Matthew Toseland wrote:
> I was
> under the impression that the difference between port restricted and
> symmetric was precisely this - that a symmetric NAT would allocate a
> new port for every { source port, source IP, dest port, dest IP },
> whereas a port restricted cone will usually reuse the port, and just
> ignore packets coming from IPs other than ones we have sent packets to?

That sounds right, but to muddy the waters even further some people have abandoned the "full cone/restricted cone/port restricted cone/symmetric" terminology because it doesn't cover all possible combinations of mapping and filtering behaviour - see tables 6 and 8 of the STUNT paper: http://nutss.gforge.cis.cornell.edu/pub/imc05-tcpnat.pdf

Roughly speaking, it looks like 70% of NATs can punch UDP holes to each other, and some of the 70% can punch holes to some of the remaining 30%. This is much worse than I thought - the real world success rate could be anywhere between 49% and 91%, depending on the value of "some". Port prediction works for 94% of NATs after a few retries, but it requires out-of-band communication...

Cheers,
Michael
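An added toy model of the mapping and filtering behaviours discussed above (constructed for this thread; it is not code from the STUNT paper or from any project mentioned here). It models the three NAT kinds from the quoted message and a rendezvous-style UDP hole punch to show which pairs can reach each other after retries; the private/public addresses and the rendezvous server are assumed values.

```python
# Toy model (constructed for this thread, not from the STUNT paper or any project)
# of NAT mapping/filtering behaviour and a rendezvous-style UDP hole punch.
from itertools import count

SERVER = ("203.0.113.1", 3478)   # assumed rendezvous server both peers can reach

class Nat:
    """'restricted': one external port reused for all peers, accepts any packet from
    an IP we sent to; 'port_restricted': same port, accepts only from IP:port pairs
    we sent to; 'symmetric': fresh port per {src, dst}, accepts only from that dst."""
    def __init__(self, kind, public_ip):
        self.kind, self.public_ip = kind, public_ip
        self.ports = count(40000)   # next free external port
        self.mappings = {}          # mapping key -> external port
        self.opened = set()         # (external addr, destination) pairs we sent to

    def outbound(self, src, dst):
        """Translate a packet src -> dst; return the external address it leaves from."""
        key = (src, dst) if self.kind == "symmetric" else src  # per-4-tuple vs reuse
        if key not in self.mappings:
            self.mappings[key] = next(self.ports)
        ext = (self.public_ip, self.mappings[key])
        self.opened.add((ext, dst))
        return ext

    def inbound(self, ext, remote):
        """Would a packet from `remote` to our external address `ext` be let in?"""
        for opened_ext, dst in self.opened:
            if opened_ext != ext:
                continue
            if dst == remote or (self.kind == "restricted" and dst[0] == remote[0]):
                return True
        return False

def hole_punch(nat_a, nat_b):
    """Both peers learn each other's server-observed address, then fire at it.
    Returns True if at least one direction gets through (retries assumed)."""
    a_priv, b_priv = ("10.0.0.2", 5000), ("192.168.1.2", 5000)  # constructed
    a_seen = nat_a.outbound(a_priv, SERVER)  # what the server reports for A
    b_seen = nat_b.outbound(b_priv, SERVER)
    a_src = nat_a.outbound(a_priv, b_seen)   # external port actually used towards B
    b_src = nat_b.outbound(b_priv, a_seen)
    return nat_b.inbound(b_seen, a_src) or nat_a.inbound(a_seen, b_src)

def punch_matrix(kinds=("restricted", "port_restricted", "symmetric")):
    """Which NAT-type pairs can hole-punch? Fresh NATs per pair, since state is per NAT."""
    return {(x, y): hole_punch(Nat(x, "198.51.100.1"), Nat(y, "198.51.100.2"))
            for x in kinds for y in kinds}
```

The matrix reproduces the usual result: symmetric-to-symmetric and symmetric-to-port-restricted fail because the symmetric side's second mapping uses a port the other peer never saw, while symmetric-to-address-restricted still succeeds since that filter ignores the port.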
