The Broadband Forum is a non-profit industry consortium dedicated to developing broadband network specifications. Members include telecommunications networking and service provider companies, broadband device and equipment vendors, consultants and independent testing labs (ITLs). Service provider members are primarily wire-line (non-mobile) telephone companies.
Technical Report 069 (TR-069) is a document by the Broadband Forum that specifies the CPE WAN Management Protocol (CWMP). CWMP is an application layer protocol for remote management and provisioning of customer-premises equipment (CPE) connected to an Internet Protocol (IP) network. It provides support functions for auto-configuration, software or firmware image management, software module management, status and performance management, and diagnostics. CWMP
A group of public IP addresses. NAT hairpinning, also known as NAT loopback or NAT reflection, is a feature in many consumer routers where a machine on the LAN is able to access another machine on the LAN via the external IP address of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate machine on the LAN). This notion was officially described in RFC 5128 (2008). The following describes an example network: If
A patch available to enable RFC 4787 support but this has not yet been merged. The NAT traversal problem arises when peers behind different NATs try to communicate. One way to solve this problem is to use port forwarding. Another way is to use various NAT traversal techniques. The most popular technique for TCP NAT traversal is TCP hole punching. TCP hole punching requires the NAT to follow
A Symmetric NAT as having an Address- and Port-Dependent Mapping. For the second bullet in each row of the above table, RFC 4787 would also label Full-Cone NAT as having an Endpoint-Independent Filtering, Restricted-Cone NAT as having an Address-Dependent Filtering, Port-Restricted Cone NAT as having an Address and Port-Dependent Filtering, and Symmetric NAT as having either an Address-Dependent Filtering or Address and Port-Dependent Filtering. Other classifications of NAT behavior mentioned in
A checksum that covers all the data they carry, as well as the TCP or UDP header, plus a pseudo-header that contains the source and destination IP addresses of the packet carrying the TCP or UDP header. For an originating NAT to pass TCP or UDP successfully, it must recompute the TCP or UDP header checksum based on the translated IP addresses, not the original ones, and put that checksum into the TCP or UDP header of
A key part of the forum's work, are no longer its only work. For instance, the forum produced work specific to passive optical networking (PON). Its Auto-Configuration Server specification TR-069, originally published in 2004, was adapted for use with set-top box and Network Attached Storage units. The Forum's TR-101 specification (2006) documents migration toward an Ethernet-based DSL aggregation model (Ethernet DSLAMs). In May 2009, IP/MPLS Forum merged with
A methodology for testing a device accordingly. However, these procedures have since been deprecated from standards status, as the methods are inadequate to correctly assess many devices. RFC 5389 standardized new methods in 2008 and the acronym STUN now represents the new title of the specification: Session Traversal Utilities for NAT. It is similar to an address restricted cone NAT, but the restriction includes port numbers. Many NAT implementations combine these types, so it
A one-to-one translation of IP addresses (RFC 1631). RFC 2663 refers to this type of NAT as basic NAT, also called a one-to-one NAT. In this type of NAT, only the IP addresses, IP header checksum, and any higher-level checksums that include the IP address are changed. Basic NAT can be used to interconnect two IP networks with incompatible addresses. Most network address translators map multiple private hosts to one publicly exposed IP address. Here
A packet is sent to 203.0.113.1 by a computer at 192.168.1.100, the packet would normally be routed to the default gateway (the router). A router with the NAT loopback feature detects that 203.0.113.1 is the address of its WAN interface, and treats the packet as if coming from that interface. It determines the destination for that packet, based on DNAT (port forwarding) rules for
A popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network. As network address translation modifies the IP address information in packets, NAT implementations may vary in their specific behavior in various addressing cases and their effect on network traffic. Vendors of equipment containing NAT implementations do not commonly document
A private network. When a computer on the private (internal) network sends an IP packet to the external network, the NAT device replaces the internal source IP address in the packet header with the external IP address of the NAT device. PAT may then assign the connection a port number from a pool of available ports, inserting this port number in the source port field. The packet is then forwarded to
