[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] How NAT Works

To: sheflug@xxxxxxxxxxxxxx
Subject: Re: [Sheflug] How NAT Works
From: John Southern <linuxtarragon@xxxxxxxxx>
Date: Wed, 8 Jan 2025 22:20:58 +0000
Delivery-date: Wed, 08 Jan 2025 22:21:31 +0000
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sheflug.org.uk; s=default; h=Sender:Content-Transfer-Encoding:Content-Type: Reply-To:List-Subscribe:List-Help:List-Post:List-Unsubscribe:List-Id:Subject: To:Message-ID:Date:From:In-Reply-To:References:MIME-Version:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner:List-Archive; bh=foMuPvix5rZGZvqCIVyJUjalrUVJCZfKLmchHlflew4=; b=RIbCkoY3AXpusHe8MVf4qrMri/ E3oLtgukAJFHRtvSHGtkZBoCGQmY2YeDAZL0rIEpliPn28WxISeb2wfkdAaW3jTsewq1UJ22cxa4O sBfzgpaT010GY6aJlJwMdAA34WiSpm96wZl22x1l0ft11QF+NK0wNnLXR3w70GmDcsIXMsSTabw3H wBqNOu2YMggohBtmCI229trPbAQLrc8mmCUeffiiZG/1vEWWcbwsV4NpZHjfdg1HDe9NnXhgyk3hr 9FnlqnqIN6PgGWkd+KhYTTDzPUP+r2yRQt6qc6UT7pC6PtpMgmpEhGv3p/eNwDqb1hb72ijtWpX4I LxAwWOuQ==;
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1736374871; x=1736979671; darn=sheflug.org.uk; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=S+ZtUmWEv9ub8tjwCGDjzsC+aa+eT/ojpkvpM4R6vDU=; b=cU79B9Pu9cKvtNC5D62S+OAmroSJiX0/TBoOtxaV17Z0h1hIJsUPjPAZVuIqjrdbUg zdM2PtZzpSWkIHY2i6JVgIc9P0qlw0HlfG+1lDfGUbfIJlMu1f62IK/2KXOm26+b5sec 1XAuSLAhR7IhjWsEM39alfnsHsFlOA8Qc5YhOUvzq3vIByTvh9L1Iy4OwtldaJUA47gY PuBGoPedH0SlEkXMxUSorZ2LQKt0etnxXpcKGU7kOEmsY4w45wNYGqQVR35wttIgOIJY Wokw/0HHHCPU96hLRPWT0fIsQNTjOak56lP2eGjekm1dlYmvHu9Q4y3sLYcT65eq3fkw WXsQ==
Envelope-to: sheflug@xxxxxxxxxxxxxx
List-help: <mailto:sheflug-request@sheflug.org.uk?subject=help>
List-id: <sheflug.sheflug.org.uk>
List-post: <mailto:sheflug@sheflug.org.uk>
List-subscribe: <http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk>, <mailto:sheflug-request@sheflug.org.uk?subject=subscribe>
List-unsubscribe: <http://sheflug.org.uk/mailman/options/sheflug_sheflug.org.uk>, <mailto:sheflug-request@sheflug.org.uk?subject=unsubscribe>
Reply-to: sheflug@xxxxxxxxxxxxxx
Sender: "Sheflug" <sheflug-bounces@xxxxxxxxxxxxxx>

The Picky NAT does change the port depending on the source. The easy NAT
keeps it open no matter what source IP is used.

John

On Wed, 8 Jan 2025 at 22:18, Robin Wood <robin@xxxxxxxxxxxxxxxxxxxxx> wrote:

