NAT kyun exist karta hai: IPv4 mein sirf ~4 billion addresses hain. NAT ek poore ghar/office ko ek single public address share karne deta hai.
NAT incoming connections kyun tod deta hai: mapping tabhi create hoti hai jab andar ka host pehle send kare. Baahri insaan ke paas table mein koi entry nahi hoti, toh public IP par aane wala koi bhi unsolicited packet kahin nahi jaata aur drop ho jaata hai.
TunnelPacket=deliveryHouter∥original packet, now opaque[Hinner∥payload]
Yeh kyun kaam karta hai: path mein routers sirf outer header padhte hain. Woh inner packet kabhi inspect nahi karte, isliye woh ek IPv6 packet ko IPv4-only path se route kar sakte hain, ya ek private 10.x packet ko public Internet se paar kar sakte hain.
IPsec — L3 par kaam karta hai. Transport mode sirf payload encrypt karta hai; Tunnel mode poore inner IP packet ko encrypt karta hai (site-to-site VPN).
WireGuard / OpenVPN — modern, app-layer-ish, simpler key handling.
TLS-based (HTTPS) VPNs — port 443 par tunnel karta hai taaki normal web traffic jaisa lage.
NAT unsolicited incoming connections kyun block karta hai?
Translation entry tabhi create hoti hai jab inside host pehle send kare; baahri ka packet match nahi hota aur drop ho jaata hai.
STUN kya karta hai?
Ek public server se query karke host ko uska public IP:port batata hai jaise baahr se dikhta hai, uski NAT mapping reveal karta hai.
STUN ki jagah TURN par kab fallback karna padta hai?
Symmetric NAT ke saath (har destination ke liye naya port), direct hole punching fail ho jaati hai, toh ek relay (TURN) traffic forward karta hai.
ICE kya hai?
Ek framework jo candidate addresses (local, STUN-reflexive, TURN-relayed) gather karta hai aur pairs test karta hai taaki sabse achhha working connection choose kare (WebRTC mein use hota hai).
Tunneling/encapsulation define karo.
Ek complete packet ko doosre protocol ke payload ke roop mein wrap karna taaki woh ek aisi network cross kar sake jo use natively route ya accept nahi karti.
Ek router ek aisa inner packet kyun carry kar sakta hai jo woh samajhta nahi?
Outer header h wale tunnel mein effective inner MTU ka formula?
MTU_inner = MTU_path − h.
VPN ek plain tunnel concept mein kya teen cheezein add karta hai?
Encapsulation + Encryption + Authentication.
IPsec transport aur tunnel mode mein kya fark hai?
Transport mode sirf payload encrypt karta hai; tunnel mode poore inner IP packet ko encrypt karta hai (site-to-site ke liye use hota hai).
Steel-man: "VPN = anonymous" kyun galat hai?
Encryption sirf VPN server tak hoti hai, jo aapka traffic dekh sakta hai aur use clear mein exit kar sakta hai; tum sirf trust provider ko shift karte ho.
Hole punching ek general security hole kyun nahi banati?
Restricted-cone NAT sirf us specific peer IP:port ko andar aane deta hai jisse tumne baat ki; random attackers ke paas phir bhi koi mapping nahi hoti.
Recall Feynman: ek 12-saal ke bachche ko samjhao
Socho tumhare ghar mein ek secret door hai jo sirf andar se khulti hai (yeh NAT hai). Bahar ka dost knock karke andar nahi aa sakta. Trick 1: tum aur dost exactly ek saath call karte ho taaki dono doors ek saath khulein (hole punching). Trick 2: ek wrapping trick — apna letter doosre envelope ke andar rakhte ho post office ke address ke saath taaki postman deliver kar sake, chahe woh andar ka secret note na padh sake (tunneling). VPN wahi wrapping hai, lekin andar ka letter ek secret code mein hai jo sirf tumhara office padh sakta hai — toh postman use carry karta hai lekin snoop nahi kar sakta.