logoalt Hacker News

Veservtoday at 7:32 AM5 repliesview on HN

Needing to punch holes in NAT is one of the most idiotic own-goals in the entire field of networking.

NAT is effectively your router doing DHCP with a 17-bit suffix (16-bit port + 1 bit for UDP vs TCP) to each of your applications and then not telling you the address it gave you or how long it is good for (which is what a regular DHCP lease does). This is in addition to it, most likely, already doing regular DHCP and allocating you a IP address that it does tell you about, but which is basically worthless since routing to just that prefix without the hidden suffix goes into a black hole.

If you could just ask your router for a lease on a chunk of IP+NAT addresses that you could allocate to your applications and rotate them as they expire, you would not need this horrifying mess.

The router would just need to maintain the last-leg routing table (what a concept, a router doing routing with routing tables) just like it already does DHCP.

The applications would have short-term stable addresses that they could just tell their peers and just directly tell the router/firewall to block anybody except the desired peer short-term address.

Replies

lxgrtoday at 8:52 AM

> If you could just ask your router for a lease on a chunk of IP+NAT addresses

The “just” is doing a lot of lifting there. I’m glad the various port mapping protocols didn’t really take off and it looks like IPv6 is going to actually make it instead. Much less complexity in most parts of the stack and network.

show 2 replies
eptcykatoday at 7:35 AM

Why not use plain IPv6 instead?

show 2 replies
takipsizadtoday at 7:52 AM

it's been already done ISPs just don't properly implement it (NAT-PMP and it's relatives)

jeroenhdtoday at 3:48 PM

If only router manufacturers could be trusted to implement UPnP safely, then none I'd this bullshit would be necessary.

At least with IPv6 this crap becomes a little easier because you no longer have randomized source ports (which this article just ignores because some devices indeed maintain the same source port) and the IP address contains all the routing information you need. A simple simultaneous open is all you need.

show 1 reply
littlestymaartoday at 9:10 AM

Hole punching is doing exactly what you describe, just in a non-standardized way.

We could have a standard for doing that directly at the NAT box level instead of relying on a third party STUN server, it simply didn't happen (and in fairness, the benefits would be quite minimal).