Understanding what the routers do in NAT traversal

bwanaaa

Senior member
Dec 26, 2002
Normally, if 2.2.2.2:43424 goes to 5.5.5.5:80 then 5.5.5.5:80 sends information back to 2.2.2.2:43424 once the session is established. But what if 2.2.2.2:43424 wants to talk to 5.5.5.5:62001 where 62001 is closed? My understanding about hole punching is that 2.2.2.2:43424 can contact a third party with an open port, 6.6.6.6:80, and then 6.6.6.6:80 can reply to both 2.2.2.2:43424 and 5.5.5.5:62001 with a VERB_RENDEZVOUS instruction as described in the 15th paragraph here:
https://www.zerotier.com/blog/?p=226

But how does telling a router to do VERB_RENDEZVOUS fix anything? Why wouldn't routers do VERB_RENDEZVOUS by default when encountering any closed port? That would eliminate the need for third party servers (reducing traffic).

Or am I missing something? I thought the third party server had to spoof a reply to each. So in my example, 6.6.6.6:80 would send a 'reply' to 2.2.2.2:4342 with a spoofed source of 5.5.5.5:62001 and also a 'reply' to 5.5.5.5:62001 with a spoofed source of 2.2.2.2:43424.

Still, even in this scenario of hole punching, 5.5.5.5:62001 would say, 'WTF, who is 2.2.2.2:43424? I never contacted you. Get lost' and it would drop the packet.

So, can anyone un-befuddle me?
 

Markbnj

Elite Member / Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
My understanding is that VERB_RENDEZVOUS is a message to the routers, each of which has already been provided the other party's public IP, that they should attempt to initiate a direct connection. If that fails for some reason they can continue relaying traffic through the server.
 

bwanaaa

Senior member
Dec 26, 2002
WOW! So someone can create a DDOS by spamming all the world's routers to VERB_RENDEZVOUS with the target?! That sounds really dangerous. I don't think that's all there is to it? REALLY? I would like to check this on my home network. I would set up three routers' WAN ports connected to a switch. How can I get one router to send the verb thingy to the other two?
 

Mark R

Diamond Member
Oct 9, 1999
You are quoting from a description of a proprietary NAT traversal technology. This software package is designed to allow easy NAT traversal.

Essentially, Client software A, running on machine M1 behind NAT router R1 contacts an externally reachable server Z, which assists with the traversal. Client B, running on machine M2 behind NAT router R2 is also in contact with server Z. Server Z can receive messages from one client and forward them to another client when that client checks in.

Client A wants to communicate with B. To do that it sends a message (VERB_RENDEZVOUS) via server Z, telling client B to prepare for NAT traversal. Remember, that the VERB_RENDEZVOUS message is part of the client software, and nothing to do with the router.

The way the actual NAT traversal works is that the rendezvous message contains Client A's external IP address AND also the external port used for the message transmission.

Client A then gets client B's external address and communication port sent back from the server, so client A now knows client B's IP and the last used external port.

For example A (int: 192.168.1.1:1234/ext:172.16.3.100:9123) gets a message back from server Z saying B was last seen on 10.0.1.3:10234.

Client A then starts spamming connections to 10.0.1.3:10235, 10.0.1.3:10236, etc.

Every time client A spams a new connection attempt, the router R1 opens that port, expecting a connection to come back.

Client B then starts spamming connections to 172.16.3.100:9124, 172.16.3.100:9125, etc.

Most routers allocate external port numbers on an increasing basis. So, the first connection goes out from port 10000, the next connection out from port 10001, etc. This gives the software a reasonable chance of guessing which port will be opened next, and by trying 20 or 30 ports at a time, there's a good chance that an open port will be found.

The idea is that client A spams its router, to open a bunch of ports. Client B spams its router to open a bunch of ports. By guessing which ports on the opposite end will be open, at least one connection stands a good chance of succeeding. Once a connection is active, then the traversal process stops. The router will keep the active ports open, and the spammed ports will eventually time-out and auto-close.

This technique doesn't work on routers which allocate external ports randomly (very rare). If any one router allocates external ports in ascending order, the connection will likely work. If both are random, then it's pretty much guaranteed not to work. For this reason, most routers, and ISPs using carrier-grade NAT are designed to use incrementing port numbers.
 

bwanaaa

Senior member
Dec 26, 2002
Mark

Thank you for that wonderful explanation. I see now that both A and B have to have previously engaged Z. And thus a message from Z would not be rejected by either A or B.

Now for a second I will put on my white hat. Suppose I spoofed Google's IP address. Everyone goes to Google several times a day. Therefore every router in creation will be expecting a reply from 'Google'. Thus I can get the whole world to spam a target by sending them the target's IP address from my pretend Google box. Yes?

This sounds scary. Especially the part where the routers just keep trying incremental ports. Sounds like a packet storm waiting to happen.
 

Mark R

Diamond Member
Oct 9, 1999
This technique of hole piercing is only needed where a client behind a NAT router needs to accept incoming messages without first having sent an outgoing message (and expecting a reply).

If you go to google's home page, as a reply is expected, your router will see the outgoing connection request and open a port for the return message. As this type of communication is TCP, routers will tend to monitor the "connection start" and "connection end" messages, only opening the port when an outgoing "connection start" message is detected, and closing the port as soon as a "connection end" message comes from either direction.

TCP also has an anti-spoofing feature built in, to prevent IP spoofing. When your computer sends a "connection start" message to google, it contains a random "sequence number". That number must be quoted in the reply. If the reply has the wrong sequence number, then your computer (and possibly router) will ignore the packet. So, even if you can forge google's IP address on malicious packets you sent to random victims, unless you can arrange to spy on packets going to google, the recipients of those packets will just ignore them.

Things are much simpler with UDP, as there isn't automatic anti-spoofing, explicit connection closing etc. UDP packets are just packet messages. Applications using UDP can implement their own features if needed. Routers auto close UDP ports if they aren't used for a while.

As to packet storms, they aren't usually that bad. Most NAT traversal software techniques use a limited number of ports or try them relatively slowly. In general, unless routers are very busy (most home routers or well designed ISP NAT routers), then the NAT traversal will work on the first or second attempt.
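The two Mark R posts above describe one procedure (check in with Z, learn the peer's last external port, probe the next few ports on a router that allocates ports in ascending order) and two reasons a forged "reply from Google" goes nowhere (the NAT only forwards traffic matching a mapping it opened, and the TCP stack expects its random sequence number acknowledged). The following toy model is added here as an illustration; it is not ZeroTier's protocol or code. The names `Nat`, `hole_punch`, `tcp_reply_accepted` and `forged_reply` are mine, the NAT is assumed to give each new destination its own external port, the `stride` parameter is a stand-in for a router whose allocation the peer cannot guess, and all addresses are constructed (the 172.16/10.0 "external" addresses are reused from the thread; 203.0.113.x is TEST-NET).

```python
"""Toy model of port-prediction NAT hole punching and of why a forged reply
is dropped. Added illustration only, not ZeroTier's code; addresses constructed."""
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Router that allocates external ports in ascending order (stride 1) and
    forwards an inbound packet only when it matches a mapping that an earlier
    outbound packet created. stride != 1 stands in for unpredictable allocation."""
    ext_ip: str
    next_port: int
    stride: int = 1
    # (int_ip, int_port, dst_ip, dst_port) -> external port (assumed: one per destination)
    mappings: dict = field(default_factory=dict)

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Internal host sends to a destination; a new destination gets the next port."""
        key = (int_ip, int_port, dst_ip, dst_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += self.stride
        return self.ext_ip, self.mappings[key]

    def inbound(self, src_ip, src_port, ext_port):
        """Return the internal endpoint the packet is forwarded to, or None when it is
        dropped: the source must be exactly the destination the mapping was opened for."""
        for (int_ip, int_port, dst_ip, dst_port), port in self.mappings.items():
            if port == ext_port and (dst_ip, dst_port) == (src_ip, src_port):
                return int_ip, int_port
        return None


def hole_punch(r1, a, r2, b, server, tries=20):
    """A behind r1 and B behind r2 both check in with the rendezvous server, learn the
    external endpoint the other was last seen on, then each probes the next `tries`
    ports above it. Returns the first (A ext port, B ext port) pair that passes both
    NATs, or None."""
    a_seen = r1.outbound(*a, *server)   # what the server will tell B about A
    b_seen = r2.outbound(*b, *server)   # what the server will tell A about B
    # Every probe opens one more mapping on the sender's own router.
    a_probes = [(r1.outbound(*a, b_seen[0], b_seen[1] + i), b_seen[1] + i)
                for i in range(1, tries + 1)]
    for i in range(1, tries + 1):
        r2.outbound(*b, a_seen[0], a_seen[1] + i)
    for (a_ip, a_port), b_port in a_probes:
        # A's probe must get through r2 to B, and B's matching probe through r1 to A.
        if (r2.inbound(a_ip, a_port, b_port) == b
                and r1.inbound(b_seen[0], b_port, a_port) == a):
            return a_port, b_port
    return None


def tcp_reply_accepted(isn, ack):
    """Host-side check: a SYN-ACK must acknowledge the random initial sequence number + 1."""
    return ack == (isn + 1) % 2**32


def forged_reply(router, victim, claimed_src, ext_port, isn, ack):
    """A packet arrives at the victim's router claiming to come from `claimed_src`
    with acknowledgement `ack`. Returns (forwarded by the NAT, accepted by the host)."""
    forwarded = router.inbound(claimed_src[0], claimed_src[1], ext_port) == victim
    return forwarded, forwarded and tcp_reply_accepted(isn, ack)


if __name__ == "__main__":
    a, b = ("192.168.1.1", 1234), ("192.168.2.2", 5678)
    server = ("6.6.6.6", 80)
    print("ascending ports:", hole_punch(Nat("172.16.3.100", 9123), a,
                                         Nat("10.0.1.3", 10234), b, server))
    print("unpredictable ports:", hole_punch(Nat("172.16.3.100", 9123, stride=1000), a,
                                             Nat("10.0.1.3", 10234, stride=1000), b, server))
    r1, google, isn = Nat("172.16.3.100", 9123), ("203.0.113.10", 443), 12345
    ext_port = r1.outbound(*a, *google)[1]      # victim's own connection to "Google"
    print("forged, ISN unknown:", forged_reply(r1, a, google, ext_port, isn, 0))
    print("forged, ISN sniffed:", forged_reply(r1, a, google, ext_port, isn, isn + 1))
    print("source never contacted:", forged_reply(r1, a, ("203.0.113.99", 443), ext_port, isn, isn + 1))
```

With both routers counting up by one, the very first probe pair lines up (A's port 9124 to B's 10235, B's 10235 to A's 9124), which is why the thread says it usually works on the first or second attempt; with the stride allocator no pair ever matches. For the forged reply, the NAT forwards only when the claimed source is exactly the address and port the victim itself contacted, and even then the host discards it unless the acknowledgement matches its random ISN, which an attacker can only know by observing the victim's traffic.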
 

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
You are quoting from a description of a proprietary NAT traversal technology. This software package is designed to allow easy NAT traversal.

Yeah I should have mentioned this in my reply. VERB_RENDEZVOUS is a proprietary protocol (or extension, I guess) implemented by ZeroTier.