A single local port with many remote hosts. This additional tracking increases implementation complexity and computing resources at the translation device. Because the internal addresses are all disguised behind one publicly accessible address, it is impossible for external hosts to directly initiate a connection to a particular internal host. Applications such as VoIP, videoconferencing, and other peer-to-peer applications must use NAT traversal techniques to function. Pure NAT, operating on IP alone, may or may not correctly parse protocols with payloads containing information about IP, such as ICMP. This depends on whether
A specific internal address and port. RFC 4787 makes a distinction between NAT mapping and NAT filtering. Section 4.1 of the RFC covers NAT mapping and specifies how an external IP address and port number should be translated into an internal IP address and port number. It defines Endpoint-Independent Mapping, Address-Dependent Mapping and Address and Port-Dependent Mapping, explains that these three possible choices do not relate to
Is PAT or NAT overloading and maps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. PAT attempts to preserve the original source port. If this source port is already used, PAT assigns
Is a Cisco proposal that combines Address plus Port translation with tunneling of the IPv4 packets over an ISP provider's internal IPv6 network. In effect, it is an (almost) stateless alternative to carrier-grade NAT and DS-Lite that pushes the IPv4 address/port translation function (and the maintenance of NAT state) entirely into the existing customer premises equipment NAT implementation, thus avoiding
Is a bidirectional SOAP- and HTTP-based protocol, and provides the communication between a CPE and auto configuration servers (ACS). The protocol addresses the growing number of different Internet access devices such as modems, routers, gateways, as well as end-user devices which connect to the Internet, such as set-top boxes and VoIP phones. TR-069 was first published in May 2004, with amendments in 2006, 2007, 2010, July 2011 (version 1.3), and November 2013 (version 1.4 am5). Other technical initiatives, such as
Is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was initially used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced but could not route the network's address space. It has become
Is a typical configuration: All IP packets have a source IP address and a destination IP address. Typically, packets passing from the private network to the public network will have their source address modified, while packets passing from the public network back to the private network will have their destination address modified. To avoid ambiguity in how replies are translated, further modifications to
Is also called port forwarding, or DMZ when used on an entire server, which becomes exposed to the WAN, becoming analogous to an undefended military demilitarized zone (DMZ). The meaning of the term SNAT varies by vendor: Secure network address translation (SNAT) is part of Microsoft's Internet Security and Acceleration Server and is an extension to the NAT driver built into Microsoft Windows Server. It provides connection tracking and filtering for
Is also negotiated with the device in advance (e.g. in a previous provisioning session) to prevent the usage of CPEs for DDoS attacks on the provisioning server (ACS). After confirmation is sent by the device, the provisioning session should be started as soon as possible and not later than 30 seconds after confirmation is transmitted. The CWMP protocol also defines a mechanism for reaching the devices that are connected behind NAT (e.g. IP phones, set-top boxes). This mechanism, based on STUN and UDP NAT traversal,
Is better to refer to specific individual NAT behavior instead of using the Cone/Symmetric terminology. RFC 4787 attempts to alleviate confusion by introducing standardized terminology for observed behaviors. For the first bullet in each row of the above table, the RFC would characterize Full-Cone, Restricted-Cone, and Port-Restricted Cone NATs as having an Endpoint-Independent Mapping, whereas it would characterize
Is built on top of a defined set of simple operations. Each order is considered atomic, though there is no support for transactions. If the device cannot fulfill the order, a proper error must be returned to the ACS – the device should never break the provisioning session. For a more complete list of operations and an analysis of the protocol, see The compromise of an ISP ACS or the link between an ACS and CPE by unauthorized entities can yield access to
Is defined in document TR-069 Annex G (formerly in TR-111). Amendment 5 of the protocol introduces an alternative method of executing Connection Request via NAT based on XMPP (see Annex K of TR-069 Amendment 5 for details). Most of the configuration and diagnostics is performed through setting and retrieving the value of the device parameters. These are organized in a well-defined hierarchical structure that
Is forwarded to the inside network. Otherwise, if the destination port number of the incoming packet is not found in the translation table, the packet is dropped or rejected because the PAT device doesn't know where to send it. IEEE Reverse Address and Port Translation (RAPT or RAT) allows a host whose real IP address changes from time to time to remain reachable as a server via a fixed home IP address. Cisco's RAPT implementation
Is more or less common to all device models and manufacturers. Broadband Forum publishes its data model standards in two formats: XML files containing a detailed specification of each subsequent data model and all of the changes between their versions, and PDF files containing human-readable details. Supported standards and extensions should be clearly marked in the device data model. This should be in
