Check the compatibility of your NAT (network address translator) and P2P protocols

Source: Internet
Author: User
Document directory
  • The Technique
  • Required NAT behavior
  • Changes in Version 2

Nat check
Version 3, with TCP support!
Check the compatibility of your NAT (network address translator) and P2P protocols
Nat check by Bryan Ford, Web magic by Dave Anderson
Hosted by MIDCOM-P2P project on SourceForge

In the current IPv4 environment, the implementation of P2P protocol is technically more important than how to traverse NAT and ensure stable connection performance. It is necessary to clarify several concepts first.
Firewall, Nat, loopback tanslation (refer to

Nat check is a small program that can automatically detect your Nat support for the P2P protocol. Version 3 can detect the following features:

  1. TCP/UDP consistent translation
  2. TCP simultaneous open
  3. TCP/UDP loopback Translation
  4. TCP unsolicited connections filtered
  5. UDP unsolicited messages filtered

You can download and compile this C program: natcheck. C (if it is a 64-bit computer, you can add the compilation parameter "-dhave_stdint" or directly modify the program's # define)
If you want to run Nat check on Windows, first install the GCC environment mingw on Windows, and then use the-lws2_32 compilation option to compile)


Technical explanation is a simple technique and has been widely used in many online games and other P2P applications. You can view previous discussions here and here.
The technique assumes that three machines in the communication are A, B, and C. Host a is a "well-known" intenet server with a fixed IP address. It acts as the "introducer" for B and C communications. Both B and C are behind NAT (probably the same Nat) and only have private IP addresses. B wants to establish a direct P2P connection with C through the help of. To initiate a P2P connection to C, B first sends a message (UDP packet containing the request command, B's local address, and UDP port) to ), request "introduces" C. A sets the real IP address and UDP port (private IP address and port) of C and the IP address and port observed by a (the Public IP address and port of C after Nat translation) reply to B, and a sends the "Address/port" information of B to C. (Here C needs to send UDP response to a immediately. Otherwise, a cannot know the correct public port of C because the session on Nat has expired) now both B and C know the need to establish a P2P connection, and know the other's public IP Address/port and local IP/port. The dual-producer tries to send a UDP packet directly to the other party. If the two machines are exactly behind one Nat, the public IP addresses reported by the two machines are the same. In this case, B and C can establish a direct connection based on the Intranet address/port. In most cases, B and C are in different subnets, and their respective Intranet addresses/ports are meaningless. At this time, B and c need to send UDP requests to the Public Address/port of the other party (at this time, their respective local UDP ports should be the same port when they send UDP messages to, in this way, Nat-cone nat-will reuse the public network port and initiate a new session). Now, both Nat servers have the destination IP address/port as the UDP connection session of the other server, therefore, the UDP packets arriving at this time will not be filtered out. Because the connection is initiated successively, the first several UDP packets arriving at the peer NAT will be filtered out because the destination address/port is inconsistent. Once a new session (hole) is enabled on both sides of the NAT, The UDP packet will be unobstructed, so that the P2P connection between B and C will be established. The implementation of required NAT behavior and above has an important premise, that is, Nats must meet one condition: for each pair of internal IP/port (UDP ), nat only allocates a unique public IP/port, instead of assigning a new UDP public port to each new UDP session. The session on Nat is defined by the source address/port pair and the target address/port pair. If the two parts of two UDP packets are the same, Nat considers them as a session and then releases them. Otherwise, the packets will be filtered out. RFC 3022 explicitly allows and suggests that NATs behave in the former, "desirable" fashion, by maintaining a single (Public IP, public port) mapping for a given (internal IP, internal port) combination independent of the number of active sessions involving this mapping. this behavior not only benefits UDP application compatibility, but also helps Nat save valuable public port addresses. Because the packets can be filtered at the session level, there is no security issue. The only consideration for not using this behavior in Nat is probably to save time. After all, it is much easier to implement a new port in a new session. Unfortunately, RFC 3022 does not RequireNats to implement the desirable behavior. The purpose of writing this applet is to know how many NATs on the Internet support this behavior. You can submit the test results here or view the accumulated results. Changes in version 2 version 2 of NAT check contains the following enhancements:
  • I no longer try to guess the NAT type. The basic Nat is still natp. Because most natp instances prefer the same port when binding public/private ports, which is the same as basic Nat. In this case, Nat check will mistakenly assume that Nat is of the basic type. The only method is to run Nat check on two machines in the same private network at the same time.
  • One feature of NAT can be tested: loopback translation (the name of the original author ). if Nat supports back-to-loop translation, a host can access another host in the private domain located in the same Nat using the public address and port assigned by Nat. Most Nat services may not support this function, but it will become more and more important, because many P2P clients are located after their own Nat and public Nat configured by the ISP. (Twice-Nat) [Note: The term "twice-Nat" here comes from natcheck. c, "Bad for P2P over twice-Nat", when Nat does not support loopback translation, P2P over twice-Nat may be faulty. In my understanding, twice-NAT refers to two-layer Nat instead of twice Nat, which is a new feature of NAT. You can change the source address (port) of the IP packet at the same time) and the destination address (port) to solve the problem of overlapping IP addresses and external IP addresses in NAT (IP overlapping)]
  • Enable the "-V" command line option of NAT check, and you will see detailed feedback during the testing process of the supervisor.
What Nat check does

