udp hole punch and port restricted cone NAT

Question

I would like to understand how udp hole punching works when two hosts each behind the port restricted cone NAT establish connection.

As I understood, it happens in several stages and involves three hosts.

Host A and host B are behind the port restricted cone NAT.

Host C is a server that can receive packets from the hosts A and B.

1. A sends a packet to C.
2. C receives packet from A and determines A's external address:port pair
3. B sends a packet to C.
4. C receives packet from B and determines B's external address:port pair
5. C sends the external address:port of B to A
6. C sends the external address:port of A to B
7. A sends packet_1 to B's external address
8. B sends packet_2 to A's external address

The questions are:

How can A behind the restricted cone NAT receive a packet from B which is also behind the restricted cone NAT?

The port restricted cone NAT do not allow packets, in which the source address:port pair does not match the destination address:port pair of packets sent by it, to be received. Why do other packets sent between A and B arrive to A and to B?

Is it because the port restricted cone NAT considers packet_2 as the response from B?

So packet_1 will be lost but packet_2 arrives to B. Am I right?

Thank you in advance.

Answer 1

FYI, here's a paper that addresses your questions and provides a detailed overview of NAT. A pdf version is available here.