10

There is an answer explaining in simple terms how a router works, translating requests from the local network to the outside and back (https://superuser.com/questions/105838/how-does-router-know-where-to-forward-packet). What is not clear is: for how long is a record in the NAT kept?

For example, if I send a UDP request to 25.34.11.56:3874 and my local endpoint is 192.168.1.21:54389, the router rewrites the request packet and adds a record to the NAT. Let's say the external endpoint will be 68.55.32.89:34535. Then the computer which received my request responds to 68.55.32.89:34535 and the packet is forwarded to the local 192.168.1.21:54389 in accordance with the NAT record. What happens to the records after that?

What if the 25.34.11.56:3874 decides to send a request to my external endpoint 68.55.32.89:34535 after 10 or 100 minutes? Will it still be forwarded by the router to the 192.168.1.21:54389?

Let's say there is another remote computer with the endpoint 55.43.77.98:8765. What will happen if this computer sends a request to my external endpoint 68.55.32.89:34535? Will it be forwarded to the local 192.168.1.21:54389 or will it be filtered out by the router because the remote endpoint does not match 25.34.11.56:3874 which was initially used for the first request and for the NAT record?

alex.49.98
  • The Tribler team made some measurements on NAT/firewall characteristics 2008: [Link](http://www.tribler.org/NATMeasurements/) This thread on Hacker News also has some insights on NAT traversal: [Link](https://news.ycombinator.com/item?id=8176145) – Encombe May 23 '15 at 13:23

1 Answer

11

It depends.

According to Section 4.3 of RFC 4787, the UDP timeout of a NAT should not be smaller than 2 minutes (120 seconds), except for selected, well-known ports. In practice, however, routers tend to use smaller timeouts. For example, OpenWRT 14.07 uses a timeout of just 60 seconds.

For TCP, the timeouts can be much larger, since TCP connections are usually terminated by an explicit FIN/FIN-ACK exchange. For established TCP connections, Section 5 of RFC 5382 specifies a timeout of no less than 2 hours 4 minutes (7204 seconds), and OpenWRT uses 7440 seconds.

Concerning your second question, most NATs maintain mappings that are specific to a pair of endpoints (socket addresses). If a host A inside the NAT sends a datagram to socket address B, then the mapping will only apply to communication between A and B — a different host C outside the NAT will not be able to use that particular mapping to send data to A. (Some so-called full cone NATs allow that, but they are fairly rare.)

jch
  • This entirely answers the part of the question regarding how long the record lives in the NAT. What about the other part? Would 55.43.77.98:8765 be able to reach my local 192.168.1.21:54389 if the local host sent initial request to 25.34.11.56:3874, for example, and as a result a record in the NAT was created to allow 25.34.11.56:3874 to respond back? – alex.49.98 May 22 '15 at 19:19
  • Edited, hopefully better. – jch May 22 '15 at 19:53
  • Is cone NAT really going away? [This recent Hacker News Post says:](https://news.ycombinator.com/item?id=8178961) "Linux, BSD, and most home routers are full cone. Apparently my cellular tethering feature is also full cone. Most importantly, every carrier-grade NAT I've seen (used on cellular nets and by some ISPs) is full cone." – Encombe May 24 '15 at 04:32
  • That particular hackernews author doesn't know what he's speaking about. He thinks that any NAT that's not symmetric is full cone. – jch May 24 '15 at 06:09
  • He's the developer behind zerotier.com so he ought to know. My anecdotal experience is that cone NAT gets more common, not that it's going away. Also RFC4787 REQ-1 MUST have "Endpoint-Independent Mapping" + REQ-8 RECOMMENDED "Endpoint-Independent Filtering" = full cone NAT. Carrier Grade NAT seems to almost always be full cone NAT – Encombe May 24 '15 at 14:13
  • Full-cone NAT requires "endpoint-independent filtering" in addition to "endpoint-independent mapping". Most NATs I've seen in the wild have "endpoint-dependent filtering". See REQ-8 in Section 5 of RFC 4787. – jch Feb 18 '23 at 12:24
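To play the question's sequence of packets through the two points the answer makes (the expiry timer and endpoint-dependent filtering), here is an added example: a small Python model of a NAT's UDP mapping table. It is not code from the original post or from any real router. The addresses are the ones in the question; the 120 s and 60 s timeouts are the figures quoted in the answer; the `UdpNat` class, the `Filtering` names and the `run_scenario` / `keepalive_demo` functions are this example's own, with the filtering classes named after RFC 4787 Section 5.

```python
"""Toy model of a NAT's UDP mapping table (added example, not a real router).
It plays through the question's scenario: whether 25.34.11.56:3874 can still
reach 192.168.1.21:54389 later, and whether the unrelated host 55.43.77.98:8765
can reach it at all. Filtering classes follow RFC 4787 Section 5; the timeouts
are the ones quoted in the answer (RFC 4787 minimum 120 s, OpenWrt 14.07 60 s)."""

from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, UDP port)


class Filtering(Enum):
    """RFC 4787 filtering behaviours (REQ-8)."""
    ENDPOINT_INDEPENDENT = "endpoint-independent"              # any external host may send in ("full cone")
    ADDRESS_DEPENDENT = "address-dependent"                    # only IPs the internal host has sent to
    ADDRESS_AND_PORT_DEPENDENT = "address-and-port-dependent"  # only exact (IP, port) pairs it has sent to


@dataclass
class Mapping:
    internal: Endpoint
    external: Endpoint
    peers: Set[Endpoint]  # remote endpoints the internal endpoint has sent to
    expires_at: float     # absolute time (seconds) at which the mapping is discarded


class UdpNat:
    def __init__(self, public_ip: str, filtering: Filtering,
                 timeout: float = 120.0, first_port: int = 34535) -> None:
        self.public_ip, self.filtering, self.timeout = public_ip, filtering, timeout
        self.next_port = first_port
        # Endpoint-independent mapping (REQ-1): one external port per internal endpoint,
        # reused for every destination, so two indexes over the same Mapping objects.
        self.by_internal: Dict[Endpoint, Mapping] = {}
        self.by_external: Dict[Endpoint, Mapping] = {}

    def _live(self, m: Optional[Mapping], now: float) -> Optional[Mapping]:
        """Return m if it has not expired; otherwise drop it from both indexes."""
        if m is None:
            return None
        if now >= m.expires_at:
            self.by_internal.pop(m.internal, None)
            self.by_external.pop(m.external, None)
            return None
        return m

    def outbound(self, now: float, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Internal host sends a datagram; returns the external endpoint it appears from."""
        m = self._live(self.by_internal.get(internal), now)
        if m is None:
            m = Mapping(internal, (self.public_ip, self.next_port), set(), 0.0)
            self.next_port += 1
            self.by_internal[internal] = m
            self.by_external[m.external] = m
        m.peers.add(remote)
        m.expires_at = now + self.timeout  # outbound traffic refreshes the timer (REQ-6)
        return m.external

    def inbound(self, now: float, remote: Endpoint, external: Endpoint) -> Optional[Endpoint]:
        """Datagram from `remote` to one of our external ports: returns the internal
        endpoint it is forwarded to, or None when the NAT drops it."""
        m = self._live(self.by_external.get(external), now)
        if m is None:
            return None  # no live mapping for this port
        if self.filtering is Filtering.ADDRESS_AND_PORT_DEPENDENT and remote not in m.peers:
            return None
        if self.filtering is Filtering.ADDRESS_DEPENDENT and remote[0] not in {p[0] for p in m.peers}:
            return None
        # Inbound traffic does not refresh the timer here: REQ-6 only says a NAT MAY
        # do that, so the conservative assumption is that it does not.
        return m.internal


LOCAL: Endpoint = ("192.168.1.21", 54389)
HOST_B: Endpoint = ("25.34.11.56", 3874)  # the host the local machine first talks to
HOST_C: Endpoint = ("55.43.77.98", 8765)  # an unrelated host that was never contacted


def run_scenario(filtering: Filtering, timeout: float) -> dict:
    """Play the question's packet sequence against a NAT with the given behaviour."""
    nat = UdpNat("68.55.32.89", filtering, timeout)
    ext = nat.outbound(0.0, LOCAL, HOST_B)
    return {
        "external": ext,
        "reply_from_b": nat.inbound(1.0, HOST_B, ext),       # immediate reply
        "from_c": nat.inbound(2.0, HOST_C, ext),             # unrelated host, same external port
        "from_b_at_90s": nat.inbound(90.0, HOST_B, ext),     # inside RFC minimum, past OpenWrt's 60 s
        "from_b_at_10min": nat.inbound(600.0, HOST_B, ext),  # well past any UDP timeout
    }


def keepalive_demo(timeout: float = 120.0) -> Tuple[Optional[Endpoint], Optional[Endpoint]]:
    """Outbound traffic before expiry keeps the mapping alive; silence lets it die."""
    nat = UdpNat("68.55.32.89", Filtering.ADDRESS_AND_PORT_DEPENDENT, timeout)
    ext = nat.outbound(0.0, LOCAL, HOST_B)
    nat.outbound(100.0, LOCAL, HOST_B)  # keepalive at t=100 pushes expiry to t=220
    return nat.inbound(200.0, HOST_B, ext), nat.inbound(230.0, HOST_B, ext)


if __name__ == "__main__":
    for f in Filtering:
        print(f.value, run_scenario(f, 120.0))
    print("OpenWrt 60 s:", run_scenario(Filtering.ADDRESS_AND_PORT_DEPENDENT, 60.0))
    print("keepalive:", keepalive_demo())
```

Running it shows the two answers in one place: under address-and-port-dependent filtering the reply from 25.34.11.56:3874 is forwarded, the packet from 55.43.77.98:8765 is dropped, and the packet from 25.34.11.56:3874 ten minutes later is dropped because the mapping expired; only with endpoint-independent filtering (full cone) does the unrelated host get through. Note the practical consequence of the 60 s versus 120 s figures: a peer-to-peer application that wants a UDP mapping to survive has to send keepalives from the inside at an interval shorter than the smallest timeout it may meet, because the model (like many real NATs) refreshes the timer only on outbound traffic.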