Natcheck. C is essentially a "ping", which is a well-known UDP port for two different servers located on the Internet. Both servers run the same program natserver. C. In addition, there is a third "Conspiring" server running natbouncer. C. As long as the previous two servers receive a UDP request, in addition to directly replying to the client program, they will also send a copy to the third server, the third server will reply the package to the client. The package sent by the third server is not what the client expects, is initiated by the other party ("unsolicited "). This "Bounce" process mainly tests the security performance of NAT and checks whether it filters out these "unsolicited" packets.

Natcheck. C will bind the same local port to send some UDP packets to the first two public network servers at the same time, determine whether the NAT Gateway implements the "desirable behavior" mentioned above based on whether the public IP address and port of the client are the same in the response packet of the two servers ", that is, multiple sessions initiated by the same internal IP/port only share one public IP/port pair mapped to the nat.

Related Links
  • Dan Kegel's NAT/P2P page
  • IETF midcom Working Group
  • Nat-peer-Games group on Yahoo!
  • P2P area at the Global Grid Forum
  • NAT/firewall page at the P2P working group page (inactive)

The firewall limits the communication between the private network and the public network. It mainly discards the packets that are considered unauthorized by the firewall. The firewall only checks the data of the packets, the IP address and TCP/UDP port information in the data packet are not modified.
Network Address Translation (NAT)
When a packet passes, the network address converter not only checks the packet information, but also modifies the IP address and port information in the packet header. In this way, the machine that is in Nat can share several public IP addresses (usually one ). There are two main types of network address converters:

  1. Basic NAT: Basic Nat converts the private IP address of a private host to a public IP address, but does not convert the TCP/UDP port information. Basic Nat is generally used when Nat has many public IP addresses, it binds the public IP address with the internal host, so that the external can use the public IP address to access the internal host.
  2. Network Address/port translator napt: This is the most common situation. The network address/port converter checks and modifies the packet IP address and TCP/UDP port information, more internal hosts can use a public IP address at the same time.
Refer to the [NAT-TRAD] and [NAT-TERM] documents for more information on Nat classification and terminology. In addition, [stun] has recently made more definitions about napt classification and terminology. When an intranet host opens an out-of-office TCP or UDP session through NAT, napt assigns this session a public IP address and port to receive packets from the Internet, and the host is notified through conversion. In this way, napt establishes a port binding between [private IP: Private Port] and [Public IP: public port.

Port binding specifies that napt will perform address translation tasks during the lifetime of this session. There is a problem in the middle. If a P2P application sends multiple sessions to different Internet hosts from a [private IP Address: Port] on the internal network, what Will Nat do? See the following solutions.

  • Cone NAT: When a [private IP: Port]-[Public IP: Port] port is bound, for a session from the same [private IP: Port, the conical Nat server allows the application that initiates the session to repeat the port binding until the session ends (Port binding ).
  • Symmetric NAT (symmetric Nat): symmetric Nat is very different from cone Nat. Instead of binding ports to sessions, it allocates a new public network port to each new session. (Because it is difficult to correctly know the specific value of the newly allocated public port, the P2P UDP hole punch technology mentioned in this article is not applicable to such Nat. In fact, symmetric Nat is rare)

Loopback Translation)
When the NAT Intranet Machine wants to access the machine in the same LAN through a public address, the NAT device is equivalent to doing Nat twice, before the package arrives at the target machine, convert the private address to the public address, and then convert the public address back to the private address. We call a NAT device with the upstream translation function a "loop translation" device.
For more information, refer to for technical details


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.