draft-ietf-behave-nat-udp-00.txt   draft-ietf-behave-nat-udp-01.txt 
BEHAVE F. Audet, Ed. BEHAVE F. Audet, Ed.
Internet-Draft Nortel Networks Internet-Draft Nortel Networks
Expires: July 11, 2005 C. Jennings Expires: October 13, 2005 C. Jennings
Cisco Systems Cisco Systems
January 10, 2005 April 11, 2005
NAT Behavioral Requirements for Unicast UDP NAT Behavioral Requirements for Unicast UDP
draft-ietf-behave-nat-udp-00 draft-ietf-behave-nat-udp-01
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each of Section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with which he or she become aware will be disclosed, in accordance with
RFC 3668. RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as Internet-
Internet-Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 11, 2005. This Internet-Draft will expire on October 13, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
This document defines basic terminology for describing different This document defines basic terminology for describing different
types of NAT behavior when handling Unicast UDP, and defines a set of types of NAT behavior when handling Unicast UDP, and defines a set of
requirements that would allow many applications, such as multimedia requirements that would allow many applications, such as multimedia
communications or on-line gaming, to work consistently. Developing communications or on-line gaming, to work consistently. Developing
NATs that meet this set of requirements will greatly increase the NATs that meet this set of requirements will greatly increase the
likelihood that these applications will function properly. likelihood that these applications will function properly.
Table of Contents Table of Contents
1. Applicability Statement . . . . . . . . . . . . . . . . . . . 3 1. Applicability Statement . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Network Address and Port Translation Behavior . . . . . . . . 6 4. Network Address and Port Translation Behavior . . . . . . . . 5
4.1 Address and Port Mapping . . . . . . . . . . . . . . . . . 6 4.1 Address and Port Mapping . . . . . . . . . . . . . . . . . 5
4.2 Port Assignment . . . . . . . . . . . . . . . . . . . . . 8 4.2 Port Assignment . . . . . . . . . . . . . . . . . . . . . 7
4.2.1 Port Assignment Behavior . . . . . . . . . . . . . . . 8 4.2.1 Port Assignment Behavior . . . . . . . . . . . . . . . 7
4.2.2 Port Parity . . . . . . . . . . . . . . . . . . . . . 10 4.2.2 Port Parity . . . . . . . . . . . . . . . . . . . . . 9
4.2.3 Port Contiguity . . . . . . . . . . . . . . . . . . . 10 4.2.3 Port Contiguity . . . . . . . . . . . . . . . . . . . 9
4.3 Mapping Refresh Direction . . . . . . . . . . . . . . . . 11 4.3 Mapping Refresh Direction . . . . . . . . . . . . . . . . 10
4.4 Mapping Refresh Scope . . . . . . . . . . . . . . . . . . 11 4.4 Mapping Refresh Scope . . . . . . . . . . . . . . . . . . 10
5. Filtering Behavior . . . . . . . . . . . . . . . . . . . . . . 12 5. Filtering Behavior . . . . . . . . . . . . . . . . . . . . . . 11
5.1 Filtering of Unsolicited Packets . . . . . . . . . . . . . 12 5.1 Filtering of Unsolicited Packets . . . . . . . . . . . . . 11
5.2 NAT Filter Refresh . . . . . . . . . . . . . . . . . . . . 13 5.2 NAT Filter Refresh . . . . . . . . . . . . . . . . . . . . 11
6. Relationship with Cone and Symmetric NAT Terminology . . . . . 13 6. Hairpinning Behavior . . . . . . . . . . . . . . . . . . . . . 12
7. Hairpinning Behavior . . . . . . . . . . . . . . . . . . . . . 16 7. Application Level Gateways . . . . . . . . . . . . . . . . . . 12
8. Application Level Gateways . . . . . . . . . . . . . . . . . . 16 8. Deterministic Properties . . . . . . . . . . . . . . . . . . . 13
9. Deterministic Properties . . . . . . . . . . . . . . . . . . . 17 9. ICMP Behavior . . . . . . . . . . . . . . . . . . . . . . . . 14
10. ICMP Behavior . . . . . . . . . . . . . . . . . . . . . . . 18 10. Fragmentation of Packets . . . . . . . . . . . . . . . . . . 14
11. Fragmentation of Packets . . . . . . . . . . . . . . . . . . 18 10.1 Smaller Adjacent MTU . . . . . . . . . . . . . . . . . . . 14
11.1 Smaller Adjacent MTU . . . . . . . . . . . . . . . . . . . 18 10.2 Smaller Network MTU . . . . . . . . . . . . . . . . . . . 15
11.2 Smaller Network MTU . . . . . . . . . . . . . . . . . . . 19 11. Receiving Fragmented Packets . . . . . . . . . . . . . . . . 15
12. Receiving Fragmented Packets . . . . . . . . . . . . . . . . 19 12. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 15
13. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 19 12.1 Requirement Discussion . . . . . . . . . . . . . . . . . . 17
13.1 Requirement Discussion . . . . . . . . . . . . . . . . . . 21 13. Security Considerations . . . . . . . . . . . . . . . . . . 19
14. Security Considerations . . . . . . . . . . . . . . . . . . 23 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . 20
15. IANA Considerations . . . . . . . . . . . . . . . . . . . . 24 15. IAB Considerations . . . . . . . . . . . . . . . . . . . . . 20
16. IAB Considerations . . . . . . . . . . . . . . . . . . . . . 24 16. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 21
17. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 25 17. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
18. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 17.1 Normative References . . . . . . . . . . . . . . . . . . . 21
18.1 Normative References . . . . . . . . . . . . . . . . . . . . 25 17.2 Informational References . . . . . . . . . . . . . . . . . 21
18.2 Informational References . . . . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 27 Intellectual Property and Copyright Statements . . . . . . . . 24
Intellectual Property and Copyright Statements . . . . . . . . 28
1. Applicability Statement 1. Applicability Statement
The purpose of this specification is to define a set of requirements The purpose of this specification is to define a set of requirements
for NATs that would allow many applications, such as multimedia for NATs that would allow many applications, such as multimedia
communications or on-line gaming, to work consistently. Developing communications or on-line gaming, to work consistently. Developing
NATs that meet this set of requirements will greatly increase the NATs that meet this set of requirements will greatly increase the
likelihood that these applications will function properly. likelihood that these applications will function properly.
The requirements of this specification apply generally to all NAT The requirements of this specification apply generally to all NAT
variations, including the ones described in RFC 2663 [3] (Traditional variations, including the ones described in RFC 2663 [3] (Traditional
NAT, Basic NAT, NAPT, Bi-directional NAT, Twice NAT, and Multihomed NAT, Basic NAT, NAPT, Bi-directional NAT, Twice NAT, and Multihomed
NATs). However, it is not within the scope of this specification to NATs). However, it is not within the scope of this specification to
address all issues specific to all possible NAT variations. address all issues specific to all possible NAT variations.
This document is meant to cover NATs of any size, from small This document is meant to cover NATs of any size, from small
residential NATs to large Enterprise NATs. However, it should be residential NATs to large Enterprise NATs. However, it should be
understood that Enterprise NATs normally provide much more than just understood that Enterprise NATs normally provide much more than just
NAT capabilities: for example, they typically provide Firewall NAT capabilities: for example, they typically provide Firewall
capabilities. Firewalls is specifically out-of-scope of this capabilities. Firewalls is specifically out-of-scope of this
specification. However, this specification does cover the inherent specification: however, this specification does cover the inherent
filtering aspects of NAT. Many large Enterprise NATs also have filtering aspects of NAT.
additional requirements on security, multihoming and so forth, which
may impose further restrictions on the NAT capabilities. These extra
requirements specifically targeted at large Enterprise NATs are
outside the scope of this document. Furthermore, it is understood
that certain NATs, especially NATs that have to satisfy additional
requirements such as Firewall, may choose to be compliant to only
certain requirements from this specification.
Approaches using directly signaled control off the middle boxes such Approaches using directly signaled control off the middle boxes such
as Midcom, UPnP, or in-path signaling are out of scope. as Midcom, UPnP, or in-path signaling are out of scope.
UDP Relays are out of the scope of this document. UDP Relays are out of the scope of this document.
Application aspects are out of scope as the focus is strictly on the Application aspects are out of scope as the focus is strictly on the
NAT itself. NAT itself.
