Strong enough to deter all but the most determined attacker.
In my architecture, each player (ostensibly on phone) connects to a central matchmaker server, which then relays gameplay packets to each player, eliminating the NAT problem. However, that also means a malicious actor could play man-in-the-middle if that actor can read the gameplay packets.
I am also thinking about using an auth token.