NAT Hole Punching in Computer Network

Prerequisite – Network Address Translation (NAT) 

What is NAT hole punching ? 

The main restriction or disadvantage for a Device under a NAT is that it cannot accept outbound connections. And if any such attempt is made a NAT makes sure that the message reaches the trash can. This restriction is overcome a method known as Hole Punching. In this method a node outside a NAT, with a publicly reachable Static IP is used, It is called a Rendezvous server. It is used to establish a connection between two nodes which are either both behind different NATs or both behind same NAT or one behind a NAT and other not behind a NAT or nodes under multiple NATs. 

What is it used for ? 

Since most computers in the world are behind some kind of NAT this method is widely used in P2P (Peer to Peer) architectures. The establishment of a P2P network requires direct connection between any two nodes. Hole Punching is the most important concept one has to learn when creating a P2P network. Network firewalls can be bypassed using this concept. Hole Punching is very safe as Connection must be initiated from both ends, hence consent of both users is required. 

How is it done ? 

The detailed explanation of NAT hole punching using Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and for Internet Control Message Protocol (ICMP). This article explains the basic concepts of hole punching. 

We will discuss how to establish connection between two node using NAT hole punching for the below cases.

1. Peers Behind Common NAT
2. Peers Behind Different NATs
3. Peers Behind Multiple levels of NATs

The basic story of a NAT Hole Punch is that, when both the Nodes who want to connect to each other send a message to the server. Server responds to both nodes with each other’s IP address and Ports (Endpoints). Both Nodes try to establish a connection with each other by sending a message to each other, The messages are discarded by the receiver side NATs but the sender side NATs note down the address to which message is sent and any incoming messages from that address will be considered as a reply to this message and will be routed to the source endpoint. Both Nodes again try connecting to each other by sending a message. But now the messages are received successfully as the NAT thinks that this message is a reply to the previous(failed) message.BOOM! a connection is established and a HOLE IS PUNCHED. 

Terminology:

• A : Node 1
• B : Node 2
• S : Rendezvous Server

Steps:

1. A send S a requests connection to B.
2. S sends A’s address to B and B’s address to A.
3. A sends garbage message to B and B sends garbage message to A. (Both Get discarded by their respective NATs)
4. Step 3 is repeated.
5. Connection Established.

The above given NAT hole punching method can be used for any of the cases, either both nodes are behind the same NAT or both nodes are behind the different NATs or even if both nodes are behind multiple levels of NATs. 

Maybe the only disadvantage of NAT hole punching is that, a publicly reachable server with static ip is always required. An architecture called pwnat was proposed to overcome this, but pwnat only works when either one of the two nodes is not behind a NAT.