Is no need to use a third party (like STUN) to discover the NAT port since the application itself already knows the NAT port. However, if two internal hosts attempt to communicate with the same external host using the same port number, the NAT may attempt to use a different external IP address for the second connection or may need to forgo port preservation and remap the port. As of 2006, roughly 70% of
Is present), wrong parameter access level and correctly using only defined valid values. For example, for the field that indicates the supported standard of WLAN protocols, the value 'g' should indicate support of 802.11b and 802.11g, and 'g-only' support only of 802.11g. Even though values such as 'bg' or 'b/g' are not legal according to the Broadband Forum standards, they are very commonly found in device data models. The whole provisioning
Is recommended where maximum application transparency is required while Address-Dependent Filtering is recommended where more stringent filtering behavior is most important. Some NAT devices are not yet compliant with RFC 4787 as they treat NAT mapping and filtering in the same way, so that their configuration option for changing the NAT filtering method also changes the NAT mapping method (e.g. Netgate TNSR). The PF firewall has
Is reported by the device in the GetParameterNamesResponse message. The device should not permit the change of any parameter marked as read-only. Data model specifications and extensions clearly mark the required status of most of the parameters. Values applicable for the parameter, their type and meaning are also precisely defined by the standard. Some parts of the data model require the existence of multiple copies of
Is required for security reasons, data such as the username and the password needs to be provided. All communications and operations are performed in the scope of the provisioning session. The session is always started by the device (CPE) and begins with the transmission of an Inform message. Its reception and the readiness of the server for the session are indicated by an InformResponse message. That concludes
Is that it mitigates IPv4 address exhaustion by allowing entire networks to be connected to the Internet using a single public IP address. Network address and port translation may be implemented in several ways. Some applications that use IP address information may need to determine the external address of a network address translator. This is the address that its communication peers in the external network detect. Furthermore, it may be necessary to examine and categorize
The Home Gateway Initiative (HGI), Digital Video Broadcasting (DVB) and WiMAX Forum endorsed CWMP as the protocol for remote management of residential networking devices and terminals. CWMP is a text-based protocol. Orders sent between the device (CPE) and auto configuration server (ACS) are transported over HTTP (or more frequently HTTPS). At this level (HTTP), the CPE acts as client and the ACS as HTTP server. This essentially means that control over
The NAT444 and statefulness problems of carrier-grade NAT, and also provides a transition mechanism for the deployment of native IPv6 at the same time with very little added complexity. Hosts behind NAT-enabled routers do not have end-to-end connectivity and cannot participate in some internet protocols. Services that require the initiation of TCP connections from the outside network, or that use stateless protocols such as those using UDP, can be disrupted. Unless
The empty HTTP-request by the device will contain a CWMP-request from the ACS. This will subsequently be followed by an HTTP-request containing a CWMP-response for the previous CWMP-request. Multiple orders may be transmitted one-by-one. This stage (and the whole provisioning session) is terminated by an empty HTTP-response from the ACS indicating that no more orders are pending. There are certain events that will trigger
The port preservation design for TCP. For a given outgoing TCP communication, the same port numbers are used on both sides of the NAT. NAT port preservation for outgoing TCP connections is crucial for TCP NAT traversal because, under TCP, one port can only be used for one communication at a time. Programs that bind distinct TCP sockets to ephemeral ports for each TCP communication make NAT port prediction impossible for TCP. On
The Broadband Forum. It had promoted the Frame Relay and Multiprotocol Label Switching technologies. Technical work of the IP/MPLS Forum continued in a newly created "IP/MPLS and Core" Working Group of the Broadband Forum. The historical specifications from the IP/MPLS Forum's predecessors, ATM Forum, Frame Relay Forum, MFA Forum, and MPLS Forum, are archived on the Broadband Forum's website, under IP/MPLS Forum specifications. Broadband Forum issued the Femto Access Point Service Data Model TR-196 during April 2009 and version 2 was released during November 2011. Broadband Forum specified in TR-348 for Hybrid Access Networks an architecture that enables network operators to efficiently combine xDSL and LTE. Network address translation Network address translation (NAT)