This document only covers the UDP Unicast aspects of NAT traversal This document only covers the UDP Unicast aspects of NAT traversal
and does not cover TCP, IPSEC, or other protocols. Since the and does not cover TCP, IPSEC, or other protocols. Since the
document is for UDP only, packet inspection below the UDP layer document is for UDP only, packet inspection below the UDP layer
(including RTP) is also out-of-scope. (including RTP) is also out-of-scope.
2. Introduction 2. Introduction
Network Address Translators (NAT) are well known to cause very Network Address Translators (NAT) are well known to cause very
significant problems with applications that carry IP addresses in the significant problems with applications that carry IP addresses in the
payload RFC 3027 [5]. Applications that suffer from this problem payload RFC 3027 [5]. Applications that suffer from this problem
include Voice Over IP and Multimedia Over IP (e.g., SIP [6] and H.323 include Voice Over IP and Multimedia Over IP (e.g., SIP [6] and H.323
[19]), as well as online gaming. [20]), as well as online gaming.
Many techniques are used to attempt to make realtime multimedia Many techniques are used to attempt to make realtime multimedia
applications, online games, and other applications work across NATs. applications, online games, and other applications work across NATs.
Application Level Gateways [3] are one such mechanism. STUN [7] Application Level Gateways [3] are one such mechanism. STUN [7]
describes a UNilateral Self-Address Translation (UNSAF) mechanism describes a UNilateral Self-Address Translation (UNSAF) mechanism
[2]. UDP Relays have also been used to enable applications across [2]. UDP Relays have also been used to enable applications across
NATs, but these are generally seen as a solution of last resort. ICE NATs, but these are generally seen as a solution of last resort. ICE
[16] describes a methodology for using many of these techniques and [16] describes a methodology for using many of these techniques and
avoiding a UDP Relay unless the type of NAT is such that it forces avoiding a UDP Relay unless the type of NAT is such that it forces
the use of such a UDP Relay. This specification defines requirements the use of such a UDP Relay. This specification defines requirements
for improving NATs. Meeting these requirements ensures that for improving NATs. Meeting these requirements ensures that
applications will not be forced to use UDP media relay. applications will not be forced to use UDP media relay.
Several recommendations regarding NATs for Peer-to-Peer media were
made in [17] and this specification derives some of its requirements
from that draft.
As pointed out in UNSAF [2], "From observations of deployed networks, As pointed out in UNSAF [2], "From observations of deployed networks,
it is clear that different NAT boxes' implementation vary widely in it is clear that different NAT boxes' implementation vary widely in
terms of how they handle different traffic and addressing cases." terms of how they handle different traffic and addressing cases."
This wide degree of variability is one part of what contributes to This wide degree of variability is one part of what contributes to
the overall brittleness introduced by NATs and makes it extremely the overall brittleness introduced by NATs and makes it extremely
difficult to predict how any given protocol will behave on a network difficult to predict how any given protocol will behave on a network
traversing NATs. Discussions with many of the major NAT vendors have traversing NATs. Discussions with many of the major NAT vendors have
made it clear that they would prefer to deploy NATs that were made it clear that they would prefer to deploy NATs that were
deterministic and caused the least harm to applications while still deterministic and caused the least harm to applications while still
meeting the requirements that caused their customers to deploy NATs meeting the requirements that caused their customers to deploy NATs
skipping to change at page 5, line 11 skipping to change at page 4, line 46
providers of services that have NAT traversal issues to make providers of services that have NAT traversal issues to make
statements about where their applications will work and where they statements about where their applications will work and where they
will not, as well as to specify their own NAT requirements. will not, as well as to specify their own NAT requirements.
3. Terminology 3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
A NAT that complies with all of the mandatory requirements of this
specification (i.e., the "MUST"), is "compliant with this
specification." A NAT that complies with all of the requirements of
this specification (i.e., including the "RECOMMENDED" and SHOULD) is
"fully compliant with all the mandatory and recommended requirements
of this specification."
Readers are urged to refer to RFC 2263 [3] for information on NAT Readers are urged to refer to RFC 2263 [3] for information on NAT
taxonomy and terminology. Traditional NAT is the most common type of taxonomy and terminology. Traditional NAT is the most common type of
NAT device deployed. Readers may refer to RFC 3022 [4] for detailed NAT device deployed. Readers may refer to RFC 3022 [4] for detailed
information on traditional NAT. Traditional NAT has two main information on traditional NAT. Traditional NAT has two main
varieties - Basic NAT and Network Address/Port Translator (NAPT). varieties - Basic NAT and Network Address/Port Translator (NAPT).
NAPT is by far the most commonly deployed NAT device. NAPT allows NAPT is by far the most commonly deployed NAT device. NAPT allows
multiple internal hosts to share a single public IP address multiple internal hosts to share a single public IP address
simultaneously. When an internal host opens an outgoing TCP or UDP simultaneously. When an internal host opens an outgoing TCP or UDP
session through a NAPT, the NAPT assigns the session a public IP session through a NAPT, the NAPT assigns the session a public IP
skipping to change at page 5, line 40 skipping to change at page 5, line 21
forwarded to the internal host. The effect is that the NAPT forwarded to the internal host. The effect is that the NAPT
establishes a NAT session to translate the (private IP address, establishes a NAT session to translate the (private IP address,
private port number) tuple to (public IP address, public port number) private port number) tuple to (public IP address, public port number)
tuple and vice versa for the duration of the session. An issue of tuple and vice versa for the duration of the session. An issue of
relevance to peer-to-peer applications is how the NAT behaves when an relevance to peer-to-peer applications is how the NAT behaves when an
internal host initiates multiple simultaneous sessions from a single internal host initiates multiple simultaneous sessions from a single
(private IP, private port) endpoint to multiple distinct endpoints on (private IP, private port) endpoint to multiple distinct endpoints on
the external network. In this specification, the term "NAT" refers the external network. In this specification, the term "NAT" refers
to both "Basic NAT" and "Network Address/Port Translator (NAPT)". to both "Basic NAT" and "Network Address/Port Translator (NAPT)".
This document uses the term "session" as defined in RFC 2663: This document uses the term "session" as defined in RFC 2663: "TCP/
"TCP/UDP sessions are uniquely identified by the tuple of (source IP UDP sessions are uniquely identified by the tuple of (source IP
address, source TCP/UDP ports, target IP address, target TCP/UDP address, source TCP/UDP ports, target IP address, target TCP/UDP
Port)." Port)."
This document uses the term "address and port mapping" as the This document uses the term "address and port mapping" as the
translation between an external address and port and an internal translation between an external address and port and an internal
address and port. Note that this is not the same as an "address address and port. Note that this is not the same as an "address
binding" as defined in RFC 2663. binding" as defined in RFC 2663.
RFC 3489 [7] defines a terminology for different NAT variations. In Earlier documents used the terms "Full Cone", "Restricted Cone",
particular, it uses the terms "Full Cone", "Restricted Cone", "Port "Port Restricted Cone" and "Symmetric" to refer to different
Restricted Cone" and "Symmetric" to refer to different variations of variations of NATs applicable to UDP only. Unfortunately, this
NATs applicable to UDP only. This specification refers to specific terminology has been the source of much confusion as it proved
individual NAT behaviors instead of using the Cone/Symmetric inadequate at describing real-life NAT behavior. This specification
terminology. The relationship between the Cone/Symmetric terminology therefore refers to specific individual NAT behaviors instead of
and the individual behaviors defined in this specification is using the Cone/Symmetric terminology.
described.
4. Network Address and Port Translation Behavior 4. Network Address and Port Translation Behavior
This section describes the various NAT behaviors applicable to NAT. This section describes the various NAT behaviors applicable to NAT.
4.1 Address and Port Mapping 4.1 Address and Port Mapping
When an internal endpoint opens an outgoing UDP session through a When an internal endpoint opens an outgoing UDP session through a
NAT, the NAT assigns the session an external IP address and port NAT, the NAT assigns the session an external IP address and port
number so that subsequent response packets from the external endpoint number so that subsequent response packets from the external endpoint
skipping to change at page 7, line 30 skipping to change at page 6, line 43
+-----+ n +-----+ n
a a
l l
The following address and port mapping behavior are defined: The following address and port mapping behavior are defined:
External NAT mapping is endpoint independent: External NAT mapping is endpoint independent:
The NAT reuses the port mapping for subsequent sessions The NAT reuses the port mapping for subsequent sessions
initiated from the same internal IP address and port (X:x) to initiated from the same internal IP address and port (X:x) to
any external IP address and port. Specifically, X1':x1' equals any external IP address and port. Specifically, X1':x1' equals
X2':x2' for all values of Y2:y2. From an RFC 3489 NAT X2':x2' for all values of Y2:y2.
perspective, this is a "Cone NAT" where the sub-type is really
based on the filtering behavior.