> I've got as far as the birthday problem so I might just need to read some
> more.
>
> Does Picky NAT not care what IP the traffic is coming from? The port is
> just open for a short period of time for any connections? That seems quite
> dangerous.
>
> Robin
>
> On Wed, 8 Jan 2025, 22:13 John Southern, <linuxtarragon@xxxxxxxxx> wrote:
>
> > Hi Robin,
> >
> > My understanding is you send out to the STUN server and your NATTing
> router
> > keeps that port linked back to your client1 for a short period.
> > In that time client 2 can send info to it and get through.
> >
> > In your scenario you are using the Picky NAT where the port it gives when
> > talking to the STUN server is different to the port it would want to use
> > from client2.
> > That is where the article then jumps down to the Birthday problem if one
> of
> > the NAT devices is an Easy NAT or having to use one of the three
> protocols
> > (UPnP-IGD, NAT-PMP or PCP) to find the port number if they are both
> HardNAT
> > devices and so not have to go via the TURN relay for all traffic.
> >
> > I think a TURN server is more likely to enable a connection but then has
> to
> > be able to handle all the traffic thrown at it. I think in Tailscales
> > situation they are saying that by using all the tricks, they can avoid
> > having TURN servers in most cases.
> >
> > There are also TURNS servers for TCP traffic.
> >
> > Regards
> > John
> >
> > On Wed, 8 Jan 2025 at 21:34, Robin Wood <robin@xxxxxxxxxxxxxxxxxxxxx>
> > wrote:
> >
> > > Hi
> > > I've read through most of this and I'm stuck on how STUN works. I
> think I
> > > must be missing something but this is where I'm having problems.
> > >
> > > A NAT device handles connections by quads of source IP and port, and
> > > destination IP and port. So the client on the inside of my network
> > > (client1) makes a call out to the STUN server, that records the
> external
> > IP
> > > and port the connection is coming from and is then able to pass it on
> to
> > > the other side of the connection (client2).
> > >
> > > But, if client2 tries to connect to client1 using that IP and port the
> > NAT
> > > box will see a different source IP, one that doesn't match any that it
> > > knows, so it would just drop the traffic.
> > >
> > > I know the idea is that once client1 has punched out of the NAT, the
> hole
> > > is open so the other side is able to send packets back, but I can only
> > see
> > > that working when the other side is using the same IP as client1
> started
> > > talking to. If client2 tries to talk to the external IP and port
> client1
> > > used to talk to the STUN server it shouldn't work.
> > >
> > > Is this the failing that TURN is used to handle? If so, then isn't STUN
> > > dead in most situations? I'd imagine a lot of clients, especially VOIP,
> > are
> > > behind at least one layer of NAT.
> > >
> > > To have written such a big article on STUN, it feels like I've missed
> > > something important that means it will work in a lot more situations,
> > but I
> > > can't see what it is. Can anyone explain?
> > >
> > > Robin
> > >
> > > On Sun, 5 Jan 2025 at 11:56, Richard Ibbotson <richard@xxxxxxxxxxxxxx>
> > > wrote:
> > >
> > > > Hi
> > > >
> > > > https://tailscale.com/blog/how-nat-traversal-works
> > > >
> > > >
> > > > Might interest someone out there. How NAT works.
> > > >
> > > > --
> > > > Richard
> > > >
> > > >
> > > > _______________________________________________
> > > > Sheffield Linux User's Group
> > > > http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk
> > > > FAQ at: http://www.sheflug.org.uk/mailfaq.html
> > > >
> > > > GNU - The Choice of a Complete Generation
> > > >
> > > _______________________________________________
> > > Sheffield Linux User's Group
> > > http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk
> > > FAQ at: http://www.sheflug.org.uk/mailfaq.html
> > >
> > > GNU - The Choice of a Complete Generation
> > >
> > _______________________________________________
> > Sheffield Linux User's Group
> > http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk
> > FAQ at: http://www.sheflug.org.uk/mailfaq.html
> >
> > GNU - The Choice of a Complete Generation
> >
> _______________________________________________
> Sheffield Linux User's Group
> http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk
> FAQ at: http://www.sheflug.org.uk/mailfaq.html
>
> GNU - The Choice of a Complete Generation
>
_______________________________________________
Sheffield Linux User's Group
http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk
FAQ at: http://www.sheflug.org.uk/mailfaq.html

GNU - The Choice of a Complete Generation

Follow-Ups:
- Re: [Sheflug] How NAT Works
  - From: Robin Wood

References:
- [Sheflug] How NAT Works
  - From: Richard Ibbotson
- Re: [Sheflug] How NAT Works
  - From: Robin Wood
- Re: [Sheflug] How NAT Works
  - From: John Southern
- Re: [Sheflug] How NAT Works
  - From: Robin Wood

Prev by Date: Re: [Sheflug] How NAT Works
Next by Date: Re: [Sheflug] How NAT Works
Previous by thread: Re: [Sheflug] How NAT Works
Next by thread: Re: [Sheflug] How NAT Works
Index(es):
- Date
- Thread