Port triggering

From HandWiki
Short description: NAT traversal mechanism

Port triggering is a configuration option on a NAT-enabled router that controls communication between internal and external host machines in an IP network. It is similar to port forwarding in that it enables incoming traffic to be forwarded to a specific internal host machine, although the forwarded port is not open permanently and the target internal host machine is chosen dynamically.[1][2][3]

Description

When two networks communicate through a NAT-router, the host machines on the internal network behave as if they have the IP address of the NAT-router from the perspective of the host machines on the external network. Without any traffic forwarding rules, it is impossible for a host machine on an external network (host B) to open a connection to a host machine in the internal network (host A). This is because the connection can only be targeted to the IP of the NAT-router, since the internal network is hidden behind NAT. With port triggering, when some host A opens a connection to a host B using a predefined port or ports, then all incoming traffic that the router receives on some predefined port or ports is forwarded to host A. This is the 'triggering' event for the forwarding rule. The forwarding rule is disabled after a period of inactivity.[2]

Port triggering is useful for network applications where the client and server roles must be switched for certain tasks, such as authentication for IRC chat and file downloading for FTP file sharing.

Example

As an example of how port triggering operates, when connecting to IRC (Internet Relay Chat), it is common to authenticate a username with the Ident protocol via port 113.

When connecting to IRC, the client computer typically makes an outgoing connection on port 6667 (or any port in the range 6660–7000), causing the IRC server to attempt to verify the username given by making a new connection back to the client computer on port 113. When the computer is behind NAT, the NAT device silently drops this connection because it does not know to which computer behind the NAT it should send the request to connect. These two transport-level connections are necessary for the application-level connection to the IRC server to succeed (see Internet protocol suite). Since the second TCP/IP connection is not possible, the attempted connection to the IRC server will fail.

In the case of port triggering, the router is configured so that when an outbound connection is established on any port from 6660 to 7000, it should allow inbound connections to that particular computer on port 113. This gives it more flexibility than static port forwarding because it is not necessary to set it up for a specific address on your network, allowing multiple clients to connect to IRC servers through the NAT-router. Security is also gained, in the sense that the inbound port is not left open when not actively in use.

Disadvantages

Port triggering has the disadvantage that it binds the triggered port to a single client at a time. As long as the port is bound to that particular client, port triggering is effectively unavailable to all other clients. In FTP file sharing, for example, this means that no two clients can download files from an FTP server running on "active mode" simultaneously. For IRC, even though the authentication step happens very quickly, the port triggering timeout may still prevent other clients from logging into IRC servers. Port triggering is unsuitable for servers behind a NAT router because it relies on the local computer to make an outgoing connection before it can receive incoming ones. On some routers it is possible to have more than one client use port triggering and port forwarding, but not simultaneously.

See also

References