External NAT mapping is endpoint address dependent: External NAT mapping is endpoint address dependent:
The NAT reuses the port mapping for subsequent sessions The NAT reuses the port mapping for subsequent sessions
initiated from the same internal IP address and port (X:x) only initiated from the same internal IP address and port (X:x) only
for sessions to the same external IP address, regardless of the for sessions to the same external IP address, regardless of the
external port. Specifically, X1':x1' equals X2':x2' if, and external port. Specifically, X1':x1' equals X2':x2' if, and
only if, Y2 equals Y1. From an RFC 3489 NAT perspective, but only if, Y2 equals Y1.
not necessarily a filtering perspective, this is a "Symmetric
NAT".
External NAT mapping is endpoint address and port dependent: External NAT mapping is endpoint address and port dependent:
The NAT reuses the port mapping for subsequent sessions The NAT reuses the port mapping for subsequent sessions
initiated from the same internal IP address and port (X:x) only initiated from the same internal IP address and port (X:x) only
for sessions to the same external and port. Specifically, for sessions to the same external and port. Specifically,
X1':x1' equals X2':x2' if, and only if, Y2:y2 equals Y1:y1. X1':x1' equals X2':x2' if, and only if, Y2:y2 equals Y1:y1.
From an RFC 3489 NAT perspective, but not necessarily a
filtering perspective, this is a "Symmetric NAT".
It is important to note that these three possible choices make no It is important to note that these three possible choices make no
difference to the security properties of the NAT. The security difference to the security properties of the NAT. The security
properties are fully determined by which packets the NAT allows in properties are fully determined by which packets the NAT allows in
and which it does not. This is determined by the filtering behavior and which it does not. This is determined by the filtering behavior
in the filtering portions of the NAT. in the filtering portions of the NAT.
Some NATs are capable of assigning IP addresses from a pool of IP Some NATs are capable of assigning IP addresses from a pool of IP
addresses on the external side of the NAT, as opposed to just a addresses on the external side of the NAT, as opposed to just a
single IP address. This is especially common with larger NATs. Some single IP address. This is especially common with larger NATs. Some
NATs use the external IP address mapping in an arbitrary fashion NATs use the external IP address mapping in an arbitrary fashion
(i.e. randomly): one internal IP address could have multiple (i.e. randomly): one internal IP address could have multiple external
external IP address mappings active at the same time for different IP address mappings active at the same time for different sessions.
sessions. These NATs have an "IP address pooling" behavior of These NATs have an "IP address pooling" behavior of "Arbitrary".
"Arbitrary". Some large Enterprise NATs use an IP address pooling Some large Enterprise NATs use an IP address pooling behavior of
behavior of "Arbitrary" as a means of hiding the IP address assigned "Arbitrary" as a means of hiding the IP address assigned to specific
to specific endpoints by making their assignment less predictable. endpoints by making their assignment less predictable. Other NATs
Other NATs use the same external IP address mapping for all sessions use the same external IP address mapping for all sessions associated
associated with the same internal IP address. These NATs have an "IP with the same internal IP address. These NATs have an "IP address
address pooling" behavior of "Paired." NATs that use an "IP address pooling" behavior of "Paired." NATs that use an "IP address pooling"
pooling" behavior of "arbitrary" can cause issues for applications behavior of "arbitrary" can cause issues for applications that use
that use multiple ports from the same endpoint but do not negotiate multiple ports from the same endpoint but do not negotiate IP
IP addresses individually (e.g., some applications using RTP and addresses individually (e.g., some applications using RTP and RTCP).
RTCP).
4.2 Port Assignment 4.2 Port Assignment
4.2.1 Port Assignment Behavior 4.2.1 Port Assignment Behavior
This section uses the following diagram for reference. This section uses the following diagram for reference.
E E
+-------+ +-------+ x +-------+ +-------+ x
| Y1 | | Y2 | t | Y1 | | Y2 | t
skipping to change at page 10, line 11 skipping to change at page 9, line 11
endpoints are establishing sessions to the same external destination. endpoints are establishing sessions to the same external destination.
Most applications fail in some cases with "Port Overloading". It is Most applications fail in some cases with "Port Overloading". It is
clear that "Port Overloading" behavior will result in many problems. clear that "Port Overloading" behavior will result in many problems.
For example it will fail if two internal endpoints try to reach the For example it will fail if two internal endpoints try to reach the
same external destination, e.g., a server used by both endpoints such same external destination, e.g., a server used by both endpoints such
as a SIP proxy, or a web server, etc.) as a SIP proxy, or a web server, etc.)
When NATs do allocate a new source port, there is the issue of which When NATs do allocate a new source port, there is the issue of which
IANA-defined range of port to choose. The ranges are "well-known" IANA-defined range of port to choose. The ranges are "well-known"
from 0 to 1023, "registered" from 1024 to 49151, and from 0 to 1023, "registered" from 1024 to 49151, and "dynamic/
"dynamic/private" from 49152 through 65535. For most protocols, private" from 49152 through 65535. For most protocols, these are
these are destination ports and not source ports, so mapping a source destination ports and not source ports, so mapping a source port to a
port to a source port that is already registered is unlikely to have source port that is already registered is unlikely to have any bad
any bad effects. Some NATs may choose to use only the ports in the effects. Some NATs may choose to use only the ports in the dynamic
dynamic range; the only down side of this practice is that it limits range; the only down side of this practice is that it limits the
the number of ports available. Other NAT devices may use everything number of ports available. Other NAT devices may use everything but
but the well-known range and may prefer to use the dynamics range the well-known range and may prefer to use the dynamics range first
first or possibly avoid the actual registered ports in the registered or possibly avoid the actual registered ports in the registered
range. Other NATs preserve the port range if it is in the well-known range. Other NATs preserve the port range if it is in the well-known
range. It should be noted that port 0 is reserved and must not be range. It should be noted that port 0 is reserved and must not be
used. used.
4.2.2 Port Parity 4.2.2 Port Parity
Some NATs preserve the parity of the UDP port, i.e., an even port Some NATs preserve the parity of the UDP port, i.e., an even port
will be mapped to an even port, and an odd port will be mapped to an will be mapped to an even port, and an odd port will be mapped to an
odd port. This behavior respects the RFC 3550 [8] rule that RTP use odd port. This behavior respects the RFC 3550 [8] rule that RTP use
even ports, and RTCP use odd ports. Some NATs preserve the parity of even ports, and RTCP use odd ports. Some NATs preserve the parity of
skipping to change at page 12, line 24 skipping to change at page 11, line 24
The key behavior to describe is what criteria are used by the NAT to The key behavior to describe is what criteria are used by the NAT to
filter packets originating from specific external endpoints. filter packets originating from specific external endpoints.
External filtering is endpoint independent: External filtering is endpoint independent:
The NAT filters out only packets not destined to the internal The NAT filters out only packets not destined to the internal
address and port X:x, regardless of the external IP address and address and port X:x, regardless of the external IP address and
port source (Z:z). The NAT forwards any packets destined to port source (Z:z). The NAT forwards any packets destined to
X:x. In other words, sending packets from the internal side of X:x. In other words, sending packets from the internal side of
the NAT to any external IP address is sufficient to allow any the NAT to any external IP address is sufficient to allow any
packets back to the internal endpoint. From an RFC 3489 packets back to the internal endpoint.
filtering perspective, this is a "Full Cone NAT".
External filtering is endpoint address dependent: External filtering is endpoint address dependent:
The NAT filters out packets not destined to the internal The NAT filters out packets not destined to the internal
address X:x. Additionally, the NAT will filter out packets address X:x. Additionally, the NAT will filter out packets
from Y:y destined for the internal endpoint X:x if X:x has not from Y:y destined for the internal endpoint X:x if X:x has not
sent packets to Y previously (independently of the port used by sent packets to Y previously (independently of the port used by
Y). In other words, for receiving packets from a specific Y). In other words, for receiving packets from a specific
external endpoint, it is necessary for the internal endpoint to external endpoint, it is necessary for the internal endpoint to
send packets first to that specific external endpoint's IP send packets first to that specific external endpoint's IP
address. From an RFC 3489 filtering perspective, this is a address.
