NAT Traversal Techniques
Tuesday, 29 July 2008
The ability of applications like UltraVNC and Hamachi to operate behind firewalls through NAT traversal intrigued me. Newport Networks has a whitepaper detailing current NAT traversal solutions for SIP:
- Universal Plug and Play (UPnP)
- Simple Traversal of UDP Through Network Address Translation devices (STUN)
- TURN - Traversal Using Relay NAT
- Application Layer Gateway
- Manual Configuration
- Tunnel Techniques
- Automatic Channel Mapping
UPnP problem: … relies on the NAT opening pinholes to the outside world under the dynamic control of the UPnP client - maybe a SoftPhone on a PC. This capability is most likely contrary to most security policies and therefore may not be accepted by communications managers of corporate customers.
STUN problem: Most NATs in use today are symmetric. This means that they create a mapping based on source IP address and port number as well as the destination IP address and port number. STUN will not work with symmetric NATs.
TURN: a refinement over STUN that uses a proxy to relay packets.
Application Layer Gateway: an enhanced NAT that can modify packets depending on whether the protocol is SIP or something else. However, the whitepaper doesn't really explain how a SIP phone behind a firewall can receive inbound calls. (UDP sessions are easier than TCP sessions?)
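To see the symmetric NAT problem from the STUN note in action, here is an added simulation (not from the original post or the Newport Networks paper): a toy NAT with either endpoint-independent (cone) or per-destination (symmetric) mappings, STUN-style reflexive address discovery, and a peer sending to the discovered address. The SimNat and stun_then_peer names, addresses and ports are constructed for the example, and the cone variant ignores address filtering.

```python
from itertools import count


class SimNat:
    """Toy NAT (constructed). Cone: mapping keyed on the internal endpoint only,
    one public port serves every remote. Symmetric: also keyed on the
    destination, so each remote gets a fresh port that only it may use."""

    def __init__(self, public_ip, symmetric):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.table = {}          # mapping key -> public port
        self.reverse = {}        # public port -> mapping key
        self.ports = count(40000)

    def _key(self, internal, remote):
        return (internal, remote) if self.symmetric else (internal,)

    def outbound(self, internal, remote):
        """Internal host sends to remote; returns the public (ip, port) used."""
        key = self._key(internal, remote)
        if key not in self.table:
            self.table[key] = next(self.ports)
            self.reverse[self.table[key]] = key
        return (self.public_ip, self.table[key])

    def inbound(self, remote, public_port):
        """Packet from remote hits public_port; internal endpoint or None if dropped."""
        key = self.reverse.get(public_port)
        if key is None or (self.symmetric and key[1] != remote):
            return None          # no mapping, or mapping owned by another remote
        return key[0]


def stun_then_peer(symmetric):
    """Client learns its reflexive address via STUN, a peer sends to it. Returns
    (peer reached client?, port seen by STUN, port used toward the peer)."""
    nat = SimNat("203.0.113.5", symmetric)        # constructed doc-range addresses
    client = ("10.0.0.2", 5060)
    stun_server = ("198.51.100.10", 3478)
    peer = ("192.0.2.20", 5060)
    # 1. STUN Binding request: the server reports the source address it sees.
    reflexive = nat.outbound(client, stun_server)
    # 2. Client signals the peer (e.g. SIP INVITE advertising the reflexive
    #    address); on a symmetric NAT this allocates a different public port.
    toward_peer = nat.outbound(client, peer)
    # 3. Peer sends media to the STUN-reported address.
    reached = nat.inbound(peer, reflexive[1]) == client
    return reached, reflexive[1], toward_peer[1]
```

Through the cone NAT the peer reuses the port STUN reported; through the symmetric NAT that port belongs to the STUN server's mapping and the peer's packet is dropped, which is exactly why TURN falls back to a relay.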
On the practical side of things, Heise Security has a light write-up on how Skype tries different methods, from direct UDP through to probing firewalls in order to tunnel a direct connection between two computers.