The Forum created the TR-001 (1996) system reference model, which together with the later TR-012 (1999) core network architecture, recommended PPP over an ATM transport layer as the best practice for a DSL ISP. This was subsequently refined in TR-025 and TR-059. Starting in 2004, the Forum expanded its work into other last mile technologies including optical fiber. On 17 June 2008 it changed its name to "Broadband Forum". DSL-related specifications, while still
The NAT router makes a specific effort to support such protocols, incoming packets cannot reach their destination. Some protocols can accommodate one instance of NAT between participating hosts ("passive mode" FTP, for example), sometimes with the assistance of an application-level gateway (see § Applications affected by NAT), but fail when both systems are separated from the internet by NAT. The use of NAT also complicates tunneling protocols such as IPsec because NAT modifies values in
The NAT. Destination network address translation (DNAT) is a technique for transparently changing the destination IP address of a routed packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet. DNAT is commonly used to publish a service located in a private network on a publicly accessible IP address. This use of DNAT
The RFC include whether they preserve ports, when and how mappings are refreshed, whether external mappings can be used by internal hosts (i.e., its hairpinning behavior), and the level of determinism NATs exhibit when applying all these rules. Specifically, most NATs combine symmetric NAT for outgoing connections with static port mapping, where incoming packets addressed to the external address and port are redirected to
The TR-069-enabled devices of a service provider's entire subscriber base. Customer information and device operation would be available to the potential attackers, including other MAC addresses on clients' networks. Covert redirection of DNS queries to a rogue DNS server might be possible, and even surreptitious firmware updates with backdoor features. TR-069 ACS software has been found to be often implemented insecurely. Flaws in combined implementations of TR-064 (LAN side DSL CPE configuration) and TR-069 (CWMP), that reused
The additional network connections needed for the FTP, ICMP, H.323, and PPTP protocols as well as the ability to configure a transparent HTTP proxy server. Dynamic NAT, just like static NAT, is not common in smaller networks but is found within larger corporations with complex networks. Where static NAT provides a one-to-one internal to public static IP address mapping, dynamic NAT uses
The broadband market. Its initial main purpose was the establishment of new standards around digital subscriber line communication products such as provisioning. This cooperation has brought different standardizations for ADSL, SHDSL, VDSL, ADSL2+ and VDSL2. The group was established in 1994 as the ADSL Forum, but became the DSL Forum in 1999. It was renamed after the digital subscriber line (DSL) family of technology, also known collectively as xDSL. Among its early design documents,
The clients in P2P networks employed some form of NAT. Every TCP and UDP packet contains a source port number and a destination port number. Each of those packets is encapsulated in an IP packet, whose IP header contains a source IP address and a destination IP address. The IP address/protocol/port number triple defines an association with a network socket. For publicly accessible services such as web and mail servers
The data model. If an instance is added to an object, an identifier is assigned. After being assigned, identifiers cannot change during the life-cycle of the device, except by factory reset. Even though the list of the parameters and their attributes is well-defined, most of the devices do not follow standards completely. Most common problems include missing parameters, omitted instance identifiers (for multi-instance objects where only one instance
The destination. If the data were sent to port 80 and a DNAT rule exists for port 80 directed to 192.168.1.2, then the host at that address receives the packet. If no applicable DNAT rule is available, the router drops the packet. An ICMP Destination Unreachable reply may be sent. If any DNAT rules were present, address translation is still in effect; the router still rewrites the source IP address in
The device is verified based on a shared secret (password) at the HTTP level. Passwords may be negotiated between the parties (CPE-ACS) at every provisioning session. When the device contacts the ACS for the first time (or after a factory reset) default passwords are used. In large networks it is the responsibility of procurement to ensure each device is using unique credentials; their list is delivered with
The devices themselves and secured. Initialization and control of the provisioning session flow is the sole responsibility of the device, but it is possible for the ACS to request a session start from the device. The connection request mechanism is also based on HTTP. In this case the device (CPE) is put in the role of HTTP server. The ACS requests a connection from the device by visiting a negotiated URL and performing HTTP Authentication. A shared secret
