After searching a while, I'm still not able to find a logical explanation on why is it called symmetric NAT.
Where lies the link between symmetric NAT and that each request is mapped to a unique external source IP address and port? Is there any at all?
tl;dr It comes from STUN and is symmetric because it identifies a 1:1 relationship between NAT mapping and L4 flow.
The name symmetric NAT is as far as I know introduced by the original STUN RFC 3489, with the following definition:
A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
This may not clarify things if you are not that familiar with NAT and the whole concept of STUN. Let me try to build this up.
The first important concept is the 5-tuple (protocol, host port, server port, host address, server address) where protocol is most commonly either UDP or TCP. This 5-tuple is used to identify a L4 protocol flow. I use host and server terminology to simplify some things and avoid directional terms such as source and destination.
Now, the whole concept of a NA(P)T device is to dynamically replace the (host port, host address) on the internal network (inside) with a (NAT port, NAT address) on the external network (outside). The state of such a translation is also called a NAT mapping. At its most simple the NAT function does not care about protocol, server ip, and server port. In this case multiple Layer 4 protocol flows may use the same NAT mapping, as long as the host ip and host-port used on the inside are the same. This N:1 model of multiplexing/demultiplexing flows to mappings is often represented via a funnel or cone.
The biggest alternative is to create a mapping for each new 5-tuple. So even if for example all of protocol, host ip, host port, and server ip are the same but server port is different, a new mapping will be created and the resulting NAT ip, NAT port will be different. There is thus a full 1:1 symmetry between a layer 4 flow and a NAT mapping.
Not relevant to the question, but just some history why this term is actually important for the STUN RFC and not left as an implementation detail. One of the goals of stun was to enable P2P connections between two clients behind NAT. The idea was that for many applications (e.g. VoIP) there would only be initial communication via servers, but all remaining communication would be P2P. To set up this P2P, the clients would make a connections to a stun server, which does three things:
Then, the client would send the learned port+IP via the application (voip) server to the other client, and now that can be used to set up a P2P connection.
In practice this barely works, and stun as described there was obsoleted and replaced by RFC 5389. In addition, many NAT implementations have added Application-level Gateways to solve certain protocols directly. On top of that there are specific protocols to create NAT mappings on demand, most prominently UPnP IGD and PCP. But, as often happens, some of the original STUN concepts stuck forever anyway :).
host address and NAT address, and any number of connections (5-tuples) can be pushed through that single mapping -- hence, it is not a symmetric relationship between mappings and connections. Where as a NA(P)T / Dynamic PAT has a mapping for each connection, hence a symmetric relationship. Is that basically what you are saying? (PS, also, you mention STUN, but I'm not sure where you explain exactly how that is involved in the rest of your answer).
– Eddie
Apr 15 '20 at 01:13
It sounds/feels like symmetric NAT should be something like
Source IP: 192.168.1.10 Source Port:32567 --NAT--> IP:88.88.88.1 Source Port:32567
where the Router uses the same port as the device during NAT, which makes it look symmetric. (It is not!)
Don't think it as the result wise but by NAT operation wise. It is symmetric because both IP address and Source port is translated to a new IP address and a new port like;
Source IP: 192.168.1.10 Source Port:32567 --NAT--> IP:88.88.88.1 Source Port:23447(Dest A)
Source IP: 192.168.1.10 Source Port:56543 --NAT--> IP:88.88.88.1 Source Port:18234(Dest B)
If your home modem is not doing Symmetric NAT
Source IP: 192.168.1.10 Source Port:32567 --NAT--> IP:88.88.88.1 Source Port:32567(Dest A)
Source IP: 192.168.1.10 Source Port:56543 --NAT--> IP:88.88.88.1 Source Port:56543(Dest B)
Then this is not symmetric. The IP address is modified but port stays the same.
Please note that if you have a block of public IP addresses you can choose to NAT to this block and choose different IP address for each connection like;
Source IP: 192.168.1.10 Source Port:32567 --NAT--> IP:88.88.88.3 Source Port:23447(Dest A)
Source IP: 192.168.1.10 Source Port:56543 --NAT--> IP:88.88.88.7 Source Port:18234(Dest B)
NOTE: In the examples, 192.168.1.10 is your PC IP 88.88.88.1 is your routers public IP.
My understanding:
Symmetric NAT uses new sockets if the destination IP address or the destination port number changes.
A socket consist of the following:
The NAT is asymmetric if the connection is unique for any combination of protocol and local address and local port, no matter what the destination IP address or the destination port number is.
The NAT is symmetric if the connection is unique for any unique combination of protocol, local IP address, local port number, destination IP address and destination port number.
