Types of Network Address Translation
The old classification of NAT types is still widely used, but it is outdated. The current definition describes more precisely which kind of NAT is present in the network and what we can expect from the translator.
Glossary:
- NAT: Network Address Translation (you should have some familiarity with that, otherwise please read the NAT page on Wikipedia)
- `host:port`: the address of a PC in a network subject to NAT when it reaches a public host
- `public-host:public-port`: the public host to reach
- `external-host` and/or `external-port`: the temporary public address provided by the NAT mechanism on the router at the edge of your network (i.e., before the traffic goes outside)
The old but common definition
You can still find this definition on the NAT page on Wikipedia. In short, there are these types of NAT:
- Full-cone NAT: an internal address (`host:port`) is mapped to an external address (`external-host:external-port`). Every outgoing packet from the internal address is mapped to that external address, regardless of the destination. Also, every incoming packet to the external address is forwarded to the internal address, regardless of the source.
- (Address)-restricted-cone NAT: same as above, with one difference: an incoming packet (from outside) is accepted only if its source host has already been contacted from the internal address in the past (no matter which destination port the internal address used in the previous outgoing packet).
- Port-restricted cone NAT: same as above, but now the port is restricted too: the destination port of the previous outgoing packet to the external host must be the same as the source port of the incoming packets. In other words: an address `public-host:public-port` can send a packet to the internal `host:port` via `external-host:external-port` only if in the past the internal address `host:port` sent an outgoing packet to `public-host:public-port`.
- Symmetric NAT: each distinct pair of internal address and destination gets a different `external-host:external-port` when the mapping is created. This means that the only address that can reply back to the internal address is the one that was contacted (both host AND port are checked).
As you can imagine, symmetric NAT is the worst possible situation for NAT bypass techniques (like UDP hole punching). Sometimes an ISP uses a specific NAT behavior on purpose. E.g., symmetric NAT uses more device resources (one mapping per destination), but it defeats hole punching, so only relaying through a third party remains (hence things like BitTorrent or other p2p clients will suffer), and it may use fewer public IPs.
The current definition
The current definition, from the RFCs (mostly RFC 4787), splits the behavior into separate parts: mapping, filtering, port assignment, and hairpinning.
Mapping
The mapping behavior indicates which kind of mapping will occur:
- Endpoint-Independent Mapping: in this mode, the same internal address `host:port` is always associated with the same external address `external-host:external-port`, regardless of the destination.
- Address-Dependent Mapping: in this mode, the same internal address `host:port` is associated with the same external address `external-host:external-port` when sending packets to the same destination host `public-host` (any port). Different destination hosts get different mappings.
- Address and Port-Dependent Mapping: in this mode, the same internal address `host:port` is associated with the same external address `external-host:external-port` when sending packets to the same destination address `public-host:public-port`. Different destination addresses or ports get different mappings.
Filtering
The filtering behavior controls who can use the mapped `external-host:external-port` to reach the internal address `host:port`:
- Endpoint-Independent Filtering: basically anyone can use the `external-host:external-port` address to reach `host:port`.
- Address-Dependent Filtering: in order to receive packets from `public-host` via `external-host:external-port`, the internal address `host:port` must first send packets to `public-host` (any port). In other words, only those hosts already contacted by `host:port` in the past (on any port) can use the external mapping to reach the internal address.
- Address and Port-Dependent Filtering: to receive packets from `public-host:public-port` via `external-host:external-port`, the internal address `host:port` must first send packets to `public-host:public-port`. In other words, only those endpoints `public-host:public-port` already contacted by `host:port` in the past can use the external mapping to reach the internal address. Note that in this case the `public-port` is part of the filter.
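The mapping and filtering behaviors above, and the old cone/symmetric names of the previous section, can be exercised with the following toy model. It is an added example written for this article, not code from RFC 4787 or from any NAT implementation: a `Nat` class keeps the mapping table together with the destinations each mapping has contacted, and `hole_punch` runs one round of classic UDP hole punching between two peers behind two such NATs, using a rendezvous server to learn the reflexive addresses. All hosts, ports and the rendezvous address are constructed; hairpinning and port preservation are not modelled.

```python
"""Toy model of RFC 4787 NAT mapping and filtering behaviour.

Added example for this article, not code from the RFC or from any NAT
implementation. Endpoints are (host, port) tuples with hosts as plain
strings; nothing touches a real socket. Every address below is made up.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mapping(Enum):
    EIM = "Endpoint-Independent Mapping"
    ADM = "Address-Dependent Mapping"
    APDM = "Address and Port-Dependent Mapping"


class Filtering(Enum):
    EIF = "Endpoint-Independent Filtering"
    ADF = "Address-Dependent Filtering"
    APDF = "Address and Port-Dependent Filtering"


@dataclass
class Nat:
    external_host: str
    mapping: Mapping
    filtering: Filtering
    first_port: int = 40000
    keys: dict = field(default_factory=dict)   # mapping key -> external port
    table: dict = field(default_factory=dict)  # external port -> (internal endpoint, destinations contacted)

    def _key(self, internal, dest):
        # The mapping behaviour decides how much of the destination is part of the key.
        if self.mapping is Mapping.EIM:
            return (internal,)
        if self.mapping is Mapping.ADM:
            return (internal, dest[0])
        return (internal, dest)

    def outbound(self, internal, dest):
        """internal host:port sends to dest; return the external-host:external-port used."""
        key = self._key(internal, dest)
        if key not in self.keys:
            port = self.first_port + len(self.keys)   # sequential, no preservation
            self.keys[key] = port
            self.table[port] = (internal, set())
        port = self.keys[key]
        self.table[port][1].add(dest)
        return (self.external_host, port)

    def inbound(self, src, external_port):
        """A packet from src arrives at external_port; return the internal endpoint it
        is delivered to, or None when no mapping exists or the filter drops it."""
        if external_port not in self.table:
            return None
        internal, contacted = self.table[external_port]
        if self.filtering is Filtering.EIF:
            return internal
        if self.filtering is Filtering.ADF:
            return internal if any(d[0] == src[0] for d in contacted) else None
        return internal if src in contacted else None


RENDEZVOUS = ("rendezvous.example", 3478)  # constructed address of the signalling server


def hole_punch(nat_a, a, nat_b, b):
    """Classic UDP hole punching. Both peers learn the reflexive address the
    rendezvous server saw for them, exchange those addresses out of band, then
    each sends to the other's reflexive address and answers whatever it receives.
    Returns (a_reaches_b, b_reaches_a) after that one exchange."""
    a_ext = nat_a.outbound(a, RENDEZVOUS)
    b_ext = nat_b.outbound(b, RENDEZVOUS)
    # First punch: the source endpoint is whatever mapping each NAT picks for this destination.
    src_a = nat_a.outbound(a, b_ext)
    src_b = nat_b.outbound(b, a_ext)
    a_reaches_b = nat_b.inbound(src_a, b_ext[1]) is not None
    b_reaches_a = nat_a.inbound(src_b, a_ext[1]) is not None
    # Whoever got a packet replies to the source it actually saw; that can open the
    # return path even when the first punch in that direction was dropped.
    if a_reaches_b and not b_reaches_a:
        reply = nat_b.outbound(b, src_a)
        b_reaches_a = nat_a.inbound(reply, src_a[1]) is not None
    if b_reaches_a and not a_reaches_b:
        reply = nat_a.outbound(a, src_b)
        a_reaches_b = nat_b.inbound(reply, src_b[1]) is not None
    return a_reaches_b, b_reaches_a


if __name__ == "__main__":
    # Constructed private endpoints behind two NATs with constructed public addresses.
    a, b = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    old_names = {
        "full cone": (Mapping.EIM, Filtering.EIF),
        "address-restricted cone": (Mapping.EIM, Filtering.ADF),
        "port-restricted cone": (Mapping.EIM, Filtering.APDF),
        "symmetric": (Mapping.APDM, Filtering.APDF),
    }
    for name_a, (m_a, f_a) in old_names.items():
        for name_b, (m_b, f_b) in old_names.items():
            result = hole_punch(Nat("203.0.113.1", m_a, f_a), a, Nat("198.51.100.1", m_b, f_b), b)
            print(f"{name_a:24} <-> {name_b:24} {result}")
```

Running it prints the familiar matrix: any cone type talks to any other cone type, a symmetric NAT still works against a full cone or an address-restricted cone (the reply step opens the return path because the filter only checks the host), and symmetric against port-restricted or symmetric against symmetric fails in both directions, which is exactly why the author calls symmetric NAT the worst case for hole punching.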
Port number
A NAT device can decide to operate in different ways when assigning the mapped `external-port`s:
- Port preservation: the NAT device tries to preserve the internal `port` number when mapping. In other words, `external-port` will be the same as `port`, if available.
  - In case of a collision (e.g., a previous mapping already uses the same port number), there are different techniques: try another external address `external-host` (if the router has more than one); un-map the previous mapping and reuse the port number; or use a random port instead.
  - Keeping the same external port for both mappings anyway, and relying on the different destinations to tell the two flows apart, is called port overloading. RFC 4787 forbids it: it only works with Address and Port-Dependent Mapping, and it breaks as soon as the two internal hosts talk to the same destination.
- No port preservation (random): the NAT device does not preserve the port. In other words, the mapping uses a random port.
Hairpin
Lastly, hairpinning is the ability of some routers to allow communication between hosts in the same LAN through the public/external address of the router itself. This is very useful when two hosts on the same network try to establish a link and do not know that they can reach each other directly (for example, because they only learned each other's external address from a rendezvous server).
Other attributes
Note that some NAT devices have been found to change their behavior dynamically, based on resource consumption or other factors. If you're interested, the section named "Deterministic Properties" in RFC 4787 explains the findings.
RFC 4787 also defines other minor attributes:
- Port parity: preserving the parity of UDP ports (even ports are mapped to even ports, odd to odd).
- Port contiguity: the NAT device assigns ports sequentially in some cases (like RTCP = RTP + 1).
- Mapping refresh: how the NAT device handles mapping expiration and keepalives.
- Handling of Application Layer Gateways (ALGs).
- Blocking or allowing ICMP Destination Unreachable packets.
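The port-assignment behaviors of the previous section (preservation, collision handling, random ports) and the port parity and contiguity attributes just listed can be seen together in the following toy allocator. It is an added example written for this article, not code from RFC 4787 or from any real NAT; the public addresses, the SIP and RTP port numbers, and the seeded random generator are all constructed for the demonstration.

```python
"""Toy model of NAT port assignment: port preservation with collision handling
across several public addresses, port parity, and port contiguity for an
RTP/RTCP pair.

Added example for this article; not code from RFC 4787 or from a real NAT.
Addresses and port numbers are constructed.
"""
import random


class PortAllocator:
    def __init__(self, external_hosts, preserve=True, keep_parity=True, seed=0):
        self.hosts = list(external_hosts)   # one or more public addresses on the router
        self.preserve = preserve
        self.keep_parity = keep_parity
        self.used = set()                   # (external-host, external-port) already mapped
        self.rng = random.Random(seed)      # seeded only so runs are reproducible

    def _take(self, host, port):
        """Reserve (host, port) if it is free and in the usable range."""
        if (host, port) in self.used or not 1024 <= port <= 65535:
            return False
        self.used.add((host, port))
        return True

    def allocate(self, internal_port):
        """Return the external-host:external-port chosen for one internal port."""
        if self.preserve:
            # Port preservation: same port number, trying each public address in turn.
            for host in self.hosts:
                if self._take(host, internal_port):
                    return (host, internal_port)
        # Collision on every address (or no preservation): pick a random port,
        # keeping the parity of the internal port when asked to.
        for _ in range(10_000):
            port = self.rng.randrange(1024, 65536)
            if self.keep_parity and port % 2 != internal_port % 2:
                continue
            if self._take(self.hosts[0], port):
                return (self.hosts[0], port)
        raise RuntimeError("external port pool exhausted")

    def allocate_rtp_pair(self, rtp_port):
        """Port contiguity: map RTP (even) and RTCP (RTP+1, odd) to adjacent external
        ports so a receiver assuming RTCP = RTP + 1 keeps working through the NAT."""
        if rtp_port % 2:
            raise ValueError("RTP port must be even")

        def pair_free(host, port):
            return (host, port) not in self.used and (host, port + 1) not in self.used

        if self.preserve:
            for host in self.hosts:
                if pair_free(host, rtp_port):
                    self.used.update({(host, rtp_port), (host, rtp_port + 1)})
                    return (host, rtp_port), (host, rtp_port + 1)
        for _ in range(10_000):
            port = self.rng.randrange(1024, 65534) & ~1   # even, leaves room for port + 1
            if pair_free(self.hosts[0], port):
                self.used.update({(self.hosts[0], port), (self.hosts[0], port + 1)})
                return (self.hosts[0], port), (self.hosts[0], port + 1)
        raise RuntimeError("no contiguous even/odd pair available")


def demo():
    """Three internal SIP phones all use port 5060 behind a router with two public
    addresses, then one of them opens an RTP/RTCP pair on 40000/40001."""
    nat = PortAllocator(["203.0.113.1", "203.0.113.2"])
    first = nat.allocate(5060)    # preserved on the first public address
    second = nat.allocate(5060)   # collision: preserved on the second public address
    third = nat.allocate(5060)    # collision everywhere: random port of the same parity
    rtp, rtcp = nat.allocate_rtp_pair(40000)
    return first, second, third, rtp, rtcp


if __name__ == "__main__":
    for label, value in zip(("first", "second", "third", "rtp", "rtcp"), demo()):
        print(f"{label:6} -> {value}")
```

The second address absorbs the first collision, which is the "try another external address" strategy from the list above; the third phone is the case where preservation is impossible and the allocator falls back to a random even port, so parity is still honoured. A NAT without parity preservation would make the RTCP = RTP + 1 assumption fail for roughly half of the calls.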
Migrate/translate between the previous and the current definition
The old and the new definitions are incompatible because the new one describes the situation in more detail, with more possibilities. However, we can still map between them if we remember that the correspondence is somewhat "fuzzy".
| Old mapping name | Mapping | Filtering |
|---|---|---|
| Full cone | Endpoint-Independent | Endpoint-Independent |
| (Address)-restricted cone | Endpoint-Independent | Address-Dependent |
| Port-restricted cone | Endpoint-Independent | Address and Port-Dependent |
| Symmetric | Address and Port-Dependent | Address-Dependent / Address and Port-Dependent |
Port preservation, hairpinning, and the other attributes were not present in the previous definition. Also, any type of NAT may use any port assignment mechanism (they are unrelated), so adding these to the table makes little sense.