"Restricted Cone NAT".
External filtering is endpoint address and port dependent: External filtering is endpoint address and port dependent:
This is similar to the previous behavior, except that the This is similar to the previous behavior, except that the
external port is also relevant. The NAT filters out packets external port is also relevant. The NAT filters out packets
not destined for the internal address X:x. Additionally, the not destined for the internal address X:x. Additionally, the
NAT will filter out packets from Y:y destined for the internal NAT will filter out packets from Y:y destined for the internal
endpoint X:x if X:x has not sent packets to Y:y previously. In endpoint X:x if X:x has not sent packets to Y:y previously. In
other words, for receiving packets from a specific external other words, for receiving packets from a specific external
endpoint, it is necessary for the internal endpoint to send endpoint, it is necessary for the internal endpoint to send
packets first to that external endpoint's IP address and port. packets first to that external endpoint's IP address and port.
From an RFC 3489 filtering perspective, this is either a "Port
Restricted Cone NAT" or a "Symmetric NAT" as they both have the
same filtering behavior.
5.2 NAT Filter Refresh 5.2 NAT Filter Refresh
The time for which a NAT filter is valid can be refreshed based on The time for which a NAT filter is valid can be refreshed based on
packets that are inbound, outbound, or going either direction. In packets that are inbound, outbound, or going either direction. In
the case of "External Filtering" of "Address dependent" or "Address the case of "External Filtering" of "Address dependent" or "Address
and port dependent" NATs, the scope of the refresh could include the and port dependent" NATs, the scope of the refresh could include the
filters for just the particular port and destination or for all the filters for just the particular port and destination or for all the
ports and destinations sharing the same external address and port on ports and destinations sharing the same external address and port on
the NAT. the NAT.
6. Relationship with Cone and Symmetric NAT Terminology 6. Hairpinning Behavior
This section describes the relationship between the Network Address
and Port and Filtering behaviors defined in this document, and the
Cone/Symmetric NAT terminology described in RFC 3489.
RFC 3489 defines the following variations. They have been slightly
paraphrased for emphasizing the mapping behavior and the filtering
behavior.
Full Cone:
1. A full cone NAT is one where all requests from the same
internal IP address and port are mapped to the same external
IP address and port.
2. Furthermore, any external host can send a packet to the
internal host, by sending a packet to the mapped external
address.
Restricted Cone:
1. A restricted cone NAT is one where all requests from the same
internal IP address and port are mapped to the same external
IP address and port.
2. Unlike a full cone NAT, an external host (with IP address X)
can send a packet to the internal host only if the internal
host had previously sent a packet to IP address X.
Port Restricted Cone:
1. A port restricted cone NAT is one where all requests from the
same internal IP address and port are mapped to the same
external IP address and port.
2. The restriction includes port numbers. Specifically, an
external host can send a packet, with source IP address X and
source port P, to the internal host only if the internal host
had previously sent a packet to IP address X and port P.
Symmetric:
1. A symmetric NAT is one where all requests from the same
internal IP address and port, to a specific destination IP
address and port, are mapped to the same external IP address
and port. If the same host sends a packet with the same
source address and port, but to a different destination, a
different mapping is used.
2. Furthermore, only the external host that receives a packet can
send a UDP packet back to the internal host.
Unfortunately, this terminology defined in RFC 3489 has been the
source of much confusion. This terminology does not distinguish
between the mapping behavior (conditions 1 above) and the filtering
behavior (conditions 2 above).
The inferred definition of "Cone NAT" is quite clear since the same
definition is used for all variations of Cone NAT:
o A cone NAT is one where all requests from the same internal IP
address and port are mapped to the same address and port.
A "Cone NAT" therefore only refers to the Network Address and Port
mapping behavior. This maps to the "External NAT mapping is endpoint
independent" defined in this specification.
The terms "Full", "Restricted", "Port Restricted" refers to their
filtering behavior. They map respectively to the "External filtering
is endpoint independent", "External filtering is endpoint address
dependent" and "External filtering is address and port dependent"
behaviors.
However, the Symmetric NAT definition is more troublesome as it
bundles together the mapping and the filtering definitions.
Condition 1 of the Symmetric NAT definition is the NAT behavior and
condition 2 is the filtering behavior. However, they are not
necessarily dependent: we have observed NATs that will conform to
condition (1) but not to (2). Using RFC 3489, this type of NAT would
be detected as a "Cone NAT" since it uses condition (2). Using a
different algorithm such as the one described in NATCHECK [20] which
uses condition (1), the same NAT would be detected as a "Symmetric
NAT". If the endpoint receiving the media has a permissive policy on
accepting media, condition (2) is more appropriate, but if it has a
restrictive policy, condition (1) is more appropriate. Some view the
"real" definition of Symmetric NAT to be condition 1 while others
believes it is condition 2.
It was found that many devices' behaviors do not exactly fit into the
described variations. For example, a device could be symmetric from
a filtering point of view and Cone from a NAT point of view. Other
aspects of NATs are not covered by this terminology: for example,
many NATs will switch over from basic NAT (preserving ports) to NAPT
(mapping ports) in order to preserve ports when possible.
The relationship between the RFC 3489 and the behaviors described in
this document is easier to describe in a table:
------------------------------------------------
|| External Filtering Behavior |
-------------------++---------------------------------------------|
| External NAT || Endpoint | Endpoint | Endpoint |
| Mapping Behavior || Independent | Address | Address/Port |
| || | Dependent | Dependent |
|=================================================================|
| Endpoint || Full | Restricted | Port Restricted |
| Independent || Cone | Cone | Cone |
|------------------++-------------+-------------+-----------------|
| Endpoint Address || Symmetric~ | Symmetric~ | Symmetric~ |
| Dependent || (a) | (a, 2) | (a, b) |
|------------------++-------------+-------------+-----------------|
| Endpoint Address || Symmetric~ | Symmetric | Symmetric~ |
| /Port Dependent || (1) | (1, 2) | (1, b) |
-------------------------------------------------------------------
Where:
1. Satisfies condition 1 for Symmetric NAT: "All requests from the
same internal IP address and port to a specific destination
address and port are mapped to the same external IP address and
port. If a host sends a packet with the same source address and
port to different destination addresses or ports, a different
mapping is used for each."
2. Satisfies condition 2 for Symmetric NAT: "Furthermore, only the
external host that receives a packet can send a UDP packet back
to the internal host."
And:
a) This is a variation on condition (1), but where the destination
port is not of any consequence.
b) This one is a variation on condition (2) which is more restrictive
and not covered in the definition of Symmetric: "Furthermore, only
packets originating from a port of the external host that has
received packets already on that port will be forwarded."
If conditions (1) and (2), but not (b) are met, this is a Symmetric
NAT as per the definition of RFC 3489. This is denoted as
"Symmetric" in the table. Otherwise, the NAT is not quite Symmetric
and is denoted as "Symmetric~". In some cases these Symmetric~ NATs
are slightly more restrictive than a real Symmetric NAT, and in other
cases they are more permissive.
7. Hairpinning Behavior
If two hosts (called X1 and X2) are behind the same NAT and If two hosts (called X1 and X2) are behind the same NAT and
exchanging traffic, the NAT may allocate an address on the outside of exchanging traffic, the NAT may allocate an address on the outside of
the NAT for X2, called X2':x2'. If X1 sends traffic to X2':x2', it the NAT for X2, called X2':x2'. If X1 sends traffic to X2':x2', it
goes to the NAT, which must relay the traffic from X1 to X2. This is goes to the NAT, which must relay the traffic from X1 to X2. This is
referred to as hairpinning and is illustrated below. referred to as hairpinning and is illustrated below.
NAT NAT
+----+ from X1:x1 to X2':x2' +-----+ X1':x1' +----+ from X1:x1 to X2':x2' +-----+ X1':x1'
| X1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+--- | X1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+---
skipping to change at page 16, line 41 skipping to change at page 12, line 43
X2:x2, back to that internal address X2:x2. Note that typically X1' X2:x2, back to that internal address X2:x2. Note that typically X1'
is the same as X2'. is the same as X2'.
