
I've been largely ignoring the STUN protocol as noise for a while, but I keep encountering it here and there, and I'm wondering about its general usability.

If I understand it right, STUN is only useful if the outermost NAT allows in packets sent from a different addr:port pair than the one the source used when establishing the mapping.

I had an obviously delusional understanding that a sane NAT will only allow back packets from the same addr:port pair that a connection was established to (Endpoint-Dependent Filtering). Not enforcing this seems to be a serious security problem in and of itself. Building whole protocols and RFCs on top of that seems crazy.

Questions:

  1. Are there truly a lot of NATs that only do Endpoint-Independent Filtering?
  2. Is there any good reason behind doing Endpoint-Independent Filtering on a NAT besides being lazy, endangering the systems behind it, and charging extra $$ for a "p2p friendly" feature?
Pawel Veselov

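The question hinges on the three filtering behaviours that RFC 4787 defines for a NAT: endpoint-independent, address-dependent, and address-and-port-dependent. The model below is an added example, not code from the original post, and it assumes a NAT with endpoint-independent *mapping* (the same public port is reused for every destination, as RFC 4787 recommends) and a single UDP socket on each internal host. It shows two scenarios: a peer sending cold to an address learnt through STUN, which only gets through under endpoint-independent filtering, and a two-sided hole punch, which works under all three filtering modes because each side's outbound packet creates the filter entry the other side needs. All addresses and ports are constructed for the demonstration.

```python
"""Toy model of NAT filtering behaviour (RFC 4787 terminology).

Constructed example for illustration; not production NAT code.
Assumes endpoint-independent mapping and UDP.
"""
from dataclasses import dataclass, field

EIF = "endpoint-independent"         # accept from anyone once a mapping exists
ADF = "address-dependent"            # accept only from IPs the host has sent to
APDF = "address-and-port-dependent"  # accept only from addr:port the host has sent to

# Constructed public STUN server address (RFC 5737 documentation range).
STUN = ("198.51.100.1", 3478)


@dataclass
class Nat:
    public_ip: str
    filtering: str
    next_port: int = 40000
    # (internal_ip, internal_port) -> external port; one mapping per internal socket
    mappings: dict = field(default_factory=dict)
    # external port -> set of remote (ip, port) the internal host has sent to
    sent_to: dict = field(default_factory=dict)

    def outbound(self, src, dst):
        """Internal `src` sends to external `dst`; returns the public addr:port used."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.sent_to[self.next_port] = set()
            self.next_port += 1
        ext_port = self.mappings[src]
        self.sent_to[ext_port].add(dst)   # this is what "punches the hole"
        return (self.public_ip, ext_port)

    def inbound(self, remote, ext_port):
        """External `remote` sends to our public `ext_port`.

        Returns the internal endpoint the packet is delivered to, or None if
        the filtering rule drops it.
        """
        if ext_port not in self.sent_to:
            return None                   # no mapping at all: always dropped
        seen = self.sent_to[ext_port]
        if self.filtering == EIF:
            allowed = True
        elif self.filtering == ADF:
            allowed = any(ip == remote[0] for ip, _ in seen)
        elif self.filtering == APDF:
            allowed = remote in seen
        else:
            raise ValueError(f"unknown filtering mode {self.filtering!r}")
        if not allowed:
            return None
        for internal, port in self.mappings.items():
            if port == ext_port:
                return internal
        return None


def stun_then_unsolicited(filtering):
    """Host A learns its reflexive address via STUN; a peer it has never
    contacted then sends to that address. Returns True if the packet lands."""
    nat_a = Nat("203.0.113.10", filtering)
    a = ("10.0.0.2", 5000)
    a_public = nat_a.outbound(a, STUN)   # Binding Request; STUN echoes a_public
    peer = ("192.0.2.50", 6000)          # public host A has not sent to
    return nat_a.inbound(peer, a_public[1]) == a


def hole_punch(filtering_a, filtering_b):
    """Both hosts sit behind NATs, learn their reflexive addresses via STUN,
    exchange them over a signalling channel, then each sends to the other."""
    nat_a = Nat("203.0.113.10", filtering_a)
    nat_b = Nat("203.0.113.20", filtering_b)
    a = ("10.0.0.2", 5000)
    b = ("10.1.0.2", 6000)
    a_public = nat_a.outbound(a, STUN)
    b_public = nat_b.outbound(b, STUN)
    # Each side's first packet to the peer reuses the existing mapping
    # (endpoint-independent mapping) and records the peer as a permitted source.
    assert nat_a.outbound(a, b_public) == a_public
    assert nat_b.outbound(b, a_public) == b_public
    # On the wire, A's packet arrives at NAT B from a_public and vice versa.
    return (nat_b.inbound(a_public, b_public[1]) == b
            and nat_a.inbound(b_public, a_public[1]) == a)


if __name__ == "__main__":
    for mode in (EIF, ADF, APDF):
        print(f"{mode:28s} cold send after STUN: {stun_then_unsolicited(mode)}")
    print("hole punch, both address-and-port-dependent:", hole_punch(APDF, APDF))
```

The caveat the model makes visible: what STUN-based hole punching actually depends on is endpoint-independent *mapping*, not endpoint-independent *filtering*. A NAT that picks a fresh public port per destination (a "symmetric" NAT in older terminology) breaks the `hole_punch` scenario regardless of its filtering mode, because the port learnt from the STUN server is not the port used towards the peer; in that case applications fall back to a relay such as TURN.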
1 Answer


NAT is not intended as a security feature - it is a hack to stave off running out of IPv4 addresses, as a stopgap until IPv6 is fully deployed. As such, it makes sense to implement it in a way that maximizes utility rather than security.

As such, the premise of your question number 2 is wrong, since NAT is not intended as a security device. If enforcing the remote endpoint to always be the same breaks even one application, I would consider it more sane not to enforce the same remote endpoint, given the goals of the technology.

Peer-to-peer IP telephony (such as Skype) would be a notable example of a legitimate application that wouldn't work well without the ability to punch holes in NATs, whether it's by STUN or similar technologies that exploit the behaviour of NATs, or through technologies like UPnP.

Per von Zweigbergk
  • I disagree that NAT is a mere IPv4 shield. The concept of LANs would continue way past IPv6, and the easiest way to let LAN out to Internet is through a NAT, and a NAT must be secure, on its own, or with a stateful firewall that can enforce the same filtering rules. – Pawel Veselov Oct 15 '15 at 08:23
  • 2
    Yes, but this is a completely different question. The fact remains that a typical "NAT" box is not sold as firewall, but as a router. The job of enforcing security policy is that of a firewall, not of NAT. It's also arguable whether the concept of a "LAN" makes any sense from a security standpoint, or whether it makes more sense to protect individual machines using host-based firewalls. But then we're drifting way far off-topic from the question. – Per von Zweigbergk Oct 15 '15 at 08:29
  • 1
    @PawelVeselov We have a lengthy [post about IPv6 and NAT](http://serverfault.com/q/184524/126632) which you will find interesting. – Michael Hampton Oct 15 '15 at 12:54
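Both the question and the answer refer to STUN without showing what the protocol actually exchanges. The following is an added example, not code from the post or the answer, that builds a STUN Binding Request and parses the reflexive address out of a Binding Success Response as laid out in RFC 5389 (20-byte header with magic cookie 0x2112A442 and a 96-bit transaction ID, then TLV attributes; XOR-MAPPED-ADDRESS is attribute type 0x0020 with the port XORed against the top 16 bits of the cookie and the IPv4 address against the whole cookie). The server-side builder exists only so the exchange runs offline; the response it produces is constructed, as are the addresses. Only IPv4 is handled.

```python
"""Minimal STUN (RFC 5389) Binding Request / Response handling.

Added example; constructed response, IPv4 only. Not the original post's code.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txn_id=None):
    """Client side: 20-byte Binding Request with no attributes.

    Returns (message, transaction_id). The transaction ID must be random so
    an off-path attacker cannot forge a matching response.
    """
    txn_id = txn_id if txn_id is not None else os.urandom(12)
    if len(txn_id) != 12:
        raise ValueError("transaction ID must be 96 bits")
    header = struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE)
    return header + txn_id, txn_id


def build_binding_response(txn_id, reflexive_ip, reflexive_port):
    """Server side (constructed for offline demo): Binding Success Response
    carrying the client's reflexive address in an XOR-MAPPED-ADDRESS attribute."""
    xport = reflexive_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(reflexive_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0x00, 0x01, xport, xaddr)   # reserved, family=IPv4
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE)
    return header + txn_id + attr


def parse_reflexive_address(resp, expected_txn):
    """Client side: validate the response and return (ip, port) as the server saw it.

    Raises ValueError on anything that is not a well-formed Binding Success
    Response for our own transaction. Note that without MESSAGE-INTEGRITY an
    on-path attacker can still lie about the address; this only filters junk
    and off-path forgeries.
    """
    if len(resp) < HEADER_LEN:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", resp[:8])
    txn = resp[8:HEADER_LEN]
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if txn != expected_txn:
        raise ValueError("transaction ID mismatch")
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    if len(resp) != HEADER_LEN + mlen:
        raise ValueError("length field does not match message")

    off = HEADER_LEN
    while off + 4 <= len(resp):
        atype, alen = struct.unpack("!HH", resp[off:off + 4])
        value = resp[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS:
            if alen < 8:
                raise ValueError("short XOR-MAPPED-ADDRESS")
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        off += 4 + ((alen + 3) & ~3)      # attributes are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


if __name__ == "__main__":
    req, txn = build_binding_request()
    # Stand-in for the network round trip: the server echoes the public
    # addr:port it received the request from (constructed values).
    resp = build_binding_response(txn, "203.0.113.10", 40000)
    print("reflexive address:", parse_reflexive_address(resp, txn))
```

The transaction ID and magic cookie checks are the part worth keeping in any real client: a STUN answer is an unauthenticated UDP datagram, so a response that does not carry your own random transaction ID must be discarded rather than trusted. Where the reflexive address feeds into something security-relevant, RFC 5389's MESSAGE-INTEGRITY attribute is the mechanism for authenticating it.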