NAT Traversal: Difference between revisions

From Celeste@Hoppinglife

Latest revision as of 23:01, 9 April 2024

This is basically a short paraphrase of what is in Tailscale's NAT Traversal post (https://tailscale.com/blog/how-nat-traversal-works/).

NAT traversal relies on the property that a stateful firewall, having seen an outbound connection, admits **the returning traffic of that connection to the same IP:port**. For UDP, if both sides know the source and destination IP:port, they can establish a direct connection simply by sending packets to each other.

Case 1: both source and destination have public IPs and sit only behind a stateful firewall: easy, the ports are known.

Case 2: both source and destination are behind a single layer of NAT, but the mapped port depends only on the source socket: use a third-party server to discover each side's public IP:port.

Case 3: similar to case 2, but one side's NAT is endpoint-dependent (the mapped port changes with the destination): we know the IP:port of the easy side and only the IP of the hard side. A birthday attack can be used to search the destination ports (open connections from many ports on the hard side, probe many ports from the easy side, and wait for a collision).

Case 4: Both sides are endpoint-dependent: there are too many possibilities.
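The four cases are easier to reason about with a toy model in hand. The following Python is an added example, not code from the page or from Tailscale: it models a NAT plus stateful firewall whose mapping is either endpoint-independent (easy) or endpoint-dependent (hard), walks through Case 2 (third-party server reveals the ports), Case 3 (the hard side opens 256 ports, the easy side probes random ports until one collides) and Case 4 (the search space squares). The IPs, ports, the 256-port count and the firewall rule "admit only if matching outbound state exists" are assumptions of the model, not facts from the page.

```python
"""Toy model of the NAT traversal cases above (added example, assumptions noted)."""
import random

PORT_SPACE = 65536
HARD_SIDE_PORTS = 256            # assumed number of ports the hard side opens in Case 3
SERVER = ("203.0.113.10", 3478)  # constructed third-party server endpoint


class Nat:
    """One peer's NAT + stateful firewall (toy model).

    endpoint_dependent=False: public port depends only on the internal source
    socket, so the same port is reused for every destination ("easy", Case 2).
    endpoint_dependent=True: fresh random public port per (socket, destination),
    so a third party cannot predict the port used toward a peer ("hard").
    """

    def __init__(self, public_ip, endpoint_dependent, rng):
        self.public_ip = public_ip
        self.endpoint_dependent = endpoint_dependent
        self.rng = rng
        self.mappings = {}  # mapping key -> public port (port collisions ignored in the toy)
        self.state = set()  # (public port, remote endpoint) pairs with outbound state

    def outbound(self, src_socket, dst):
        """Send from an internal socket to dst; returns the public (ip, port) used."""
        key = (src_socket, dst) if self.endpoint_dependent else src_socket
        if key not in self.mappings:
            self.mappings[key] = self.rng.randrange(1024, PORT_SPACE)
        port = self.mappings[key]
        self.state.add((port, dst))  # return traffic from dst to this port is now admitted
        return (self.public_ip, port)

    def inbound(self, dst_port, src):
        """Stateful firewall decision: admit only if matching outbound state exists."""
        return (dst_port, src) in self.state


def case2_direct_connection(b_hard=False, seed=1):
    """Case 2: a server reports each side's public port; returns True if the
    hole punch succeeds. With b_hard=True the same procedure fails (needs Case 3)."""
    rng = random.Random(seed)
    nat_a = Nat("198.51.100.1", endpoint_dependent=False, rng=rng)
    nat_b = Nat("198.51.100.2", endpoint_dependent=b_hard, rng=rng)
    sock_a, sock_b = ("10.0.0.2", 5000), ("192.168.1.7", 5000)
    pub_a = nat_a.outbound(sock_a, SERVER)  # server observes and reports these endpoints
    pub_b = nat_b.outbound(sock_b, SERVER)
    a_to_b = nat_a.outbound(sock_a, pub_b)  # each side sends to the other's reported endpoint
    b_to_a = nat_b.outbound(sock_b, pub_a)
    reused = (a_to_b == pub_a) and (b_to_a == pub_b)  # ports the server saw are still valid
    admitted = nat_a.inbound(pub_a[1], pub_b) and nat_b.inbound(pub_b[1], pub_a)
    return reused and admitted


def case3_birthday_search(seed=1, max_probes=PORT_SPACE):
    """Case 3: A easy, B hard. Returns number of probes until A hits one of B's
    opened ports, or None if max_probes is exhausted."""
    rng = random.Random(seed)
    nat_a = Nat("198.51.100.1", endpoint_dependent=False, rng=rng)
    nat_b = Nat("198.51.100.2", endpoint_dependent=True, rng=rng)
    sock_a = ("10.0.0.2", 5000)
    pub_a = nat_a.outbound(sock_a, SERVER)  # easy side's IP:port is known to everyone
    nat_b.outbound(("192.168.1.7", 5000), SERVER)  # useless: B's port toward A will differ
    # B opens many sockets toward A's known endpoint: HARD_SIDE_PORTS random public
    # ports on B's NAT now all admit traffic coming from pub_a.
    for i in range(HARD_SIDE_PORTS):
        nat_b.outbound(("192.168.1.7", 40000 + i), pub_a)
    # A knows only B's IP, so it probes random destination ports from its fixed socket;
    # A's NAT is easy, so every probe leaves from pub_a and matches B's state on a hit.
    candidates = list(range(1024, PORT_SPACE))
    rng.shuffle(candidates)
    for n, port in enumerate(candidates[:max_probes], start=1):
        nat_a.outbound(sock_a, (nat_b.public_ip, port))
        if nat_b.inbound(port, pub_a):
            return n
    return None


def hit_probability(opened, probes, space=PORT_SPACE):
    """P(at least one of `probes` distinct random ports lands on one of `opened` ports)."""
    miss = 1.0
    for i in range(probes):
        miss *= (space - opened - i) / (space - i)
    return 1.0 - miss


def case4_probability(probes=1024):
    """Case 4: both hard. A hit needs B's port AND A's fresh source port to match,
    so the space is PORT_SPACE**2 (assumes 16-bit ports on both sides)."""
    return hit_probability(HARD_SIDE_PORTS, probes, space=PORT_SPACE ** 2)


if __name__ == "__main__":
    print("Case 2, both easy:", case2_direct_connection())
    print("Case 2 procedure with B hard:", case2_direct_connection(b_hard=True))
    print("Case 3 probes until hit:", case3_birthday_search())
    print("Case 3 P(hit) after 174 probes:  %.3f" % hit_probability(HARD_SIDE_PORTS, 174))
    print("Case 3 P(hit) after 1024 probes: %.3f" % hit_probability(HARD_SIDE_PORTS, 1024))
    print("Case 4 P(hit) after 1024 probes: %.2e" % case4_probability())
```

Running the script shows why each case is classed the way it is: the Case 2 procedure succeeds only while both mappings ignore the destination, the Case 3 search typically hits after a few hundred probes (roughly 50% chance by 174 probes and above 97% by 1024 with 256 open ports, per `hit_probability`), and with both sides hard the same 1024 probes have a hit probability on the order of 1e-5, which is the "too many possibilities" of Case 4.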