Airport NAT behavior
- Subject: Airport NAT behavior
- From: "Tim Dorcey" <email@hidden>
- Date: Fri, 24 Mar 2006 13:13:37 -0800
- Importance: Normal
I have noticed that for UDP traffic the Airport NAT appears to operate as a
"Symmetric NAT," in the terminology of RFC3489. This means that a single
internal (address,UDP port) is mapped to multiple public ports, a different
one for each remote (address,port) it is interacting with. I wonder if
anyone can explain the rationale for this?
I understand that recent versions support "NAT-PMP" protocol, by which an
internal host can request the NAT to maintain a consistent 1:1 mapping
between an internal (addr,port) and a public (addr,port) within some time
window. Wouldn't it be sensible to just make this the normal behavior?
"NAT-PMP" goes a step further and allows any remote host to reach the
internal (addr,port) via this mapping. I can understand why this (what they
call a "Full Cone" in RFC3489) would not be default behavior. But, why do
we need a special protocol just to request 1:1 end-point mapping?
The NAT can still enforce the default rule that inbound packets are rejected
unless the internal host has "recently" sent a packet to that remote
(addr,port). Does assignment of a different port for each remote
(addr,port) add any security? In the former case, an attacker must spoof a
source (addr,port) the internal host has recently sent a packet to. In the
latter case, they must also know what port the NAT has assigned to that
(addr,port). Doesn't seem to add much, given that the port assignments seem
to be made sequentially, and there aren't that many for an attacker to guess
at even if they were random.
Tim
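A small model of the two mapping behaviours the post contrasts, added here as an illustration (not code from the original message or from Apple): both NATs apply the same filtering rule, so the inbound checks come out identical and the only visible difference is how many public ports one internal socket ends up with. The addresses, ports, sequential port base and 30 s window are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, UDP port)


@dataclass
class UdpNat:
    """Toy NAT: mapping rule is configurable, filtering rule is fixed.

    mapping="symmetric": a fresh public port for every distinct remote
    (addr, port), as the post observes on the Airport.
    mapping="endpoint_independent": one public port per internal (addr, port),
    reused for every remote (the 1:1 mapping NAT-PMP requests).
    Filtering (both modes): inbound is delivered only if the internal host sent
    to that exact remote (addr, port) within `window` seconds.
    """
    mapping: str
    window: float = 30.0
    next_port: int = 40000  # constructed base; assigned sequentially
    _ports: Dict[tuple, int] = field(default_factory=dict)      # mapping key -> public port
    _sessions: Dict[tuple, tuple] = field(default_factory=dict)  # (public port, remote) -> (internal, last tx)

    def outbound(self, internal: Endpoint, remote: Endpoint, now: float) -> int:
        """Internal host sends to `remote`; returns the public port used."""
        if self.mapping == "symmetric":
            key = (internal, remote)
        elif self.mapping == "endpoint_independent":
            key = (internal, None)
        else:
            raise ValueError(self.mapping)
        if key not in self._ports:
            self._ports[key], self.next_port = self.next_port, self.next_port + 1
        port = self._ports[key]
        self._sessions[(port, remote)] = (internal, now)  # refresh the filter entry
        return port

    def inbound(self, remote: Endpoint, public_port: int, now: float) -> Optional[Endpoint]:
        """Remote sends to `public_port`; returns the internal endpoint reached, or None if dropped."""
        entry = self._sessions.get((public_port, remote))
        if entry is None:
            return None  # host never sent to this remote (addr, port) via this port
        internal, last_tx = entry
        if now - last_tx > self.window:
            del self._sessions[(public_port, remote)]
            return None  # "recently" has expired
        return internal


def compare_modes() -> dict:
    """Run identical traffic through both NAT styles and record ports and delivery results."""
    host, a, b, c = ("10.0.1.5", 5000), ("198.51.100.7", 3478), ("203.0.113.9", 3478), ("192.0.2.4", 3478)
    results = {}
    for mode in ("symmetric", "endpoint_independent"):
        nat = UdpNat(mapping=mode)
        pa, pb = nat.outbound(host, a, now=0.0), nat.outbound(host, b, now=1.0)
        results[mode] = {"ports": (pa, pb),
                         "a_replies": nat.inbound(a, pa, now=2.0),       # delivered in both modes
                         "c_unsolicited": nat.inbound(c, pa, now=2.0),   # dropped: host never sent to c
                         "a_late": nat.inbound(a, pa, now=60.0)}         # dropped: window expired
    return results
```

Only the `ports` tuple differs between the two modes, which is the point the post makes: the filtering rule, not the per-remote port assignment, is what rejects unsolicited traffic.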
Macnetworkprog mailing list (email@hidden)