Re: TCP simultaneous open using iptables NAT?

Now I am confused. The behavior I am seeing is that despite the timing
being correct, simultaneous open does not function as intended:

A's SYN reaches B's NAT *after* B's SYN has left B's NAT and the same
is true of B - B's SYN reaches A's NAT *after* A's SYN has left A's
NAT. This is the correct case for simultaneous open. What I was
originally saying was that this does not work if one does iptables
SNAT without DNAT (of course, with a full-cone NAT it works; you don't
even have to do a simultaneous open).

My program basically does a SYN flood (though it waits for RSTs before
sending out more SYNs) from both sides with the hope that one of these
will cross in the network and create the appropriate timing conditions
for a simultaneous open, i.e., what you mentioned below. From my
testing, even with very small round trip times of less than 1 ms, one
can generate numerous instances of simultaneous open. Note that this
is with single layer NATting. With multi-level NAT, simultaneous open
might be more difficult. Section 2.3 on this page -
http://nutss.gforge.cis.cornell.edu/pub/imc05-tcpnat/ - sort of
describes the approach I am using. Furthermore, the same authors
concluded that about 85% of NATs in the wild actually do support
simultaneous open. So things may not be as bleak.

Best,
Saatvik


On 5/30/09, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> On Sat, 30 May 2009, Christoph Paasch wrote:
>
>
> > Hmm, I don't understand...
> >
> > As both hosts are NATed, this would mean that the NAT would allow the SYN to
> > pass (coming from the "Internet" going to the LAN).
> >
> > But this is not possible, as no state has been created on this one of the two
> > NATs (the host hasn't sent out a SYN yet).
> >
> > Can you explain to me what I'm missing here?
>
>
> The intended packet flow is as follows:
>
>  Time/action   Host A      NAT A           NAT B     Host B
>  Send SYN      A SYN ->                            <- B SYN
>  SYN NATed                 A SYN ->     <- B SYN
>  Cross other fw         <- B SYN           A SYN ->
>  SYN arrives   B SYN                                  A SYN
>  Reply         A SYN/ACK->                         <- B SYN/ACK
>  ...
>
>  When the SYNs arrive at the other firewall, it's already opened up from
>  inside. Of course both communicating parties must know in advance the mapped
>  IP address and source port of the other side.
>
>  Because RST packets were generated by the hosts, it means the timing was
>  not appropriate and A SYN reached B before it had sent its SYN. But it
>  means we have to assume DNAT/REDIRECT rules were set up as well, otherwise
>  B NAT would not let the SYN from A pass to B.
>
>  But this is an assumption because we do not know the full details of the
>  settings.
>
>
>  Best regards,
>  Jozsef
>  -
>  E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
>  PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
>  Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
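The timing condition the thread argues about can be made concrete with a small model. The following is an added example written for this archive page, not code from any poster or from the netfilter project. It follows the packet flow in Jozsef's table: a SYN leaving its own NAT creates the SNAT mapping (conntrack state), and a SYN arriving from the outside is let in only if that state already exists; with a static DNAT/REDIRECT rule it is forwarded regardless, and a host with no SYN_SENT socket answers it with an RST, which is what Saatvik's program waits for before sending the next SYN. The one-way delay, send times and the per-round jitter are constructed inputs; the `Nat` class and the function names are assumptions of this example.

```python
"""Timing model of a TCP simultaneous open through two NATs.

Added example for this thread, not code from any poster.  A SYN leaving
its own NAT creates the SNAT mapping (conntrack state); a SYN arriving
from outside is accepted only if that state already exists.  All delays,
send times and the retry schedule below are constructed inputs.
"""
from dataclasses import dataclass
import random


@dataclass
class Nat:
    name: str
    dnat_rule: bool = False  # static DNAT/REDIRECT towards the inside host?

    def inbound_syn(self, arrival, own_syn_left):
        """Fate of a SYN from the outside arriving at time `arrival`.

        `own_syn_left` is the time the inside host's SYN left this NAT
        (creating the mapping), or None if it has not sent one yet.
        """
        if own_syn_left is not None and arrival > own_syn_left:
            return "pass"  # matches the conntrack entry created by our own SYN
        if self.dnat_rule:
            return "rst"   # DNAT forwards it anyway; no SYN_SENT socket -> host sends RST
        return "drop"      # SNAT only: unsolicited inbound SYN is dropped


def attempt(t_a, t_b, owd, nat_a, nat_b):
    """One pair of SYNs: A's leaves NAT A at t_a, B's leaves NAT B at t_b.

    `owd` is the one-way delay between the two NATs (seconds).
    Returns (fate of A's SYN at NAT B, fate of B's SYN at NAT A).
    """
    a_at_b = nat_b.inbound_syn(t_a + owd, t_b)
    b_at_a = nat_a.inbound_syn(t_b + owd, t_a)
    return a_at_b, b_at_a


def crossed(t_a, t_b, owd, nat_a, nat_b):
    """True when both SYNs find state at the far NAT, i.e. they crossed in
    the network.  This is exactly the condition |t_a - t_b| < owd."""
    return attempt(t_a, t_b, owd, nat_a, nat_b) == ("pass", "pass")


def retry_until_cross(owd, spread, seed=1, max_rounds=10_000):
    """Model of the 'send a SYN, wait for the RST, send another' loop.

    Each round both sides send one SYN at an independent random offset
    within `spread` seconds.  With DNAT on both NATs an early SYN is
    answered by an RST, which ends the round; the loop stops at the
    first round whose SYNs cross.  Returns (round_number, t_a, t_b),
    or None if no round crossed.
    """
    rng = random.Random(seed)
    nat_a, nat_b = Nat("A", dnat_rule=True), Nat("B", dnat_rule=True)
    for n in range(1, max_rounds + 1):
        base = float(n)                 # constructed: one second per round
        t_a = base + rng.uniform(0, spread)
        t_b = base + rng.uniform(0, spread)
        if crossed(t_a, t_b, owd, nat_a, nat_b):
            return n, t_a, t_b
    return None


if __name__ == "__main__":
    # Constructed numbers: RTT just under 1 ms, so OWD = 0.45 ms;
    # each side's send time is jittered over a 10 ms window.
    owd = 0.00045
    print(attempt(0.0, 0.0001, owd, Nat("A"), Nat("B")))                  # ('pass', 'pass')
    print(attempt(0.0, 0.002, owd, Nat("A"), Nat("B")))                   # ('drop', 'pass')
    print(attempt(0.0, 0.002, owd, Nat("A"), Nat("B", dnat_rule=True)))   # ('rst', 'pass')
    print(retry_until_cross(owd=owd, spread=0.010))
```

The model stops at each NAT's decision about the SYN; what the hosts do afterwards (RST, retransmission, the SYN/SYN-ACK exchange) is as described in the thread. The useful observation is the closed form in `crossed`: the two SYNs must leave their NATs within one one-way delay of each other, so a sub-millisecond RTT gives a window of a few hundred microseconds per round, and the retry loop simply keeps rolling the dice until a round lands inside it.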
