Through the fog of NAT: In-depth understanding of network address translation and NAT penetration, as well as the relationship between STUN, TURN, and ICE

What is NAT?

NAT is the abbreviation of Network Address Translation.

NAT is deployed at the network exit, between the intranet and the public network. It is the bridge connecting intranet hosts to the public network, and all traffic in both directions must pass through it. A router running NAT software is called a NAT router, and a NAT router holds a public IP address.

Most home and office networks reach the Internet through a NAT router. This also means that when your PC connects to the Internet over Wi-Fi at home, the (intranet) IP address you see on the command line (ifconfig) is different from the (public) IP address a site such as Baidu reports for you, which proves that your PC is behind NAT.

What problem does NAT solve?

NAT is mainly used to solve the problem of insufficient IPv4 addresses.

IPv4 uses 32 bits to represent a network address, so it can represent at most 2 to the power of 32 (2^32, about 4 billion) IP addresses. With the rapid growth of networked devices, IPv4 addresses have run short, and IPv6 deployment is too far off to relieve the pressure in the short term. What should we do? NAT technology came into being.

How does NAT work?

Intranet address: RFC 1918 specifies three reserved address segments:

  • 10.0.0.0-10.255.255.255;
  • 172.16.0.0-172.31.255.255;
  • 192.168.0.0-192.168.255.255.

These three ranges fall in the Class A, B, and C address spaces respectively. They are not allocated to specific users and are reserved by IANA as private addresses. They can be used within any organization or enterprise. The difference from other Internet addresses is that they are only valid internally and cannot be used as globally routable addresses.

The intranet host behind NAT uses an intranet address, also called a local address, which is the host's identifier on the intranet. If the intranet host wants to communicate with the public network, its packets must go through NAT. NAT automatically converts between internal and external addresses for the packets passing through it (this is exactly what "address translation" means). The public network address is the host's identifier on the Internet.

NAT principle: When a packet sent by an intranet host to an external host passes through NAT, its source IP and PORT are replaced by the external IP/PORT that NAT assigned to that host, that is, the exit IP/PORT of the intranet host on NAT. When the external host receives the packet, it sees it as having been sent from NAT; the external host can only reach the intranet host by sending to the external IP/PORT that NAT assigned to it. The local address of the intranet host is never visible to the outside world. When the reply passes through NAT, NAT converts the external IP/PORT back to the intranet IP/PORT.

It can be seen that NAT maintains the mapping relationship between the intranet address of the intranet host and the external network address assigned to it on NAT, and needs to maintain an association table. NAT performs two address conversions in two transmission directions, replacing the source (Src) information in the outbound direction and the destination (Dst) information in the inbound direction. The conversion of internal and external network addresses is automatically completed on NAT. The existence of the NAT gateway is transparent to both communicating parties.

So how does NAT alleviate the problem of IPv4 address exhaustion? The answer is port multiplexing. Through PAT (Port Address Translation), multiple intranet hosts behind NAT can share one external IP, thus saving external IP resources to the maximum extent.

How do multiple intranet hosts behind NAT share an external IP? It is done by modifying the source IP and port of outgoing data packets.

Assume that the intranet hosts H1 and H2 are behind NAT. H1 sends a data packet to the public network host X through the local address 10.0.0.1:port1. When passing through NAT, the IP:PORT of the data packet is modified to the external network address 1.2.3.4:2222 of NAT.

H2 sends a data packet to the public network host X through the local address 10.0.0.2:port2. When passing through NAT, the IP:PORT of the data packet is modified to the NAT external address 1.2.3.4:3333.

Although the IPs of H1 and H2 are mapped to the same NAT external IP (1.2.3.4), NAT assigns them different ports (2222 and 3333), so H1 and H2 can be distinguished by the port. Later, when the public network host X sends a network packet to the internal network host H1, it only needs to use 1.2.3.4:2222 as the destination address:port, and NAT can automatically complete the conversion and correctly forward it to the H1 host.

This is the working principle of NAT based on port multiplexing (NAPT). By mapping different intranet connections (host to NAT) to different ports of the same public IP, the public IP is multiplexed on the way out and demultiplexed on the way back. This one-to-many method is also called port translation (PAT) or IP masquerading.

NAT Constraints

NAT divides the network into the public network and the intranet. The intranet host can directly send network packets to the external network host, but the external network host cannot actively send network packets to the intranet host. In other words, network communication must be actively initiated by the intranet side, and the public network host cannot actively access the intranet host. This is the limitation and constraint brought by NAT.

Only after the internal host has actively sent packets to the external host (creating a mapping on NAT) can the external host send packets back to the internal host.
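The port-multiplexing behaviour and the constraint just described, as an added example that is not part of the original article: a toy NAPT table in Python that rewrites the source of outbound packets to the NAT's public IP and an allocated port, rewrites the destination of inbound packets back to the internal host, and drops inbound packets for which no mapping exists. The hosts H1 and H2, the public IP 1.2.3.4 and the exit ports are taken from the text; the public host X (8.8.8.8:53), the local port 40000 and the sequential port allocation starting at 2222 are constructed assumptions.

```python
"""Toy NAPT (port-multiplexing NAT) table, constructed for illustration.

Models the two translations the text describes: outbound packets get their
source rewritten to the NAT public IP and an allocated port; inbound packets
addressed to an allocated port get their destination rewritten back to the
internal host. Inbound packets with no mapping are dropped, which is the NAT
"constraint": the public side cannot initiate a conversation.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes = b""


class Napt:
    """Endpoint-independent NAPT: one public port per internal (ip, port)."""

    def __init__(self, public_ip: str, first_port: int = 2222) -> None:
        self.public_ip = public_ip
        self._next_port = first_port          # constructed: allocate sequentially
        self._out: Dict[Endpoint, int] = {}   # internal (ip, port) -> public port
        self._in: Dict[int, Endpoint] = {}    # public port -> internal (ip, port)

    def _allocate(self, internal: Endpoint) -> int:
        """Reuse an existing mapping, or allocate the next free public port."""
        port = self._out.get(internal)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[internal] = port
            self._in[port] = internal
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> public: replace the source with the NAT exit IP:PORT."""
        port = self._allocate(pkt.src)
        return Packet(src=(self.public_ip, port), dst=pkt.dst, payload=pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> internal: replace the destination with the mapped internal
        host, or drop (None) when no internal host ever created the mapping."""
        if pkt.dst[0] != self.public_ip:
            return None
        internal = self._in.get(pkt.dst[1])
        if internal is None:
            return None
        return Packet(src=pkt.src, dst=internal, payload=pkt.payload)


def demo() -> dict:
    """H1 and H2 use the same local port; NAT still keeps them apart by exit port."""
    nat = Napt("1.2.3.4")
    x = ("8.8.8.8", 53)                                   # constructed public host X
    out1 = nat.outbound(Packet(("10.0.0.1", 40000), x, b"from H1"))
    out2 = nat.outbound(Packet(("10.0.0.2", 40000), x, b"from H2"))
    # X replies to the exit ports it saw; NAT demultiplexes back to H1 / H2.
    back1 = nat.inbound(Packet(x, out1.src, b"to H1"))
    back2 = nat.inbound(Packet(x, out2.src, b"to H2"))
    # Unsolicited packet to a port nobody mapped: dropped.
    stray = nat.inbound(Packet(x, ("1.2.3.4", 9999), b"unsolicited"))
    return {"h1_exit": out1.src, "h2_exit": out2.src,
            "h1_reply_dst": back1.dst if back1 else None,
            "h2_reply_dst": back2.dst if back2 else None,
            "stray_delivered": stray is not None}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the two internal hosts deliberately use the same local port, the example shows that the exit port, not the original port, is what lets NAT tell their return traffic apart.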

Types of NAT

There are three ways to implement NAT: static translation, dynamic translation, and port multiplexing. However, port multiplexing is the most commonly used and most typical application mode.

First of all, from a broad perspective, port-multiplexing NAT (Network Address Port Translation, NAPT) can be divided into symmetric NAT and asymmetric NAT.

  • Symmetric NAT: When a host on the intranet sends two packets to different public network addresses (or ports), symmetric NAT generates two different exit port numbers for them. In other words, the NAT gateway treats each combination of the internal host's "address-port pair" and the external host's "address-port pair" as one connection, and creates a separate public "address-port pair" on the gateway as its exit address. Only a response sent by the external host from the corresponding address-port pair can be translated back. Symmetric NAT cannot be hole-punched; traffic can only be relayed through a TURN server.
  • Asymmetric NAT (also called cone NAT): When a host on the intranet sends a packet to a host on the external network, NAT generates one public (exit) IP:PORT for the intranet host. From then on, the intranet host communicates with all (reachable) external hosts through that same exit IP:PORT and is not mapped to other ports (the exit IP obviously does not change either).

Cone NAT is further divided into:

  • Full Cone NAT: As long as an intranet host has actively sent a packet to some external address (so that NAT has generated a public exit IP:PORT for it), any external host can send packets to the intranet host through that exit IP:PORT. In other words, there is no restriction on the IP or PORT of the external host. This is the most relaxed type.
  • Restricted Cone NAT (IP-restricted NAT): If an intranet host has sent a packet to some external IP, that IP can send packets back to the intranet host. Note that only this IP may appear as the src IP of the packet; other IPs cannot, while the src port number is not restricted.

For example, the intranet host 10.0.0.1 has actively sent packets to the external address 1.2.3.4:2222. The external host can then send packets to 10.0.0.1 with 1.2.3.4:3333 (as src), since the port number is not limited, but it cannot reach the intranet host from any other IP.

  • Port Restricted Cone NAT: Similar to IP restriction, but more strict, restricting both IP and port number. The intranet host has sent a network packet to the external host 10.0.0.1:2222. The external network can only send network packets to the intranet host with 10.0.0.1:2222 as the src.

NAT type detection

NAT isolates the internal and external networks. The external network cannot actively access the internal network. However, P2P projects require the host (Peer) behind NAT to establish a connection. Therefore, it is necessary to detect the NAT type and then determine whether a direct connection can be established between Peers and how to establish the connection.

Detecting the NAT type relies on the NAT characteristics described above: it tests connectivity and compares the port numbers observed. Therefore, to understand type detection, you must refer back to the NAT type definitions.

To repeat the key point: when a host behind NAT sends a packet to the external network, NAT assigns an exit IP:PORT to the host as the packet passes through and replaces the packet's SRC with that public (exit) IP:PORT. When the receiver checks the SRC information of the packet, it therefore sees the NAT exit IP:PORT, just as if the packet had been sent directly from NAT.

Prerequisites for NAT type detection: There needs to be a server on the public network that has two public IP addresses and listens on ip1:port1 and ip2:port2.

Note: In the detection steps, "the server returns a packet to the client via ip:port" means that the server uses that ip:port as the src IP and src port of the rsp packet.

Testing steps:

[Step 1] Determine whether the client is behind NAT

It's very simple. A host behind NAT has its internal address translated when it talks to the public network, so the two IPs differ. The check can therefore be completed by the following operations:

  • The client sends a req UDP packet to server ip1:port1.
  • After receiving the UDP packet, the server takes out the src IP from the IP header and the src PORT from the UDP header, and sends them to the client as the rsp UDP payload.
  • The client receives the rsp UDP, takes the IP and PORT out of the payload, and compares them with its own local IP and port. If they are the same, the client sits directly on the public network with a public IP and detection is complete; otherwise, the client is behind NAT.

[Step 2] Determine whether it is Full Cone NAT

The client sends a req UDP packet to the server ip1:port1, requesting the server to return a UDP packet to the client via ip2:port2 (using ip2:port2 as the src of rsp UDP).

According to the definition of full cone NAT, if the client receives the rsp UDP packet, it means that NAT does not restrict the IP address of the external network, indicating that the client is a full cone NAT. However, full cone NAT is rare, and it is highly likely that the rsp UDP packet will not be received. If it is not received, it is necessary to continue to judge.

[Step 3] Determine whether it is symmetric NAT

The client sends a req UDP packet to the server ip2:port2. After receiving it, the server takes the src IP and src port of the received req UDP, puts them into the payload of the rsp UDP, and returns the packet to the client via ip2:port2 (with ip2:port2 as the src of the rsp UDP).

After receiving the rsp UDP, the client takes the IP and port out of the payload and compares them with the IP and port obtained in step 1. If they differ, it is symmetric NAT.

This follows from the definition above: symmetric NAT assigns a different exit port to the same intranet IP:PORT for each different external destination IP (or port).

If they are the same, then it must be cone NAT. Step 2 has tested the full cone, so the only remaining NAT types that need to be further judged are IP restricted cone and port restricted cone.

[Step 4] Determine whether it is a restricted cone or a PORT restricted cone

The client sends a req UDP packet to the server ip2:port2, asking the server to return a rsp UDP from ip2 but with a port different from port2. That is, the server uses ip2 plus another port (not port2) as the UDP src when returning the packet to the client.

If the client receives the rsp UDP, then NAT lets the packet through as long as the IP matches, even though the port differs, so NAT is IP restricted. If it is not received, NAT is PORT restricted, meaning packets can only come back from port2.

At this point, all NAT types have been detected. Isn't it simple?

Symmetric NAT cannot establish P2P connections directly and can only relay packets through a transfer server.
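The four detection steps above, together with the NAT type definitions from the "Types of NAT" section, as an added example that is not part of the original article: a small Python model of each NAT type (no NAT, full cone, IP-restricted cone, port-restricted cone, symmetric) and a `detect()` function that runs steps 1 to 4 against the model and returns the classification. The server's two public IPs and ports (203.0.113.1 / 203.0.113.2, 3478 / 3479), the client address 10.0.0.1:40000, the NAT public IP 1.2.3.4 and the exit-port allocation are constructed assumptions; nothing is sent on a real network, so the example can be run offline.

```python
"""Simulated NAT-type detection, constructed for illustration.

NatModel answers two questions for the client behind it: which source address
does a server observe when the client sends to a given destination, and would
a reply from a given source reach the client. detect() runs the four steps of
the text against such a model.
"""
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]

PUBLIC = "1.2.3.4"                                           # NAT exit IP (from the text)
IP1, IP2, PORT1, PORT2 = "203.0.113.1", "203.0.113.2", 3478, 3479   # constructed server
CLIENT: Endpoint = ("10.0.0.1", 40000)                       # constructed client socket


class NatModel:
    """kind is one of: none, full_cone, restricted, port_restricted, symmetric."""

    def __init__(self, kind: str) -> None:
        self.kind = kind
        self._map: Dict[tuple, int] = {}      # mapping key -> exit port
        self._contacted: Set[Endpoint] = set()  # destinations the client has sent to
        self._next_port = 2222                # constructed: allocate sequentially

    def send(self, dst: Endpoint) -> Endpoint:
        """Client sends to dst; return the src endpoint the server observes."""
        if self.kind == "none":
            return CLIENT
        # Symmetric NAT keys the mapping on the destination too; cone NATs do not.
        key = (CLIENT, dst) if self.kind == "symmetric" else (CLIENT,)
        if key not in self._map:
            self._map[key] = self._next_port
            self._next_port += 1
        self._contacted.add(dst)
        return (PUBLIC, self._map[key])

    def deliver(self, src: Endpoint, dst: Endpoint) -> bool:
        """Would a packet from src addressed to dst (a NAT exit port) reach the client?"""
        if self.kind == "none":
            return dst == CLIENT
        if dst[0] != PUBLIC or dst[1] not in self._map.values():
            return False                      # no mapping: NAT drops it
        if self.kind == "symmetric":          # only the peer that created this mapping
            return self._map.get((CLIENT, src)) == dst[1]
        if self.kind == "full_cone":          # anyone may use the mapping
            return True
        if self.kind == "restricted":         # src IP must have been contacted
            return any(c[0] == src[0] for c in self._contacted)
        return src in self._contacted         # port_restricted: IP and port must match


def detect(nat: NatModel) -> str:
    # Step 1: server on ip1:port1 echoes the src it saw; compare with local address.
    seen1 = nat.send((IP1, PORT1))
    if seen1 == CLIENT:
        return "no NAT (public IP)"
    # Step 2: ask server (via ip1:port1) to reply from ip2:port2 instead.
    nat.send((IP1, PORT1))
    if nat.deliver((IP2, PORT2), seen1):
        return "full cone"
    # Step 3: send to ip2:port2 and compare the observed mapping with step 1.
    seen3 = nat.send((IP2, PORT2))
    if seen3 != seen1:
        return "symmetric"
    # Step 4: ask server to reply from ip2 with a port other than port2.
    if nat.deliver((IP2, PORT2 + 1), seen3):
        return "restricted cone"
    return "port restricted cone"


def detect_all() -> Dict[str, str]:
    kinds = ["none", "full_cone", "restricted", "port_restricted", "symmetric"]
    return {k: detect(NatModel(k)) for k in kinds}


if __name__ == "__main__":
    for kind, result in detect_all().items():
        print(f"{kind:16s} -> {result}")
```

The model deliberately couples mapping and filtering behaviour the way the four classic types do; real devices can combine them differently (for example endpoint-independent mapping with address-dependent filtering), which is why the procedure should be read as a classification of observed behaviour rather than of the router's configuration.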

To be continued.

It’s too long. I will talk about hole punching, STUN, TURN, and ICE later.
