Veserv (5 hours ago):

Needing to punch holes in NAT is one of the most idiotic own-goals in the entire field of networking. NAT is effectively your router doing DHCP with a 17-bit suffix (16-bit port + 1 bit for UDP vs TCP) to each of your applications and then not telling you the address it gave you or how long it is good for (which is what a regular DHCP lease does). This is in addition to it, most likely, already doing regular DHCP and allocating you an IP address that it does tell you about, but which is basically worthless since routing to just that prefix without the hidden suffix goes into a black hole. If you could just ask your router for a lease on a chunk of IP+NAT addresses that you could allocate to your applications and rotate them as they expire, you would not need this horrifying mess. The router would just need to maintain the last-leg routing table (what a concept, a router doing routing with routing tables) just like it already does DHCP. The applications would have short-term stable addresses that they could just tell their peers and just directly tell the router/firewall to block anybody except the desired peer short-term address.
|
lxgr (3 hours ago):

> If you could just ask your router for a lease on a chunk of IP+NAT addresses

The “just” is doing a lot of lifting there. I’m glad the various port mapping protocols didn’t really take off and it looks like IPv6 is going to actually make it instead. Much less complexity in most parts of the stack and network.

Veserv (3 hours ago):

It is always a mystery how people just randomly misinterpret what I write. At literally no point did I mention port mapping. I am pointing out how the problem NAT “solves” is just dynamic address configuration. They have implemented an N+K-bit address where the N-bit prefix is routed and allocated using IP and the low K bits are routed and allocated like a custom fever dream. You can just do it all the same way instead of doing it differently and worse for the low bits. To be clear, the router should rewrite zero bits in the packet under the scheme I am describing, just like how routers have no need to rewrite any bits when routing to a specific globally-routable IP address. You get a lease for a /N+K address. /N routes to your router, which routes the last K bits just like normal, as if it had a /N-M to a /N route. This is a generic description of homogeneous hierarchical routing.

lxgr (2 hours ago):

If I understand it correctly, you're suggesting formalizing a way to make parts of the (host-specific) port canonically part of the network-wide address, no? This still sounds like a very bad mixing of layers, even if done in a perfectly standardized and uniform way.

> It is always a mystery how people just randomly misinterpret what I write.

If this is intended literally and not as a general complaint: My main problem of understanding your suggestion is that I don't know what you mean by "IP+NAT address". NAT is a translation scheme, not an address. Maybe it would be clearer if you could provide an example?

GoblinSlayer (2 hours ago):

NAT allocates ports. If you reserve a port, that's good old port forwarding.

hrmtst93837 (2 hours ago):

Assuming IPv6 kills NAT is optimistic, plenty of orgs still stack private addressing and firewalls on top.

lxgr (an hour ago):

Firewalls aren't nearly as bad as NAT.

hdgvhicv (an hour ago):

Basically the same thing. If you legitimately need to establish a connection then put a firewall rule in; whether that needs NAT or PAT is a function of your available addresses. If you are trying to work around your firewall because it isn’t yours, that’s not a legitimate use.

lxgr (10 minutes ago):

Love it when random people tell me whether my use case is legitimate or not without apparently even knowing it exists! Take mobile data connections, for example: Most people don't want to pay for metered (by the byte) inbound traffic they didn't ask for that also drains their battery, but do want to be able to establish P2P connections for lower latency VoIP etc. This is a firewall that's definitionally "not theirs", but that still also serves their interests, yet usually doesn't offer any user-accessible management interface. So may I please traverse this firewall now, or is my use case still illegitimate?

eptcyka (4 hours ago):

Why not use plain IPv6 instead?

takipsizad (4 hours ago):

It's been already done, ISPs just don't properly implement it (NAT-PMP and its relatives).
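
As an added example, not from any commenter in the thread: the NAT-PMP mapping exchange (RFC 6886) that takipsizad refers to is essentially the lease Veserv asks for, since the gateway hands back an external port together with a lifetime the client has to renew. The gateway reply below is constructed in code; nothing is sent on the network.

```python
import struct

NATPMP_VERSION = 0
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT_CODES = {0: "SUCCESS", 1: "UNSUPPORTED_VERSION", 2: "NOT_AUTHORIZED",
                3: "NETWORK_FAILURE", 4: "OUT_OF_RESOURCES", 5: "UNSUPPORTED_OPCODE"}


def build_map_request(proto, internal_port, suggested_external=0, lifetime=7200):
    """Mapping request (RFC 6886 s3.3): version, opcode, reserved,
    internal port, suggested external port, requested lifetime in seconds."""
    opcode = OP_MAP_UDP if proto == "udp" else OP_MAP_TCP
    return struct.pack("!BBHHHI", NATPMP_VERSION, opcode, 0,
                       internal_port, suggested_external, lifetime)


def parse_map_response(data):
    """Mapping response (16 bytes): version, opcode | 0x80, result code,
    seconds since the gateway booted, internal port, external port, lifetime.
    External port plus lifetime is the 'lease' the client has to renew."""
    if len(data) < 16:
        raise ValueError("short NAT-PMP response")
    ver, op, result, epoch, internal, external, lifetime = struct.unpack("!BBHIHHI", data[:16])
    if ver != NATPMP_VERSION or not (op & 0x80) or (op & 0x7F) not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("not a NAT-PMP mapping response")
    return {
        "ok": result == 0,
        "result": RESULT_CODES.get(result, f"UNKNOWN_{result}"),
        "proto": "udp" if (op & 0x7F) == OP_MAP_UDP else "tcp",
        "internal_port": internal,
        "external_port": external,
        "lifetime": lifetime,  # seconds; 0 in a reply means the mapping is gone
        "gateway_epoch": epoch,
    }


def renew_after(lease):
    """Renew at half the granted lifetime, not the requested one (RFC 6886 s3.3)."""
    return lease["lifetime"] // 2


def gateway_rebooted(prev_epoch, elapsed, new_epoch):
    """RFC 6886 s3.6: expected epoch = previous + 7/8 of our elapsed seconds (skew
    allowance); a value more than 2 s below that means the gateway rebooted and
    dropped every mapping, so the client must request them all again."""
    return new_epoch + 2 < prev_epoch + elapsed * 7 / 8


# Constructed reply: success, gateway up 123456 s, 5060/udp mapped to 40001 for 3600 s.
SAMPLE_RESPONSE = struct.pack("!BBHIHHI", 0, 0x80 | OP_MAP_UDP, 0, 123456, 5060, 40001, 3600)
```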
|
littlestymaar (3 hours ago):

Hole punching is doing exactly what you describe, just in a non-standardized way. We could have a standard for doing that directly at the NAT box level instead of relying on a third-party STUN server; it simply didn't happen (and in fairness, the benefits would be quite minimal).