Microsoft DirectX 9.0 SDK Update (Summer 2003)
Network Address Translation, Firewalls, and Proxies
Network Address Translation (NAT) is a mechanism with which one network can be connected to another. This is commonly used to connect a private home or office network to the Internet. The gateway between these two networks modifies packets sent from the private network to computers on the Internet so that they appear to have been sent by the gateway. When packets are sent back from the Internet to the gateway, the gateway forwards the packet on to the associated private computer.
The two main reasons these NAT gateways are used are as follows:
- Improved security and access control. NAT devices provide a central point through which all traffic from the unmanaged Internet must flow to reach the presumably secure home network. The NAT software frequently has capabilities to filter out any packets that are potentially harmful, as described below.
- Increased address space. The explosion in popularity of the Internet means an incredible demand for addresses. Internet Protocol, version 4 (IPv4), the underlying protocol for today's Internet, is rapidly running out of available unique addresses. NAT devices allow the private computers to "share" a single Internet Protocol (IP) address. Each computer does actually have its own IP address, but that address is only valid within the home network. Any computer outside the home network uses the NAT device's public address to communicate with those inside the home network.
Firewalls are devices or software that inspect incoming or outgoing packets and reject those that the firewall administrator has not allowed. For security reasons, most of them drop an incoming packet unless an outgoing packet was previously sent from the same port. In this respect they behave like NAT devices, which can't forward a packet without a prior mapping that tells them its intended target. Many NAT devices also implement firewall capabilities.
Proxies relay requests to the external network on behalf of computers on the internal network. They can cache some requests like World Wide Web traffic for improved response time. They also typically work in conjunction with proxy client software installed on the internal computers for increased access control. Because external computers only see the proxy's external address, proxies can be thought of as performing NAT for the internal computers.
Unfortunately, all of these mechanisms are often at odds with providing a seamless network gaming experience. For example, having both a private address and a shared public address can make it hard to send packets to the appropriate destination. Sometimes the user is forced to enable forwarding for a particular port in order to play online. But until the next version of the Internet Protocol, version 6 (IPv6), becomes widely deployed, issues like address sharing will only grow more common.
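The behavior described above (outbound packets rewritten to carry the gateway's public address, replies mapped back to the private host, unsolicited inbound packets dropped for lack of a mapping, and a manual port forward as the fix) is easy to see in a small simulation. The following Python model is an added example, not code from the DirectX SDK or DirectPlay; the `NatGateway` class, the `Packet` type, the address values (RFC 5737 documentation ranges and RFC 1918 private addresses) and the port numbers are all constructed for illustration.

```python
# Toy port-translating NAT (NAPT) with a stateful drop policy.
# Constructed example: addresses are RFC 5737 documentation addresses
# and RFC 1918 private addresses; ports are arbitrary.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Minimal NAT gateway: one public IP shared by many private hosts."""

    def __init__(self, public_ip: str, first_public_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_public_port
        # private (ip, port) -> public port, and the reverse direction
        self._out: Dict[Tuple[str, int], int] = {}
        self._in: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Static mapping, i.e. what a user configures to let unsolicited traffic in."""
        self._in[public_port] = (private_ip, private_port)
        self._out[(private_ip, private_port)] = public_port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a private-to-Internet packet so it appears to come from the gateway."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            # Allocate a fresh public port, so two private hosts that use the
            # same local port still get distinct mappings (address sharing).
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward an Internet-to-gateway packet to the mapped private host, or drop it."""
        target = self._in.get(pkt.dst_port)
        if target is None:
            return None  # no mapping: the gateway cannot know the intended host
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])


def demo() -> dict:
    """Walk through the cases the text describes and return what the gateway did."""
    gw = NatGateway("203.0.113.5")
    game_server = "198.51.100.7"   # constructed Internet host
    other_player = "192.0.2.9"     # constructed Internet host
    # Two LAN hosts both happen to bind local port 5000.
    a_out = gw.outbound(Packet("192.168.0.10", 5000, game_server, 6000))
    b_out = gw.outbound(Packet("192.168.0.11", 5000, game_server, 6000))
    # The server replies to the public port it saw; the gateway maps it back.
    reply_a = gw.inbound(Packet(game_server, 6000, gw.public_ip, a_out.src_port))
    # An unsolicited packet to an unmapped port is dropped, firewall-style.
    unsolicited = gw.inbound(Packet(other_player, 6000, gw.public_ip, 2300))
    # A static port forward is what lets host B accept unsolicited traffic.
    gw.add_port_forward(2300, "192.168.0.11", 2300)
    forwarded = gw.inbound(Packet(other_player, 6000, gw.public_ip, 2300))
    return {
        "a_public": (a_out.src_ip, a_out.src_port),
        "b_public": (b_out.src_ip, b_out.src_port),
        "reply_a": None if reply_a is None else (reply_a.dst_ip, reply_a.dst_port),
        "unsolicited": unsolicited,
        "forwarded": None if forwarded is None else (forwarded.dst_ip, forwarded.dst_port),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real NAT devices differ in how strictly they tie a mapping to the remote endpoint that was first contacted; this model keys only on the public port, which is the most permissive case. The point it shows is the same either way: until something creates a mapping, whether a prior outbound packet, a manual port forward, or a UPnP request, the gateway has nowhere to deliver an inbound packet and drops it.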
Microsoft® DirectPlay® provides many features such as Universal Plug and Play (UPnP) support that take the hard work out of supporting NAT. This section includes the following topics.
- Quick NAT Compatibility Guidelines. Quick guidelines that all game developers should consider to maximize NAT compatibility.
- Topology Specific NAT Issues. Breakdown of the issues affecting each topology architecture.
- Using the IDirectPlay8NATResolver Interface. Help implementing IDirectPlay8NATResolver servers.
- Notes Regarding Firewalls and Proxies. A few notes about how NATs affect firewalls and proxies.
- NAT Troubleshooting Techniques for Developers and End Users. Troubleshooting techniques for developers and end users.