
NAT Configuration

The roclub Connector relies heavily on NAT traversal, both for Video Conferencing and for connecting to the roclub Controlplane Platform.

The details of NAT behaviour are complex. For background on the requirements of the roclub Connector, it is recommended to read RFC 4787 (NAT Behavioral Requirements for Unicast UDP).

The functionality and performance of the roclub Connector can be limited by the customer network; NAT configuration and restrictions are a major contributing factor. The IETF (RFC 4787) divides NAT mapping behaviour into two types: the easy variant, “Endpoint-Independent Mapping” (EIM), and the hard variant, “Endpoint-Dependent Mapping” (EDM).

Endpoint-Independent and Endpoint-Dependent Mapping

NAT Endpoint-Independent Mapping is a NAT configuration in which the same internal private IP address and port is consistently mapped to the same external public IP address and port, regardless of the destination IP address or port of the outgoing packets.

NAT Endpoint-Dependent Mapping is a NAT configuration in which the mapping of an internal private IP address and port to an external public IP address and port depends on the specific destination IP address and port. As a consequence, different external mappings may be created for different destinations.

Combining the NAT's mapping behaviour with the firewall's filtering behaviour (which inbound packets are accepted on a mapping) gives the classic NAT cone types:

Firewall (filtering)                     | Endpoint-Independent NAT mapping | Endpoint-Dependent NAT mapping (all types)
Endpoint-Independent                     | Full Cone NAT                    | N/A
Endpoint-Dependent (dest. IP only)       | Restricted Cone NAT              | N/A
Endpoint-Dependent (dest. IP and port)   | Port-Restricted Cone NAT         | Symmetric NAT
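The mapping behaviour in the table can be measured directly: send a STUN Binding request to two different STUN servers from the same local UDP socket and compare the reflexive addresses they report. If both report the same external IP and port the NAT is Endpoint-Independent; if they differ the NAT is Endpoint-Dependent (the Symmetric NAT row). The following is an added example, not code from the roclub Connector; it implements the STUN Binding exchange from RFC 5389 (request, XOR-MAPPED-ADDRESS parsing, and a response builder used only to exercise the parser offline). The two public STUN server names in the main block are assumptions and can be replaced with any reachable STUN servers.

```python
import os
import socket
import struct

# STUN constants (RFC 5389 / RFC 8489)
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id=None):
    """20-byte Binding request: type, length 0, magic cookie, 96-bit transaction ID."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)


def build_binding_response(txn_id, ip, port, xor=True):
    """Server side of the exchange, carrying the client's reflexive address.
    Included so the parser can be exercised offline; a real STUN server produces this."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:
        attr_type = ATTR_XOR_MAPPED_ADDRESS
        port_f, addr_f = port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
    else:
        attr_type, port_f, addr_f = ATTR_MAPPED_ADDRESS, port, addr
    attr = struct.pack("!HHBBHI", attr_type, 8, 0, 0x01, port_f, addr_f)  # family 0x01 = IPv4
    return struct.pack("!HHI12s", BINDING_RESPONSE, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_mapped_address(data, txn_id):
    """Return the reflexive (ip, port) from a Binding response, or None if the
    message is not a matching response. XOR-MAPPED-ADDRESS is preferred because
    some NATs rewrite a plain MAPPED-ADDRESS they recognise inside the payload."""
    if len(data) < 20:
        return None
    msg_type, length, cookie, rx_txn = struct.unpack("!HHI12s", data[:20])
    if msg_type != BINDING_RESPONSE or cookie != MAGIC_COOKIE or rx_txn != txn_id:
        return None
    body = data[20:20 + length]
    plain, off = None, 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if len(val) < 8 or val[1] != 0x01:    # IPv4 only in this example
            continue
        port, addr = struct.unpack("!HI", val[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        if atype == ATTR_MAPPED_ADDRESS:
            plain = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    return plain


def classify_mapping(mappings):
    """mappings: reflexive (ip, port) pairs reported by *different* STUN servers for
    the *same* local socket. Identical mappings mean the NAT reused one external port
    regardless of destination (EIM); any difference means EDM, i.e. a Symmetric NAT."""
    distinct = {m for m in mappings if m is not None}
    if not distinct:
        return "unknown"   # no STUN answers at all: UDP blocked or servers unreachable
    return "EIM" if len(distinct) == 1 else "EDM"


def probe(servers, timeout=2.0):
    """Send a Binding request to each server from ONE UDP socket and collect mappings."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    results = []
    try:
        for host, port in servers:
            txn = os.urandom(12)
            sock.sendto(build_binding_request(txn), (host, port))
            try:
                data, _ = sock.recvfrom(1500)
                results.append(parse_mapped_address(data, txn))
            except socket.timeout:
                results.append(None)
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    # Assumption: two public STUN servers reachable from the connector's network.
    servers = [("stun.l.google.com", 19302), ("stun.cloudflare.com", 3478)]
    mappings = probe(servers)
    for (host, _), m in zip(servers, mappings):
        print(host, "->", m)
    print("mapping behaviour:", classify_mapping(mappings))
```

The probe has to use a single socket for both requests; opening a new socket per server would create a new mapping each time and always look like EDM. A result of "unknown" (no answers) is itself informative: outbound UDP is being dropped, which forces relaying regardless of NAT type.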

NAT traversal through a Symmetric NAT cannot work with STUN alone: the external port a STUN server observes is not the port the NAT will use towards a different peer, so the learned address is useless for that peer. For video conferencing this means falling back to TURN (Traversal Using Relays around NAT), an authenticated relay server, which adds latency. This STUN-first, TURN-fallback model is the standard approach for Video Conferencing (WebRTC) scenarios.

For communication with the Controlplane we use DERP (Designated Encrypted Relay for Packets) servers. DERP is a general-purpose relay protocol carried over HTTP(S), so the relay connection looks like ordinary outbound web traffic to proxies and firewalls, which gives it high compatibility with corporate networks.

To achieve optimal performance behind a Symmetric NAT, consider the following steps:

  • Enable UPnP, NAT-PMP, or PCP on the NAT gateway so the connector can request a port mapping automatically. A mapped port is reachable from any peer, which sidesteps the endpoint-dependent behaviour of the NAT for that port.
  • Additionally, allow 41641/UDP through the firewall and, where the connector sits behind NAT, forward that port statically to the connector. This port is used for direct peer-to-peer communication; a reachable port removes the need to relay traffic and reduces latency for Remote Operators by establishing direct connections between devices.

NAT-PMP (NAT Port Mapping Protocol)

NAT-PMP is a lightweight UDP protocol (gateway port 5351) developed by Apple that lets devices on the internal network automatically request port mappings from a NAT gateway and learn its public IP address. It simplifies port forwarding and public IP discovery, making it useful for applications like gaming and peer-to-peer networking. It has no authentication: the gateway trusts any request arriving from the internal side, so it must never be reachable from the WAN.

Reference:
RFC 6886: NAT Port Mapping Protocol (NAT-PMP)
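The two NAT-PMP exchanges a connector would use for the configuration steps above (learn the public address, then map 41641/UDP) are shown below as an added example; this is not code from the roclub Connector or from Apple, and it implements the request and response formats of RFC 6886 directly. The gateway address in the main block and the choice of 41641/UDP as the port to map are assumptions taken from the steps above; the response builder only exists so the parsers can be run offline.

```python
import socket
import struct

NATPMP_PORT = 5351           # gateway listens on UDP 5351 (RFC 6886)
OP_EXTERNAL_ADDRESS = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESPONSE_BIT = 128           # response opcode = request opcode + 128
RESULT_CODES = {
    0: "success",
    1: "unsupported version",
    2: "not authorized / refused (mapping disabled on gateway)",
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


def build_external_address_request():
    """Opcode 0: ask the gateway for its public IPv4 address (2-byte request)."""
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDRESS)


def parse_external_address_response(data):
    """12-byte response: version, opcode 128, result, seconds-since-epoch, external IPv4."""
    if len(data) < 12:
        raise ValueError("short NAT-PMP response")
    version, opcode, result, epoch, addr = struct.unpack("!BBHI4s", data[:12])
    if version != 0 or opcode != OP_EXTERNAL_ADDRESS + RESPONSE_BIT:
        raise ValueError("not an external-address response")
    return {"result": RESULT_CODES.get(result, "unknown"), "ok": result == 0,
            "epoch": epoch, "external_ip": socket.inet_ntoa(addr)}


def build_map_request(opcode, internal_port, external_port=0, lifetime=7200):
    """Opcode 1 (UDP) / 2 (TCP): map internal_port to a public port for lifetime seconds.
    external_port 0 lets the gateway choose; lifetime 0 deletes the mapping."""
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)


def parse_map_response(data, opcode):
    """16-byte response: version, opcode+128, result, epoch, internal port,
    external port actually assigned (may differ from the one requested), lifetime."""
    if len(data) < 16:
        raise ValueError("short NAT-PMP response")
    version, rx_opcode, result, epoch, internal, external, lifetime = struct.unpack("!BBHIHHI", data[:16])
    if version != 0 or rx_opcode != opcode + RESPONSE_BIT:
        raise ValueError("opcode mismatch")
    return {"result": RESULT_CODES.get(result, "unknown"), "ok": result == 0,
            "epoch": epoch, "internal_port": internal, "external_port": external,
            "lifetime": lifetime}


def build_map_response(opcode, result, epoch, internal_port, external_port, lifetime):
    """Gateway side of the exchange; used here to construct offline input for the parser."""
    return struct.pack("!BBHIHHI", 0, opcode + RESPONSE_BIT, result, epoch,
                       internal_port, external_port, lifetime)


def natpmp_exchange(gateway_ip, request, first_timeout=0.25, tries=9):
    """Send one request to the gateway and return the raw reply.
    RFC 6886 retransmission: interval doubles from 250 ms, at most 9 attempts."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    interval = first_timeout
    try:
        for _ in range(tries):
            sock.sendto(request, (gateway_ip, NATPMP_PORT))
            sock.settimeout(interval)
            try:
                data, (src, _) = sock.recvfrom(64)
                if src == gateway_ip:          # ignore replies not from the gateway
                    return data
            except socket.timeout:
                interval *= 2
    finally:
        sock.close()
    raise TimeoutError("no NAT-PMP reply from %s" % gateway_ip)


def request_udp_mapping(gateway_ip, port=41641, lifetime=7200):
    """Map port/UDP on the gateway, asking for the same external port number."""
    reply = natpmp_exchange(gateway_ip, build_map_request(OP_MAP_UDP, port, port, lifetime))
    return parse_map_response(reply, OP_MAP_UDP)


if __name__ == "__main__":
    GATEWAY = "192.168.1.1"   # assumption: replace with the connector's default gateway
    ext = parse_external_address_response(natpmp_exchange(GATEWAY, build_external_address_request()))
    print("external address:", ext)
    print("mapping:", request_udp_mapping(GATEWAY))
```

Two details matter in practice. The gateway may assign a different external port than the one requested, so a client must use the port from the response rather than the one it asked for; and the mapping expires after the lifetime, so it has to be renewed (the RFC suggests renewing at half the lifetime). Behind carrier-grade NAT the gateway will typically answer with an external address in the private or shared-address range, which tells you immediately that the mapping is not reachable from the Internet.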

UPnP (Universal Plug and Play)

UPnP is a broader protocol suite that lets devices discover and interact with each other on a network; automatic port forwarding is provided by its Internet Gateway Device (IGD) profile. It is widely supported but has a poor security record: the IGD control interface requires no authentication, so any host on the LAN (including malware running on it) can open inbound ports, and some routers have exposed that interface on the WAN side.

Reference:
UPnP Forum IGD Specifications

PCP (Port Control Protocol)

PCP is a newer IETF protocol designed to succeed NAT-PMP and UPnP IGD. It offers explicit mapping lifetimes, third-party port control, and support for both IPv4 and IPv6, including carrier-grade NAT deployments, and it scales better for large NATs. The base protocol is, like NAT-PMP, unauthenticated; an optional authentication mechanism is specified separately (RFC 7652).

References:
RFC 6887: Port Control Protocol (PCP)
RFC 7291: DHCP Options for Port Control Protocol (PCP)

Carrier-grade NAT

Depending on the CGNAT of your ISP there can be problems with general connectivity. Behind CGNAT the customer's router is not the device that owns the public IP address, so port-mapping protocols (UPnP, NAT-PMP, PCP) on that router either fail or produce a mapping that is not reachable from the Internet. Traffic then either depends on hairpinning or falls back to relaying.

Hairpinning (two hosts behind the same NAT reaching each other via the NAT's external address) adds complexity to NAT handling and is not supported by every NAT type or hardware, so it will not work in some environments. There is no clear way to get an indication beforehand. During setup, roclub checks the connectivity type and informs the customer of potential errors.

NAT Traversal and ICE

After NAT traversal, the connector needs to exchange its connectivity information (candidate addresses and ports) with both the Video Conferencing services and our Controlplane.

For this purpose the ICE protocol (RFC 8445) is used. You can check NAT traversal and ICE candidate gathering with the Trickle ICE sample page published by the WebRTC project (https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/). A server-reflexive (srflx) candidate shows that STUN succeeded; if two STUN servers are configured and the srflx candidates for the same host candidate show different external ports, the NAT uses Endpoint-Dependent Mapping and relaying should be expected.