Hi,
As characterized by C. Huitema of Microsoft in
http://www.ietf.org/internet-drafts/draft-ietf-ngtrans-shipworm-05.txt
(IPv6 tunnels through NATs using UDP), there are basically 4 kinds of
NATs wrt. how strictly they check the incoming packets to allocated
NAT ports:
--8<--
Experience shows that the implementers of NAT products can adopt
widely different treatments of UDP mappings:
1) Some implement the simplest solution, which is to map an internal
UDP port, defined by an internal address and a port number on the
corresponding host, to an external port, defined by a global address
managed by the NAT and a port number valid for that address. In this
simple case, the mapping is retained as long as the port is active,
and is removed after an inactivity timer. As long as the mapping is
retained, any packet received by the NAT for the external port is
relayed to the internal address and port. These NATs are usually
called cone NATs.
2) Some implement a more complex solution, in which the NAT not only
establishes a mapping for the UDP port, but also maintains a list of
external hosts to which traffic has been sent from that port. The
packets originating from third party hosts to which the local host
has not yet sent traffic are rejected. These NATs are usually called
restricted cone NATs.
3) Instead of keeping just a list of authorized hosts, some NAT
implementations keep a list of authorized host and port pairs. UDP
packets coming from remote addresses are rejected if the internal
host has not yet sent traffic to the outside host and port pair. The
NATs are often called port restricted cone NATs.
4) Finally, some NATs map the same internal address and port pair to
different external address and port pairs, depending on the address
of the remote host. These NATs are usually called symmetric NATs.
Measurement campaigns and studies of documentations have shown that
most NATs implement either option 1 or option 2, i.e. cone NATs or
restricted cone NATs. The Teredo solution ensures connectivity for
all NAT types and all configurations, but it is legitimate to seek
an optimization in the case of cone NAT or restricted cone NATs.
--8<--
I'm curious: which kind of NAT does Netfilter (and possibly old ipchains
NAT) use?
Please Cc:.
--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
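As an added illustration, not part of the mail above, the draft, or Netfilter's code, the following Python model encodes the four UDP NAT policies from the quoted list and probes each with the same scenario (one internal host talking to two peers, then a reply, a different source port, and an unsolicited third party). The class and function names and all addresses are constructed; the model also assumes a symmetric NAT filters on the host and port pair, which the quoted text does not state.

```python
from itertools import count

KINDS = ("cone", "restricted_cone", "port_restricted_cone", "symmetric")

class UdpNat:
    """Toy model of one NAT's UDP mapping and filtering policy (`kind` in KINDS)."""
    def __init__(self, kind, public_ip="203.0.113.1"):
        self.kind, self.public_ip = kind, public_ip
        self._ports = count(40000)   # external ports handed out in order
        self.mappings = {}           # mapping key -> external (ip, port)
        self.peers = {}              # external (ip, port) -> remote (ip, port)s sent to

    def _key(self, internal, remote):
        # Item 4): a symmetric NAT keys the mapping on the remote address as well.
        return (internal, remote[0]) if self.kind == "symmetric" else internal

    def outbound(self, internal, remote):
        """Internal host sends UDP to `remote`; returns the external endpoint used."""
        key = self._key(internal, remote)
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, next(self._ports))
        ext = self.mappings[key]
        self.peers.setdefault(ext, set()).add(remote)   # items 2) and 3): remember peers
        return ext

    def inbound(self, ext, remote):
        """Packet from `remote` hits `ext`; returns the internal endpoint or None if dropped."""
        if ext not in self.peers:
            return None              # no active mapping for that external port
        seen = self.peers[ext]
        if self.kind == "restricted_cone" and remote[0] not in {ip for ip, _ in seen}:
            return None              # item 2): host never sent to this remote address
        if self.kind in ("port_restricted_cone", "symmetric") and remote not in seen:
            return None              # item 3): unknown address/port pair (assumed for 4) too)
        key = next(k for k, v in self.mappings.items() if v == ext)
        return key[0] if self.kind == "symmetric" else key

def probe(kind):
    """Run one scenario against a NAT kind; returns the observed behaviour."""
    nat = UdpNat(kind)
    host = ("10.0.0.2", 5000)             # constructed internal endpoint
    peer_a, peer_b = ("198.51.100.10", 3478), ("198.51.100.20", 3478)  # constructed peers
    ext_a, ext_b = nat.outbound(host, peer_a), nat.outbound(host, peer_b)
    return {
        "same_external_port_for_both_peers": ext_a == ext_b,
        "reply_from_peer_a": nat.inbound(ext_a, peer_a) == host,
        "peer_a_from_other_port": nat.inbound(ext_a, (peer_a[0], 9999)) == host,
        "unsolicited_third_party": nat.inbound(ext_a, ("192.0.2.7", 1234)) == host,
    }
```

Running `probe` over all four kinds shows the draft's ordering from least to most restrictive: only the cone NAT relays the unsolicited packet, and only the symmetric NAT hands out a different external port per peer.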