Umm. I was told that most NATs would use the port number to forward packets from any and all external hosts to the one internal PC that has used a given port.. is that wrong?
On Fri, May 21, 2004 at 06:48:42PM +0300, Roger Oksanen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Friday 21 May 2004 18:15, Ian Clarke wrote:
> > Roger Oksanen wrote:
> > > Tunneling packets in UDP when both hosts are behind NAT has the
> > > following problems:
> > > * Generic NAT tunneling implementations don't work; they require
> > >   that one host is on a routable address.
> >
> > Not true in 85% of cases, most NATs will forward UDP packets that
> > come from a host to which they recently sent a packet, allowing the
> > establishment of bi-directional UDP between two NATted nodes.
>
> Yes, it will match the "connection" based on the source and destination
> IP address. Of course, when both computers are behind NATs (and I'm
> talking of NAPT), the source port will be changed when it passes the
> NAPT gw. Thus when it reaches the other NAPT gw, its source address is
> unknown to both A and B, and B's NAPT gw. The NAPT GW won't let the
> packet pass to B because it has no way to tell where it should go.
>
> Scenario
> A: Node A's IP address
> G1: Node A's NAPT GW
> A1: Node A's NAPT GW IP
> B: Node B's IP..
> G2: Node B's NAPT GW
>
> A knows B and B1, B knows A and A1
> 1) A sends UDP packet 1234:B1:1234 (sourcep:destip:destp - source IP is
>    not interesting here, so I left it out)
> 2) G1 changes it to 5678:B1:1234 and remembers it.
> 3) G2 receives 5678:B1:1234 and drops it, it can't possibly know where
>    it was going
>
> 4) Now B could send a packet 1234:A1:5678 (because G1 remembers the
>    route) but how would it know the NAPT port (5678)? It can't. So it
>    would have to walk through every possible port. => Out of luck
> And to make things worse, G2 will also change the source port number, so
> G1 won't accept the new packet even if B would successfully hit the
> right destination port.
>
> > > - Since NAT changes the source port number, A would have
> > >   to send the initializing UDP packet to every port on B
> > >   (essentially port scan B).
> >
> > Not if it has been informed of what port to use through out-of-band
> > means (i.e. via an introduction).
>
> Introduction works only when the destination node has a public IP and
> thus can receive the introduction message, from which it figures out the
> random port number that the NAPT gw has invented.
>
> - --
> Roger Oksanen <[EMAIL PROTECTED]> +358 50 355 1990
> CS Student at Helsinki University PGP id 1B125A3E
> Homepage http://www.cs.helsinki.fi/u/raoksane/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFAriTa78OZUBsSWj4RAm+zAJ9ahDR7y+gGd3BfH6jBf0BPiUQZrwCfSLmA
> T+v5vsy7a0clyXww+Zh3ECw=
> =Vtu3
> -----END PGP SIGNATURE-----
> _______________________________________________
> Support mailing list
> [EMAIL PROTECTED]
> http://news.gmane.org/gmane.network.freenet.support
> Unsubscribe at http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/support
> Or mailto:[EMAIL PROTECTED]
-- 
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
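To make the exchange in the thread concrete, here is an added simulation of two hosts behind port-translating NATs; it is not Freenet code and was not written by any of the participants. The addresses, ports, the public rendezvous host R, and the two NAT mapping policies are constructed for the example. It first runs Roger's blind attempt (steps 1 to 3), then the introduction Ian describes: once for NATs that keep one external port per internal socket regardless of destination, and once for NATs that hand out a fresh external port per destination, which is the behaviour behind Roger's step 4.

```python
"""Added example: model of UDP through two NAPT gateways (not Freenet code).

Hosts A and B sit behind gateways G1 and G2.  Each gateway rewrites the
source port of outbound UDP and admits an inbound packet only if it
arrives on an external port the gateway allocated AND comes from a
remote ip:port that the internal host has already sent to through that
mapping.  A public host R with a routable address plays the introducer.
All addresses, ports and policies below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Port-translating NAT.

    per_destination=False: one external port per internal (ip, port),
    reused for every destination (endpoint-independent mapping).
    per_destination=True: a new external port for every distinct
    destination (address-and-port-dependent mapping).
    """

    def __init__(self, public_ip, first_port, per_destination=False):
        self.public_ip = public_ip
        self.next_port = first_port          # next external port to allocate
        self.per_destination = per_destination
        self.mappings = {}   # mapping key -> external port
        self.table = {}      # external port -> [internal ip, internal port, allowed remotes]

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if self.per_destination:
            key += (pkt.dst_ip, pkt.dst_port)
        ext = self.mappings.get(key)
        if ext is None:                      # first packet on this key: allocate
            ext = self.next_port
            self.next_port += 1
            self.mappings[key] = ext
            self.table[ext] = [pkt.src_ip, pkt.src_port, set()]
        self.table[ext][2].add((pkt.dst_ip, pkt.dst_port))   # remember who we talked to
        return Packet(self.public_ip, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an arriving packet, or return None if the gateway drops it."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or (pkt.src_ip, pkt.src_port) not in entry[2]:
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])


def send(src_nat, dst_nat, pkt):
    """Carry one packet out through src_nat and in through dst_nat."""
    return dst_nat.inbound(src_nat.outbound(pkt))


# Constructed addresses: private hosts A and B, public introducer R.
A, B, R = "10.0.0.2", "192.168.1.2", "203.0.113.9"
A1, B1 = "198.51.100.1", "198.51.100.2"      # public sides of G1 and G2


def blind_attempt():
    """Roger's steps 1-3: A sends 1234:B1:1234 with no mapping on G2."""
    g1, g2 = Napt(A1, 5678), Napt(B1, 6000)
    return send(g1, g2, Packet(A, 1234, B1, 1234))   # G2 has nothing for port 1234


def introduced_attempt(per_destination):
    """Ian's introduction: A and B each send to R, R tells each side the
    ip:port it observed for the other, then both sides send to each other."""
    g1 = Napt(A1, 5678, per_destination)
    g2 = Napt(B1, 6000, per_destination)
    a_seen = g1.outbound(Packet(A, 1234, R, 4000))   # R observes A1:a_seen.src_port
    b_seen = g2.outbound(Packet(B, 1234, R, 4000))   # R observes B1:b_seen.src_port
    # R relays those observations out of band; now each side aims at the other.
    first = send(g1, g2, Packet(A, 1234, b_seen.src_ip, b_seen.src_port))
    second = send(g2, g1, Packet(B, 1234, a_seen.src_ip, a_seen.src_port))
    third = send(g1, g2, Packet(A, 1234, b_seen.src_ip, b_seen.src_port))
    return first, second, third


if __name__ == "__main__":
    print("blind:", blind_attempt())
    print("introduced, port reused per socket:", introduced_attempt(False))
    print("introduced, port per destination:", introduced_attempt(True))
```

With the first policy, A's opening packet is still dropped by G2 (G2 has not yet seen A1:5678 as a remote), but it leaves a hole in G1; B's packet then passes G1 and reaches A, and A's next packet reaches B. With the per-destination policy, the port R observed for A is not the port G1 uses toward B1, so B aims at a mapping that was never opened for it, and every packet in both directions is dropped, which is exactly the objection in step 4.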