Furthermore, the NAT may present the hairpinned packet with either an Furthermore, the NAT may present the hairpinned packet with either an
internal or an external source IP address and port. The hairpinning internal or an external source IP address and port. The hairpinning
NAT behavior can therefore be either "External source IP address and NAT behavior can therefore be either "External source IP address and
port" or "Internal source IP address and port". "Internal source IP port" or "Internal source IP address and port". "Internal source IP
address and port" may cause problems by confusing an implementation address and port" may cause problems by confusing an implementation
that is expecting an external IP address and port. that is expecting an external IP address and port.
8. Application Level Gateways 7. Application Level Gateways
Certain NATs have implemented Application Level Gateways (ALGs) for Certain NATs have implemented Application Level Gateways (ALGs) for
various protocols, including protocols for negotiating peer-to-peer various protocols, including protocols for negotiating peer-to-peer
UDP sessions. UDP sessions such as SIP.
Certain NATs have these ALGs turned on permanently, others have them Certain NATs have these ALGs turned on permanently, others have them
turned on by default but let them be be turned off, and others have turned on by default but let them be be turned off, and others have
them turned off by default but let them be turned on. them turned off by default but let them be turned on.
NAT ALGs may interfere with UNSAF methods and must therefore be used NAT ALGs may interfere with UNSAF methods and must therefore be used
with extreme caution. with extreme caution.
9. Deterministic Properties 8. Deterministic Properties
The classification of NATs is further complicated by the fact that The classification of NATs is further complicated by the fact that
under some conditions the same NAT will exhibit different behaviors. under some conditions the same NAT will exhibit different behaviors.
This has been seen on NATs that preserve ports or have specific This has been seen on NATs that preserve ports or have specific
algorithms for selecting a port other than a free one. If the algorithms for selecting a port other than a free one. If the
external port that the NAT wishes to use is already in use by another external port that the NAT wishes to use is already in use by another
session, the NAT must select a different port. This results in session, the NAT must select a different port. This results in
different code paths for this conflict case, which results in different code paths for this conflict case, which results in
different behavior. different behavior.
skipping to change at page 18, line 5 skipping to change at page 14, line 6
Non-deterministic NATs generally change behavior when a conflict of Non-deterministic NATs generally change behavior when a conflict of
some sort happens, i.e. when the port that would normally be used is some sort happens, i.e. when the port that would normally be used is
already in use by another mapping. The NAT mapping and External already in use by another mapping. The NAT mapping and External
Filtering in the absence of conflict is referred to as the Primary Filtering in the absence of conflict is referred to as the Primary
behavior. The behavior after the first conflict is referred to as behavior. The behavior after the first conflict is referred to as
Secondary and after the second conflict is referred to as Tertiary. Secondary and after the second conflict is referred to as Tertiary.
No NATs have been observed that change on further conflicts but it is No NATs have been observed that change on further conflicts but it is
certainly possible that they exist. certainly possible that they exist.
10. ICMP Behavior 9. ICMP Behavior
When a NAT sends a UDP packet towards a host on the other side of the When a NAT sends a UDP packet towards a host on the other side of the
NAT, an ICMP message may be sent in response to that packet. That NAT, an ICMP message may be sent in response to that packet. That
ICMP message may be sent by the destination host or by any router ICMP message may be sent by the destination host or by any router
along the network path. The NAT's default configuration SHOULD NOT along the network path. The NAT's default configuration SHOULD NOT
filter ICMP messages based on their source IP address. Such ICMP filter ICMP messages based on their source IP address. Such ICMP
messages SHOULD be rewritten by the NAT (specifically the IP headers messages SHOULD be rewritten by the NAT (specifically the IP headers
and the ICMP payload) and forwarded to the appropriate internal or and the ICMP payload) and forwarded to the appropriate internal or
external host. The NAT needs to perform this function for as long as external host. The NAT needs to perform this function for as long as
the UDP mapping is active. Receipt of any sort of ICMP message MUST the UDP mapping is active. Receipt of any sort of ICMP message MUST
skipping to change at page 18, line 29 skipping to change at page 14, line 30
There is no significant security advantage to blocking ICMP There is no significant security advantage to blocking ICMP
Destination Unreachable packets. Destination Unreachable packets.
Additionally, blocking ICMP Destination Unreachable packets can Additionally, blocking ICMP Destination Unreachable packets can
interfere with application failover, UDP Path MTU Discovery (see interfere with application failover, UDP Path MTU Discovery (see
RFC1191 [10] and RFC1435 [15]), and with traceroute. Blocking any RFC1191 [10] and RFC1435 [15]), and with traceroute. Blocking any
ICMP message is discouraged, and blocking ICMP Destination ICMP message is discouraged, and blocking ICMP Destination
Unreachable is strongly discouraged. Unreachable is strongly discouraged.
11. Fragmentation of Packets 10. Fragmentation of Packets
When sending a packet, there are two situations that may cause IP When sending a packet, there are two situations that may cause IP
fragmentation for packets from the inside to the outside. It is fragmentation for packets from the inside to the outside. It is
worth noting that many IP stacks do not use Path MTU Discovery with worth noting that many IP stacks do not use Path MTU Discovery with
UDP packets. UDP packets.
11.1 Smaller Adjacent MTU 10.1 Smaller Adjacent MTU
The first situation is when the MTU of the adjacent link is too The first situation is when the MTU of the adjacent link is too
small. This can occur if the NAT is doing PPPoE, or if the NAT has small. This can occur if the NAT is doing PPPoE, or if the NAT has
been configured with a small MTU to reduce serialization delay when been configured with a small MTU to reduce serialization delay when
sending large packets and small, higher-priority packets. sending large packets and small, higher-priority packets.
The packet could have its Don't Fragment bit set to 1 (DF=1) or 0 The packet could have its Don't Fragment bit set to 1 (DF=1) or 0
(DF=0). (DF=0).
If the packet has DF=1, the NAT should send back an ICMP message If the packet has DF=1, the NAT should send back an ICMP message
"fragmentation needed and DF set" message to the host as described in "fragmentation needed and DF set" message to the host as described in
RFC 792 [13]. RFC 792 [13].
If the packet has DF=0, the NAT should fragment the packet and send If the packet has DF=0, the NAT should fragment the packet and send
the fragments, in order. This is the same function a router performs the fragments, in order. This is the same function a router performs
in a similar situation RFC 1812 [14]. in a similar situation RFC 1812 [14].
NATs that operate as described in this section are described as NATs that operate as described in this section are described as
"Supports Fragmentation" (abbreviated SF). "Supports Fragmentation" (abbreviated SF).
11.2 Smaller Network MTU 10.2 Smaller Network MTU
The second situation is when the MTU on some link in the middle of The second situation is when the MTU on some link in the middle of
the network that is not the adjacent link is too small. If DF=0, the the network that is not the adjacent link is too small. If DF=0, the
router adjacent to the small-MTU segment will fragment the packet and router adjacent to the small-MTU segment will fragment the packet and
forward the fragments RFC 1812. forward the fragments RFC 1812.
If DF=1, the router adjacent to the small-MTU segment will send the If DF=1, the router adjacent to the small-MTU segment will send the
ICMP message "fragmentation needed and DF set" back towards the NAT. ICMP message "fragmentation needed and DF set" back towards the NAT.
The NAT needs to forward this ICMP message to the inside host. The NAT needs to forward this ICMP message to the inside host.
The classification of NATs that perform this behavior is covered in The classification of NATs that perform this behavior is covered in
the ICMP section of this document. the ICMP section of this document.
12. Receiving Fragmented Packets 11. Receiving Fragmented Packets
For a variety of reasons, a NAT may receive a fragmented UDP packet. For a variety of reasons, a NAT may receive a fragmented UDP packet.
The IP packet containing the UDP header could arrive first or last The IP packet containing the UDP header could arrive first or last
depending on network conditions, packet ordering, and the depending on network conditions, packet ordering, and the
implementation of the IP stack that generated the fragments. implementation of the IP stack that generated the fragments.
A NAT that is capable only of receiving UDP fragments in order (that A NAT that is capable only of receiving UDP fragments in order (that
is, with the UDP header in the first packet) and forwarding each of is, with the UDP header in the first packet) and forwarding each of
the fragments to the internal host is described as "Received the fragments to the internal host is described as "Received
Fragments Ordered". Fragments Ordered".
A NAT that is capable of receiving UDP fragments in or out of order A NAT that is capable of receiving UDP fragments in or out of order
and forwarding the individual packets (or a reassembled packet) to and forwarding the individual packets (or a reassembled packet) to
the internal host is referred to as "Receive Fragments Out of Order". the internal host is referred to as "Receive Fragments Out of Order".
