STUN - Magic Potion Against NAT

Written on: 2024-08-27

WHY NAT!!!

I have a deep hatred for NATs. NAT, Network Address Translation, is a technology that in part allows the internet to scale. The most common type of NAT you and I deal with is called port-restricted NAT. In this type of NAT, ports on the external IP address are mapped to IP addresses and ports in the local network. Hence the difference between your LAN and WAN.

In short, NAT allows external traffic to reach the right host/system/PC in your LAN.

Well, why do I hate NAT? I'm a tinkerer; I like to mess with things to see what the outcomes are. Furthermore, I like to build things. I want to put the things I build and break out into the wide world of the internet. But alas, I can't.

Well, you might go: "Navin, you dunce, just create a NAT mapping and you're done!" Err... you are right, partially. If you were right, would this blog post exist?

CGNAT : GOD NO...

CGNAT: Carrier Grade NAT. Wait, 'Carrier'? Yes, your carrier (Airtel, Telus, Jio, etc.) can use CGNAT. CGNATs are just like the NAT inside your wimpy router, just... on steroids. By definition:

Carrier-grade NAT, also known as large-scale NAT, is a type of network address translation used by ISPs in IPv4 network design

CGNAT also helps the ISP cheap out on buying IP addresses. They can just buy 1 public IP and theoretically supply internet to 65535 users, with each user's traffic routed through a single port.

Can't I create those mappings in CGNAT? No, I cannot: CGNAT is completely controlled by the ISP. Well, if we cannot create a mapping, how are we getting data back from servers?

Programmatic NAT mapping. Every time you make a request outside your network, the ISP creates a mapping for you. The observing server sees the public IP and port that the mapping was built under. As long as the server replies to this address and port, your ISP knows which host inside the network (which of their customers) the data should be forwarded to.

STUN: The cheat

We use this very property of the ISP, programmatic NAT mapping creation. We have servers whose whole purpose is to observe your public address and the created port. These are called STUN servers, and they respond with this data.
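To make the exchange concrete, here is an added example (not code from the original post) of the STUN Binding Request a client sends and the parsing of the Binding Success Response that comes back, following the RFC 5389 wire format. The server reply is constructed inline so the round trip runs offline; `discover_public_address` is the only part that touches the network, and the STUN server address it takes is an assumption supplied by the caller. The client checks the magic cookie and transaction ID so that an unsolicited or spoofed UDP packet cannot feed it a bogus public address.

```python
import os
import socket
import struct

STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
COOKIE_BYTES = struct.pack("!I", STUN_MAGIC_COOKIE)


def build_binding_request(transaction_id=None):
    """20-byte STUN header: type, length (no attributes), magic cookie, 96-bit transaction ID."""
    if transaction_id is None:
        transaction_id = os.urandom(12)  # unpredictable ID ties the reply to this request
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + transaction_id


def parse_binding_response(data, transaction_id):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, falling back to MAPPED-ADDRESS (IPv4 only)."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != STUN_MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if data[8:20] != transaction_id:
        raise ValueError("transaction id mismatch")  # reply is not for our request; drop it
    if msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response: 0x%04x" % msg_type)
    if 20 + msg_len > len(data):
        raise ValueError("truncated attributes")
    body = data[20:20 + msg_len]
    fallback = None
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        off += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS) or attr_len < 8:
            continue
        family, port = struct.unpack("!xBH", value[:4])
        if family != 0x01:  # 0x01 = IPv4; IPv6 is left out of this example
            continue
        addr = value[4:8]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            # XOR with the cookie undoes the server's masking, which exists so that
            # NATs rewriting IP literals inside payloads do not corrupt the answer.
            port ^= STUN_MAGIC_COOKIE >> 16
            addr = bytes(a ^ b for a, b in zip(addr, COOKIE_BYTES))
            return socket.inet_ntoa(addr), port
        fallback = (socket.inet_ntoa(addr), port)
    if fallback is None:
        raise ValueError("no mapped address in response")
    return fallback


def build_binding_response(transaction_id, ip, port):
    """Construct the reply a STUN server would send (constructed here for the offline demo)."""
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = bytes(a ^ b for a, b in zip(socket.inet_aton(ip), COOKIE_BYTES))
    attr = struct.pack("!HHxBH", ATTR_XOR_MAPPED_ADDRESS, 8, 0x01, xport) + xaddr
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + transaction_id + attr


def discover_public_address(server, timeout=2.0):
    """Send a real Binding Request over UDP to server=(host, port). Needs network access."""
    tid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(tid), server)
        data, _ = s.recvfrom(2048)
    return parse_binding_response(data, tid)


if __name__ == "__main__":
    # Offline round trip with a constructed reply; 203.0.113.9 is a documentation address.
    tid = os.urandom(12)
    reply = build_binding_response(tid, "203.0.113.9", 40000)
    print(parse_binding_response(reply, tid))
</test>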

You now know how people outside the network can reach you. You can share this and everything is good again, right? Umm... No :(

There are different types of NAT mappings:

Endpoint-Independent Mapping

One mapping is created for each sender inside the NAT. If you send two packets to two different remote addresses, the NAT mapping will be re-used. Both remote hosts would see the same source IP and port. If the remote hosts respond, it would be sent back to the same local listener. This is the best-case scenario.

Address Dependent Mapping

A new mapping is created every time you send a packet to a new address. If you send two packets to different hosts, two mappings will be created. If you send two packets to the same remote host but different destination ports, a new mapping will NOT be created.

Address and Port Dependent Mapping

A new mapping is created if the remote IP or port is different. If you send two packets to the same remote host, but different destination ports, a new mapping will be created.

So it is possible that only the server you made the request to (i.e. the STUN server) can send things to you, if your ISP doesn't use Endpoint-Independent Mapping. Ahhhh... the complexities make me go mad.
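The three mapping behaviours above, and the consequence that a peer may not be able to reach the port a STUN server reported, can be seen in a small model. This is an added example, not code from the post: `NatBox` is a toy NAT whose mapping key follows RFC 4787's Endpoint-Independent, Address-Dependent and Address-and-Port-Dependent definitions, and `classify_mapping` probes it the way a client would with two STUN servers (one of them on two ports). All addresses are constructed from the documentation ranges; only mapping behaviour is modelled, not the NAT's separate filtering rules.

```python
EIM = "Endpoint-Independent Mapping"
ADM = "Address-Dependent Mapping"
APDM = "Address-and-Port-Dependent Mapping"


class NatBox:
    """Toy NAT: allocates a public port per mapping key; key shape depends on behaviour."""

    def __init__(self, behaviour, public_ip="198.51.100.1", first_port=40000):
        self.behaviour = behaviour
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}  # key -> public port

    def _key(self, src, dst):
        # src = (lan_ip, lan_port), dst = (remote_ip, remote_port)
        if self.behaviour == EIM:
            return (src,)            # one mapping per internal sender
        if self.behaviour == ADM:
            return (src, dst[0])     # new mapping per remote IP
        return (src, dst)            # new mapping per remote IP *and* port

    def outbound(self, src, dst):
        """Public (ip, port) the remote host at dst observes for a packet from src."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.mappings[key])

    def reply_reaches_sender(self, src, remote, public_port):
        """Would a packet from remote to public_port be translated back to src?"""
        return self.mappings.get(self._key(src, remote)) == public_port


def classify_mapping(nat, lan_src):
    """Probe with two constructed STUN servers, one of them on a second port, and classify."""
    server_a = ("192.0.2.10", 3478)
    server_a_alt_port = ("192.0.2.10", 3479)
    server_b = ("192.0.2.20", 3478)
    seen_a = nat.outbound(lan_src, server_a)
    seen_a_alt = nat.outbound(lan_src, server_a_alt_port)
    seen_b = nat.outbound(lan_src, server_b)
    if seen_a == seen_a_alt == seen_b:
        return EIM
    if seen_a == seen_a_alt:
        return ADM   # same host, different port reused the mapping; new host did not
    return APDM


def peer_can_use_stun_result(nat, lan_src):
    """Learn our public port via a STUN server, then ask whether a third-party peer can hit it."""
    stun_server = ("192.0.2.10", 3478)
    peer = ("192.0.2.99", 5000)
    _, public_port = nat.outbound(lan_src, stun_server)
    return nat.reply_reaches_sender(lan_src, peer, public_port)


if __name__ == "__main__":
    lan = ("10.0.0.5", 5000)
    for behaviour in (EIM, ADM, APDM):
        nat = NatBox(behaviour)
        print(classify_mapping(nat, lan), "-> peer reachable via STUN result:",
              peer_can_use_stun_result(NatBox(behaviour), lan))
```

The last function is the post's point in code: under Endpoint-Independent Mapping the address a STUN server reports is usable by anyone, while under the other two behaviours only the STUN server itself matches the mapping, which is exactly the case where a relay (TURN) has to step in.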

For users that are behind a bad NAT mapping, the STUN server also makes a mapping which is shared with the user. Now other users can send their data to this server, and it in turn forwards the traffic to you. At this point it should be called a proxy, but we are fancy and we instead call it a TURN server.

So STUN is a best-effort protocol. If things don't work out, it falls back to a TURN server.

Do note, the STUN and TURN server are the same (i.e. same address and port).

STUN/TURN: Is this used?

Widely! STUN and TURN are used a lot, especially by the likes of Gmeet and Zoom. Running servers (TURN) to handle huge volumes of video streams is no joke, hence best-effort STUN saves them a lot of dollah bills (Ka-ching).

Conclusion

I still hate NAT; maybe IPv6 will be our saviour... I swear to god, if they implement NAT for IPv6, I WILL RAGE (and write another post). IPv6 has its own set of problems with tunneling through IPv4 networks and such.

But all in all, the world of STUN and TURN has made me more interested in network protocols and makes me want to pick up more (BGP, etc.).

Adios.
