NAT-T

NAT Traversal

Core Network
Introduced in Rel-11
A set of techniques and protocols that allow network applications, especially VPNs and real-time communication, to function correctly through Network Address Translation (NAT) devices. In 3GPP, it ensures services like IMS-based VoLTE/VoNR and enterprise VPNs work seamlessly across mobile networks employing NAT. It is critical for maintaining end-to-end connectivity and service quality.

Description

NAT Traversal (NAT-T) refers to mechanisms that enable application protocols to establish and maintain connections through one or more NAT devices, which normally break the assumption of end-to-end IP connectivity. In 3GPP networks, NAT-T is particularly crucial because the User Equipment (UE) is typically behind a NAT function in the PGW (4G) or UPF (5G). Protocols like SIP for IMS voice/video, ESP for IPsec VPNs, and others that carry IP addresses and port numbers within their payloads or use specific port negotiation schemes will fail unless NAT-aware techniques are employed.

The architecture involves both network-based and endpoint-based solutions. A key network-based component is the Application Layer Gateway (ALG), often integrated into the NAT device (PGW/UPF) or a separate network function. For SIP, an IMS-ALG (or IMS-AGW) modifies SIP/SDP messages, translating the private IP:port information in the message body to match the public IP:port used by the NAT mapping. For IPsec, the NAT-T mechanism defined in IETF RFCs (like RFC 3947/3948) encapsulates ESP packets inside UDP, as NATs can typically handle UDP statefully, and includes a NAT detection payload during IKEv2 negotiation.
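The SDP rewrite that the IMS-ALG performs, as an added illustration (this is not 3GPP code and not the page's own material): the ALG replaces a private address in the 'c=' line with the NAT's public address and replaces the 'm=' (and 'a=rtcp') ports with the ports the NAT will actually forward. The SDP body, the private and public addresses, and the NatBindingTable class standing in for the NAT's mapping state are all constructed for this example; the session-level and media-level 'c=' handling follows RFC 4566, and RTCP on port+1 follows RFC 3550.

```python
from ipaddress import ip_address, ip_network

# Constructed sample SDP, as a UE behind the PGW/UPF NAT might send it in a SIP INVITE.
# Addresses and ports are made up (RFC 1918 and documentation ranges), not from any deployment.
PRIVATE_SDP = """v=0
o=- 12345 1 IN IP4 10.0.0.5
s=-
c=IN IP4 10.0.0.5
t=0 0
m=audio 40000 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
a=rtcp:40001
"""

PRIVATE_RANGES = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_private(addr: str) -> bool:
    """True if the address is RFC 1918 or CGNAT space, i.e. one the far end cannot reach."""
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class NatBindingTable:
    """Hypothetical stand-in for the NAT's port-mapping state (not a 3GPP function).
    Public ports are handed out sequentially so an RTP/RTCP pair stays adjacent."""

    def __init__(self, public_ip: str, first_port: int = 50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings = {}  # (private_ip, private_port) -> (public_ip, public_port)

    def bind(self, private_ip: str, private_port: int):
        key = (private_ip, private_port)
        if key not in self.bindings:
            self.bindings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.bindings[key]


def rewrite_sdp(sdp: str, nat: NatBindingTable) -> str:
    """ALG-style rewrite: private c= addresses become the NAT's public address,
    m= ports and a=rtcp ports become the ports the NAT will forward to the UE."""
    lines = sdp.splitlines()

    # Pass 1: decide which connection address governs each m= line
    # (a media-level c= after an m= line overrides the session-level one).
    session_addr, media_addr, current_m = None, {}, None
    for i, line in enumerate(lines):
        if line.startswith("m="):
            current_m = i
            media_addr[i] = session_addr
        elif line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if current_m is None:
                session_addr = addr
            else:
                media_addr[current_m] = addr

    # Pass 2: rewrite, creating NAT bindings as each media description is reached.
    out, cur_addr = [], None
    for i, line in enumerate(lines):
        if line.startswith("c=IN IP4 ") and is_private(line.split()[2]):
            out.append(f"c=IN IP4 {nat.public_ip}")
        elif line.startswith("m="):
            fields = line.split()
            cur_addr, port = media_addr[i], int(fields[1])
            if cur_addr and is_private(cur_addr):
                _, pub_port = nat.bind(cur_addr, port)   # RTP
                nat.bind(cur_addr, port + 1)             # RTCP default of port+1 (RFC 3550)
                fields[1] = str(pub_port)
            out.append(" ".join(fields))
        elif line.startswith("a=rtcp:") and cur_addr and is_private(cur_addr):
            # Only the bare "a=rtcp:<port>" form is handled here.
            priv_rtcp = int(line[len("a=rtcp:"):].split()[0])
            _, pub_rtcp = nat.bind(cur_addr, priv_rtcp)
            out.append(f"a=rtcp:{pub_rtcp}")
        else:
            out.append(line)  # o= also carries the private address but is not used for routing
    return "\n".join(out) + "\n"
```

Two points worth noting from the code: the ALG must keep the RTP and RTCP mappings adjacent, otherwise a far end that assumes RTCP on port+1 sends its reports to an unmapped port; and an ALG can only rewrite SDP it can read, so where the SIP signalling is protected end-to-end by TLS or IPsec the traversal has to be done at an endpoint that holds the keys (the P-CSCF/IMS-ALG) or by the endpoints themselves using ICE.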

How it works: For IMS services, when a UE initiates a SIP REGISTER or INVITE, the SIP ALG inspects the packet, creates a NAT binding for the media ports, and rewrites the SDP 'c=' and 'm=' lines to reflect the public address. This allows the remote party to send media streams to the correct public IP:port, which the NAT then forwards to the UE. For IPsec VPNs (e.g., for enterprise access), the UE and security gateway use IKEv2 with NAT-T capabilities. They detect the presence of a NAT device during the IKE_SA_INIT exchange (via NAT-D payloads) and then switch to encapsulating subsequent IKE and ESP traffic in UDP port 4500, which traverses the NAT successfully. The 3GPP network may also employ Session Border Controllers (SBCs) or Interworking Functions that perform similar traversal functions for inter-operator or access-network boundaries.
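The IKEv2 NAT detection and UDP-4500 encapsulation described above, worked through as an added example (not code from the page, from 3GPP or from any IKE implementation). The hash construction is the one RFC 7296 section 2.23 defines for the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications, SHA-1 over SPIi, SPIr, IP address and port; the non-ESP marker and the one-byte keepalive are from RFC 3948. The SPIs, the UE's private address, the gateway address and the address the NAT substitutes are constructed values.

```python
import hashlib
import struct
from ipaddress import ip_address

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero bytes ahead of an IKE message on port 4500 (RFC 3948)
NAT_KEEPALIVE = b"\xff"               # single-octet keepalive that refreshes the NAT binding (RFC 3948)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Notification data: SHA-1(SPIi | SPIr | IP | Port), RFC 7296 section 2.23.
    IP is in network byte order (IPv4 or IPv6), port is a 2-byte big-endian value."""
    return hashlib.sha1(spi_i + spi_r + ip_address(ip).packed + struct.pack("!H", port)).digest()


def build_nat_detection_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """Sender side: hash the addresses the sender itself sees on its own packet."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def detect_nat(spi_i, spi_r, notifies, observed_src_ip, observed_src_port, own_ip, own_port):
    """Receiver side: recompute the hashes from the outer IP/UDP header actually received.
    A mismatch on SOURCE means the peer is behind a NAT; on DESTINATION, that we are.
    Returns (peer_behind_nat, self_behind_nat). Multi-homed peers may send several
    SOURCE notifications; this example assumes one."""
    peer_behind_nat = notifies["NAT_DETECTION_SOURCE_IP"] != \
        nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    self_behind_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != \
        nat_detection_hash(spi_i, spi_r, own_ip, own_port)
    return peer_behind_nat, self_behind_nat


def udp_encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE on port 4500 is prefixed with the non-ESP marker so it can share the port with ESP."""
    return NON_ESP_MARKER + ike_message


def demux_udp4500(payload: bytes):
    """Receiver demultiplexing on port 4500. ESP carries no marker: its first 4 bytes are the
    SPI, which is never zero, so it cannot collide with the marker."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", b"")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    return ("esp", payload)


def simulate_ue_behind_nat():
    """Constructed scenario: UE at 10.0.0.5:500 talks to a gateway at 198.51.100.10:500;
    the PGW/UPF NAT rewrites the UE's source to 203.0.113.7:61234."""
    spi_i = bytes.fromhex("0011223344556677")  # constructed initiator SPI
    spi_r = b"\x00" * 8                        # responder SPI is zero in the IKE_SA_INIT request
    ue_private, gateway = ("10.0.0.5", 500), ("198.51.100.10", 500)
    nat_public = ("203.0.113.7", 61234)
    notifies = build_nat_detection_notifies(spi_i, spi_r, *ue_private, *gateway)
    return detect_nat(spi_i, spi_r, notifies, *nat_public, *gateway)


def simulate_no_nat():
    """Same exchange with no NAT in the path: both comparisons match."""
    spi_i, spi_r = bytes.fromhex("8899aabbccddeeff"), b"\x00" * 8
    ue, gateway = ("192.0.2.20", 500), ("198.51.100.10", 500)
    notifies = build_nat_detection_notifies(spi_i, spi_r, *ue, *gateway)
    return detect_nat(spi_i, spi_r, notifies, *ue, *gateway)
```

Because the hashes cover the SPIs as well as the address, a stale or replayed notification from another IKE SA does not match, and because the peer only learns that translation happened (not the private address), the mechanism reveals nothing the outer header did not already show. Once either side detects a NAT, the gateway should also expect the UE's source port to change when the NAT binding times out, which is what the periodic keepalive on port 4500 is there to prevent.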

Purpose & Motivation

NAT-T was developed to solve the fundamental problem that NAT breaks many IP-based applications. As 3GPP networks universally adopted NAT to conserve IPv4 addresses, it inadvertently disrupted services that were becoming essential, such as Voice over IP (VoIP) via IMS and secure remote access via IPsec VPNs. These protocols rely on knowing the true endpoint addresses for direct communication, which NAT obscures. Without NAT-T, IMS calls would fail as media streams could not be established, and VPN tunnels could not be negotiated, severely limiting the utility of mobile data networks for real-time and secure communications.

The creation of NAT-T techniques within 3GPP (and their adoption from the IETF) was motivated by the commercial rollout of all-IP services like VoLTE. Operators needed to guarantee that voice service worked reliably for every subscriber, regardless of whether the subscriber was behind a NAT. It addressed the limitations of simple NAT, which was designed for client-server web browsing but not for peer-to-peer or symmetric protocol flows. NAT-T ensured that the network's address conservation strategy did not come at the cost of breaking advanced services, enabling the full vision of an all-IP core network supporting a rich set of multimedia and enterprise applications.

Key Features

  • Enables SIP/SDP-based protocols (e.g., IMS VoLTE/VoNR) to work through NAT
  • Supports IPsec VPN (IKEv2/ESP) traversal using UDP encapsulation (port 4500)
  • Utilizes Application Layer Gateways (ALGs) to modify protocol payloads in transit
  • Incorporates NAT detection mechanisms during connection establishment (e.g., NAT-D in IKE)
  • Works with ICE (Interactive Connectivity Establishment) for endpoint-assisted traversal
  • Standardized in 3GPP for interoperability across vendor equipment and operators

Evolution Across Releases

Rel-11 Initial

Formal specification of NAT Traversal requirements and mechanisms within 3GPP, particularly for enabling IMS-based services in NAT environments. References to IETF NAT-T standards (RFC 3947, RFC 3948) for IPsec were integrated. Specifications began detailing the role of IMS-ALG and other interworking functions for SIP/SDP manipulation to ensure media flow continuity.

Defining Specifications

Specification   Title
TS 29.139       3GPP TS 29.139
TS 29.828       3GPP TS 29.828
TS 29.839       3GPP TS 29.839