See the Security Considerations section of this document for a See the Security Considerations section of this document for a
discussion of this behavior. discussion of this behavior.
A NAT that is neither of these is referred to as "Receive Fragments A NAT that is neither of these is referred to as "Receive Fragments
None". None".
13. Requirements 12. Requirements
The requirements in this section are aimed at minimizing the The requirements in this section are aimed at minimizing the
complications caused by NATs to applications such as realtime complications caused by NATs to applications such as realtime
communications and online gaming. communications and online gaming.
It should be understood, however, that applications normally do not It should be understood, however, that applications normally do not
know in advance if the NAT conforms to the recommendations defined in know in advance if the NAT conforms to the recommendations defined in
this section. Peer-to-peer media applications still need to use this section. Peer-to-peer media applications still need to use
normal procedures such as ICE [16] . normal procedures such as ICE [16] .
skipping to change at page 20, line 17 skipping to change at page 16, line 20
specification." A NAT that supports all of the requirements of this specification." A NAT that supports all of the requirements of this
specification (i.e., included the "RECOMMENDED") is "fully compliant specification (i.e., included the "RECOMMENDED") is "fully compliant
with all the mandatory and recommended requirements of this with all the mandatory and recommended requirements of this
specification." specification."
REQ-1 A NAT MUST have an "External NAT mapping is endpoint REQ-1 A NAT MUST have an "External NAT mapping is endpoint
independent" behavior. independent" behavior.
REQ-2 It is RECOMMENDED that a NAT have an "IP address pooling" REQ-2 It is RECOMMENDED that a NAT have an "IP address pooling"
behavior of "Paired". Note that this requirement is not behavior of "Paired". Note that this requirement is not
applicable to NATs that do not support IP address pooling. applicable to NATs that do not support IP address pooling.
REQ-3 It is RECOMMENDED that a NAT have a "Port assignment" behavior REQ-3 IA NAT MUST NOT have a "Port assignment" behavior of "Port
of "No port preservation".
a) NAT MAY use a "Port assignment" behavior of "Port
preservation".
b) A NAT MUST NOT have a "Port assignment" behavior of "Port
overloading". overloading".
c) If the host's source port was in the range 1-1023, it is a) If the host's source port was in the range 1-1023, it is
RECOMMENDED the NAT's source port also be in the same RECOMMENDED the NAT's source port also be in the same
range. If the host's source port was in the range range. If the host's source port was in the range 1024-
1024-65535, it is RECOMMENDED that the NAT's source port 65535, it is RECOMMENDED that the NAT's source port also be
also be in that range. in that range.
REQ-4 It is RECOMMENDED that a NAT have a "Port parity preservation" REQ-4 It is RECOMMENDED that a NAT have a "Port parity preservation"
behavior of "Yes". behavior of "Yes".
REQ-5 A NAT UDP mapping timer MUST NOT expire in less than 2 REQ-5 A NAT UDP mapping timer MUST NOT expire in less than 2
minutes. minutes.
a) The value of the NAT UDP mapping timer MAY be configurable. a) The value of the NAT UDP mapping timer MAY be configurable.
b) A default value of 5 minutes for the NAT UDP mapping timer b) A default value of 5 minutes for the NAT UDP mapping timer
is RECOMMENDED. is RECOMMENDED.
REQ-6 The NAT mapping Refresh Direction MUST have a "NAT Outbound REQ-6 The NAT mapping Refresh Direction MUST have a "NAT Outbound
refresh behavior" of "True". refresh behavior" of "True".
a) The NAT mapping Refresh Direction MAY have a "NAT Inbound a) The NAT mapping Refresh Direction MAY have a "NAT Inbound
refresh behavior" of "True". refresh behavior" of "True".
b) The NAT mapping Refresh Direction MUST have a "NAT refresh b) The NAT mapping Refresh Direction MUST have a "NAT refresh
method behavior" of "Per mapping" (i.e. refresh all method behavior" of "Per mapping" (i.e. refresh all
sessions active on a particular mapping). sessions active on a particular mapping).
REQ-7 It is RECOMMENDED that a NAT have an "External filtering is REQ-7 It is RECOMMENDED that a NAT have an "External filtering is
endpoint address dependent" behavior. endpoint address dependent" behavior.
REQ-8 A NAT MUST support "Hairpinning". REQ-8 A NAT MUST support "Hairpinning".
a) A NAT Hairpinning behavior MUST be "External source IP a) A NAT Hairpinning behavior MUST be "External source IP
address and port". address and port".
REQ-9 If a NAT includes ALGs, it is RECOMMENDED that all of those REQ-9 If a NAT includes ALGs, it is RECOMMENDED that all of those
ALGs be disabled by default. ALGs (except for DNS [19] and FTP [18]) be disabled by
default.
a) If a NAT includes ALGs, it is RECOMMENDED that the NAT a) If a NAT includes ALGs, it is RECOMMENDED that the NAT
allow the user to enable or disable each ALG separately. allow the user to enable or disable each ALG separately.
REQ-10 A NAT MUST have deterministic behavior, i.e., it MUST NOT REQ-10 A NAT MUST have deterministic behavior, i.e., it MUST NOT
change the NAT mapping or the External External Filtering change the NAT mapping or the External External Filtering
Behavior at any point in time or under any particular Behavior at any point in time or under any particular
conditions. conditions.
REQ-11 It is RECOMMENDED that a NAT support ICMP Destination REQ-11 It is RECOMMENDED that a NAT support ICMP Destination
Unreachable. Unreachable.
a) The ICMP timeout SHOULD be greater than 2 seconds. a) The ICMP timeout SHOULD be greater than 2 seconds.
REQ-12 A NAT MUST support fragmentation of packets larger than link REQ-12 A NAT MUST support fragmentation of packets larger than link
MTU. MTU.
REQ-13 A NAT MUST support receiving in order fragments, so it MUST be REQ-13 A NAT MUST support receiving in order fragments, so it MUST be
skipping to change at page 21, line 20 skipping to change at page 17, line 22
Unreachable. Unreachable.
a) The ICMP timeout SHOULD be greater than 2 seconds. a) The ICMP timeout SHOULD be greater than 2 seconds.
REQ-12 A NAT MUST support fragmentation of packets larger than link REQ-12 A NAT MUST support fragmentation of packets larger than link
MTU. MTU.
REQ-13 A NAT MUST support receiving in order fragments, so it MUST be REQ-13 A NAT MUST support receiving in order fragments, so it MUST be
"Received Fragment Ordered" or "Received Fragment Out of "Received Fragment Ordered" or "Received Fragment Out of
Order". Order".
a) A NAT MAY support receiving fragmented packets that are out a) A NAT MAY support receiving fragmented packets that are out
of order and be of type "Received Fragment Out of Order". of order and be of type "Received Fragment Out of Order".
13.1 Requirement Discussion 12.1 Requirement Discussion
This section describes why each of these requirements was chosen and This section describes why each of these requirements was chosen and
the consequences of violating any of them: the consequences of violating any of them:
REQ-1 In order for UNSAF methods to work, REQ-1 needs to be met. REQ-1 In order for UNSAF methods to work, REQ-1 needs to be met.
Failure to meet REQ-1 will force the use of a Media Relay Failure to meet REQ-1 will force the use of a Media Relay
which is very often impractical. which is very often impractical.
REQ-2 This will allow applications that use multiple ports REQ-2 This will allow applications that use multiple ports
originating from the same internal IP address to also have the originating from the same internal IP address to also have the
same external IP address. This is to avoid breaking same external IP address. This is to avoid breaking peer-to-
peer-to-peer applications which are not capable of negotiating peer applications which are not capable of negotiating the IP
the IP address for RTP and the IP address for RTCP separately. address for RTP and the IP address for RTCP separately. As
As such it is envisioned that this requirement will become such it is envisioned that this requirement will become less
less important as applications become NAT-friendlier with important as applications become NAT-friendlier with time.
time. The main reason why this requirement is here is because The main reason why this requirement is here is because in a
in a peer-to-peer application, you are subject to the other peer-to-peer application, you are subject to the other peer's
peer's mistake. In particular, in the context of SIP, if my mistake. In particular, in the context of SIP, if my
application supports the extensions defined in RFC 3605 [9] application supports the extensions defined in RFC 3605 [9]
for indicating RTP and RTCP addresses and ports separately, for indicating RTP and RTCP addresses and ports separately,
but the other peer does not, there may still be breakage in but the other peer does not, there may still be breakage in
the form of lost of the RTP stream. This requirements will the form of lost of the RTP stream. This requirements will
avoid the loss of RTP in this context, although the loss of avoid the loss of RTP in this context, although the loss of
RTCP may be inevitable in this particular example. It is also RTCP may be inevitable in this particular example. It is also
worth noting that RFC 3605 is unfortunately not a mandatory worth noting that RFC 3605 is unfortunately not a mandatory
part of SIP (i.e., RFC 3261). This requirement will therefore part of SIP (i.e., RFC 3261). This requirement will therefore
address a particularly nasty problem that will prevail for a address a particularly nasty problem that will prevail for a
significant amount of time. significant amount of time.
