undefined | Better HN

0 pointsrocqua9y ago0 comments

Ok, so below is how I understand NAT to make a PC effectively (with exceptions) unroutable.

As I figured it, if pc Bob is behind a NAT, there is not a public IP address that will route to Bob. The NAT box (lets call it a router) does have a public IP address. However, when a packet arrives at the router, and the destination port isn't mapped (by mapped I don't just mean manual port forwarding but also the actual NAT process) to some port on Bob, the packet will never reach Bob.

In order to figure out a destination port that will even reach Bob at all, you either need to somehow get a recognized request from Bob, and look at the 'return address'. If you already have some control over Bob (or another PC in the NAT) that seems feasible, otherwise it takes a rather large dragnet. My point being, unless you have info on the state of the router, anything behind it is effectively unroutable.

I'd be very interested to hear where I am wrong, it's been a while since I covered this material.

0 comments

2 comments · 1 top-level

pdkl959y ago· 1 in thread

You're still looking at NAT as used to masquerade the hosts on a LAN (often with RFC 1918 private addresses) so they appear as a single public internet address. That is actually one of the fancier uses of NAT, and it's almost always combined with a firewall/etc.

RFC 2663 defines[1] a "Basic NAT" as a one-to-one mapping of IP addresses. This can be useful as a way to combine two separate IP networks that share addresses. If you have two networks using the 10.1.x.y range, you could connect them with a Basic NAT so they each see the opposite network as addresses in the 10.2.x.y range.

NAT is just about the Address Translation. Routing is a separate feature, and dropping packets is a separate feature that can be left out, even if those are rare situations.

> but also the actual NAT process

Often you don't even need the NAT process to be involved. Send a packet to a NAT route with the internal destination address, and some routers will simply route the packet directly. Enabling the Source Routing options can also force packets to a specific host by guessing the local address, which is easy when everybody uses 192.168.1.x or other private addresses behind their NAT. Fortunately, this generally isn't possible anymore because LSRR is now usually dropped at the firewall.

If NAT sounds like a mess, it is. NAT is a shameless subversion of the "end-to-end principle, which has set network software development back decades.

[1] https://tools.ietf.org/html/rfc2663#section-4.1.1

rocquaOP9y ago

Thanks for the info. Seems like I was indeed somewhat misinformed.

Learn something new every day.

j / k navigate · click thread line to collapse