NAT and UDP reply port


extends NAT and UDP source port / NAT and UDP replies

Say Alice and Bob are behind NATs (two NATs that can somehow communicate, not a weird cone case; please correct me on this).

Both open a local UDP socket on 0.0.0.0 and discover their outgoing ip:port using the torrent DHT (http://www.bittorrent.org/beps/bep_0042.html / bootstrapping).

Is this sufficient to send UDP packets both ways? Say, to open a uTP session.

Or is it still required to attempt a connection from Alice to Bob and from Bob to Alice to punch through whatever could be in the way (firewalls / NATs)?

mh-cbon

Posted 2017-08-06T09:08:38.173

Reputation: 261

Answers


The method most P2P programs use is that of Hole punching, where a central server is used to pass information between the two parties regarding the ports used. Using that information, the parties can establish a direct connection to valid port numbers so that the firewall or router will accept and forward the incoming packets to the open port.

I believe that your question relates more to UDP over NAT with no intervening common server, which is the general problem of NAT traversal. The problem here is that the NAT device has no automatic method of determining the internal host for which incoming packets are destined, since the originating party does not know the port number on which the other party is listening.

Several algorithms were developed for solving that problem of UDP hole punching. Some UDP hole punching algorithms depend on both parties using the same ports. Other algorithms use a temporary TCP connection to pass the information required for establishing the UDP connection.

Other UDP hole punching techniques do not require any port information, but use instead algorithms where both parties will start sending to each other, using multiple attempts, and accepting the fact that at least the first packets will be lost. After the first failed attempt, the NAT device has a record of having sent a packet to the other machine, and so will let through any packets coming from this IP address and port number. The algorithm for that is detailed in the above linked Wikipedia article.

This is based on the fact that if a packet is received from an address to which a connection was previously attempted, then even if it arrives on a different port from the one through which the local party tried to establish the connection, the NAT will switch it to the right port. This lets the UDP packet get through the NAT, as the NAT mapping for it was already established by the local party attempting to send.

The problem with all these methods is that NAT address translation technologies are not standardized. As a result, the methods used for NAT traversal are often proprietary and poorly documented, and whether they will work or not varies between routers of different make and model.

The IETF has an entire working group defining what NAT devices should do in order to make the least mess: BEHAVE. There are several methods of getting data through NAT devices, some listed on the BEHAVE page. There are also STUN, UPnP, NAT-PMP, and Teredo.

harrymc

Posted 2017-08-06T09:08:38.173

Reputation: 306 093

Very comprehensive, full of links, awesome! Just to make sure: say we have Alice, Bob and Fred. Alice writes to Bob (sets up a session on the NAT (lan(ip:port) => wan(port)), right?), Bob gets the message, replies back to Alice (using the originating address he learns about her from the message), then Bob sends that address to Fred. Fred sends a hello message to Alice; will Alice receive it? – mh-cbon – 2017-08-10T09:04:33.277

In theory, yes (NAT devices and firewall permitting). Knowing the IP address and port number of Alice, Fred can send a packet that will be delivered. This is the principle behind all decentralized P2P products, where source discovery is done by passing between members lists of known sources composed of IP address + port. – harrymc – 2017-08-10T09:22:58.587

That's awesome! – mh-cbon – 2017-08-10T10:20:08.677


Usually a dynamic NAT maps connections by changing the source port of originating connections. Often the mapping is also restricted by destination IP address, and only packets from the same destination are mapped back. A NAT could even map the same source port more than once, to different destination addresses.

With such a NAT, either Alice or Bob needs to configure their NAT (manually or by some other means such as UPnP) to map a specific NAT port to their client, so that the other side can initiate the connection using the specified port. After the connection is established (or, with UDP, the first packet is received), the rest of the packets flow as usual.

sebasth

Posted 2017-08-06T09:08:38.173

Reputation: 670
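The two answers disagree only about which kind of NAT is in the way, so the following simulation, added here and not code from either answerer or from the question's author, replays the exchange under the RFC 4787 / BEHAVE behaviour classes. It covers harrymc's answer (both peers send, the first datagram is lost but opens the sender's NAT for the reply) and the Fred question in the comments (Fred gets through only with endpoint-independent filtering), and sebasth's answer (with "symmetric" address-and-port-dependent mapping the DHT-learned port is useless and a forwarded port is needed). The NAT model, the names `EI`/`AD`/`APD`, the `scenario()` helper, the port 51413 and every IP address are assumptions made up for the example; real NATs also time mappings out and may sit several hosts behind one address, which the model ignores.

```python
"""Constructed simulation of UDP hole punching across NATs (not code from the page).

RFC 4787 vocabulary: *mapping* behaviour (endpoint-independent, or address-and-
port-dependent, i.e. "symmetric": a different public port per destination) and
*filtering* behaviour (which external senders may use an open public port).
One host per NAT, no mapping timeouts; all addresses below are made up.
"""
from dataclasses import dataclass, field
from itertools import count

EI = "endpoint-independent"
AD = "address-dependent"
APD = "address-and-port-dependent"
DHT = ("203.0.113.1", 6881)   # made-up DHT bootstrap node (the BEP 42 role)


@dataclass
class NAT:
    public_ip: str
    mapping: str = EI        # EI: one public port per local socket; APD: one per destination
    filtering: str = AD      # who may send to an open public port
    _ports: count = field(default_factory=lambda: count(40000))
    _out: dict = field(default_factory=dict)   # mapping key -> public port
    _in: dict = field(default_factory=dict)    # public port -> [internal, destinations, static]

    def outbound(self, src, dst):
        """Rewrite src of a packet to dst; returns the public (ip, port) the peer sees."""
        key = src if self.mapping == EI else (src, dst)
        port = self._out.get(key)
        if port is None:
            port = next(self._ports)
            self._out[key] = port
            self._in[port] = [src, set(), False]
        self._in[port][1].add(dst)     # remembered for the filtering decision in inbound()
        return (self.public_ip, port)

    def add_static(self, public_port, internal):
        """Manual or UPnP-style port forward: any sender may reach public_port."""
        self._in[public_port] = [internal, set(), True]

    def inbound(self, public_port, sender):
        """Internal addr that a packet from sender is delivered to, or None if dropped."""
        entry = self._in.get(public_port)
        if entry is None:
            return None                 # no mapping at all
        internal, dests, static = entry
        if static or self.filtering == EI:
            return internal
        if self.filtering == AD:
            return internal if any(d[0] == sender[0] for d in dests) else None
        return internal if sender in dests else None    # APD filtering


@dataclass
class Host:
    name: str
    nat: NAT
    lan: tuple               # (private ip, port) of the UDP socket bound on 0.0.0.0
    inbox: list = field(default_factory=list)


def send(hosts, src, dst_public, payload):
    """One datagram from src to a public (ip, port); True if some host received it."""
    src_public = src.nat.outbound(src.lan, dst_public)
    for h in hosts:
        if h.nat.public_ip == dst_public[0] and h.nat.inbound(dst_public[1], src_public):
            h.inbox.append((src_public, payload))
            return True
    return False


def scenario(mapping=EI, filtering=AD, bob_forwards=None):
    """Replay the exchange from the question and comments; report what got through."""
    def host(name, public_ip, lan_ip):
        return Host(name, NAT(public_ip, mapping, filtering), (lan_ip, 6881))
    alice = host("alice", "198.51.100.10", "10.0.0.2")
    bob = host("bob", "198.51.100.20", "192.168.1.2")
    fred = host("fred", "198.51.100.30", "172.16.0.2")
    hosts = [alice, bob, fred]
    # 1. Each side learns its public ip:port by talking to the DHT node.
    alice_pub = alice.nat.outbound(alice.lan, DHT)
    bob_pub = bob.nat.outbound(bob.lan, DHT)
    if bob_forwards:                        # Bob forwards a fixed port instead
        bob.nat.add_static(bob_forwards, bob.lan)
        bob_pub = (bob.nat.public_ip, bob_forwards)
    # 2. Both send. The first packet in a direction may be lost, but it opens the
    #    sender's own NAT for the peer's reply. Bob replies to the source address he
    #    actually observed if anything arrived, else to the DHT-learned one.
    r = {"alice_pub": alice_pub, "bob_pub": bob_pub}
    r["a_to_b_1"] = send(hosts, alice, bob_pub, "hello bob")
    reply_to = bob.inbox[-1][0] if bob.inbox else alice_pub
    r["b_to_a_1"] = send(hosts, bob, reply_to, "hello alice")
    r["a_to_b_2"] = send(hosts, alice, bob_pub, "hello again")
    # 3. Bob passes Alice's DHT-learned address to Fred, who sends a hello.
    r["fred_to_a"] = send(hosts, fred, alice_pub, "hi from fred")
    return r


if __name__ == "__main__":
    for args in [(EI, AD), (EI, EI), (APD, AD), (APD, AD, 51413)]:
        print(args, scenario(*args))
```

Running it shows the four cases side by side: with endpoint-independent mapping and address-dependent filtering (the common home router) Alice's first datagram is dropped but Bob's reply and everything after gets through, while Fred is dropped because Alice never sent to his address; with endpoint-independent filtering everything, Fred included, is delivered; with symmetric mapping nothing from the DHT-learned ports ever arrives; and with Bob forwarding 51413 the session works again even behind a symmetric NAT, because Bob answers to the mapped port he observed rather than the one the DHT reported.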