REQ-3 NATs that implement port preservation have to deal with
REQ-3 This requirement must be met in order to enable two
applications on the internal side of the NAT both to use the
same port to try to communicate with the same destination.
NATs that implement port preservation have to deal with
conflicts on ports, and the multiple code paths this conflicts on ports, and the multiple code paths this
introduces often result in nondeterministic behavior. introduces often result in nondeterministic behavior.
However, it should be understood that a NAT that when a port
c) Port preservation can work, but the NAT implementors need is randomly assigned, it may just randomly happen to be
to be very careful that it does not become a assigned the same port. Applications must therefore be able
nondeterministic NAT. to deal with both port preservation, and no port preservation.
d) REQ-2b must be met in order to enable two applications on a) Certain applications expect the source UDP port to be in
the internal side of the NAT both to use the same port to
try to communicate with the same destination.
e) Certain applications expect the source UDP port to be in
the well-known range. See RFC 2623 for an example. the well-known range. See RFC 2623 for an example.
REQ-4 This is to avoid breaking peer-to-peer applications which do REQ-4 This is to avoid breaking peer-to-peer applications which do
not explicity and separately specify RTP and RTCP port numbers not explicity and separately specify RTP and RTCP port numbers
and which follow the RFC 3550 rule to decrement an odd RTP and which follow the RFC 3550 rule to decrement an odd RTP
port to make it even. The same considerations as per the IP port to make it even. The same considerations as per the IP
address pooling requirement apply. address pooling requirement apply.
REQ-5 This requirement is to ensure that the timeout is long enough REQ-5 This requirement is to ensure that the timeout is long enough
to avoid too frequent timer refresh packets. to avoid too frequent timer refresh packets.
a) Configuration is desirable for adapting to specific a) Configuration is desirable for adapting to specific
networks and troubleshooting. networks and troubleshooting.
skipping to change at page 22, line 46 skipping to change at page 19, line 4
the port open. In theory, filtering based on both IP address the port open. In theory, filtering based on both IP address
and port is more secure than filtering based only on the IP and port is more secure than filtering based only on the IP
address (because the external endpoint could in reality be two address (because the external endpoint could in reality be two
endpoints behind another NAT, where one of the two endpoints endpoints behind another NAT, where one of the two endpoints
is an attacker). However, such a restrictive policy could is an attacker). However, such a restrictive policy could
interfere with certain applications that use more than one interfere with certain applications that use more than one
port. port.
REQ-8 This requirement is to allow communications between two REQ-8 This requirement is to allow communications between two
endpoints behind the same NAT when they are trying each endpoints behind the same NAT when they are trying each
other's external IP addresses. other's external IP addresses.
a) Using the external IP address is necessary for applications a) Using the external IP address is necessary for applications
with a restrictive policy of not accepting packets from IP with a restrictive policy of not accepting packets from IP
addresses that differ from what is expected. addresses that differ from what is expected.
REQ-9 NAT ALGs may interfere with UNSAF methods. REQ-9 NAT ALGs may interfere with UNSAF methods.
a) This requirement allows the user to enable ALGs which are a) This requirement allows the user to enable ALGs which are
necessary to aid operation of some applications without necessary to aid operation of some applications without
enabling ALGs which interfere with operation of other enabling ALGs which interfere with operation of other
applications. applications.
REQ-10 Non-deterministic NATs are very difficult to troubleshoot REQ-10 Non-deterministic NATs are very difficult to troubleshoot
because they require more intensive testing. This because they require more intensive testing. This non-
non-deterministic behavior is the root cause of much of the deterministic behavior is the root cause of much of the
uncertainty that NATs introduce about whether or not uncertainty that NATs introduce about whether or not
applications will work. applications will work.
REQ-11 This is easy to do, is used for many things including MTU REQ-11 This is easy to do, is used for many things including MTU
discovery and rapid detection of error conditions, and has no discovery and rapid detection of error conditions, and has no
negative consequences. negative consequences.
REQ-12 Fragmented packets become more common with large video packets REQ-12 Fragmented packets become more common with large video packets
and should continue to work. Applications can use MTU and should continue to work. Applications can use MTU
discovery to work around this problem. discovery to work around this problem.
REQ-13 See Security Considerations. REQ-13 See Security Considerations.
14. Security Considerations 13. Security Considerations
NATs are often deployed to achieve security goals. Most of the NATs are often deployed to achieve security goals. Most of the
recommendations and requirements in this document do not affect the recommendations and requirements in this document do not affect the
security properties of these devices, but a few of them do have security properties of these devices, but a few of them do have
security implications and are discussed in this section. security implications and are discussed in this section.
This work recommends that the timers for mapping be refreshed only on This work recommends that the timers for mapping be refreshed only on
outgoing packets and does not make recommendations about whether or outgoing packets and does not make recommendations about whether or
not inbound packets should update the timers. If inbound packets not inbound packets should update the timers. If inbound packets
update the timers, an external attacker can keep the mapping alive update the timers, an external attacker can keep the mapping alive
skipping to change at page 24, line 26 skipping to change at page 20, line 31
Moreover, since some networks deliver small packets ahead of large Moreover, since some networks deliver small packets ahead of large
ones, there can be many out of order fragments. NATs that are ones, there can be many out of order fragments. NATs that are
capable of delivering these out of order packets are possible but capable of delivering these out of order packets are possible but
they need to store the out of order fragments, which can open up a they need to store the out of order fragments, which can open up a
DoS opportunity. Fragmentation has been a tool used in many attacks, DoS opportunity. Fragmentation has been a tool used in many attacks,
some involving passing fragmented packets through NATs and others some involving passing fragmented packets through NATs and others
involving DoS attacks based on the state needed to reassemble the involving DoS attacks based on the state needed to reassemble the
fragments. NAT implementers should be aware of RFC 3128 [12] and RFC fragments. NAT implementers should be aware of RFC 3128 [12] and RFC
1858 [11]. 1858 [11].
15. IANA Considerations 14. IANA Considerations
There are no IANA considerations. There are no IANA considerations.
16. IAB Considerations 15. IAB Considerations
The IAB has studied the problem of "Unilateral Self Address Fixing", The IAB has studied the problem of "Unilateral Self Address Fixing",
which is the general process by which a client attempts to determine which is the general process by which a client attempts to determine
its address in another realm on the other side of a NAT through a its address in another realm on the other side of a NAT through a
collaborative protocol reflection mechanism [2]. collaborative protocol reflection mechanism [2].
This specification does not in itself constitute an UNSAF This specification does not in itself constitute an UNSAF
application. It consists of a series of requirements for NATs aimed application. It consists of a series of requirements for NATs aimed
at minimizing the negative impact that those devices have on at minimizing the negative impact that those devices have on peer-to-
peer-to-peer media applications, especially when those applications peer media applications, especially when those applications are using
are using UNSAF methods. UNSAF methods.
Section 3 of UNSAF lists several practical issues with solutions to Section 3 of UNSAF lists several practical issues with solutions to
NAT problems. This document makes recommendations to reduce the NAT problems. This document makes recommendations to reduce the
uncertainty and problems introduced by these practical issues with uncertainty and problems introduced by these practical issues with
NATs. In addition, UNSAF lists five architectural considerations. NATs. In addition, UNSAF lists five architectural considerations.
Although this is not an UNSAF proposal, it is interesting to consider Although this is not an UNSAF proposal, it is interesting to consider
the impact of this work on these architectural considerations. the impact of this work on these architectural considerations.
