NAT Behavior Discovery Using STUN (RFC 5780)

November 18, 2013 | By Netmanias (tech@netmanias.com)

SUMMARY
This document will explain what algorithms for discovering NAT behaviors are defined in RFC 5780.

Our previous document described the NAT behavior discovery algorithms defined in RFC 3489. This document will explain what algorithms for discovering NAT behaviors are defined in RFC 5780.  

 

Again, to fully understand what's discussed below, we recommend you read the following posts first: 


1. NAT Behavioral Requirements, as Defined by the IETF (RFC 4787) - Part 1. Mapping Behavior
2. NAT Behavioral Requirements, as Defined by the IETF (RFC 4787) - Part 2. Filtering Behavior
3. STUN (RFC 3489) Vs. STUN (RFC 5389/5780)

 


1. STUN Protocol

 

STUN is a simple protocol that allows a client (a STUN client) to send a server (a STUN server) a Binding Request message, and the server to send a Binding Response back to the client. And that's it!  
In order for a server to discover NAT types (Mapping & Filtering Behavior), the server must have two public IP addresses and two source ports (usually 3478 and 3479). One set of the information is called Primary IP/Port (e.g. 1.1.1.1:3478), and the other is called Alternate IP/Port (e.g. 2.2.2.2:3479).
The two messages between the client and server include the following attributes:

 

[Client -> Server] Binding Request message's Attribute


CHANGE-REQUEST: It is used to discover filtering behaviors of a NAT, and consists of "Change IP" and "Change Port" flags. If a client sends a server a Binding Request message with these flags set as 0, the server uses the Destination IP/Port of the message as the Source IP/Port (e.g. 1.1.1.1:3478) of the Binding Response it sends. However, if these flags are set as 1, the server responds by using its alternate IP/Port (e.g. 2.2.2.2:3479).


[Client <- Server] Binding Response message's Attribute


MAPPED-ADDRESS: The Source IP/Port values of the Binding Request message that a server received are used in this attribute field. If there is no NAT, this field will have the same values as the Source IP/Port of the client. But, if there is a NAT, this field will have other values mapped by the NAT. 
RESPONSE-ORIGIN: The Source IP/Port values of the Binding Response message that the server sends are used in this attribute field. 
OTHER-ADDRESS: As mentioned above, a server has two sets of IP/Port values. The other alternate IP/Port that the server has, not the Destination IP/Port of the Binding Request message (i.e. the server's IP/Port), is used in this attribute field. 
XOR-MAPPED-ADDRESS: The same values used in MAPPED-ADDRESS field are encoded by XOR operation, and then used in this field. The client that receives this also performs XOR operation to find out the MAPPED-ADDRESS value. Some NATs modify this value if there happens to be an IP address in a payload (in the MAPPED-ADDRESS attributes field of Binding Request/Response messages) that is same as the one in the IP header, as a result of faulty ALG implementation. Such modification may result in wrong MAPPED-ADDRESS values. In order to prevent erroneous detection of NAT types resulting from such faulty ALG implementation, XOR-MAPPED-ADDRESS is defined. Thus, although MAPPED-ADDRESS values are not actually used in RFC 5780, they are included anyway for the purpose of maintaining backward compatibility with RFC 3489.

 

 

2. NAT Mapping Behavior
 
The algorithms for discovering a NAT's mapping behavior are defined in RFC 5780 as follows. Based on the followings, we will describe how we test mapping behaviors of different NATs.  

 
 
 

4.3  Determining NAT Mapping Behavior

This will require at most three tests.  In test I, the client performs the UDP connectivity test.  The server will return its alternate address and port in OTHER-ADDRESS in the binding response.  If OTHER-ADDRESS is not returned, the server does not support this usage and this test cannot be run. The client examines the XOR-MAPPED-ADDRESS attribute.  If this address and port are the same as the local IP address and port of the socket used to send the request, the client knows that it is not NATed and the effective mapping will be Endpoint-Independent.

In test II, the client sends a Binding Request to the alternate address, but primary port.  If the XOR-MAPPED-ADDRESS in the Binding Response is the same as test I the NAT currently has Endpoint-Independent Mapping.  If not, test III is performed: the client sends a Binding Request to the alternate address and port.  If the XOR-MAPPED-ADDRESS matches test II, the NAT currently has Address-Dependent Mapping; if it doesn't match it currently has Address and Port-Dependent Mapping.

 

 

2.1 Test (Discovery) Procedure

 

 

2.2 No NAT

 

 

Test I

 

2.3 Endpoint-Independent Mapping NAT (EIM-NAT)

 

 
Test I

Test II

 

2.4 Address-Dependent Mapping NAT (ADM-NAT)

 

 


Test I

Test II

Test III

 
2.5 Address and Port-Dependent Mapping NAT (APDM-NAT)

 

 


Test I

Test II

Test III

 

3. NAT Filtering Behavior

 

The algorithms for discovering a NAT's filtering behavior are defined in RFC 5780 as follows:

 
 

4.4  Determining NAT Filtering Behavior

In test I, the client performs the UDP connectivity test.  The server will return its alternate address and port in OTHER-ADDRESS in the binding response.  If OTHER-ADDRESS is not returned, the server does not support this usage and this test cannot be run.

In test II, the client sends a binding request to the primary address of the server with the CHANGE-REQUEST attribute set to change-port and change-IP.  This will cause the server to send its response from its alternate IP address and alternate port.  If the client receives a response, the current behavior of the NAT is Endpoint-Independent Filtering.

If no response is received, test III must be performed to distinguish between Address-Dependent Filtering and Address and Port-Dependent Filtering.  In test III, the client sends a binding request to the original server address with CHANGE-REQUEST set to change-port.  If the client receives a response, the current behavior is Address-Dependent Filtering; if no response is received, the current behavior is Address and Port-Dependent Filtering.

 

3.1 Test (Discovery) Procedure

 

 
3.2 Endpoint-Independent Filtering NAT (EIF-NAT)

 

 
Test I

Test II


3.3 Address-Dependent Filtering NAT (ADF-NAT)

 

 
Test I

Test II

Test III

 
3.4 Address and Port-Dependent Filtering NAT (APDF-NAT)

 

 
Test I

Test II

Test III

 

4. Summary

 

The procedures for discovering mapping and filtering behaviors of a NAT can be summarized as follows:
A NAT's mapping behavior can be detected by switching the Primary IP (and Port, if needed later) value into the Alternate IP (and Port) value in the Binding Request message.  
that a client sends, and checking the XOR-MAPPED-ADDRESS value of the Binding Response message that the client receives. 
A NAT's filtering behavior can be detected by switching the values of CHANGE-REQUEST flags in the Binding Request message that a client sends, and checking whether a response to the message is received or not. 

 

 

RFC 5780 NAT Behavior Discovery Tools Used in Our Test