The external network. The NAT device then makes an entry in a translation table containing the internal IP address, original source port, and the translated source port. Subsequent packets from the same internal source IP address and port number are translated to the same external source IP address and port number. The computer receiving a packet that has undergone NAT establishes a connection to
The field Device.DeviceSummary or InternetGatewayDevice.DeviceSummary which is required starting from Device:1.0 and InternetGatewayDevice:1.1 respectively. If the field is not found, InternetGatewayDevice:1.0 is implied. As of Device:1.4 and InternetGatewayDevice:1.6 a new field ('<RO>'.SupportedDatamodel) for the supported standard specification was introduced. The model is always rooted in
The first available port number starting from the beginning of the appropriate port group 0–511, 512–1023, or 1024–65535. When there are no more ports available and there is more than one external IP address configured, PAT moves to the next IP address to try to allocate the original source port again. This process continues until it runs out of available ports and external IP addresses. Mapping of Address and Port
The first packet of the fragmented set of packets. Alternatively, the originating host may perform path MTU Discovery to determine the packet size that can be transmitted without fragmentation and then set the don't fragment (DF) bit in the appropriate packet header field. This is only a one-way solution, because the responding host can send packets of any size, which may be fragmented before reaching
The flow of the provisioning session is the sole responsibility of the device. In order for the device to connect to the server, it needs to have certain parameters configured first. These include the URL of the server the device wants to connect to and the interval at which the device will initiate the provisioning session (PeriodicInformInterval). Additionally, if authentication
The headers which interfere with the integrity checks done by IPsec and other tunneling protocols. End-to-end connectivity has been a core principle of the Internet, supported, for example, by the Internet Architecture Board. Current Internet architectural documents observe that NAT is a violation of the end-to-end principle, but that NAT does have a valid role in careful design. There is considerably more concern with
The initial originating transmission is what establishes the required information in the translation tables. Thus a web browser within the private network would be able to browse websites that are outside the network, whereas web browsers outside the network would be unable to browse a website hosted within. Protocols not based on TCP and UDP require other translation techniques. An additional benefit of one-to-many NAT
The internet. Ports are endpoints of communication unique to that host, so a connection through the NAT device is maintained by the combined mapping of port and IP address. A private address on the inside of the NAT is mapped to an external public address. Port address translation (PAT) resolves conflicts that arise when multiple hosts happen to use the same source port number to establish different external connections at
The main phone number is the public IP address, and the individual extensions are unique port numbers. With NAT, all communications sent to external hosts actually contain the external IP address and port information of the NAT device instead of internal host IP addresses or port numbers. NAT only translates IP addresses and ports of its internal hosts, hiding the true endpoint of an internal host on
The other hand, for UDP, NATs do not need port preservation. Indeed, multiple UDP communications (each with a distinct endpoint) can occur on the same source port, and applications usually reuse the same UDP socket to send packets to distinct hosts. This makes port prediction straightforward, as it is the same source port for each packet. Furthermore, port preservation in NAT for TCP allows P2P protocols to offer less complexity and less latency because there
The packets are required. The vast bulk of Internet traffic uses Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). For these protocols, the port numbers are changed so that the combination of IP address (within the IP header) and port number (within the Transport Layer header) on the returned packet can be unambiguously mapped to the corresponding private network destination. RFC 2663 uses
The payload is interpreted by a host on the inside or outside of the translation. Basic protocols such as TCP and UDP cannot function properly unless NAT takes action beyond the network layer. IP packets have a checksum in each packet header, which provides error detection only for the header. IP datagrams may become fragmented and it is necessary for a NAT to reassemble these fragments to allow correct recalculation of higher-level checksums and correct tracking of which packets belong to which connection. TCP and UDP have
The port and IP address specified in the altered packet, oblivious to the fact that the supplied address is being translated. Upon receiving a packet from the external network, the NAT device searches the translation table based on the destination port in the packet header. If a match is found, the destination IP address and port number are replaced with the values found in the table and the packet