Arch-1: The scope of this is limited to UDP packets in NATs like the Arch-1: The scope of this is limited to UDP packets in NATs like the
ones widely deployed today. The "fix" helps constrain the ones widely deployed today. The "fix" helps constrain the
variability of NATs for true UNSAF solutions such as STUN. variability of NATs for true UNSAF solutions such as STUN.
Arch-2: This will exit at the same rate that NATs exit. It does not Arch-2: This will exit at the same rate that NATs exit. It does not
imply any protocol machinery that would continue to live imply any protocol machinery that would continue to live
after NATs were gone or make it more difficult to remove after NATs were gone or make it more difficult to remove
them. them.
Arch-3: This does not reduce the overall brittleness of NATs but will Arch-3: This does not reduce the overall brittleness of NATs but will
hopefully reduce some of the more outrageous NAT behaviors hopefully reduce some of the more outrageous NAT behaviors
and make it easer to discuss and predict NAT behavior in and make it easer to discuss and predict NAT behavior in
given situations. given situations.
Arch-4: This work and the results [18] of various NATs represent the Arch-4: This work and the results [17] of various NATs represent the
most comprehensive work at IETF on what the real issues are most comprehensive work at IETF on what the real issues are
with NATs for applications like VoIP. This work and STUN with NATs for applications like VoIP. This work and STUN
have pointed out more than anything else the brittleness NATs have pointed out more than anything else the brittleness NATs
introduce and the difficulty of addressing these issues. introduce and the difficulty of addressing these issues.
Arch-5: This work and the test results [18] provide a reference model Arch-5: This work and the test results [17] provide a reference model
for what any UNSAF proposal might encounter in deployed NATs. for what any UNSAF proposal might encounter in deployed NATs.
17. Acknowledgments 16. Acknowledgments
The editor would like to acknowledge Bryan Ford, Pyda Srisuresh and The editor would like to acknowledge Bryan Ford, Pyda Srisuresh and
Dan Kegel for the their draft [17] on peer-to-peer communications Dan Kegel for the their multiple contributions on peer-to-peer
accross a NAT, from which a lot of the material in this specification communications accross a NAT, from which a lot of the material in
is derived. this specification is derived.
Dan Wing contributed substantial text on IP fragmentation and ICMP Dan Wing contributed substantial text on IP fragmentation and ICMP
behavior. behavior.
Thanks to Rohan Mahy, Jonathan Rosenberg, Mary Barnes, Melinda Shore, Thanks to Rohan Mahy, Jonathan Rosenberg, Mary Barnes, Melinda Shore,
Lyndsay Campbell, Geoff Huston, Jiri Kuthan, Harald Welte, Steve Lyndsay Campbell, Geoff Huston, Jiri Kuthan, Harald Welte, Steve
Casner, Robert Sanders and Spencer Dawkins for their important Casner, Robert Sanders and Spencer Dawkins for their important
contributions. contributions.
18. References 17. References
18.1 Normative References 17.1 Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[2] Daigle, L. and IAB, "IAB Considerations for UNilateral [2] Daigle, L. and IAB, "IAB Considerations for UNilateral Self-
Self-Address Fixing (UNSAF) Across Network Address Translation", Address Fixing (UNSAF) Across Network Address Translation",
RFC 3424, November 2002. RFC 3424, November 2002.
18.2 Informational References 17.2 Informational References
[3] Srisuresh, P. and M. Holdrege, "IP Network Address Translator [3] Srisuresh, P. and M. Holdrege, "IP Network Address Translator
(NAT) Terminology and Considerations", RFC 2663, August 1999. (NAT) Terminology and Considerations", RFC 2663, August 1999.
[4] Srisuresh, P. and K. Egevang, "Traditional IP Network Address [4] Srisuresh, P. and K. Egevang, "Traditional IP Network Address
Translator (Traditional NAT)", RFC 3022, January 2001. Translator (Traditional NAT)", RFC 3022, January 2001.
[5] Holdrege, M. and P. Srisuresh, "Protocol Complications with the [5] Holdrege, M. and P. Srisuresh, "Protocol Complications with the
IP Network Address Translator", RFC 3027, January 2001. IP Network Address Translator", RFC 3027, January 2001.
[6] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., [6] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP: Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002. Session Initiation Protocol", RFC 3261, June 2002.
[7] Rosenberg, J., Weinberger, J., Huitema, C. and R. Mahy, "STUN - [7] Rosenberg, J., Huitema, C., and R. Mahy, "STUN - Simple
Simple Traversal of User Datagram Protocol (UDP) Through Traversal of User Datagram Protocol (UDP) Through Network
Network Address Translators (NATs)", RFC 3489, March 2003. Address Translators (NATs)", draft-ietf-behave-rfc3489bis (work
in progress), February 2003.
[8] Schulzrinne, H., Casner, S., Frederick, R. and V. Jacobson, [8] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson,
"RTP: A Transport Protocol for Real-Time Applications", RFC "RTP: A Transport Protocol for Real-Time Applications",
3550, July 2003. RFC 3550, July 2003.
[9] Huitema, C., "Real Time Control Protocol (RTCP) attribute in [9] Huitema, C., "Real Time Control Protocol (RTCP) attribute in
Session Description Protocol (SDP)", RFC 3605, October 2003. Session Description Protocol (SDP)", RFC 3605, October 2003.
[10] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, [10] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
November 1990. November 1990.
[11] Ziemba, G., Reed, D. and P. Traina, "Security Considerations [11] Ziemba, G., Reed, D., and P. Traina, "Security Considerations
for IP Fragment Filtering", RFC 1858, October 1995. for IP Fragment Filtering", RFC 1858, October 1995.
[12] Miller, I., "Protection Against a Variant of the Tiny Fragment [12] Miller, I., "Protection Against a Variant of the Tiny Fragment
Attack (RFC 1858)", RFC 3128, June 2001. Attack (RFC 1858)", RFC 3128, June 2001.
[13] Postel, J., "Internet Control Message Protocol", STD 5, RFC [13] Postel, J., "Internet Control Message Protocol", STD 5,
792, September 1981. RFC 792, September 1981.
[14] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, [14] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812,
June 1995. June 1995.
[15] Knowles, S., "IESG Advice from Experience with Path MTU [15] Knowles, S., "IESG Advice from Experience with Path MTU
Discovery", March 1993. Discovery", March 1993.
[16] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A [16] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A
Methodology for Network Address Translator (NAT) Traversal for Methodology for Network Address Translator (NAT) Traversal for
the Session Initiation Protocol (SIP)", the Session Initiation Protocol (SIP)",
draft-ietf-mmusic-ice-03 (work in progress), October 2004. draft-ietf-mmusic-ice-04 (work in progress), February 2005.
[17] Ford, B., Srisuresh, P. and D. Kegel, "State of [17] Jennings, C., "NAT Classification Results using STUN",
Peer-to-Peer(P2P) communication across Network Address draft-jennings-behave-test-results-00 (work in progress),
Translators(NATs)", draft-srisuresh-behave-p2p-state-00 (work February 2005.
in progress), December 2004.
[18] Jennings, C., "NAT Classification Results using STUN", [18] Postel, J. and J. Reynolds, "FILE TRANSFER PROTOCOL (FTP)",
draft-jennings-midcom-stun-results-02 (work in progress), RFC 959, October 1985.
October 2004.
[19] "Packet-based Multimedia Communications Systems", ITU-T [19] Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND
Recommendation H.323, July 2003. SPECIFICATION", RFC 1035, November 1987.
[20] Ford, B. and D. Andersen, "Nat Check Web Site: [20] "Packet-based Multimedia Communications Systems", ITU-
http://midcom-p2p.sourceforge.net", June 2004. T Recommendation H.323, July 2003.
Authors' Addresses Authors' Addresses
Francois Audet (editor) Francois Audet (editor)
Nortel Networks Nortel Networks
4655 Great America Parkway 4655 Great America Parkway
Santa Clara, CA 95054 Santa Clara, CA 95054
US US
Phone: +1 408 495 3756 Phone: +1 408 495 3756
EMail: audet@nortel.com Email: audet@nortel.com
Cullen Jennings Cullen Jennings
Cisco Systems Cisco Systems
170 West Tasman Drive 170 West Tasman Drive
MS: SJC-21/2 MS: SJC-21/2
San Jose, CA 95134 San Jose, CA 95134
US US
Phone: +1 408 902 3341 Phone: +1 408 902 3341
EMail: fluffy@cisco.com Email: fluffy@cisco.com
Intellectual Property Statement Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/