Routing – Why can the STUN server reach the client behind NAT

nat;routing

In these two figures, why the 173.239.151.99(clientB) and the STUN server both know the clientA(192.168.0.1)'s public IP, why clientB can't reach clientA but STUN server can?

Or to put my question this way: why we need STUN server after all? Say when clientA send request to clientB, there will be a binding between clientA's IP&port and NAT device's public IP&port in translation table, this " mapping is created when a TCP SYN packet is
sent from inside the NAT or when a first UDP packet is
sent.", so when clientB sends response back, the translation table will help it to reach clientA. Then why on earth we need STUN?

Best Answer

syntethic task ;-)

STUN can be used only with "full cone NAT, restricted cone NAT, and port restricted cone NAT"… but not with symmetric NAT. STUN is the protocol for clients, but clients, as usually, in real world are using symmetric NAT(unique port for any connection, dynamic translation)! In the real world servers are using full-cone NAT(static translation), and servers, as usually, gets connections from clients, which are already know ip:port…

However, formal answer: most "frequent" using of STUN it is sip client to server keepalive(udp), but there are also other usages: https://www.rfc-editor.org/rfc/rfc5389#section-14:

14.  STUN Usages
   At the time of writing, three STUN usages are defined: Interactive
   Connectivity Establishment (ICE) [MMUSIC-ICE], Client-initiated
   connections for SIP [SIP-OUTBOUND], and NAT Behavior Discovery
   [BEHAVE-NAT].  Other STUN usages may be defined in the future.

Related Solutions

Nat – Why using Dynamic ip and port when using U-Turn NAT

Because they're in the same zone -- and thus the same subnet, the source must be rewritten to get the replies to pass back through NAT instead of being a direct reply.

When a local lan client attempts to connect to the public server address, the traffic will flow to the firewall. The firewall will rewrite the destination and forward the traffic to the local lan server address. If the firewall doesn't change the source as well, the server will see the source as being on the local lan, and it's replies will be sent direct to the local lan client using the local lan server address. Without it passing back through the firewall, the traffic will not make sense to the client (wrong tcp sequence numbers, and wrong IP address.)

NAT and Port Forwarding – How NAT, Port Forwarding, and TCP/IP Work

There is a general misconception between NAT (Network address translation) and PAT (Port Address Translation), which is what we mostly use in our home routers.

NAT
Let's assume we have a network with the following topology:

Private_Network <-------> Router <-------> The_Internet

The interface of the Router that is connected to the Private_Network has a private IP address, i.e. one that is not unique in The_Internet. On the other hand, in the case of NAT, Router has multiple interfaces connected to The_Internet. Each interface has a unique IP address in The_Internet. Now let's assume that Host_A and Host_B are in the Private_Network and they both want to access Website_X in The_Internet at the same time. The IPs and the ports of Host_A's packet will be:

Source IP: Host_A's private IP
Source Port: A port on Host_A
Destination IP: Website_X's public/unique IP
Destination Port: A port where Website_X's server is listening to

and in the same way for a packet coming from Host_B.
If the Source IP is left unchanged, then Website_X will reply to an IP address that is private, i.e. not unique, and therefore the packet will never be able to find it's way back. In order to solve that problem, the Router checks whether one of his unique IP addresses connected to The_Internet is not used. If that is the case, it does the following mapping:

Host_A's private IP ======= Router's_unique_IP_K

and now the packet that started from Host_A going to Website_X and is now leaving the interface of the Router connected to The_Internet will have the form:

Source IP: Router's_unique_IP_K
Source Port: A port on Host_A
Destination IP: Website_X's public/unique IP
Destination Port: A port where Website_X's server is listening to

Thus you can understand that there is an one-to-one association from private IPs to public IPs. Therefore when a packet arrives from Website_X to the Router, this association is checked and the destination IP address is changed back to the private one and delivered successfully to the right host.
As you can see, this method is quite simple, but it has one big disadvantage: each private host has to have a unique IP address reserved, which is expensive, thus we select to have fewer unique IP addresses than hosts in the private network. Therefore if all the private hosts attempt to access The_Internet at the same time, only a subset of them, equal to the number of the available public IP addresses that the Router has, will have access and the rest will be denied.
In order to counter that we created PAT.

PAT
PAT is what the vast majority of our home routers is using. The basic limitation is that the Router has a single unique IP address with which it connects to The_Internet, but we still want to allow multiple hosts from the private network to access The_Internet at the same time.
The way we do that is "similar" to the way NAT does it with a key difference: instead of the Router holding a pool of IP address, it holds a pool of port numbers. More precisely, a packet arriving at the Router from Host_A in the Private_Network destined to Website_X in The_Internet will have the following format:

Source IP: Host_A's private IP
Source Port: A port on Host_A
Destination IP: Website_X's public/unique IP
Destination Port: A port where Website_X's server is listening to

Now the Router will do two tasks:

It will change the Source IP to the Router's unique public IP AND
It will change the Source Port to a port from a pool that the Router is maintaining and is not already used, e.g. Port_Z

and now the packet that started from Host_A going to Website_X and is now leaving the interface of the Router connected to The_Internet will have the form:

Source IP: Router's_unique_IP_K
Source Port: Port_Z
Destination IP: Website_X's public/unique IP
Destination Port: A port where Website_X's server is listening to

and the Router will keep the following mapping:

Host_A's private IP AND a port on Host_A ======= Port_Z

Why does this work?
Now when a packet comes back, the Router simply checks the destination port number and changes the destination IP address and the destination port number according to the pre-mentioned mapping and the packet gets delivered successfully.

What if I run multiple applications on the same Host?
Different applications will have different ports, by definition, thus they will mapped to a different port from the Router.

What if multiple Hosts attempt to access The_Internet at the same time and they all use the same application?
Different Hosts will have different private IP addresses, by definition, thus they will mapped to a different port from the Router.

PAT is dangerously balancing in a grey space of cross-layer. Port numbers are part of the Transport Protocol while Routers are allowed to operate up to the Internet Protocol. So technically speaking is something that is not allowed by the protocols. Therefore there are, at least theoretically, potential dangers: the port pool is limited. Therefore if my private network consists of 1000 Hosts and each one is running port_pool/10 applications, the mapping table at the router will run out of available entries and access to applications will be denied.

This answer greatly exceeded my intended length, but I hope it was helpful.

Best Answer

Related Solutions

Nat – Why using Dynamic ip and port when using U-Turn NAT

NAT and Port Forwarding – How NAT, Port Forwarding, and TCP/IP Work

Related Topic