[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive Connectivity Establishment (ICE))

Dan Wing dwing at cisco.com
Tue Nov 15 13:22:14 CST 2005


> "Dan Wing" <dwing at cisco.com> writes:
> >> >         Another big problem with UPnP is the double-nat problem.
> >> >Put a device behind two UPnP NATs and you can't open a port
> >> >through both.
> >> >With STUN/etc, you can open ports through any number of NATs.
> >>
> >> Except if one of those NATs is symmetric (which 90% of
> >> all routers are) then it may be broken.
> >
> >draft-jennings-behave-test-results,
> ><http://www.ietf.org/internet-drafts/draft-jennings-behave-test-results-01.txt>,
> >shows test results of a couple dozen NATs.  Only one NAT was found to
> >be symmetric.
> >
> >Do you have other data to share?
>
>         That data is mostly from 2002/2003 NATs, and the newer testing
> is almost all "odd" routers (not from the major players in the retail
> market: Netgear, DLink, Linksys, Belkin, etc) - and the two main retail
> routers there (Netgear 814v2 and Linksys BEFSR81) aren't new.
>
>         It's nowhere near 90%, or even 50% - but the number (especially in
> "popular" routers) is climbing.  The Netgear WGR614 (not the RP614 in the
> draft) is symmetric in all of the recent variations (v4/v5/v6), for example.
> v2 was Cone I think.

Thanks.  I'll see if Cullen (the author of
draft-jennings-behave-test-results) can get those routers and do another
round of tests.  Having accurate information is useful for everyone.

In any event, one of ICE's techniques is to use a media relay (a "TURN
server") when necessary -- such as when you're behind a symmetric NAT.  Of
course, somebody's bandwidth and CPU resources are being used to provide
media relay services, so that someone will likely want to be paid, somehow,
for providing that media relay service.  Depending on how that service is
billed, it may be cheaper to purchase a NAT that doesn't require an external
media relay.  As media progresses from 100kb/sec of G.711 voice to 6Mb/sec
of high-definition multi-screen video, operating a media relay will continue
to be expensive.

The IETF BEHAVE document draft-ietf-behave-nat-udp-04.txt specifies
non-symmetric NAT behavior in order to avoid media relays.  When that
document goes to RFC, vendors can declare a NAT device to be 'compliant with
RFCxxx', and consumers can decide to purchase those RFC-compliant devices,
decide to pay (directly or indirectly) for a media relay service with a
non-RFC-compliant device, or with their RFC-compliant device (if they feel
the media relay and symmetric NAT behavior offer 'better security').

-d
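An added illustration, not part of the original thread, of why ICE needs a TURN relay as soon as one side sits behind a symmetric NAT: a constructed model of two NATs, one with the endpoint-independent mapping the BEHAVE draft asks for and one with address-and-port-dependent ("symmetric") mapping, running the STUN-then-connectivity-check sequence ICE uses. All addresses are constructed documentation-range values, and both NATs are assumed to filter inbound packets on source address and port, a common consumer-router default.

```python
from dataclasses import dataclass, field

STUN_SERVER = ("203.0.113.10", 3478)   # constructed address, not a real host


@dataclass
class NatSim:
    """Constructed NAT model.  mapping is 'eim' (endpoint-independent mapping,
    the BEHAVE requirement) or 'apdm' (address-and-port-dependent mapping,
    i.e. a 'symmetric' NAT).  Filtering is always address-and-port-dependent."""
    mapping: str
    public_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # key -> public endpoint
    perms: dict = field(default_factory=dict)      # public endpoint -> (host, {dests})

    def outbound(self, internal, dest):
        """Allocate (or reuse) the public endpoint for a packet internal -> dest."""
        # EIM keys on the internal socket only; APDM also keys on the destination,
        # so every new peer gets a fresh public port.
        key = internal if self.mapping == "eim" else (internal, dest)
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        public_ep = self.mappings[key]
        self.perms.setdefault(public_ep, (internal, set()))[1].add(dest)
        return public_ep

    def inbound(self, src, public_ep):
        """Deliver only if the internal host already sent to src via public_ep."""
        entry = self.perms.get(public_ep)
        return entry[0] if entry and src in entry[1] else None


def direct_path_works(nat_a, nat_b, host_a, host_b):
    """True if ICE connectivity checks on server-reflexive candidates succeed."""
    # 1. Each side learns its server-reflexive address from the STUN server.
    refl_a = nat_a.outbound(host_a, STUN_SERVER)
    refl_b = nat_b.outbound(host_b, STUN_SERVER)
    # 2. Candidates are exchanged over signalling; both sides send checks.
    #    (Checks are retransmitted in ICE, so treating them as concurrent is fine.)
    seen_from_a = nat_a.outbound(host_a, refl_b)   # source B's NAT actually sees
    seen_from_b = nat_b.outbound(host_b, refl_a)
    # 3. A check succeeds only if the peer NAT's filter lets it through.  Behind a
    #    symmetric NAT seen_from_a != refl_a, so B's NAT never admits the packet.
    a_reaches_b = nat_b.inbound(seen_from_a, refl_b) == host_b
    b_reaches_a = nat_a.inbound(seen_from_b, refl_a) == host_a
    return a_reaches_b and b_reaches_a


def relay_needed(nat_a, nat_b, host_a, host_b):
    """ICE falls back to a TURN relay whenever the direct path fails."""
    return not direct_path_works(nat_a, nat_b, host_a, host_b)
```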
