NAT Impact on Latency
The Processing Cost of Address Translation
The Lifecycle of a NATted Packet
When a packet hits a NAT gateway, the router must perform a series of CPU-intensive tasks:
- Lookup: Match the internal Source IP/Port to an existing state in the NAT table.
- Allocation: If no state exists, allocate a new public Port.
- Modification: Rewrite the Source IP and Source Port in the IP/TCP/UDP headers.
- Recalculation: Derive new Layer 3 and Layer 4 checksums (an O(1) but CPU-heavy operation).
NAT State Table Visualization
PAT (Port Address Translation) Latency
The Hidden State Machine: Netfilter & Conntrack
Under the hood, every NAT device runs a state machine. In Linux (and by extension, Android and most enterprise firewalls), this is handled by Netfilter/Conntrack.
A packet isn't just "translated"; it is tracked through four distinct states:
1. NEW
The first packet seen for a connection (e.g., TCP SYN). The router allocates a new entry in the Conntrack table.
2. ESTABLISHED
Traffic has been seen in both directions. The router now performs "fast-path" lookup (bypassing full rule evaluation).
3. RELATED
A new connection expected by an existing one (e.g., FTP data channel or SIP VoIP signaling). Deep Packet Inspection (DPI) is required here.
4. INVALID
Packets that don't match any known state. Usually dropped for security reasons.
The Limit of Translation: Port Exhaustion (SNAT)
The theoretical limit of a single public IP address is 65,535 concurrent connections (ports). In practice, ephemeral port ranges limit this to about 50,000.
When a large office or a carrier-grade NAT (CGNAT) gateway hits this limit, new connections are silently dropped until an old one times out. This phenomenon, known as Port Exhaustion, is often mistaken for packet loss or DDoS attacks.
Breaking the Barrier: STUN, TURN, and ICE
For Peer-to-Peer (P2P) applications like WebRTC, we need to bypass the NAT restriction using a technique called NAT Traversal:
- STUN (Session Traversal Utilities for NAT): The client asks an external server "What is my Public IP and Port?" and then shares that with the peer. Fails behind Symmetric NATs.
- TURN (Traversal Using Relays around NAT): If direct connection fails, traffic is relayed through a public server (High Latency, High Cost).
- ICE (Interactive Connectivity Establishment): A protocol that tries STUN first, then falls back to TURN if necessary, ensuring the lowest possible latency.
Carrier-Grade NAT (CGNAT) and Cumulative Delay
Modern mobile and residential connections often go through CGNAT. In this scenario, your traffic is NATted once at your home router and then again at the ISP's core gateway.
This multi-tier translation increases the risk of 'NAT Type' issues in gaming consoles, where peer-to-peer connections cannot be established due to unpredictable port mapping on the second tier.
The CPU vs. Throughput Trade-off
NAT requires state. This means the router must remember every active connection in RAM. As the number of concurrent connections grows (e.g., BitTorrent or high-load web scrapers), the NAT table lookups take longer, leading to increased latency variance (Jitter).
Conclusion
NAT was a brilliant temporary fix for the IPv4 shortage, but it is a performance bottleneck. Understanding and mitigating NAT latency is essential for maintaining high-performance edge networks.