Types of Network Address Translation

by Prapattimynk, Sunday, 17 September 2023 (6 months ago)

While still very useful, the old definition of NAT types is outdated. The new definition accurately reflects the kind of NAT present in the network and what we can expect from the translator.

Glossary:

  • NAT: Network Address Translation (you should have some familiarity with that, otherwise please read the NAT page on Wikipedia)
  • host:port: an address of a PC in a network subjected to NAT when reaching a public host
  • public-host:public-port: the public host to reach
  • external-host and/or external-port: temporary public address provided by the NAT mechanism on the router at the edge of your network (i.e., before going outside)

You can still read this definition in the NAT page on Wikipedia. In short, we have these different types of NAT:

  • Full-cone: an internal address (host:port) is mapped to an external address (external-host:external-port). Every outgoing packet from the internal address will be mapped to that external address, regardless of the destination. Also, every incoming packet to the external address will be forwarded to the internal address, regardless of the source.
  • (Address)-restricted-cone NAT: same as above. The only difference is that an incoming packet (from external) will be accepted if the packet source has been contacted from the internal address in the past (no matter which destination port the internal address used in the previous outgoing packet).
  • Port-restricted cone NAT: same as above, however the port is now restricted: the destination port of the previous outgoing packet to the external host must be the same port used as "source port" in the incoming packets. In other words: an address public-host:public-port can send a packet to the internal host:port via external-host:external-port only if, in the past, the internal address host:port sent an outgoing packet to public-host:public-port.
  • Symmetric NAT: each different internal address and destination gets a different external-host:external-port when mapping occurs. This means that the only address that can reply back to the internal address is the contacted one (both hostname AND port are used).

As you can imagine, Symmetric NAT is the worst possible situation for NAT bypass techniques (like UDP hole punching). Sometimes an ISP uses a specific implementation of NAT on purpose. E.g., symmetric NAT uses more device resources, but it won’t allow any traversal mechanism (hence things like BitTorrent or other p2p clients will suffer) and may use fewer public IPs.

The current definition from RFCs (mostly RFC 4787) splits the behavior into parts: mapping, filter, port number, and hairpin.

Mapping

The mapping indicates which kind of mapping will occur:

  • Endpoint-Independent Mapping: in this mode, the same internal address host:port is always associated with the same external address external-host:external-port, regardless of the destination.
  • Address-Dependent Mapping: in this mode, the same internal address host:port is associated with the external address external-host:external-port when sending packets to the same destination host public-host (any port). Different destination hosts will get different mappings.
  • Address and Port-Dependent Mapping: in this mode, the same internal address host:port is associated with the same external address external-host:external-port when sending packets to the same destination address public-host:public-port. Different destination addresses or ports will get different mappings.

Filtering

The filtering behavior controls who can use the mapped external-host and external-port to reach the internal address host:port:

  • Endpoint-Independent Filtering: basically anyone can use the external-host:external-port address to reach host:port
  • Address-Dependent Filtering: in order to receive packets from public-host via external-host:external-port, the internal address host:port should send packets first to public-host (any port). In other words, only those destinations already contacted by the host:port in the past (to any port) can use the external mapping to reach the internal address.
  • Address and Port-Dependent Filtering: to receive packets from public-host via external-host:external-port, the internal address host:port should send packets first to public-host:public-port. In other words, only those destinations public-host:public-port already contacted by the host:port in the past can use the external mapping to reach the internal address. Note that in this case, the public-port is present in the filter.

Port number

A NAT device can decide to operate in different ways when assigning mapped external-ports:

  • port preservation: the NAT device tries to preserve the internal port number when mapping. In other words, the port number of external-port will be the same as port, if available.
    • In case of collisions (e.g., a previous mapping already present, using the same port number), there are different techniques: try another external address external-host (if the router has more than one address); un-map the previous mapping and re-use the port number; or use a random port instead.
    • When the NAT device removes the previous mapping, it can be classified as port overloading.
  • no port preservation or random: when the NAT device won’t preserve the port. In other words, the mapping will use a random port.

Hairpin

Lastly, hairpin is the property of some routers to allow communications between hosts in the same LAN using the public/external address of the router itself. This is very useful when two hosts are trying to establish a link in the same network, and they are not aware that they can reach each other directly.

Other attributes

Note that some NAT devices have been found to change their behavior dynamically, based on resource consumption or other factors. If you're interested in this, the section named "Deterministic Properties" in RFC 4787 explains the findings.

Also, RFC 4787 defines other minor attributes:

  • Port parity: the capability of preserving the parity of UDP ports (even ports are mapped to even ports, odd to odd).
  • Port contiguity: the NAT device assigns ports sequentially in some cases (as expected by RTCP = RTP + 1).
  • Mapping refresh: the way the NAT device handles mapping expiration and keepalives.
  • Handling of Application Layer Gateways (ALGs).
  • Blocking or allowing ICMP Destination Unreachable packets.

The old and the new definitions are incompatible because the new one explains the situation with more details and possibilities. However, we can still map between them if we remember that the mapping will be somehow “fuzzy”.

Old mapping name           | Mapping                    | Filtering
---------------------------|----------------------------|-----------------------------------------------
Full cone                  | Endpoint-Independent       | Endpoint-Independent
(Address)-restricted cone  | Endpoint-Independent       | Address-Dependent
Port-restricted cone       | Endpoint-Independent       | Address and Port-Dependent
Symmetric                  | Address and Port-Dependent | Address-Dependent / Address and Port-Dependent

Port preservation, hairpin, and other attributes were not present in the previous definitions. Also, any type of NAT may use any port preservation mechanism (the two are unrelated), so adding these to the table makes little sense.
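To make the mapping and filtering sections above, and the table that joins them, concrete, here is an added simulation (not code from the original post) of a translator whose mapping and filtering behaviors are chosen independently. The external address 203.0.113.1, the sequential port assignment starting at 40000 (i.e., no port preservation) and the `Nat` class itself are constructed assumptions; `old_name()` applies the fuzzy table from the text.

```python
from itertools import count

# RFC 4787 behaviour names used in the text; filtering reuses the same three
EIM, ADM, APDM = "endpoint-independent", "address-dependent", "address-and-port-dependent"
EIF, ADF, APDF = EIM, ADM, APDM

OLD_NAMES = {  # the "fuzzy" old-name table from the text, keyed by (mapping, filtering)
    (EIM, EIF): "Full cone", (EIM, ADF): "(Address)-restricted cone",
    (EIM, APDF): "Port-restricted cone", (APDM, ADF): "Symmetric", (APDM, APDF): "Symmetric",
}

class Nat:
    def __init__(self, mapping, filtering, external_host="203.0.113.1"):
        self.mapping, self.filtering, self.ext = mapping, filtering, external_host
        self.table = {}            # mapping key -> external-port
        self.reverse = {}          # external-port -> internal (host, port)
        self.contacted = set()     # (external-port, (public-host, public-port)) seen outbound
        self.ports = count(40000)  # no port preservation: sequential ports (assumed)

    def _key(self, internal, dest):
        if self.mapping == EIM:
            return (internal,)          # destination ignored
        if self.mapping == ADM:
            return (internal, dest[0])  # destination host only
        return (internal, dest)         # destination host and port

    def outbound(self, internal, dest):
        # internal (host, port) sends to dest (public-host, public-port); returns external address
        key = self._key(internal, dest)
        if key not in self.table:
            self.table[key] = next(self.ports)
            self.reverse[self.table[key]] = internal
        port = self.table[key]
        self.contacted.add((port, dest))
        return (self.ext, port)

    def inbound(self, ext_port, source):
        # packet from source (public-host, public-port) to external-port; None means filtered
        internal = self.reverse.get(ext_port)
        if internal is None:
            return None
        if self.filtering == EIF:
            allowed = True
        elif self.filtering == ADF:
            allowed = any(p == ext_port and d[0] == source[0] for p, d in self.contacted)
        else:
            allowed = (ext_port, source) in self.contacted
        return internal if allowed else None

    def old_name(self):
        return OLD_NAMES.get((self.mapping, self.filtering), "no classic equivalent")
```

Running the same outbound/inbound sequence against `Nat(EIM, EIF)` and `Nat(APDM, APDF)` shows why the first accepts a reply from an uncontacted peer while the second hands every destination a fresh external port and drops it.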
