Jeff Tyson, HowStuffWorks: How Network Address Translation Works

• Routing with NAT (Part of the documentation for the IBM iSeries)

• How NAT Works – Cisco Systems

15 Text and image sources, contributors, and licenses

15.1 Text

• Network address translation Source: http://en.wikipedia.org/wiki/Network%20address%20translation?oldid=639630822


15.3 Content license

• Creative Commons Attribution-Share Alike 3.0