What is the problem with NATs and Firewalls?
Those network boxes (routers applying NAT or firewalls applying security policies) restrict the types of flows you can establish. For example, a NAT router typically allows any connection from the intranet to the internet but not in the other direction, and corporate firewalls typically allow only TCP traffic.
What are the tools we have for NAT and Firewall traversal?
We have STUN, which is basically a ping-pong or echo protocol that can be used for two purposes:
- Find out the public address of a device as seen by a STUN server in the public internet
- Make connectivity checks to test if a destination IP:port is visible/reachable from a source IP:port
How does ICE work?
ICE is not a NAT/FW traversal solution by itself but a framework to negotiate/find the best solution among the already available NAT/FW traversal tools (basically STUN and TURN).
This framework is mostly used in VoIP services to establish a direct channel for the VoIP traffic.
The ICE solution is based on multiple steps:
- Gathering: Each peer finds all the potential addresses that it owns and can use to establish a direct connection. For example, the endpoint gathers the IP addresses of its local interfaces (including VPNs, for example), finds its public IP address using a STUN server, or creates a tunnel using TURN to get a publicly reachable IP:port.
- Ordering of candidates: Candidates are ordered taking into account the expected delay/performance associated with each one, so local addresses are always prioritized over tunneled addresses.
- Connectivity checks: Each client starts sending connectivity checks in the prioritization order defined in the previous step until one of them succeeds. Those connectivity checks are done using STUN, and a check succeeds if you get a STUN response to your STUN request.
- Actual traffic can then be exchanged between both endpoints using the source and destination detected in the previous step.
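As an added example (not code from the original page), here is a minimal Python encoder/parser for the STUN Binding Request and Binding Success Response described in the STUN section (RFC 5389 wire format, XOR-MAPPED-ADDRESS decoding, transaction-id matching), together with the RFC 8445 candidate priority formula behind the ordering step above. The STUN server reply and the addresses are constructed locally so it runs offline; no real server is contacted.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442      # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
TYPE_PREFERENCE = {"host": 126, "srflx": 100, "relay": 0}  # RFC 8445 recommended values

def build_binding_request(txn_id=None):
    """Encode a STUN Binding Request: 20-byte header, no attributes."""
    txn_id = txn_id or os.urandom(12)  # random id lets the client match the reply
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)

def parse_binding_response(data, txn_id):
    """Return (ip, port) from XOR-MAPPED-ADDRESS; reject replies that do not match our request."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie, rx_txn = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or rx_txn != txn_id or msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response for our transaction")
    if len(data) != 20 + length:
        raise ValueError("declared length does not match message size")
    pos = 20
    while pos + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and attr_len >= 8 and value[1] == 0x01:  # IPv4
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            ip = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", ip)), port
        pos += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")

def build_binding_response(txn_id, ip, port):
    """Encode the reply a STUN server would send (constructed here; ip/port are sample values)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xip)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr

def candidate_priority(cand_type, local_pref=65535, component_id=1):
    """ICE candidate priority (RFC 8445 5.1.2.1): host > server-reflexive > relayed."""
    return (2 ** 24) * TYPE_PREFERENCE[cand_type] + (2 ** 8) * local_pref + (256 - component_id)
```

A reply whose transaction id does not match the request is rejected, which is what stops a stray or spoofed response from being taken as the device's public address.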