IEG3090 - Tutorial 10 NAT Traversal Fong Chi Hang, Bosco
Overview • Types of NATs & Firewalls • STUN • NAT Traversal using STUN
Network Address Translation (NAT) • The process of modifying network address information in datagram packet headers • Remapping a given address space into another
Figures: full cone NAT discovery; restricted cone NAT discovery; port-restricted cone NAT discovery; symmetric NAT discovery
Firewalls
Figure: STUN client request, STUN server, firewall response; node with private address X, application at address Y port P
• Some firewalls may block all UDP • Some firewalls may allow a UDP response only if it is sent from Y/P, where an earlier UDP request was sent to Y/P (“symmetric firewall”)
STUN (Simple Traversal of UDP datagram protocol through NATs) • A protocol used by an end host to determine whether it is behind a firewall/NAT box, and to identify the type of that box • The host communicates with a public STUN server • Key point: the server can alternate the IP address and port number it responds from
STUN Request and Response
The STUN response from the server may include:
• MAPPED-ADDRESS - contains the IP address and port of the client (as seen by the server).
• CHANGED-ADDRESS - contains the alternate IP address and port of the server.
• SOURCE-ADDRESS - contains the IP address and port of the server.
The STUN request can contain a flag to request that the STUN server use the alternative address and port to send the STUN response:
• CHANGE-REQUEST - contains flags for the alternate IP address and port of the server.
Flow chart for the NAT discovery process
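The discovery flow chart above, as an added example that is not part of the tutorial: the classic STUN test sequence (Test I, Test II with CHANGE-REQUEST set for both IP and port, Test I repeated to the CHANGED-ADDRESS, Test III with only the port changed) run against small models of the four NAT types. All addresses, ports and NAT behaviour here are constructed for the simulation.

```python
# Added example (not from the tutorial): the STUN discovery tests from the
# flow chart, run against simple models of the four NAT types. Addresses are constructed.
from dataclasses import dataclass, field
SERVER = ("203.0.113.10", 3478)       # constructed primary STUN server IP/port
SERVER_ALT = ("203.0.113.11", 3479)   # constructed CHANGED-ADDRESS (alternate IP/port)
CLIENT = ("10.0.0.5", 5000)           # constructed private address X, port P

@dataclass
class Nat:
    kind: str                         # "full", "restricted", "port" or "symmetric"
    public_ip: str = "198.51.100.7"   # constructed external address
    bindings: dict = field(default_factory=dict)  # src (or (src, dst)) -> external port
    allowed: set = field(default_factory=set)     # (external addr, destination) seen outbound
    next_port: int = 40000

    def outbound(self, src, dst):
        # Reuse one mapping per source, except symmetric NATs map per destination.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        ext = (self.public_ip, self.bindings[key])
        self.allowed.add((ext, dst))
        return ext

    def inbound(self, ext, from_addr):
        # Does a packet from from_addr to external address ext pass the NAT filter?
        if self.kind == "full":        # any sender may use an existing mapping
            return ext[1] in self.bindings.values()
        if self.kind == "restricted":  # sender IP must have been contacted, any port
            return any(e == ext and d[0] == from_addr[0] for e, d in self.allowed)
        return (ext, from_addr) in self.allowed   # port-restricted and symmetric: exact IP/port

def stun(nat, dst, change_ip=False, change_port=False):
    # Binding Request to dst; CHANGE-REQUEST flags select the server's reply address.
    # Returns the MAPPED-ADDRESS the client learns, or None if the reply is filtered.
    ext = nat.outbound(CLIENT, dst)
    reply_from = (SERVER_ALT[0] if change_ip else dst[0], SERVER_ALT[1] if change_port else dst[1])
    return ext if nat.inbound(ext, reply_from) else None

def classify(nat):
    mapped = stun(nat, SERVER)                               # Test I: learn mapped address
    if stun(nat, SERVER, change_ip=True, change_port=True):  # Test II: reply from other IP/port
        return "full cone NAT"
    if stun(nat, SERVER_ALT) != mapped:                      # Test I again to CHANGED-ADDRESS
        return "symmetric NAT"
    if stun(nat, SERVER, change_port=True):                  # Test III: reply from other port only
        return "restricted cone NAT"
    return "port-restricted cone NAT"
```

Calling `classify(Nat("symmetric"))` shows why the symmetric case breaks the later hole-punching slides: the mapped port differs per destination, so the address learned from the server is useless for reaching a peer.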
NAT Traversal using STUN • Alice (with a private address) wants to call Bob • Bob is also behind a NAT box (with a private address) • Alice talks to the public (STUN) server, so the server knows Alice’s external address/port • Bob also talks to the public server, so the server knows about Bob too • The public server tells Alice about Bob, and Bob about Alice • Bob sends a packet to Alice (creating a “hole” in his NAT)
Figure: steps 1-4 between Alice, the server and Bob
NAT Traversal using STUN • Now when Alice sends a packet back to Bob, Bob’s NAT does not filter it, assuming it is the return packet for the earlier request • Alice’s NAT also allows Bob’s future packets to return • This assumes Alice’s NAT will use the same external address/port (used for the server) to talk to Bob • This does not work if the NATs are symmetric NATs
Figure: steps 1-4 between Alice, the server and Bob
Thank you very much!