The port number is important. For example, port 443 connects through a socket to the web server software and port 465 to a mail server's SMTP daemon. The IP address of a public server is also important, similar in global uniqueness to a postal address or telephone number. Both IP address and port number must be correctly known by all hosts wishing to successfully communicate. Private IP addresses as described in RFC 1918 are usable only on private networks not directly connected to
The protocol defines multiple methods that may be invoked by the device on the ACS, only one is commonly found: TransferComplete, which is used to inform the ACS of the completion of a file transfer initiated by a previously issued Download or Upload request. This stage is finalized by transmission of an empty HTTP-request to the ACS. In the third stage the roles change on the CWMP level. The HTTP-response for
The provisioning session. These include: As vital data (like user names and passwords) may be transmitted to the CPE via CWMP, it is essential to provide a secure transport channel and always authenticate the CPE against the ACS. Secure transport and authentication of the ACS identity can easily be provided by usage of HTTPS and verification of the ACS certificate. Authentication of the CPE is more problematic. The identity of
The same HTTP endpoint over the public internet for Connection Requests without proper protections, were found in devices by various vendors and are exploited by Mirai-based botnets and other malware. Broadband Forum The DSL Forum was founded in 1994 with about 200 member companies in different divisions of the telecommunication and information technology sector. It is used as a platform for companies that operate in
The same time. A NAT device is similar to a phone system at an office that has one public telephone number and multiple extensions. Outbound phone calls made from the office all appear to come from the same telephone number. However, an incoming call that does not specify an extension cannot be automatically transferred to an individual inside the office. In this scenario, the office is a private LAN,
The security of the NAT as security is determined by the filtering behavior and then specifies "A NAT MUST have an 'Endpoint-Independent Mapping' behavior." Section 5 of the RFC covers NAT filtering and describes what criteria are used by the NAT to filter packets originating from specific external endpoints. The options are Endpoint-Independent Filtering, Address-Dependent Filtering and Address and Port-Dependent Filtering. Endpoint-Independent Filtering
The session initialization stage. The order of the next two stages depends on the value of the flag HoldRequests. If the value is false, the initialization stage is followed by the transmission of device requests; otherwise ACS orders are transmitted first. The following description assumes the value is false. In the second stage, orders are transmitted from the device to the ACS. Even though
The single key named Device or InternetGatewayDevice depending on the manufacturer's choice. At each level of the structure objects and parameters (or array-instances) are allowed. Keys are constructed by concatenating the names of objects and parameters using '.' (dot) as a separator, e.g. InternetGatewayDevice.Time.NTPServer1. Each of the parameters may be marked as writable or non-writable. This
The specifics of NAT behavior. IPv4 uses 32-bit addresses, capable of uniquely addressing about 4.3 billion devices. By 1992, it became evident that this would not be enough. The 1994 RFC 1631 describes NAT as a "short-term solution" to the two most compelling problems facing the IP Internet at that time: IP address depletion and scaling in routing. By 2004, NAT had become widespread. The simplest type of NAT provides
The subtree. The best examples are those describing tables, e.g. Port Forwarding Table. An object representing an array will only have instance numbers or alias names as its children. A multi-instance object may be writable or read-only, depending on what it represents. Writable objects allow dynamic creation and removal of their children. For example, if an object represents four physical ports on an Ethernet switch, then it should not be possible to add or remove them from
The term network address and port translation (NAPT) for this type of NAT. Other names include port address translation (PAT), IP masquerading, NAT overload, and many-to-one NAT. This is the most common type of NAT and has become synonymous with the term NAT in common usage. This method allows communication through the router only when the conversation originates in the private network, since
The type of mapping in use, for example when it is desired to set up a direct communication path between two clients both of which are behind separate NAT gateways. For this purpose, RFC 3489 specified a protocol called Simple Traversal of UDP over NATs (STUN) in 2003. It classified NAT implementations as full-cone NAT, (address) restricted-cone NAT, port-restricted cone NAT or symmetric NAT, and proposed
The use of IPv6 NAT, and many IPv6 architects believe IPv6 was intended to remove the need for NAT. An implementation that only tracks ports can be quickly depleted by internal applications that use multiple simultaneous connections such as an HTTP request for a web page with many embedded objects. This problem can be mitigated by tracking the destination IP address in addition to the port, thus sharing