By the mid-2000s, NAT had quietly become the most important box on the internet — and one of the most inconsistent. Two NATs from different vendors could implement "the same" address translation in wildly different ways, and applications that worked behind one would silently fail behind another. RFC 5382 (a BCP, Best Current Practice) is the IETF's attempt to force discipline on TCP NAT behavior, complementing the earlier RFC 4787 for UDP. If you've ever wondered why peer-to-peer apps, VoIP, and games actually work through home routers, this document is a big part of the answer.

The problem. NAT was never standardized as a protocol; it was a hack that escaped the lab. Vendors implemented translation tables, timeouts, and filtering policies based on intuition. The result was a zoo of behaviors: some NATs reused the same external port for the same internal source (good for hole punching), others picked a fresh port per destination (terrible for it). Some allowed unsolicited inbound SYNs to an established mapping; others dropped them. TCP keepalives, simultaneous-open, and connection reuse all behaved unpredictably across vendors.

Key requirements the RFC nails down:

• REQ-1: Endpoint-Independent Mapping. A NAT MUST reuse the same external (IP, port) for all outbound TCP connections from the same internal (IP, port), regardless of destination. This is the cornerstone of TCP hole punching — without it, two peers behind NATs cannot predict each other's external addresses.
• REQ-3: Simultaneous-open support. If two endpoints behind separate NATs SYN each other at roughly the same time, the NATs MUST allow the connection to form. This is what makes NAT traversal protocols like ICE-TCP viable.
• REQ-5: Connection idle timeout ≥ 2 hours 4 minutes. Matches the TCP keepalive default from RFC 1122. Many cheap NATs were dropping idle connections after 5 minutes, breaking long-lived SSH sessions and IMAP IDLE.
• REQ-4: Inbound SYN handling. An unsolicited inbound SYN to an existing mapping must either be silently dropped or trigger an ICMP error after at least 6 seconds — long enough for a simultaneous-open to complete.
• REQ-8: Port parity and contiguity are not required for TCP, unlike some legacy assumptions from RTP.

Why it matters today. Even in 2026, with IPv6 deployment past 50% on many networks, the IPv4 internet still depends on NAT — and CGNAT (carrier-grade NAT) has made the problem worse, not better. Every WebRTC call, every BitTorrent swarm, every Tailscale or WireGuard mesh, every Steam game lobby relies on the predictable NAT behavior this RFC mandates. STUN, TURN, and ICE all assume endpoint-independent mapping; without it, fallback to relays becomes the norm and latency suffers. When you read about a router being "Full Cone" vs "Symmetric" NAT, you're reading shorthand for compliance with REQ-1.

Backstory. The lead authors include Bryan Ford, whose 2005 USENIX paper "Peer-to-Peer Communication Across Network Address Translators" effectively cataloged NAT misbehavior in the wild and created political pressure for standardization. The RFC's tone is unusually frank for IETF prose — it acknowledges that NAT is architecturally ugly while pragmatically specifying how to make it less broken. It's a rare BCP that admits the underlying technology shouldn't exist, then proceeds to make it work anyway.