Worked examples — NAT traversal, VPN, tunneling
4.3.30 · D3· Coding › Computer Networks › NAT traversal, VPN, tunneling
The scenario matrix
Examples karne se pehle, chalte hain har possible case class enumerate karte hain jo yeh topic throw kar sakta hai. Neeche har example ek cell ke saath tagged hai jo woh fill karta hai.
| Cell | Case class | Kya cheez isse alag banati hai | Example |
|---|---|---|---|
| A | Simple encapsulation overhead | ek wrapper, positive-sized packet | Ex 1 |
| B | Stacked / double tunnel (VPN-in-tunnel) | overhead add hota hai | Ex 2 |
| C | Degenerate: inner packet exceeds effective MTU | fragmentation / drop | Ex 3 |
| D | Limiting case: tiny payload | overhead ratio → near 1 | Ex 4 |
| E | Limiting case: huge payload | overhead ratio → 0 | Ex 4 |
| F | NAT-type decision (kaunsa traversal kaam karega?) | full-cone vs symmetric | Ex 5 |
| G | STUN mapping read-off (public IP:port) | table arithmetic | Ex 6 |
| H | Real-world word problem (TURN ka throughput cost) | latency + bandwidth | Ex 7 |
| I | Exam twist: encryption payload ko expand karta hai | crypto overhead ≠ sirf header | Ex 8 |
Pehle matrix kyun? Taaki tum dekh sako ki koi hidden scenario nahi hai. Positive/normal, degenerate (too big), do limits (tiny/huge), aur discrete decision cases (NAT type) — har input space covered hai.
Do formulas jo hum baar baar use karte hain
Yahan sab kuch parent note ke do relations pe tika hai. Chalte hain unhe phir se anchor karte hain taaki koi bhi symbol unexplained na rahe.
"Ratio" kyun, sirf "bytes" kyun nahi? Ratio yeh batata hai "mera kitna fraction bandwidth wrappers par waste ho raha hai?" — ek percentage, packet sizes ke across comparable. Raw byte count yeh batata hai "kya yeh fit hoga?". Alag sawaal, alag tools.
Cell A — Simple encapsulation overhead
- Outer headers add karo. B. Yeh step kyun? GRE ek IP delivery header plus apna 8-byte GRE header stack karta hai; dono "outer" bytes hain jo wire carry karta hai.
- Effective inner MTU. B. Yeh step kyun? Inner packet outer ek ke andar fit hona chahiye; 28 B kisi bhi inner byte se pehle spend ho jaate hain.
- Kya 1400 fit hoga? ✓ — koi fragmentation nahi. Yeh step kyun? Hamesha ko se compare karo, 1500 se kabhi nahi.
- Overhead ratio. .
Verify: Wrapped packet = ✓ path mein fit hai. Overhead ka matlab hai ~98% wire bytes useful hain — ek mote 1400-byte packet ke liye reasonable hai.
Cell B — Stacked tunnels (double wrap)
- Saare outer bytes sum karo. B. Yeh step kyun? Har wrapper apne bahar wale ke liye opaque hai; wire ke nazariye se yeh sirf aur outer header hain. Bytes add hote hain.
- Effective inner MTU. B. Yeh step kyun? Dono layers usi 1500-B budget mein se khate hain.
- Fit check. ✓.
- Overhead ratio. .
Verify: Total on-wire = ✓. Overhead 5.8% > Ex 1 ka 1.96% — zyada wrappers, zyada waste, jaise expect kiya tha.
Cell C — Degenerate: inner packet too big

- Effective inner MTU. B. Yeh step kyun? IPsec tunnel mode poore inner IP packet ko plus ESP overhead ko wrap karta hai — yahan ek bhaari 73 B.
- Compare karo. . Wrapped packet B hoga — path ke liye too big. Yeh step kyun? Yahi exactly degenerate cell hai: inner size effective MTU se zyada hai.
- Outcome. Ya toh router use fragment karta hai (slow, kabhi kabhi Firewalls block karte hain) ya, agar inner packet mein Don't-Fragment bit set hai, toh use drop kar diya jaata hai aur ICMP "too big" return hota hai — jise firewall swallow kar sakta hai, jiski wajah se silent stall hota hai. Yeh step kyun? s01 dekho: red packet outer envelope ke mouth se lamba hai — woh poora andar nahi ja sakta.
- Sabse bada safe inner packet. B.
Verify: ✓ exactly fit hai. Ek aur byte () se ✗ — toh 1427 sach mein ceiling hai.
Cells D & E — Do limits (tiny aur huge payload)

- Tiny payload (cell D). . Yeh step kyun? Jab , fraction : almost saare bytes wrapper hain. Isi liye interactive traffic (SSH keystrokes, VoIP) tunnels ke through bandwidth-inefficient hota hai.
- Huge payload (cell E). . Yeh step kyun? Jab , : fixed wrapper ek giant payload ke against negligible ho jaata hai.
- Trend. s02 dekho: jaise left se right badhta hai, overhead curve ~100% se 0 ki taraf girta hai. Fixed header ek toll hai: ek bade truck ke liye sasta, ek tiny scooter ke liye mahenga.
Verify: Dono limits bracket hain: ✓. Function strictly decreasing hai mein, toh tiny maximum deta hai aur huge minimum deta hai. ✓
Cell F — Kaunsa traversal kaam karega? (NAT-type decision)
- Yaad karo har NAT kya karta hai. Full-cone: ek public port khula, koi bhi use kar sakta hai. Symmetric: har destination ke liye ek naya public port. Yeh step kyun? Traversal success poori tarah depend karta hai is baat par ki kya peer STUN se seekha port wahi port hai jo doosre peer tak pahunchne ke liye use hoga.
