Bypassing hostile NATs

This is the first of a possibly long series of posts detailing some of the issues I’ve been having with a job task of mine, for a customer that paid me way less than they should have. I’m not going to deny that some of this can be just vague rants, and some of it might as well be incorrect. I mostly solved my trouble, but if you have corrections to make, feel free to comment on them.

So, a customer of mine has a small shop of two people (and a secretary), but a number of computer, devices and other amenities, with the result that they’d actually need a dedicated sysadmin; I helped them out for a while for just token prices, since one of them is a friend, and they are passing a rough patch, I just hope they’ll be able to pay me for my time properly at some point.

Unfortunately, there is one big trouble with one of the choices they made before I started helping them out: their ISP does not provide public IP addresses, but they rather provide just five IPs in a private NAT (actually using a non-assigned IP range, which is also bad on its own). This became first a problem because they have more than five computers, but now it’s a problem because I cannot just connect to the boxes on their premises to ensure that they run properly (what I’m working on mainly is a backup server to make sure that they won’t lose their data again, and that I need access to).

One relatively easy way to solve this problem, generally speaking, is to provide the boxes with IPv6 addresses; this works peachy when you have control of the NAT (like I do at home), but it’s a bit more complex when you have hostile NATs in front of you.

My first idea was to use Hurricane Electric’s Tunnel Broker since I remember they started providing, some time ago, VPN access to public IPv4 addresses that could be used to set up IPv6 tunnels behind NAT or dynamic IP connections. Unfortunately, they only provide the VPN through the Microsoft-originating PPTP protocol, which uses the (standard) GRE protocol for sending and receiving the packages. Unfortunately, PPTP does not work through that particular NAT, so I cannot use that option.

The Teredo protocol comes as a natural solution as it is designed for that specific purpose: avoiding special-protocol packets, such as 47 (GRE) or 41 (IPv6-in-IPv4). There are just two problems with this option: the first problem is that Teredo only works with one host/address and not a full network, so I have to proxy myself through that to be able to connect to the various boxes. The second is that the IP address the Teredo address is declared from depends on the outgoing NAT access which is not under my control at all.

Since my first direct option (using DynDNS), was out of reach, as it does not support IPv6 addresses, I went to look at a technique that I remember was designed just to solve this kind of trouble: mobility. The Mobile IP technique and technologies are supposed to provide stable addressing for nodes that may be roaming between different networks and network technologies. For instance for laptops that can switch between normal cable-based Ethernet and Wireless LAN, or for mobile phone that can switch cell or move from UMTS to Wireless network on ADSL. All in all, it seems a pretty cool idea.

Unfortunately there are a number of issues with that idea; while Linux nowadays has in-kernel support for Mobile IP, running a Home Agent (router/server for the Mobile IP system) requires some software stack that is not available in Gentoo and as far as I know is not even regularly released at all. Interestingly enough, thorough documentation on MIPv6 is available on the same site that helped me with my Dell laptop so I have to thank again Arnauld.

There are many reasons why I think it’s overkill to work on MIPv6 at this point in time, at least for external routing (I still wonder if it might solve the problem of laptops switching between the two interface within my home network); first of all, there is the encapsulation problem; to be able to use MIPv6 over Teredo, you end up with a very complex stack: IPv4 / UDP / IPv6 / ESP / IPv6 / TCP / data; but not just that, even if it was an acceptable stack, it requires you to run at least two daemons on the Home Agent system, and to use a custom Teredo server, as it requires a higher MTU than the protocol specifies as default.

It wouldn’t be very difficult to do (the miredo package available on Gentoo provides both client and server for miredo, although I guess I wouldn’t mind having a client-only install), if it wasn’t for one particular requirement: to run a miredo server you need two public IP addresses — for compatibility, you also need the two to be one IP from the other. I have the two IPs but I’m not sure if I want to use it for this kind of work. Also, it will make my customer’s access (and internal IPv6 network, which they don’t care about, but I do, when I’m there with my laptop) depend on the availability of my home network which is not a given.

All in all, MIPv6 is a nice thing, but until there will be enough providers to hand out either native, or near-native IPv6 connectivity (6to4, 6rd), it’s probably just going to be some kind of “technology preview”. Sigh, I wish more home routers configured themselves by default to provide at least 6to4 to home networks, that would make it much nicer a tool.

The next solution was obviously to go back to the original idea of using dynamic hosts, but that’ll be a rant for tomorrow.

10 thoughts on “Bypassing hostile NATs

  1. This is nuts. This is an administrative problem.Running a business has costs. The costs involved to resolve this are trivial compared to other costs like salaries and office space. This type of thing gets dumped on technical people, because technical people say they can do it for less overall costs then the other solutions.You are so skilled, your time can be much better spent than with frustrating stuff. To put this in perspective, would they take a loan from you to pay someone else to do this? If not, they are just taking advantage of you.A business person should either negotiate with their ISP for fixed IP addresses or get someone to choose a new ISP. If the ISP won’t provide fixed IP addresses for a reasonable price, ask them to recommend someone who will.Alternatively, can’t you just setup something in their network to tunnel a SSH port on their network over SSH to a fixed IP address you have? Then you SSH to your fixed IP address and end up in their network. SSH tunneling is awesome…Good luck,-Arthur

    Like

  2. I agree, ssh from their servers to yours looks like a good solution, also e.g. ISDN or modem dialin as a backup solution works very well (esp. with such a cheap/stupid ISP I’d rather not rely on them).

    Like

  3. Yes I know that *the Solution* is to avoid the ISP entirely; unfortunately simply moving away from it is not feasible for a number of reasons, not last because they provide two phone numbers and just one of the two can be migrated away. So they are playing the lock-in card.As for using reverse SSH… I might be paranoid but I don’t want to open a hole on my security system for them to connect; it’s the same reason why I haven’t considered OpenVPN.

    Like

  4. Not saying it is a good idea, but you could have them connect via SSH to an untrusted 3rd-party just forwarding their SSH port…Something like a low-power linux-based router in your DMZ could handle that, since it only serves as a proxy you could even use ssh with a cheap encryption like arcfour or even netcat (though that would be extra effort).

    Like

  5. Last time I needed to achieve NAT bypass I used OpenVPN. It’s not security issue if you configure VPN in an intelligent way.

    Like

  6. Today an ADSL is cheap, just sign for an _additional_ line for 20 €/month. Also a well configured openvpn is the way to go even if a bit slower than direct connection.

    Like

  7. Turin is better served, to get a new ADSL line here you have to pay way more than €20/month. Plus they are barely paying me, let alone paying another provider…

    Like

  8. If i understood it correctly then you can just assign one of the 5 ip-s to a router and there you go. Besides MAC cloning is invented.

    Like

  9. After they blacklisted me for using @gmail.com as address, SixXS ended in my blacklist of “I’d rather not use a technology if it comes from them”.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s