[v6test] Teredo and NAT options
Thorsten Behrens
sbehrens at gmx.li
Fri Jan 18 20:42:04 UTC 2008
Hi Matthias!
Changing the subject line, we're veering off into implementation
details. Which is good, though, that'll all need to be understood
clearly to get things going.
>> - Teredo does not support "PAT" aka "Hide-NAT". This means that an XP
>> machine that is behind a home router won't work with Teredo, unless,
>> possibly, the router is set to treat the machine as in a "DMZ", which
>> sets up a one-to-one static NAT to that machine.
>> - Machines that are either directly on a public network or static-NATed
>> will resolve IPv6 addresses through Teredo, and will be able to connect
>> to IPv6 hosts
>> - The command to see Teredo data is "netsh int ipv6 show teredo", and
>> the message indicating that a user is behind PAT is
>> "Error : client behind symmetric NAT"
>>
>
> I cannot confirm this. AFAIK it's only symmetric NAT that is not
> supported. I just set up a small test environment to check it and I am
> using a standard (cheap) home router doing NAT for home networks and XP
> SP2 did establish Teredo connectivity:
>
I do not doubt you got it working. I wonder how you're configured
exactly, though. I'm assuming your PC is set as a "DMZ device" in your
home router, which would in essence give you a 1-to-1 NAT. Or maybe your
router happens to do NAT in such a way that it works out for Teredo.
Let's get some terminology out of the way. RFC3489
(http://tools.ietf.org/html/rfc3489) terminology for NAT is confusing.
To someone like me who comes to NAT from an implementation / firewalling
perspective, anyway.
"Symmetric NAT"
>>
Symmetric: A symmetric NAT is one where all requests from the
same internal IP address and port, to a specific destination IP
address and port, are mapped to the same external IP address and
port. If the same host sends a packet with the same source
address and port, but to a different destination, a different
mapping is used. Furthermore, only the external host that
receives a packet can send a UDP packet back to the internal host.
>>
This is what would happen in PAT / Hide-NAT implementations.
192.168.1.2:1024 connects to www.google.com:80, and that is translated
to external-ip:high-port-1. And when that connection is closed, the same
192.168.1.2:1024 connects to www.novell.com:80, and that is translated
to external-ip:high-port-2, or has a good chance to be, particularly
when the number of internal devices being translated out goes up. And
that means Teredo won't work in XP, in that situation.
What is supported by Teredo is Cone-NAT - that sounds like an open
1-to-1 NAT to me - and restricted Cone NAT, which is defined as:
>>
Restricted Cone: A restricted cone NAT is one where all requests
from the same internal IP address and port are mapped to the same
external IP address and port. Unlike a full cone NAT, an external
host (with IP address X) can send a packet to the internal host
only if the internal host had previously sent a packet to IP
address X.
>>
That could work out that way in a PAT / Hide-NAT situation if a) the implementation does not increment the source port on subsequent connections and b) there's only one device going out through any one address. The moment you have two devices, there is no guarantee that internal:port will map to external:port at all times - if external:port is in use by internal-2:port, then internal:port would receive external:port-2.
Hope I made sense there and you could follow me. That's why I'm saying "PAT / Hide-NAT does not work with Teredo in XP". It may be that this needs a qualifier, as in "it may actually work, but it'll break along the way unpredictably". I'll class that as "does not work" as well, though.
Then again, maybe I am assuming too much. If there's a PAT implementation out there that translates internal:1-65536 to external:1-65536 on a one-to-one port basis as long as there is only one device asking, AND the user only has one PC - not inconceivable in a home situation - then Teredo may well work in that situation, as the NAT behaves more like a static NAT than a PAT.
Your point is, partially, with qualifiers, taken :).
Thorsten
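The mapping rules argued over in this message (symmetric vs. cone NAT per RFC 3489, and the port-preserving PAT-with-one-PC case) are easy to get wrong in the head. The following toy simulator is an added example, not code from the thread or from any Teredo implementation: it models the three mapping behaviours, runs a simplified STUN/Teredo-style qualification (same internal socket, two different servers, compare the reflexive addresses they see), and replays the "second PC shows up" scenario. All addresses, ports and the `ToyNat`/`probe` names are constructed for illustration; the real Teredo qualification procedure has more steps than the two-server comparison used here.

```python
"""Toy NAT model for the symmetric / cone / port-preserving PAT distinction.

Constructed example; simplified on purpose:
  - "cone":      one external port per internal (ip, port), reused for every
                 destination (filtering of inbound packets is not modelled).
  - "symmetric": a fresh external port per (internal ip, port, destination).
  - "pat":       port-preserving PAT: keeps internal:port -> external:port
                 while that external port is free, otherwise hands out a high port.
"""
from itertools import count

# Constructed probe servers (think of the Teredo primary and secondary server).
SERVER_A = ("198.51.100.10", 3478)
SERVER_B = ("198.51.100.20", 3478)


class ToyNat:
    """Minimal NAT translation table keyed the way each NAT type keys it."""

    def __init__(self, mode, external_ip="203.0.113.1", first_high_port=49152):
        assert mode in ("cone", "symmetric", "pat")
        self.mode = mode
        self.external_ip = external_ip
        self.table = {}                 # mapping key -> external port
        self.in_use = set()             # external ports currently allocated
        self._high_ports = count(first_high_port)

    def _key(self, src, dst):
        # A symmetric NAT keys the mapping on the destination too; cone/PAT do not.
        return (src, dst) if self.mode == "symmetric" else src

    def _alloc(self, preferred):
        # Port-preserving PAT keeps the internal port number if nobody else holds it.
        if self.mode == "pat" and preferred not in self.in_use:
            port = preferred
        else:
            port = next(self._high_ports)
            while port in self.in_use:
                port = next(self._high_ports)
        self.in_use.add(port)
        return port

    def translate(self, src, dst):
        """External (ip, port) that dst observes for a packet src -> dst."""
        key = self._key(src, dst)
        if key not in self.table:
            self.table[key] = self._alloc(src[1])
        return (self.external_ip, self.table[key])

    def expire(self, src):
        """Drop every mapping for src (connection closed / idle timeout)."""
        stale = [k for k in self.table if k == src or k[0] == src]
        for k in stale:
            self.in_use.discard(self.table.pop(k))


def probe(nat, client):
    """Simplified qualification: same socket, two servers, compare reflexive addresses.

    Returns (verdict, address_seen_by_A, address_seen_by_B). A differing pair is
    what XP's Teredo client reports as "client behind symmetric NAT".
    """
    seen_a = nat.translate(client, SERVER_A)
    seen_b = nat.translate(client, SERVER_B)
    verdict = "symmetric" if seen_a != seen_b else "cone"
    return verdict, seen_a, seen_b


def pat_two_devices():
    """Replay the message's scenario: PAT looks fine with one PC, shifts with two.

    Returns the probe result for PC1 alone and the probe result after PC2 has
    taken over the external port PC1 used to hold.
    """
    nat = ToyNat("pat")
    pc1, pc2 = ("192.168.1.2", 1024), ("192.168.1.3", 1024)
    alone = probe(nat, pc1)            # port preserved: external port 1024, cone-like
    nat.expire(pc1)                    # PC1 closes its connections
    nat.translate(pc2, SERVER_A)       # PC2 now holds external port 1024
    returning = probe(nat, pc1)        # PC1 comes back on a different external port
    return alone, returning


if __name__ == "__main__":
    client = ("192.168.1.2", 1024)
    for mode in ("cone", "symmetric", "pat"):
        print(mode, "->", probe(ToyNat(mode), client))
    alone, returning = pat_two_devices()
    print("PAT alone:", alone[1], " PAT after second PC:", returning[1])
```

The last scenario is the point of the argument: each individual probe still reports "cone", but the external port PC1 is reachable on changed between sessions, so any Teredo peer holding the earlier address loses it. A NAT that passes the two-server comparison is not the same thing as a NAT that keeps its mappings stable over time.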