NAT Traversal in Internet Gateways (Windows Embedded CE 6.0)
1/6/2010
Internet gateways support NAT traversal by supporting the Internet Gateway Device (IGD) specification defined by the Internet Gateway Working Committee of the Universal Plug and Play Forum. The following list shows the assumptions about IGDs made by NAT traversal APIs in Windows Embedded CE:
IGDs only advertise one external interface at a time. Though it is technically acceptable for Internet Gateway Devices to advertise multiple external interfaces, the NAT Traversal APIs use only the first one.
IGDs support port mappings that allow any remote IP address to send packets to internal clients.
IGDs support port mappings with the broadcast address listed as the client.
According to the IGD specification, it must be possible to set the internal client to the broadcast IP address 255.255.255.255. This enables multiple NAT clients to use the same well-known port simultaneously.
In Windows CE .NET 4.2 and later, to enable NAT clients to simultaneously use the same well-known port, the Internet gateway device maps the internal client to a subnet address rather than to the broadcast IP address 255.255.255.255. By using this mapping, packets arrive as subnet broadcast packets to the private host and not with the 255.255.255.255 as the destination address. For this scenario to work, broadcast forwarding must be enabled in the registry for the gateway.Security Note: If the IP firewall is not included in the gateway configuration, broadcast forwarding is disabled. Enabling the broadcast forwarding can pose a security threat to the private network devices if the firewall is not present. The following excerpt from the common.reg file shows the registry setting to use to enable broadcast forwarding:
; @CESYSGEN IF CE_MODULES_FW6 ; Enable broadcast forwarding only if firewall is present. ; Broadcast forwarding is needed to support NAT broadcast port mappings ; but it could be potentially exploited ; if the device is not protected by firewall. [HKEY_LOCAL_MACHINE\COMM\Tcpip\Parms] "ForwardBroadcasts"=dword:1 ; @CESYSGEN ENDIF
IGDs support different numbers for the external port of the NAT and internal port of the client.
IGDs advertise with a version number of 1.
Static port mappings, or port mappings with a duration set to infinity, persist indefinitely, surviving reboots, IP address changes, and the presence of the client on the server.