- P STUN se apna mapping seekhta hai. Lekin P ka NAT symmetric hai: woh port jo P STUN server se baat karte waqt dekhta hai, woh STUN server se alag hoga jo Q se baat karte waqt allocate hoga. Yeh step kyun? Q, P ke STUN-reflexive port par bhejta — lekin woh port sirf STUN server tak map karta hai, Q tak nahi. Q ka packet koi matching entry nahi milti → drop ho jaata hai.
- Reverse direction try karo. P, Q ke full-cone mapping par bhejta hai — yeh kaam karta hai (full-cone sab ko allow karta hai). Toh P→Q ek hole punch karta hai. Lekin two-way connection ke liye ICE ko ek working pair chahiye; Q→P step 2 ki wajah se fail hota hai. Yeh step kyun? Media connection ke liye dono directions chahiye; one-way success kaafi nahi hai.
- Decision. Symmetric × kuch bhi (sivaaye full-cone-with-luck ke) → TURN relay par fall back karo.
Verify: Parent rule se match karta hai: "Symmetric NAT → traversal often fails → use TURN." Relay hamesha kaam karta hai kyunki dono peers relay par outbound initiate karte hain, har ek apna valid hole punch karta hai. ✓
Cell G — STUN mapping read-off
- Reflexive candidate identify karo. Public mapping jo peer ko use karni hai woh hai
198.51.100.7:41000. Yeh step kyun? STUN ka poora kaam hai baahri view reveal karna — woh address jo NAT table is host par map karta hai. - Private wala kyun nahi?
192.168.1.20public Internet par non-routable hai (RFC 1918). Wahan aim kiya gaya peer packet kabhi peer ke apne LAN se bahar nahi jaayega. Yeh step kyun? Private ranges (192.168.x.x,10.x,172.16–31.x) har jagah reuse hoti hain; inhe globally address nahi kiya ja sakta. Dekho IPv4 exhaustion. - Advertise karo. Host peer ko signaling ke through bolta hai: "Mujhe
198.51.100.7:41000par reach karo."
Verify: Reply address = NAT ka outside mapping =
198.51.100.7:41000, table entry192.168.1.20:52000 ↔ 198.51.100.7:41000se match karta hai. ✓ Advertised port (41000) translated port ke equal hai, internal 52000 nahi. ✓
Cell H — Real-world word problem (TURN cost)
- Relay se total bitrate. Up + down = Mbps. Yeh step kyun? TURN har direction alag relay karta hai, toh dono legs relay bandwidth consume karti hain.
- Duration seconds mein. s.
- Total bits. bits. Yeh step kyun? bitrate × time = total bits. Units dhyan rakho: Mbps = bits/s.
- Gigabytes mein convert karo. bytes bytes GB ( bytes use karke). Yeh step kyun? Bandwidth bytes mein bill hota hai; bits ko 8 se divide karo.
- Cost. 0.3 \text{ GB} \times \0.10/\text{GB} = $0.03$.
Verify: Units cascade karte hain: \text{Mbit/s} \to \text{bit} \to \text{byte} \to \text{GB} \to \text{\}4\text{ Mbps}\times 600\text{ s} = 2400\text{ Mbit} = 300\text{ MB} = 0.3\text{ GB}, cost \0.03. Per call sasta — lekin hazaaron concurrent calls se multiply karo aur TURN wahi reason ban jaata hai kyun engineers direct traversal prefer karte hain. ✓
Cell I — Exam twist: encryption payload ko expand karta hai
- Pehle padding. ESP (payload + 2 trailer bytes) encrypt karta hai aur 16-byte multiple tak pad karta hai. Pad se pehle encrypted region = B. 1402 se upar 16 ka agla multiple hai. Pad bytes = B. Yeh step kyun? Block ciphers (TLS/IPsec often AES use karte hain 16-byte blocks ke saath) require karte hain ki input length blocks ka whole number ho — yeh real overhead hai jo payload ko grow karta hai, unlike ek fixed header.
- Har added byte sum karo. B. Yeh step kyun? Encryption overhead = headers + IV + padding + authentication tag — jo students sirf IP header count karte hain woh yeh exam question galat karte hain.
- Fit check. Wrapped = ✓.
- Overhead ratio. .
Verify: ko 16-multiple tak round up karo: , toh agla multiple hai, pad ✓. Total ✓. On-wire ✓, koi fragmentation nahi. ✓
Recall
Recall "Fit hoga ya nahi" vs "kitna wasteful" ke liye kaunsa formula?
Fit ::: ko se compare karo. Waste ::: overhead ratio .
Recall Ex 3:
, path 1500 ke saath sabse bada safe inner packet? B ::: (1428 se 1501 overflow ho jaata).
Recall Ex 4: payload → 0 aur → ∞ par overhead limits?
ratio → 100%; ratio → 0% ::: fixed header ek toll hai — tiny packets par brutal, huge ones par negligible.
Recall Ex 5: symmetric × full-cone NAT — direct ya TURN?
TURN relay ::: symmetric NAT har destination ke liye naya port allocate karta hai, toh STUN-learned port match nahi karta; hole punching ek direction mein fail hota hai.
Recall Ex 8: crypto overhead sirf header se zyada kyun hai?
IV + padding-to-block-size + auth tag add karta hai ::: padding payload alignment ke saath badhti bhi hai, fixed constant nahi hai.