Re: [Sheflug] How NAT Works
- To: sheflug@xxxxxxxxxxxxxx
- Subject: Re: [Sheflug] How NAT Works
- From: Robin Wood <robin@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 9 Jan 2025 18:15:26 +0000
- Delivery-date: Thu, 09 Jan 2025 18:16:01 +0000
The most secure version of NAT would be symmetric as the hole is only
opened for traffic coming back in from the destination the client originally
connects to. If anyone can come back in through a poked outbound hole then
it gives anyone who happens to stumble onto it access into your network.
To test for it, make an outbound UDP connection to a host you control and
log the IP and port you've come from, then try to send data to that pair
from a third external host. If you can get data back in then it isn't
symmetric. You can do all that with netcat and tcpdump.
I was told most firewalls are now symmetric but have workarounds for things
like VoIP.
As I've only learnt this stuff over the last 36 hours I could be wrong with
all this so happy to listen if anyone wants to correct me.
Robin
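Robin's test above (send outbound to a host you control, learn the external ip:port it saw, then send to that pair from a third host), and the "Easy NAT" versus "Picky NAT" question in the quoted messages below, replayed as an added example. This is not code from the thread, from pfSense or from the Tailscale article; it is a toy model of a NAT's mapping and filtering behaviour in the RFC 4787 sense, with constructed addresses from the documentation ranges. The kind names ("easy", "restricted", "symmetric") and the port numbering are the example's own choices.

```python
"""Toy model of NAT mapping and filtering behaviour, in RFC 4787 terms.

Added example, not code from the thread. All addresses are constructed
(documentation / TEST-NET ranges). It replays Robin's test: an inside
host talks to a host it controls (A), learns the external ip:port the NAT
used, and then a third host (B) tries to send to that same pair.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


@dataclass
class Nat:
    external_ip: str
    # mapping: "independent" = one external port per inside socket (easy or
    # restricted NAT); "dependent" = a fresh external port per destination
    # (symmetric / "picky" NAT, which is what makes a STUN-learned pair useless).
    mapping: str
    # filtering: "independent" = any remote host may send to the mapped port;
    # "address_port" = only remote endpoints the inside host has already sent
    # to (the locked-down hole Robin describes).
    filtering: str
    next_port: int = 40000
    port_map: Dict[tuple, int] = field(default_factory=dict)
    # external port -> (inside endpoint, remote endpoints it has sent to)
    bindings: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = field(default_factory=dict)

    def _key(self, inside: Endpoint, dst: Endpoint) -> tuple:
        return (inside,) if self.mapping == "independent" else (inside, dst)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating a mapping if needed."""
        key = self._key(pkt.src, pkt.dst)
        if key not in self.port_map:
            self.port_map[key] = self.next_port
            self.bindings[self.next_port] = (pkt.src, set())
            self.next_port += 1
        ext_port = self.port_map[key]
        self.bindings[ext_port][1].add(pkt.dst)
        return Packet((self.external_ip, ext_port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet if the NAT lets it in, else None."""
        if pkt.dst[0] != self.external_ip or pkt.dst[1] not in self.bindings:
            return None
        inside, peers = self.bindings[pkt.dst[1]]
        if self.filtering != "independent" and pkt.src not in peers:
            return None
        return Packet(pkt.src, inside, pkt.payload)


def make_nat(kind: str) -> Nat:
    """Fresh NAT of the named kind, so repeated probes do not share state."""
    kinds = {
        "easy": ("independent", "independent"),
        "restricted": ("independent", "address_port"),
        "symmetric": ("dependent", "address_port"),
    }
    mapping, filtering = kinds[kind]
    return Nat("192.0.2.1", mapping, filtering)


CLIENT = ("10.0.0.5", 5000)       # inside host (client1)
HOST_A = ("198.51.100.10", 3478)  # host you control / STUN server
HOST_B = ("203.0.113.7", 6000)    # third external host (client2)


def probe(nat: Nat) -> dict:
    """Run the thread's test and report what the NAT did at each step."""
    # 1. Outbound to A. A logs the external ip:port it saw (what STUN reports).
    mapped = nat.outbound(Packet(CLIENT, HOST_A, b"hello A")).src
    # 2. A replies to that pair: this must work on any NAT.
    a_reply = nat.inbound(Packet(HOST_A, mapped, b"reply from A"))
    # 3. B, told the pair by A, sends to it cold (CLIENT has not sent to B yet).
    b_cold = nat.inbound(Packet(HOST_B, mapped, b"unsolicited from B"))
    # 4. CLIENT "punches" towards B, then B retries the STUN-learned pair.
    towards_b = nat.outbound(Packet(CLIENT, HOST_B, b"hello B"))
    b_punched = nat.inbound(Packet(HOST_B, mapped, b"retry from B"))
    return {
        "mapped": mapped,
        "a_reply_delivered": a_reply is not None,
        "b_cold_delivered": b_cold is not None,
        "same_port_towards_b": towards_b.src[1] == mapped[1],
        "b_after_punch_delivered": b_punched is not None,
    }


def classify(r: dict) -> str:
    if r["b_cold_delivered"]:
        return "easy NAT: anyone who learns the pair can send inbound"
    if r["b_after_punch_delivered"]:
        return "restricted NAT: STUN pair works once both sides have sent"
    return "symmetric NAT: STUN-learned port is useless to a new peer"


if __name__ == "__main__":
    for kind in ("easy", "restricted", "symmetric"):
        r = probe(make_nat(kind))
        print(f"{kind:10s} mapped={r['mapped']} -> {classify(r)}")
```

Step 3 is Robin's netcat test: if the cold packet from B gets in, the hole is open to anyone who learns the pair. Step 4 is the hole punch from the article: on a restricted NAT the STUN-learned port is reused towards B, so B's retry is now allowed; on a symmetric NAT the client gets a different external port for B, so the pair STUN reported never matches and only a relay (TURN) or a port-mapping protocol gets the two sides talking. Against a real pfSense box, run the same three steps with netcat and tcpdump; this model only tells you which outcome to expect for each NAT type.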
On Thu, 9 Jan 2025, 18:06 John Southern, <linuxtarragon@xxxxxxxxx> wrote:
> Hi Robin,
>
> What are the obvious and commonest failing that would mean I am not in a
> locked down world and how do I test for each?
>
> Regards
> John
>
> On Thu, 9 Jan 2025 at 10:46, Robin Wood <robin@xxxxxxxxxxxxxxxxxxxxx>
> wrote:
>
> > John
> > I've just talked to a friend and we worked out that I'm thinking about
> > symmetric NAT which doesn't work with the basic, poke a hole out and let
> > anything back in through it, model.
> >
> > Things make more sense now, the basic version will fail in my locked down
> > world, but there are setups that aren't as locked down where it does work.
> >
> > Robin
> >
> > On Thu, 9 Jan 2025 at 07:07, Robin Wood <robin@xxxxxxxxxxxxxxxxxxxxx>
> > wrote:
> >
> > > Guess I'll just have to write code, play and see what happens.
> > >
> > > On Wed, 8 Jan 2025, 23:36 John Southern, <linuxtarragon@xxxxxxxxx> wrote:
> > >
> > >> Hi Robin,
> > >>
> > >> I am afraid I do not know either, which is the most common or how I
> > >> would go about identifying.
> > >>
> > >> Regards
> > >> John
> > >>
> > >> On Wed, 8 Jan 2025 at 22:28, Robin Wood <robin@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > >>
> > >> > Which is the most common? Is there an easy way to tell? I want to
> > >> > try to mock this up to see if I can get traffic going through my
> > >> > pfsense box.
> > >> >
> > >> > Robin
> > >> >
> > >> > On Wed, 8 Jan 2025, 22:21 John Southern, <linuxtarragon@xxxxxxxxx> wrote:
> > >> >
> > >> > > The Picky NAT does change the port depending on the source. The
> > >> > > easy NAT keeps it open no matter what source IP is used.
> > >> > >
> > >> > > John
> > >> > >
> > >> > > On Wed, 8 Jan 2025 at 22:18, Robin Wood <robin@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > >> > >
> > >> > > > I've got as far as the birthday problem so I might just need to
> > >> > > > read some more.
> > >> > > >
> > >> > > > Does Picky NAT not care what IP the traffic is coming from? The
> > >> > > > port is just open for a short period of time for any connections?
> > >> > > > That seems quite dangerous.
> > >> > > >
> > >> > > > Robin
> > >> > > >
> > >> > > > On Wed, 8 Jan 2025, 22:13 John Southern, <linuxtarragon@xxxxxxxxx> wrote:
> > >> > > >
> > >> > > > > Hi Robin,
> > >> > > > >
> > >> > > > > My understanding is you send out to the STUN server and your
> > >> > > > > NATTing router keeps that port linked back to your client1 for
> > >> > > > > a short period. In that time client 2 can send info to it and
> > >> > > > > get through.
> > >> > > > >
> > >> > > > > In your scenario you are using the Picky NAT where the port it
> > >> > > > > gives when talking to the STUN server is different to the port
> > >> > > > > it would want to use from client2.
> > >> > > > > That is where the article then jumps down to the Birthday
> > >> > > > > problem if one of the NAT devices is an Easy NAT or having to
> > >> > > > > use one of the three protocols (UPnP-IGD, NAT-PMP or PCP) to
> > >> > > > > find the port number if they are both HardNAT devices and so
> > >> > > > > not have to go via the TURN relay for all traffic.
> > >> > > > >
> > >> > > > > I think a TURN server is more likely to enable a connection
> > >> > > > > but then has to be able to handle all the traffic thrown at
> > >> > > > > it. I think in Tailscale's situation they are saying that by
> > >> > > > > using all the tricks, they can avoid having TURN servers in
> > >> > > > > most cases.
> > >> > > > >
> > >> > > > > There are also TURNS servers for TCP traffic.
> > >> > > > >
> > >> > > > > Regards
> > >> > > > > John
> > >> > > > >
> > >> > > > > On Wed, 8 Jan 2025 at 21:34, Robin Wood <robin@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > >> > > > >
> > >> > > > > > Hi
> > >> > > > > > I've read through most of this and I'm stuck on how STUN
> > >> > > > > > works. I think I must be missing something but this is
> > >> > > > > > where I'm having problems.
> > >> > > > > >
> > >> > > > > > A NAT device handles connections by quads of source IP and
> > >> > > > > > port, and destination IP and port. So the client on the
> > >> > > > > > inside of my network (client1) makes a call out to the STUN
> > >> > > > > > server, that records the external IP and port the
> > >> > > > > > connection is coming from and is then able to pass it on to
> > >> > > > > > the other side of the connection (client2).
> > >> > > > > >
> > >> > > > > > But, if client2 tries to connect to client1 using that IP
> > >> > > > > > and port the NAT box will see a different source IP, one
> > >> > > > > > that doesn't match any that it knows, so it would just drop
> > >> > > > > > the traffic.
> > >> > > > > >
> > >> > > > > > I know the idea is that once client1 has punched out of the
> > >> > > > > > NAT, the hole is open so the other side is able to send
> > >> > > > > > packets back, but I can only see that working when the
> > >> > > > > > other side is using the same IP as client1 started talking
> > >> > > > > > to. If client2 tries to talk to the external IP and port
> > >> > > > > > client1 used to talk to the STUN server it shouldn't work.
> > >> > > > > >
> > >> > > > > > Is this the failing that TURN is used to handle? If so, then
> > >> > > > > > isn't STUN dead in most situations? I'd imagine a lot of
> > >> > > > > > clients, especially VOIP, are behind at least one layer of
> > >> > > > > > NAT.
> > >> > > > > >
> > >> > > > > > To have written such a big article on STUN, it feels like
> > >> > > > > > I've missed something important that means it will work in
> > >> > > > > > a lot more situations, but I can't see what it is. Can
> > >> > > > > > anyone explain?
> > >> > > > > >
> > >> > > > > > Robin
> > >> > > > > >
> > >> > > > > > On Sun, 5 Jan 2025 at 11:56, Richard Ibbotson <richard@xxxxxxxxxxxxxx> wrote:
> > >> > > > > >
> > >> > > > > > > Hi
> > >> > > > > > >
> > >> > > > > > > https://tailscale.com/blog/how-nat-traversal-works
> > >> > > > > > >
> > >> > > > > > >
> > >> > > > > > > Might interest someone out there. How NAT works.
> > >> > > > > > >
> > >> > > > > > > --
> > >> > > > > > > Richard
> > >> > > > > > >
> > >> > > > > > >
> > >> > > > > > > _______________________________________________
> > >> > > > > > > Sheffield Linux User's Group
> > >> > > > > > > http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk
> > >> > > > > > > FAQ at: http://www.sheflug.org.uk/mailfaq.html
> > >> > > > > > >
> > >> > > > > > > GNU - The Choice of a Complete Generation