In the last decade, the number of computers connected to the Internet has increased by an enormous order of magnitude. High growth in the number of Internet connections has put severe pressure on the available address-space of routable internet protocol (IP) addresses. To overcome the problem of limited and diminishing IP address-space, it became imperative to have a solution that would allow multiple users to share a single routable internet address. The commonly used solution for sharing a single IP address is known as a Network Address Translator (NAT). Operation of a typical NAT is described next.
The basic concept underlying a NAT is to have a device or software module that allows sharing of one or more routable Internet Protocol (IP) addresses by multiple computers. A typical NAT is connected to the public internet on one side and has at least one global or public IP address for receiving and sending data packets from and to the public internet. On the other side of the typical NAT is a private network, in which each network node (computer) is assigned a local arbitrary addresses. Typically, the NAT assigns arbitrary addresses to the nodes of the private network using a Dynamic host Control Protocol (DHCP) or alternatively the NAT assigns static translation addresses.
The NAT provides a convenient way of providing shared and transparent communication between the public internet and the computers (attached to a private network) having a non-globally-unique IP address, i.e., an IP address that is not globally-unique. However, not all forms of communications are operable over NAT. Many types of applications require a globally-unique IP address as a termination point or require IP address consistency over the whole communication cycle. For example, an IP enabled phone will typically require a globally-unique IP address to receive and send voice-transmission using the IP. Presence of a NAT at the receiving end of the IP phone call may block the receiver from receiving the phone IP packets.
The presence of NATs in a network poses another type of problem as described next. There is no simple and convenient way to access a server type of device located behind a NAT from the public internet side of the NAT. For example, if a Hypertext Transfer Protocol (HTTP) webserver is located behind a NAT, then it has a private address which is invisible to the outside world through the public internet. On the contrary, a typical webserver, e.g., an HTTP server, which is not behind a NAT is readily accessible from the public internet if it has an IP address that can be resolved using common methods like the Domain Name System (DNS).
Typically, an HTTP server on a host is assumed to use the default port number, namely 80, for a host. An advantage of this arrangement is that the user of the browser does not need to designate a port number in addition to the address of the host because the default port number will be assumed. Because of the prevalence of Domain Name System (DNS) servers and dynamic DNS (DDNS) servers, most users of browsers do not understand that a domain name, e.g., www.name.com, represents a universal resource locator (URL), which is a long string of numbers. Moreover, most users of browsers have no understanding that a domain name of an HTTP server maps to a port number of the host as well as an address of the host because most users have never had to provide a port number.
TCP/IP allows multiple applications to run on a single computer using a variety of port numbers. When a NAT is used by a private network to share an IP address, then the port addresses are shielded behind the NAT from the outside network. This situation can be further complicated by presence of a firewall with a security policy that does not allow access to specific ports of the computers on the private network as described next.
A port-forwarding solution creates a “tunnel” through the firewall so that that external users from the public internet can access a specific computer in the private network using the designated port for the tunnel. Typically, a port forwarding solution has a maximum number of about five forwarded port entries. But many applications like network-gaming, instant messaging and collaboration software may require access to previously “unopened” specific TCP/UDP ports from the external public internet. Creating all the required tunnels for such applications can be an impractical task for a typical user, since the tunnel configuration process can be complicated and confusing. Port forwarding is typically a kind of functionality provided by a router, hence it typically raises a need for a specific router that has an inbuilt port forwarding capability.
The presence of NAT may not affect the network much if the transport connections are initiated from the clients that are behind the NAT. But if a server is located behind a NAT, then IP requests originating from the public network may not be able to access the server due to the presence of NAT. An approach to solve this problem, and its drawbacks are discussed next. In a Dynamic Domain Name System (DDNS) the users attempting to access a server located behind a NAT using a Fully Qualified Domain Name (FQDN) may face problems. Such problems result from the situation when a server or device behind a NAT is assigned a private IP address by a NAT which is invisible. A DDNS trying to route packets to an IP address due to a FQDN access request will fail since the NAT-assigned private address is invisible to the public internet side of the NAT.
One approach to get around the NAT restrictions is called DMZ (an acronym for De-Militarized Zone) which allows a given machine behind a NAT to be directly connected to the internet, without compromising security of other machines in the network. DMZ allows a machine behind the NAT to operate as if it is directly connected to the internet. DMZ, like port forwarding discussed above, can be confusing to configure for a typical user, since it requires user expertise to configure it. Those skilled in the art will appreciate that DMZ cannot be used to open-up all machines of a network to the public internet. DMZ exposes a given machine to all the vulnerabilities that are associated with a direct connection to the internet, since it overrides the firewall protection. Hence, neither DMZ nor port forwarding is a satisfactory solution to the problem of transparent NAT traversal that requires no or minimum user effort to implement.
Universal Plug-and-Play (UPnP) is another method for NAT traversal. UPnP can provide the public IP address to the client behind the NAT. Like port forwarding, UPnP facilities are typically provided by the router itself. But the drawback of this approach lies in the special hardware requirement in the form of a router that is UPnP compliant.
Attempts have been made to define protocols for solving the NAT traversal problem described above. For example, protocols like TURN (Traversal Using Relay NAT), STUN (Simple Traversal of UDP through NAT), SPAN-A (Simple Protocol for Augmenting NATs), etc., provide an approach that does not require routers to have specific functionality of supporting NAT traversal. However, the above protocols have their own drawbacks. STUN can detect the presence of a NAT and the type of NAT. However, the STUN protocol by itself does not allow applications using HTTP protocol to overcome NAT traversal issues. TURN or SPAN-A protocols allocate a TCP listener on the relay server to relay incoming packets from one point to another, but do not address the problem of how an application can operate using NAT traversal.