
NAT devices [Egevang and Francis, 1994] are typically deployed at the edge of a network, commonly referred to as the internal network, and present it as a single IP address to the external network. A NAT device has at least two IP addresses, an internal IP address and an external IP address. The latter is also referred to as the server-reflexive address [Rosenberg, 2010]. When a device in the internal network needs to exchange packets with a device in the external network, the NAT device assigns an external IP address and port number for this exchange, so that the packets from the device in the external network can be routed back to the NAT and onwards to the device in the internal network. The NAT devices may also filter the packets that arrive at the external IP address and port number allocated by the NAT device. RFC 5128 [Srisuresh et al., 2008] refers to these behaviors as the mapping and filtering behaviors of NATs. Together, these behaviors determine whether machines behind two different NAT devices can exchange packets directly or require an intermediary. Next, we briefly elaborate on the mapping and filtering behavior of NAT devices. For a detailed description of these behaviors, we refer the reader to [Audet and Jennings, 2007; Ford et al., 2005].

[Figure: internal network (X, X:x), NAT mappings X1':x1' and X2':x2', external network (Y1 at Y1:y1, Y2 at Y2:y2)]

Figure 2.1: Machine X in the internal network exchanging packets with machines Y1 and Y2 in the external network through a NAT device.

Consider Figure 2.1 where a machine with an IP address and port number X:x behind a NAT device needs to exchange packets with machines Y1 and Y2 in the external network, having IP addresses and port numbers Y1:y1 and Y2:y2, respectively. Assume that for the packet exchange between X:x and Y1:y1 and X:x and Y2:y2, the NAT device allocates an external IP address and port number X1’:x1’ and X2’:x2’, respectively.

2.2.1 Mapping Behavior of NATs

The mapping is known as endpoint-independent mapping if the NAT reuses the mapping for subsequent packets sent from the same internal IP address and port X:x to any external IP address and port, such as Y1:y1 or Y2:y2. The mapping is known as address-dependent mapping if the NAT reuses the mapping for subsequent packets sent from the same internal IP address and port X:x to the same external IP address, regardless of the external port. That is, packets sent from X:x to any port on Y1 will use the same mapping X1’:x1’. However, any packets sent by X:x to any port on Y2 will use a different mapping X2’:x2’. The mapping is known as address and port-dependent mapping if the NAT assigns a new mapping for packets sent from the same internal IP address and port X:x to each different external IP address and port number.

If the NAT behavior is not endpoint-independent, then it requires the hosts behind two different NAT devices to correctly guess the mapping allocated by the NAT device in order to directly exchange packets. An incorrect guess means that hosts behind two different NATs must exchange packets through an intermediary or a relay.

2.2.2 Filtering Behavior of NATs

When a host in an internal network exchanges packets with a host in the external network, the NAT stores a mapping between the internal host and the external host and assigns a filtering rule. The rule is known as endpoint-independent filtering if the NAT device forwards packets received from any host on this mapping. The rule is known as address-dependent filtering if the NAT device only forwards packets from the external host for which the mapping is maintained, regardless of the source port of the packet received from the external host. The rule is known as address and port-dependent filtering if the NAT device only forwards packets from the port of the external host with which the internal host has exchanged packets.

The NATs with endpoint-independent mapping and filtering behavior are the least constrained types. The devices behind these NAT devices are able to establish a media session without an intermediary. The NATs with address and port-dependent mapping and filtering are the most constrained type.
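The mapping and filtering behaviors of Sections 2.2.1 and 2.2.2 can be modeled together in a few lines. The following is an added example, not part of the original text: the `Nat` class, the helper names, the port allocation starting at 40000 and all addresses are constructed for illustration. It checks whether a peer can reach X on the mapping that Y1 observed.

```python
# Added example: toy NAT model; all addresses below are constructed.
EI, AD, APD = "endpoint-independent", "address-dependent", "address-and-port-dependent"

def key_for(behavior, remote):
    """Part of the remote (ip, port) that a mapping or filtering behavior looks at."""
    if behavior == EI:
        return None
    return remote[0] if behavior == AD else remote

class Nat:
    def __init__(self, external_ip, mapping, filtering):
        self.external_ip, self.mapping, self.filtering = external_ip, mapping, filtering
        self.ports = {}      # (internal endpoint, mapping key) -> external port
        self.rules = {}      # external port -> (internal endpoint, permitted filter keys)
        self.next_port = 40000

    def outbound(self, internal, remote):
        """Packet from internal to remote; returns the external (ip, port) used."""
        k = (internal, key_for(self.mapping, remote))
        if k not in self.ports:                     # no reusable mapping: allocate one
            self.ports[k] = self.next_port
            self.rules[self.next_port] = (internal, set())
            self.next_port += 1
        port = self.ports[k]
        self.rules[port][1].add(key_for(self.filtering, remote))
        return (self.external_ip, port)

    def inbound(self, source, external_port):
        """Internal endpoint the packet is forwarded to, or None if the NAT drops it."""
        rule = self.rules.get(external_port)
        if rule and key_for(self.filtering, source) in rule[1]:
            return rule[0]
        return None

X, Y1, PEER = ("10.0.0.5", 5000), ("198.51.100.1", 3478), ("192.0.2.9", 6000)

def peer_reaches_x(mapping, filtering, x_sends_to_peer_first):
    """PEER sends to the mapping that Y1 observed for X; True if the NAT forwards it."""
    nat = Nat("203.0.113.7", mapping, filtering)
    learned = nat.outbound(X, Y1)                   # X1':x1' as seen by Y1
    if x_sends_to_peer_first:
        nat.outbound(X, PEER)                       # opens a filter rule, maybe a new mapping
    return nat.inbound(PEER, learned[1]) == X
```

With endpoint-independent mapping, a packet from X to the peer reuses the learned mapping and opens the filter; with address and port-dependent mapping the same packet creates a different mapping, so the learned one stays closed to the peer.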

2.2.3 Typical NAT Behavior

A survey of 1,787 unique NAT devices indicates that only 11% have an endpoint-independent mapping and filtering behavior [Müller and Klenk, 2010]. The rest of the NAT devices have an endpoint-dependent mapping and filtering behavior, which makes it difficult for hosts behind these devices to directly exchange packets.

2.2.4 Protocols for Traversing NATs

Session traversal utilities for NAT (STUN) [Rosenberg et al., 2008] is a protocol that can be used by an endpoint to determine the IP address and port allocated to it by a NAT. The protocol can also be used to check the type of NAT an endpoint is behind [MacDonald and Lowekamp, 2010] and to check direct connectivity between endpoints that may be behind different NAT devices. Traversal using relays around NAT (TURN) [Mahy et al., 2010] is an extension of the STUN protocol that allows the endpoints behind two different NATs or firewalls to exchange packets through an intermediary. Interactive connectivity establishment (ICE) [Rosenberg, 2010] is a protocol that makes use of the STUN and TURN protocols to establish connectivity between two endpoints directly or through an intermediary.
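How an endpoint learns its server-reflexive address from STUN can be shown with the Binding transaction. The following is an added example, not part of the original text: it builds a Binding request and decodes the XOR-MAPPED-ADDRESS attribute of a Binding success response, rejecting responses whose magic cookie or transaction ID does not match the request. The function names, `TXID` and the `SAMPLE` response bytes are constructed.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0020

def binding_request(txid: bytes) -> bytes:
    """20-byte STUN Binding request with no attributes."""
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid

def parse_reflexive(msg: bytes, txid: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or raise ValueError."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or msg[8:20] != txid:
        raise ValueError("not the Binding success response for this transaction")
    if length % 4 or len(msg) != 20 + length:
        raise ValueError("bad message length")
    pos = 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS:
            if alen not in (8, 20):
                raise ValueError("bad XOR-MAPPED-ADDRESS length")
            family, xport = struct.unpack("!xBH", value[:4])
            port = xport ^ (MAGIC_COOKIE >> 16)
            # IPv4 is XORed with the cookie, IPv6 with cookie + transaction ID
            key = struct.pack("!I", MAGIC_COOKIE) + txid
            addr = bytes(a ^ b for a, b in zip(value[4:], key))
            if (family, len(addr)) not in ((1, 4), (2, 16)):
                raise ValueError("bad address family")
            return str(ipaddress.ip_address(addr)), port
        pos += 4 + alen + (-alen % 4)       # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")

# Constructed sample: response reporting 203.0.113.7:40000 for TXID
TXID = bytes(range(12))
SAMPLE = bytes.fromhex("0101000c2112a442" "000102030405060708090a0b"
                       "00200008" "0001bd52" "ea12d545")
```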

STUN, TURN, and ICE do not require any special behavior from the NAT devices. Therefore, we use these protocols in designing p2p communication protocols. Protocols such as UPnP [UPnP Forum, 2010] require explicit signaling between applications and NAT devices and will not work with the installed base of NATs that does not support these protocols.

2.3 Percentage of VoIP Calls in the Internet Requiring a
