classification of net 'mid-box'

Source: Internet   Published under: android network interview questions   Editor: 程序博客网   Time: 2024/06/06 02:14

Note:

   This classification generally applies only to UDP traffic, since NATs
   and firewalls reject incoming TCP connection attempts unconditionally
   unless specifically configured to do otherwise.

 

Basic NAT
{
      A Basic NAT maps an internal host's private IP address to a
      public IP address without changing the TCP/UDP port
      numbers in packets crossing the boundary.  Basic NAT is generally
      only useful when the NAT has a pool of public IP addresses from
      which to make address bindings on behalf of internal hosts.
}
else NAPT   (most commonly)
{
  Cone NAT
  {
    Full Cone NAT
    {
            After establishing a public/private port binding for a new
            outgoing session, a full cone NAT will subsequently accept
            incoming traffic to the corresponding public port from ANY
            external endpoint on the public network.  Full cone NAT is
            also sometimes called "promiscuous" NAT.
    }
    or Restricted Cone NAT
    {
            A restricted cone NAT only forwards an incoming packet directed to
            a public port if its external (source) IP address matches the
            address of a node to which the internal host has previously sent
            one or more outgoing packets.  A restricted cone NAT effectively
            refines the firewall principle of rejecting unsolicited incoming
            traffic, by restricting incoming traffic to a set of "known"
            external IP addresses.
    }
    or Port-Restricted Cone NAT
    {
            A port-restricted cone NAT, in turn, only forwards an incoming
            packet if its external IP address AND port number match those of
            an external endpoint to which the internal host has previously
            sent outgoing packets.  A port-restricted cone NAT provides
            internal nodes the same level of protection against unsolicited
            incoming traffic that a symmetric NAT does, while maintaining a
            private port's identity across translation.
    }
  }
  else Symmetric NAT
  {
        A symmetric NAT, in contrast, does not maintain a consistent
        port binding between (private IP, private port) and (public IP,
        public port) across all sessions.  Instead, it assigns a new
        public port to each new session.  For example, suppose Client A
        initiates two outgoing sessions from the same port as above, one
        with S1 and one with S2.  A symmetric NAT might allocate the
        public endpoint 155.99.25.11:62000 to session 1, and then allocate
        a different public endpoint 155.99.25.11:62001, when the
        application initiates session 2.  The NAT is able to differentiate
        between the two sessions for translation purposes because the
        external endpoints involved in the sessions (those of S1
        and S2) differ, even as the endpoint identity of the client
        application is lost across the address translation boundary.
  }
}
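The four NAPT behaviours above differ in two things: whether the mapping (private port to public port) is reused across destinations, and which external sources are allowed back in through it. The following added example (not from the draft or the post) models both rules for UDP-style traffic and then walks the same decision tree as the taxonomy: two probes to different servers to detect symmetric mapping, then inbound probes from an unknown IP and from a known IP on an unknown port to separate the cone variants. All addresses are constructed; the public address and ports 62000/62001 follow the page's own example.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "155.99.25.11"   # public side of the NAT, as in the page's example


@dataclass
class Napt:
    """Toy NAPT. kind is one of: full, restricted, port_restricted, symmetric."""
    kind: str
    next_port: int = 62000
    mappings: dict = field(default_factory=dict)   # binding key -> public port
    allowed: dict = field(default_factory=dict)    # public port -> external endpoints seen

    def outbound(self, priv, dst):
        """Internal host priv=(ip, port) sends to dst=(ip, port); returns the public endpoint."""
        # Symmetric: a fresh binding per (private endpoint, destination).
        # Cone variants: one binding per private endpoint, reused for every destination.
        key = (priv, dst) if self.kind == "symmetric" else priv
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        pub_port = self.mappings[key]
        self.allowed.setdefault(pub_port, set()).add(dst)
        return (PUBLIC_IP, pub_port)

    def inbound(self, src, pub_port):
        """Would a packet from external src=(ip, port) to pub_port be forwarded inside?"""
        known = self.allowed.get(pub_port)
        if known is None:
            return False                        # no binding: unsolicited, dropped
        if self.kind == "full":
            return True                         # any external endpoint may use the binding
        if self.kind == "restricted":
            return any(src[0] == ip for ip, _ in known)   # source IP must be known
        return src in known                     # port-restricted / symmetric: exact endpoint


def classify(nat):
    """Reproduce the taxonomy's decision tree by probing a NAT from two servers S1 and S2."""
    client = ("10.0.0.2", 5000)                         # constructed private endpoint
    s1, s2 = ("192.0.2.10", 3478), ("198.51.100.20", 3478)   # constructed servers
    m1, m2 = nat.outbound(client, s1), nat.outbound(client, s2)
    if m1 != m2:
        return "Symmetric NAT"                          # mapping changed per destination
    port = m1[1]
    if nat.inbound(("203.0.113.99", 4000), port):      # unknown IP and port
        return "Full Cone NAT"
    if nat.inbound((s1[0], 4000), port):               # known IP, unknown port
        return "Restricted Cone NAT"
    return "Port-Restricted Cone NAT"
```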

 Excerpted from RFC2026, lightly reorganized (draft-ford-midcom-p2p-01)


by ga6840