NAT stands for Network Address Translation, and it is a method to remap one IP (Internet Protocol) address space into another by modifying the network address information (in the IP header) of packets while they are in transit across a traffic-routing device (see Fig. 1) [5, 3]. When a network device1 in an internal (usually private) network sends a packet \(P\) to the Internet, the NAT device translates the internal IP address into an external (usually public) IP address. When a packet from the Internet arrives at the NAT device, it translates the external IP address into the internal IP address of the device that receives the packet \(P\).
Most NAT boxes are implemented as a part of home routers.
NAT was designed because it provides the following advantages:
However, NAT also has (mainly) one disadvantage:
An IP address is a unique label that identifies a device on a network. It is an integer number (32 bits in the case of IPv4 and 128 bits in IPv6) assigned to devices that use the Internet to communicate. All IP packets carry IP addresses in their header. IPv4 addresses are usually written in dotted-decimal notation, such as, for example, 10.20.30.40. On the other hand, IPv6 addresses are expressed in colon-hexadecimal notation, such as, for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
A port, in the context of networking, is an integer number (usually 16 bits long), used by a transport protocol (usually TCP or UDP) and associated with an application protocol, that receives or transmits data for a specific service (for example, port 80 is used for the HyperText Transfer Protocol (HTTP), which is employed to transfer Web pages). In general, ports are used to identify a running process on a computer (host). When a host receives a packet of data, the operating system looks at the port number in the packet header to determine which service is the destination of the data.
An end-point is the combination of an IP address and a port. End-points identify networked actors (usually computer processes) that exchange IP packets. For example, the end-point 8.8.8.8:53 identifies a name server provided by Google Inc. In general, we will represent an end-point as \(A:b\), where \(A\) is an IP address and \(b\) is a port.
In the context of UDP, a “connection”4 is the action of transmitting at least one packet from one end-point to another. Notice that connections are determined by a pair of end-points. But it should be clear that, by definition, connections are only generated when applications use TCP.
Networked actors (usually processes5) can be classified as servers, clients, and peers. Servers wait for requests from clients (clients always initiate the connections). When the actors can act as servers and clients at the same time, they are called peers.
A NAT device uses a TT to track the connections that are established between “internal” and “external” peers (see Fig. 1). When an outgoing packet (generated in the internal network) is sent to another peer through a NAT device, the TT6 is used to take note of the internal end-point of the peer that sent this packet. Thus, when an incoming packet (generated in the external network) arrives, the TT indicates the internal end-point of a peer. How the NAT box finds that internal end-point depends on the type of NAT (see below).
Notice that entries in the TT are only generated for outgoing traffic (generated in the internal network). If an external IP packet arrives at the NAT device and there is no entry in the TT (with a working TT-record) associated with the connection, the packet is discarded.
NAT devices can be classified as [1]:
Depending on the number of available IP external addresses:
Depending on how the external ports are assigned:
In CDM (Connection Dependent Mapping) NAT devices, the assigned (external) port \(P(X:x,Y:y)\) is different for each “connection” \((X:x,Y:y)\), where \(X:x\) is an internal end-point and \(Y:y\) is an external end-point. In this case, we can distinguish between:
These algorithms are used in Symmetric NAT devices. Notice that, even if our device is fixed-\(\Delta \), it could behave as a random-\(\Delta \) one due to the outgoing traffic generated by neighbouring peers or other network actors, which consume external ports in between our own connections.
Remember that none of these techniques has been standardized. Therefore, your NAT box can implement one of them, a mixture of them, or even any other algorithm.
Depending on how the incoming traffic is accepted (or not), NAT devices are classified as:
Again, remember that your NAT box can use any other algorithm :-/
UDP hole punching [4] is a technique for transmitting UDP packets between peers that are behind different NAT devices, ... in some cases.12 UDP hole punching works by having the two peers first send messages to each other, sometimes13 with the help of a third-party server. After that, the peers try to “punch a hole” in their NAT devices through which the incoming traffic can cross the NAT device.
Figure 2 shows an example where two “NAT-ed” peers, \(P_1\) and \(P_2\), establish a “UDP connection” with the information provided by a server \(S\) (the public IP end-points used by the NAT devices). As can be seen, the peers talk to the server first and then to each other.14 In Step 15, \(P_1\) knows that it can communicate with \(P_2\), and in Step 19, \(P_2\) recognizes a successful connection with \(P_1\).
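The following is an added example (it is not code from these notes) that models, in Python, the three things discussed above: the translation table that is only populated by outgoing traffic, the mapping and filtering policies that distinguish cone from symmetric (CDM) NATs, and the hole-punching exchange of Figure 2. The class name, the policy labels ("independent"/"dependent" mapping, "independent"/"address"/"address_port" filtering, borrowed from the RFC 4787 vocabulary), the fixed-\(\Delta \) port allocation and every address and port are assumptions of the example, not values from the notes or from any real NAT box.

```python
"""Toy model of a NAT box: the translation table (TT) it keeps for outgoing
traffic, RFC 4787-style port-mapping and filtering policies, and the UDP
hole-punching exchange of Figure 2. Added example, not the notes' own code;
policy labels, class names, addresses and ports are this example's assumptions."""

from dataclasses import dataclass, field

Endpoint = tuple  # (ip, port), i.e. A:b in the notes' notation


@dataclass
class Nat:
    public_ip: str
    # "independent": every connection of X:x reuses one public port (cone NATs);
    # "dependent": a new public port per (X:x, Y:y) pair (symmetric NATs, CDM)
    mapping: str = "independent"
    # "independent": accept from anyone; "address": only from IPs that X:x has
    # already sent to; "address_port": only from end-points X:x has sent to
    filtering: str = "independent"
    delta: int = 1            # fixed-Δ increment between successively assigned ports
    next_port: int = 40000    # first public port handed out (assumption)
    tt: dict = field(default_factory=dict)       # mapping key -> public port
    records: dict = field(default_factory=dict)  # public port -> {(internal ep, remote ep)}

    def _key(self, internal: Endpoint, remote: Endpoint):
        return internal if self.mapping == "independent" else (internal, remote)

    def outgoing(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Internal end-point sends a datagram to `remote`: create or refresh the
        TT-record and return the public end-point stamped on the packet."""
        key = self._key(internal, remote)
        if key not in self.tt:
            self.tt[key] = self.next_port
            self.next_port += self.delta
        port = self.tt[key]
        self.records.setdefault(port, set()).add((internal, remote))
        return (self.public_ip, port)

    def incoming(self, remote: Endpoint, public_port: int):
        """Datagram from `remote` arrives at one of our public ports: return the
        internal end-point it is forwarded to, or None if the NAT discards it."""
        for internal, sent_to in self.records.get(public_port, ()):
            if (self.filtering == "independent"
                    or (self.filtering == "address" and sent_to[0] == remote[0])
                    or (self.filtering == "address_port" and sent_to == remote)):
                return internal
        return None   # no working TT-record for this traffic: packet discarded


def hole_punch(nat1: Nat, p1: Endpoint, nat2: Nat, p2: Endpoint,
               server: Endpoint = ("203.0.113.10", 5000)) -> bool:
    """The exchange of Figure 2: P1 and P2 register with S, learn each other's
    public end-point from S, then both send to it. True when datagrams get
    through in both directions."""
    pub1 = nat1.outgoing(p1, server)   # S sees P1 as pub1
    pub2 = nat2.outgoing(p2, server)   # S sees P2 as pub2
    # S tells P1 about pub2 and P2 about pub1; each peer then sends to the other.
    # A filtering NAT may drop the very first datagram each way; the peers keep
    # retransmitting, so delivery is evaluated after both have sent at least once.
    src1 = nat1.outgoing(p1, pub2)
    src2 = nat2.outgoing(p2, pub1)
    p1_reaches_p2 = nat2.incoming(src1, pub2[1]) == p2
    p2_reaches_p1 = nat1.incoming(src2, pub1[1]) == p1
    return p1_reaches_p2 and p2_reaches_p1


def demo() -> dict:
    """Run the Figure 2 exchange through three NAT behaviours (constructed addresses)."""
    p1, p2 = ("192.168.1.10", 6000), ("10.0.0.7", 6000)
    policies = {"full cone": dict(),
                "port-restricted cone": dict(filtering="address_port"),
                "symmetric": dict(mapping="dependent", filtering="address_port")}
    return {name: hole_punch(Nat("198.51.100.1", **kw), p1, Nat("198.51.100.2", **kw), p2)
            for name, kw in policies.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} hole punching {'succeeds' if ok else 'fails'}")
```

The symmetric case fails because each NAT assigns a fresh public port for the connection towards the other peer, so the port that \(S\) reported is not the one the hole is punched on; the port-restricted cone succeeds because the mapping is reused and, once \(P_2\) has sent to \(P_1\)'s public end-point, the filter lets \(P_1\)'s datagram through.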
STUN (Session Traversal Utilities for NAT) is a standard network protocol, defined in the RFC (Request for Comments) 5389 [2], designed to provide public IP address and port discovery when UDP is used. In theory, there are dozens of STUN servers available that can be consulted. Some of them are:
stun.l.google.com:3478
stun.12connect.com:3478
stun.12voip.com:3478
Notice that most STUN servers listen on port 3478.
In Python, you can query a server with:
import stun  # Install with "pip install pystun3"
nat_type, external_ip, external_port = stun.get_ip_info(stun_host='stun.l.google.com')
Notice that STUN servers do not provide information about other peers. Therefore, even if you use a STUN server to learn the public end-point used by your NAT device, you will need to specify (manually) the end-point of your interlocutor when using InterCom (which automatically performs the UDP hole-punching manoeuvre, because the InterCom instances start transmitting UDP packets as soon as there is audio data).
It is possible to open external ports “manually” in your NAT device, if you have administrator privileges. To do this, you need to log in to your NAT device (router) and configure a UDP redirection rule that indicates an external (unused) port and the internal end-point where, for example, InterCom is listening.
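To show what the pystun3 call above actually does on the wire, here is an added example (not code from these notes and not pystun3's implementation) that builds a STUN Binding Request by hand and decodes the public end-point from a Binding Success Response, following the RFC 5389 [2] message layout (20-byte header with the 0x2112A442 magic cookie, XOR-MAPPED-ADDRESS attribute 0x0020). The reply parsed by `demo()` is constructed inside the example, not captured from any server, and the 203.0.113.9:40000 end-point in it is an assumption; `query()` performs the real exchange against a server such as the ones listed above and needs network access.

```python
"""Minimal STUN (RFC 5389) Binding exchange, parsed by hand. Added example, not
the notes' code and not pystun3's implementation; the sample reply is
constructed here, and the public end-point in it is an assumption."""

import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
MAPPED_ADDRESS = 0x0001        # plain (ip, port); older servers answer with this
XOR_MAPPED_ADDRESS = 0x0020    # (ip, port) XORed with the magic cookie


def build_binding_request(transaction_id=None) -> bytes:
    """20-byte header, no attributes: type, length, magic cookie, 96-bit transaction ID."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, tid)


def _decode_address(value: bytes, xored: bool) -> tuple:
    """(XOR-)MAPPED-ADDRESS value: reserved byte, family, port, address (IPv4 only here)."""
    family, port = struct.unpack("!xBH", value[:4])
    if family != 0x01:
        raise ValueError("only IPv4 is handled in this example")
    addr = value[4:8]
    if xored:   # undo the XOR with the most significant 16 bits / the whole cookie
        port ^= MAGIC_COOKIE >> 16
        addr = bytes(a ^ m for a, m in zip(addr, struct.pack("!I", MAGIC_COOKIE)))
    return socket.inet_ntoa(addr), port


def parse_binding_response(data: bytes, expected_tid: bytes) -> tuple:
    """Return the (ip, port) the server saw us from, preferring XOR-MAPPED-ADDRESS."""
    msg_type, length, cookie, tid = struct.unpack("!HHI12s", data[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Success Response")
    if tid != expected_tid:
        raise ValueError("transaction ID mismatch (stale or forged reply)")
    body, pos, mapped = data[20:20 + length], 0, None
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + (attr_len + 3) // 4 * 4   # attribute values are padded to 32 bits
        if attr_type == XOR_MAPPED_ADDRESS:
            return _decode_address(value, xored=True)
        if attr_type == MAPPED_ADDRESS and mapped is None:
            mapped = _decode_address(value, xored=False)
    if mapped is None:
        raise ValueError("no mapped address in the response")
    return mapped


def query(host: str, port: int = 3478, timeout: float = 2.0) -> tuple:
    """Send one Binding Request over UDP and parse the reply (needs network access)."""
    request = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(1024)
    return parse_binding_response(data, request[8:20])


def _build_success_response(tid: bytes, ip: str, port: int) -> bytes:
    """What a STUN server answers; used here only to construct the sample reply."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = bytes(a ^ m for a, m in zip(socket.inet_aton(ip), struct.pack("!I", MAGIC_COOKIE)))
    attr = struct.pack("!HHxBH4s", XOR_MAPPED_ADDRESS, 8, 0x01, x_port, x_addr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, tid) + attr


def demo() -> tuple:
    """Offline round trip; the NAT's public end-point 203.0.113.9:40000 is assumed."""
    request = build_binding_request()
    tid = request[8:20]
    reply = _build_success_response(tid, "203.0.113.9", 40000)   # constructed, not captured
    return parse_binding_response(reply, tid)


if __name__ == "__main__":
    ip, port = demo()
    print(f"public end-point seen by the STUN server: {ip}:{port}")
```

Checking the transaction ID before trusting the reply is the one validation a client should never skip: STUN runs over UDP, so any host can send an unsolicited "response" claiming an arbitrary public end-point.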
Determine (experimentally) if your NAT is a:
Describe the experiments in your report. Try to use Jupyter Notebook. Here you have an example.
Tip: The IP address of your NAT device can be found with:
[1] C. Jennings and F. Audet. Network Address Translation (NAT) Behavioral Requirements for Unicast UDP (RFC 4787), 2007.
[2] J. Rosenberg, R. Mahy, P. Matthews, and D. Wing. Session Traversal Utilities for NAT (STUN) (RFC 5389), 2008.
[3] P. Srisuresh and K. Egevang. Traditional IP Network Address Translator (Traditional NAT) (RFC 3022), 2001.
[4] P. Srisuresh, B. Ford, and D. Kegel. State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs) (RFC 5128), 2008.
[5] P. Srisuresh and M. Holdrege. IP Network Address Translator (NAT) Terminology and Considerations (RFC 2663), 1999.
1Installed for example in a host.
2Different from our network.
3Something that, by definition, is not done by servers.
4The term connection is mainly used in the context of TCP, which is not our case. However, we will use this word to refer to the existence of a communication between two processes that use UDP.
5But it could be a piece of hardware or any other computational entity.
6Managed by the NAT box.
7Or at least, one.
8\(\Delta \) is a natural number.
9Apart from the existence of a working TT-record for the corresponding public port used by the incoming packets.
10Notice that in this case, TT-records are also indexed by the external IP addresses of the incoming packets.
11Now, the TT-records are indexed by the external port and the external end-point.
12It is not always reliable, and it may not work in all situations, ... because the behavior of NAT devices has not been standardized.
13Depending on the application.
14Notice, however, that the server is optional. The peers could obtain their interlocutor’s end-point through other means.