Date: Wed, 22 Feb 2012 16:52:39 +0100
From: Harry Behrens <harry@...rens.com>
To: Adam Behnke <adam@...osecinstitute.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Circumventing NAT via UDP hole punching.

I believe this is exactly what "Symmetric RTP" in the context of 
SIP-based communication has been doing for years.

Or have I missed something?

Best regards,

     Harry

On 22.02.2012 16:36, Adam Behnke wrote:
>
> A new write up at InfoSec Institute on circumventing NAT.  The process 
> works in the following way. We assume that both the systems A and B 
> know the IP address of C.
>
> a) Both A and B send UDP packets to the host C. As the packets pass 
> through their NATs, the NATs rewrite the source IP address to its 
> globally reachable IP address. It may also rewrite the source port 
> number, in which case UDP hole punching would be almost impossible.
>
> b) C notes the IP address and port of the incoming requests from A and 
> B. Let the port number for A equal X and the port number for B equal Y.
>
> c) C then tells A to send a UDP packet to the global IP address of the 
> NAT for B at port Y, and similarly tells B to send a UDP packet to the 
> global IP address of the NAT for A at port X.
>
> d) The first packets for both A and B get rejected while entering into 
> each other's NATs. However, as the packet passes from the NAT of A to 
> the NAT of B at port Y, NAT A makes note of it and hence punches a 
> hole in its firewall to allow incoming packets from the IP address of 
> the NAT of B, from port Y. The same happens with the NAT of B and it 
> makes a rule to allow incoming packets from the IP address of the NAT 
> of A from port X.
>
> e) Now when A and B send packets to each other, these get accepted and 
> hence a P2P connection is established.
>
> http://resources.infosecinstitute.com/udp-hole-punching/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
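
Steps a) to e) of the quoted write-up, modelled as NAT mapping and filter tables (an added example, not part of either message or the linked article). The `Nat` class, the addresses and the port numbers are constructed, and filtering is assumed to be restricted by remote address and port as step d) describes; the second run goes slightly beyond the text by modelling a NAT that picks a new external port per destination.

```python
# Toy model of the NAT state in steps a) to e). All addresses are constructed
# (RFC 5737 documentation ranges); no real sockets are opened.
import itertools

class Nat:
    def __init__(self, public_ip, symmetric=False, first_port=40000):
        self.public_ip = public_ip
        self.symmetric = symmetric      # True: new external port per destination
        self.ports = itertools.count(first_port)
        self.mappings = {}              # mapping key -> external port
        self.holes = set()              # (external port, remote ip, remote port)

    def outbound(self, internal, dst):
        """Translate an outgoing packet; return the source (ip, port) seen outside."""
        key = (internal, dst) if self.symmetric else internal
        if key not in self.mappings:
            self.mappings[key] = next(self.ports)
        ext_port = self.mappings[key]
        self.holes.add((ext_port, *dst))    # replies from dst are now let in
        return (self.public_ip, ext_port)

    def inbound(self, src, ext_port):
        """True if a packet from src to ext_port matches an existing hole."""
        return (ext_port, *src) in self.holes

def punch(sym_a=False, sym_b=False):
    nat_a = Nat("198.51.100.1", sym_a, 40000)
    nat_b = Nat("203.0.113.1", sym_b, 50000)
    a, b, c = ("10.0.0.2", 5000), ("192.168.1.2", 5000), ("192.0.2.10", 3478)
    # a) + b): C records the translated source of each registration (X and Y).
    x = nat_a.outbound(a, c)
    y = nat_b.outbound(b, c)
    # c) + d): each side sends to the endpoint C reported for the other.
    # The model sends A's packet first, so it arrives before B has a hole for A.
    src_a = nat_a.outbound(a, y)
    first_a_to_b = nat_b.inbound(src_a, y[1])
    src_b = nat_b.outbound(b, x)
    # e): later packets are accepted only if both holes line up.
    a_to_b = nat_b.inbound(nat_a.outbound(a, y), y[1])
    b_to_a = nat_a.inbound(src_b, x[1])
    return {"X": x, "Y": y, "first_a_to_b": first_a_to_b,
            "a_to_b": a_to_b, "b_to_a": b_to_a}

if __name__ == "__main__":
    print("same external port for every destination:", punch())
    print("NAT A picks a new port per destination: ", punch(sym_a=True))
```

In the second run the hole NAT B opens is for port X as seen by C, while A's packets to B leave from a different external port, so neither direction matches a filter entry.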

