NAT Traversal

From Celeste@Hoppinglife

Revision as of 23:01, 9 April 2024

This is a short paraphrase of Tailscale's NAT traversal post (https://tailscale.com/blog/how-nat-traversal-works/).

NAT traversal relies on one property of a stateful firewall: **once a host sends an outbound packet, the firewall admits the return traffic from that destination to the same IP:port**. For UDP this means that if each side knows the other's IP:port, both can send packets to each other at roughly the same time; each firewall sees its own host's outbound packet first, so the peer's packet is accepted as "return" traffic and a direct path exists (hole punching).

Case 1: both source and destination have public IPs and only a stateful firewall in front of them: easy, the IP:port of both sides is known, so both just send to each other.

Case 2: both sides are behind a single layer of NAT, but the NAT's external port depends only on the internal source socket, not on the destination (endpoint-independent mapping): ask a third-party server on the public internet (a STUN server) what public IP:port it sees, exchange that out of band, and send to it; the NAT reuses the same mapping for the peer.

Case 3: like case 2, but one side's NAT allocates a different external port per destination (endpoint-dependent): we know the full IP:port of the easy side, but only the public IP of the hard side, since the port it will use for us is unknowable in advance. The birthday paradox helps: the hard side opens many sockets and sends from each to the easy side's known endpoint, creating that many mappings with random ports, while the easy side sends probes to random ports on the hard side's public IP until one of them collides with an open mapping. With a few hundred mappings on one side and a few hundred probes from the other, a collision is likely.

Case 4: both sides are endpoint-dependent: neither side has a fixed endpoint for the other to aim at, the search space is too large, and traffic has to be relayed through a server instead.
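The following Python model is an added example, not code from this page or from Tailscale. It simulates cases 2 and 3 above: a NAT is a mapping table plus the stateful-firewall rule (inbound packets are admitted only from a remote endpoint the internal host already sent to, through the same external port). Assumptions: an "easy" NAT reuses one external port per internal socket for every destination, a "hard" NAT allocates a fresh random external port per (socket, destination) pair and filters on the remote IP:port, external ports come from 1024-65535, the hard side opens 256 sockets for the birthday search, and all IP addresses and the STUN server are made up.

```python
# Toy model of UDP hole punching through NATs (constructed example, not
# Tailscale's code). Mapping and filtering behaviour are deliberately
# simplified: "easy" = endpoint-independent mapping, "hard" = a new random
# external port per (internal socket, remote endpoint), both with filtering
# on the remote IP:port that the internal host previously sent to.
import math
import random

STUN = ("203.0.113.1", 3478)  # constructed third-party server address


class Nat:
    def __init__(self, public_ip, endpoint_dependent, rng):
        self.public_ip = public_ip
        self.endpoint_dependent = endpoint_dependent
        self.rng = rng
        self.mappings = {}    # key -> external port
        self.used = set()     # external ports already handed out
        self.allowed = set()  # (external port, remote endpoint) with outbound state

    def outbound(self, internal, remote):
        """Host `internal` sends to `remote`; return the public endpoint the remote sees."""
        key = (internal, remote) if self.endpoint_dependent else internal
        port = self.mappings.get(key)
        if port is None:
            # Unpredictable allocation: pick a random unused external port.
            while True:
                port = self.rng.randrange(1024, 65536)
                if port not in self.used:
                    break
            self.used.add(port)
            self.mappings[key] = port
        self.allowed.add((port, remote))
        return (self.public_ip, port)

    def inbound(self, ext_port, remote):
        """Firewall check: does a packet from `remote` to our `ext_port` get in?"""
        return (ext_port, remote) in self.allowed


def stun_then_punch(nat_a, nat_b):
    """Cases 2/3: both sides learn their public endpoint via STUN, exchange it out
    of band, then send to the peer. True iff packets are admitted in both directions."""
    a_int, b_int = ("10.0.0.2", 40000), ("192.168.1.5", 50000)
    a_pub = nat_a.outbound(a_int, STUN)
    b_pub = nat_b.outbound(b_int, STUN)
    a_src = nat_a.outbound(a_int, b_pub)  # what B's NAT sees as the sender
    b_src = nat_b.outbound(b_int, a_pub)  # what A's NAT sees as the sender
    return nat_b.inbound(b_pub[1], a_src) and nat_a.inbound(a_pub[1], b_src)


def birthday_punch(hard_nat, easy_pub, hard_int, rng, open_ports=256, max_probes=20000):
    """Case 3: the hard side sends from `open_ports` sockets to the easy side's known
    endpoint, creating that many random mappings; the easy side then probes random
    ports on the hard NAT until one collides. Returns probes used, or None."""
    for i in range(open_ports):
        hard_nat.outbound((hard_int[0], hard_int[1] + i), easy_pub)
    for n in range(1, max_probes + 1):
        if hard_nat.inbound(rng.randrange(1024, 65536), easy_pub):
            return n
    return None


def probes_needed(open_ports, success_prob, port_range=65536 - 1024):
    """Analytic version: probes so that P(at least one collision) >= success_prob."""
    miss = 1 - open_ports / port_range
    return math.ceil(math.log(1 - success_prob) / math.log(miss))


def run_demo(seed=7, trials=100):
    rng = random.Random(seed)
    easy = lambda ip: Nat(ip, False, rng)
    hard = lambda ip: Nat(ip, True, rng)
    easy_pub = ("198.51.100.1", 40000)  # the easy side's STUN-learned endpoint
    counts = [birthday_punch(hard("198.51.100.3"), easy_pub, ("172.16.0.9", 30000), rng)
              for _ in range(trials)]
    return {
        "easy_easy": stun_then_punch(easy("198.51.100.1"), easy("198.51.100.2")),
        "easy_hard": stun_then_punch(easy("198.51.100.1"), hard("198.51.100.3")),
        "hard_hard": stun_then_punch(hard("198.51.100.1"), hard("198.51.100.3")),
        "birthday_first": counts[0],
        "mean_probes": sum(counts) / trials,
        "p50": probes_needed(256, 0.5),
        "p95": probes_needed(256, 0.95),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The STUN-learned endpoint works only when both NATs are endpoint-independent; with one hard NAT the advertised port is never the one used towards the peer, and the birthday search finds a mapping after a few hundred probes on average (the analytic figures give the probe count for a 50% and 95% chance). Case 4 is the same model with both NATs hard: there is no fixed endpoint for either side to probe, which is why it falls back to a relay.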