OSDev.org

The Place to Start for Operating System Developers

All times are UTC - 6 hours

 Post subject: Re: penetrating ipv6 firewalls for peer-to-peer connections
PostPosted: Thu Nov 05, 2015 5:24 am 
Member

Joined: Tue Nov 08, 2011 11:35 am
Posts: 453
I don't get your problem. Firewall either allows (passes through) the packet or drops it. What hole-punching are you talking about? Without NAT there are only two options: either two hosts are able to communicate with each other from the very beginning or packets are dropped and they cannot communicate directly at all (except through the 3rd host that is accessible to both of them due to some strange admin decision).

 Post subject: Re: penetrating ipv6 firewalls for peer-to-peer connections
PostPosted: Thu Nov 05, 2015 5:29 am 
Member

Joined: Wed Oct 18, 2006 3:45 am
Posts: 9287
Location: On the balcony, watching the Swedish Chef
So basically you're stating that:
1: By default, sending UDP packets from inside to outside is allowed, but not from outside to inside.
2: UDP packets sent outside add an allow rule to the firewall using the exact source and dest ip:port (but swapped to match return traffic)
3: The firewall doesn't translate addresses or ports.
(4: If the rule generated in #2 hasn't been used for a certain period, remove the rule)

This essentially means that any communication must be initiated from the inside network. And yes, for lack of translation, you could punch holes and make connections with these rules. It requires cooperation between the peers, and each needs to know what to connect to on the other side. If there's no cooperation, there will be no bidirectional communication.

Importantly, a host can't actively punch holes in the remote firewall, because it can't trigger rule #2 from the outside, and there's no other way to allow incoming traffic. Therefore this is not a security issue.
In order to receive packets from a host, a local machine must have established permission for incoming traffic by sending a packet to the specified port and IP. There are a number of options here:
1: The client is purposefully connecting. This can be either intended behaviour for peering, or it can be a form of coercion, indicating an exploit elsewhere, and thus not at issue here.
2: The attacker can guess a functional source/dest host/ip, and forge a packet accordingly. This is easy when you're able to intercept communications. Otherwise you have to
a: Brute force the 16-bit source port
b: Get the device's MAC address, or at least a valid IP (if the host is properly configured it will not initiate connections from the MAC-based IP, but not everybody does that)
c: Guess a service that's being used. If you do a bit of research, DNS servers, for instance, are easy to guess.
d: Hope there's no address forgery filtering on the route.
(e: know that such a packet will actually have effect on the host, though this only matters post-firewall)
This is considered difficult, but not impossible. The receiving network software (point e) is where the security should eventually be completed.

If the firewall doesn't do full host+host+port+port matching, like you see used in much NAT-to-NAT punching with an intermediate, you have increasingly less difficulty figuring out a-d, and this certainly is an unnecessary increase of slack in security.

_________________
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie
[ My OS ] [ VDisk/SFS ]

 Post subject: Re: penetrating ipv6 firewalls for peer-to-peer connections
PostPosted: Tue Jun 28, 2016 6:40 am 

Joined: Tue Jun 28, 2016 12:16 am
Posts: 16
You could use this link: http://www.brynosaurus.com/pub/net/p2pnat/