In any case, is it fair to say that we will probably need some sort of
introduction over the network for anything like this to work? i.e. we
will need a way to send a message to a node we are not directly
connected to, through the network?

On Fri, May 21, 2004 at 07:36:16PM +0100, Toad wrote:
> Umm. I was told that most NATs would use the port number to forward
> packets from any and all external hosts to the one internal PC that has
> used a given port.. is that wrong?
> 
> On Fri, May 21, 2004 at 06:48:42PM +0300, Roger Oksanen wrote:
> > 
> > On Friday 21 May 2004 18:15, Ian Clarke wrote:
> > > Roger Oksanen wrote:
> > > > Tunneling packets in UDP when both hosts are behind NAT has the
> > > > following problems:
> > > > * Generic NAT tunneling implementations don't work; They require
> > > >   that one host is on a routable address.
> > >
> > > Not true in 85% of cases, most NATs will forward UDP packets that
> > > come from a host to which they recently sent a packet, allowing the
> > > establishment of bi-directional UDP between two NATted nodes.
> > 
> > Yes, it will match the "connection" based on the source and destination 
> > IP address. Of course, when both computers are behind NAT:s (and I'm 
> > talking of NAPT), the source port will be changed when it passes the 
> > NAPT gw. Thus when it reaches the other NAPT gw, its source address is 
> > unknown to both A and B, and B:s NAPT gw. The NAPT GW won't let the 
> > packet pass to B because it has no way to tell where it should go.
> > 
> > Scenario
> > A: Node A:s IP address
> > G1: Node A:s NAPT GW
> > A1: Node A:s NAPT GW IP
> > B: Node B:s IP..
> > G2: Node B:s NAPT GW
> > 
> > A knows B and B1, B knows A and A1
> > 1) A sends UDP packet 1234:B1:1234 (sourcep:destip:destp - source IP is 
> > not interesting here, so I left it out)
> > 2) G1 changes it to 5678:B1:1234 and remembers it.
> > 3) G2 receives 5678:B1:1234 and drops it; it can't possibly know where 
> > it was going
> > 
> > 4) Now B could send a packet 1234:A1:5678 (because G1 remembers the 
> > route) but how would it know the NAPT port (5678). It can't. So it 
> > would have to walk through every possible port. => Out of luck
> > And to make things worse, G2 will also change the source port number, so 
> > G1 won't accept the new packet even if B successfully hit the 
> > right destination port.
> > 
> > 
> > >
> > > >   - Since NAT changes the source port number. A would have
> > > >     to send the initializing UDP packet to every port on B
> > > >     (essentially port scan B).
> > >
> > > Not if it has been informed of what port to use through out-of-band
> > > means (ie. via an introduction).
> > 
> > Introduction works only when the destination node has a public IP and 
> > thus can receive the introduction message, from which it figures out the 
> > random port number that the NAPT gw has invented.
> > 
> > 
> > -- 
> > Roger Oksanen <[EMAIL PROTECTED]>           +358 50 355 1990
> > CS Student at Helsinki University                    PGP id 1B125A3E
> > Homepage http://www.cs.helsinki.fi/u/raoksane/
> > _______________________________________________
> > Support mailing list
> > [EMAIL PROTECTED]
> > http://news.gmane.org/gmane.network.freenet.support
> > Unsubscribe at http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/support
> > Or mailto:[EMAIL PROTECTED]
> 
> -- 
> Matthew J Toseland - [EMAIL PROTECTED]
> Freenet Project Official Codemonkey - http://freenetproject.org/
> ICTHUS - Nothing is impossible. Our Boss says so.




-- 
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
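As an added illustration of the two NAPT behaviours the thread argues about (constructed example code, not anything from the Freenet project or the posters), the model below runs Roger's steps 1-4 after an out-of-band introduction through a public host S. The two gateway policies, the addresses and the port numbers are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Napt:
    """One NAPT gateway (constructed model). 'cone': one external port per
    inside socket, any outside host may send to it (Toad's reading).
    'symmetric': a fresh port per (inside socket, destination) and only that
    destination may send back (Roger's reading)."""
    public_ip: str
    policy: str
    next_port: int                            # first port handed out (assumed)
    out: dict = field(default_factory=dict)   # mapping key -> external port
    back: dict = field(default_factory=dict)  # external port -> (inside, dest)

    def _key(self, src, dst):
        return src if self.policy == "cone" else (src, dst)

    def outbound(self, src, dst):
        """Rewrite an inside->outside packet; returns (rewritten_src, dst)."""
        key = self._key(src, dst)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = (src, dst)
            self.next_port += 1
        return ((self.public_ip, self.out[key]), dst)

    def inbound(self, src, dst):
        """Deliver an outside->inside packet, or return None when it is dropped."""
        entry = self.back.get(dst[1]) if dst[0] == self.public_ip else None
        if entry is None:
            return None      # no mapping: the gateway "can't know where it was going"
        inside, dest = entry
        if self.policy == "symmetric" and src != dest:
            return None      # mapping belongs to another peer (source port rewritten)
        return (src, inside)

def hole_punch(policy):
    """Run the thread's steps 1-4 after an introduction via public host S."""
    A, B, S = ("10.0.0.2", 1234), ("192.168.1.2", 1234), ("S", 4000)   # made up
    G1, G2 = Napt("A1", policy, 5678), Napt("B1", policy, 40000)
    # Introduction: both nodes talk to S, which reports to each the public
    # (ip, port) it observed for the other.
    a_seen, _ = G1.outbound(A, S)
    b_seen, _ = G2.outbound(B, S)
    # Steps 1-3: A sends toward B's observed endpoint; G1 rewrites the source.
    a_src, a_dst = G1.outbound(A, b_seen)
    a_to_b = G2.inbound(a_src, a_dst) is not None
    # Step 4: B sends toward A's observed endpoint; G2 rewrites the source too.
    b_src, b_dst = G2.outbound(B, a_seen)
    b_to_a = G1.inbound(b_src, b_dst) is not None
    return {"a_to_b": a_to_b, "b_to_a": b_to_a, "g1_port_for_b": a_src[1]}
```

With policy "cone" both directions are delivered and G1 reuses port 5678 for every peer; with "symmetric" both are dropped, because G1 gives the packet toward B a port (5679) that S never saw and G2 rewrites B's source port as well, which is exactly the failure Roger describes.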


