Nytro

Autonomous NAT Traversal


Autonomous NAT Traversal

Andreas Müller, Nathan Evans, Christian Grothoff
Network Architectures and Services
Technische Universität München
Email: {mueller,evans,grothoff}@net.in.tum.de

Samy Kamkar
Email: samy@samy.pl

Abstract—Traditional NAT traversal methods require the help of a third party for signalling. This paper investigates a new autonomous method for establishing connections to peers behind NAT. The proposed method for autonomous NAT traversal uses fake ICMP messages to initially contact the NATed peer. This paper presents how the method is supposed to work in theory, discusses some possible variations, introduces various concrete implementations of the proposed approach and evaluates empirical results of a measurement study designed to evaluate the efficacy of the idea in practice.

I. INTRODUCTION

A large fraction of the hosts in a typical peer-to-peer network are in home networks. Most home networks use network address translation (NAT) [1] to facilitate multiple computers sharing a single global public IP address, to enhance security or simply because the provider's hardware often defaults to this configuration. Recent studies have reported that up to 70% of users access P2P networks from behind a NAT system [2]. This creates a well-known problem for peer-to-peer networks since it is not trivial to initiate a connection to a peer behind NAT. For this paper, we will use the term server to refer to a peer behind NAT and the term client for any other peer trying to initiate a connection to the server.

Unless configured otherwise (protocols such as the Internet Gateway Device Protocol [3] are counted as configuration in this context), almost all NAT implementations refuse to forward inbound traffic that does not correspond to a recent matching outbound request. This is not primarily an implementation issue: if there are multiple hosts in the private network, the NAT is likely unable to tell which host is the intended recipient. Configuration of the NAT is not always an alternative; problems range from end-user convenience and capabilities of the specific NAT implementation to administrative policies that may prohibit changes to the NAT configuration (for example, due to security concerns).

Since NAT systems prohibit inbound requests that do not match a previous outbound request, all existing NAT traversal techniques (aside from those changing the configuration of the NAT system) that we are aware of require some amount of active facilitation by a third party [4], [5]. The basic approach in most of these cases is that the server in the private network behind the NAT is notified by the third party that the client would like to establish a connection. The server then initiates the connection to the client. This requires that the server maintains a connection to a third party, that the client is able to locate the responsible third party and that the third party acts according to a specific protocol.

The goal of this paper is autonomous NAT traversal, meaning NAT traversal without a third party. Using third parties increases the complexity of the software and potentially introduces new vulnerabilities. For example, if anonymizing peer-to-peer networks (such as GNUnet [6] or Tor [7]) used third parties for NAT traversal, an attacker may be able to monitor connections or even traffic volumes of peers behind NATs which in turn might enable deanonymization attacks [8], [9]. Another problem is that the decrease in available globally routable IPv4 addresses [10] will in the near future sharply reduce the fraction of hosts that would be able to facilitate NAT traversal.

Download:

http://samy.pl/pwnat/pwnat.pdf
