[Cryptography] peering through NAT

Jon Callas jon at callas.org
Fri May 10 15:36:48 EDT 2019



> On May 10, 2019, at 9:22 AM, John Levine <johnl at iecc.com> wrote:
> 
> I'm trying to see if there is any crypto relevance to NAT but as far
> as I can tell there isn't.  I suppose on a particularly lame NAT one
> might be able to predict remapped port numbers but I don't recall that
> ever being a problem.

With moderator hat on, I'm going to agree that extended discussion of NAT isn't particularly germane. Perhaps even more to the point, there are better resources than this list. (Also, I let through a top post I shouldn't have. Sorry.)

However, I don't think we've hit it yet. Yet.

I'll add in that NAT traversal has interesting security effects that are hard to characterize. It *changes* the way metadata leaks. Metadata always leaks: every packet has source and destination IP and port, and IP address is often a proxy for physical location. 

In the general case, if both Alice and Bob are behind horrid NATs (particularly nested NAT), it might be impossible to thread the combined NAT traversal problem, and the only way for them to talk is through a protocol relay, as it has a real IP address. There are many specific cases of complex NAT traversal that work well, and as time goes on, there are more of them, for all the reasons stated by others. Router makers do a better job, client makers do a better job, and service providers are sensitive to the issues as well. There are thorny setups that used to be common but are not any more.

Naively one tends to think that relays are a security problem, but it is more complex than that.

If a service brokers a direct connection to Alice and Bob, then obviously, the service doesn't learn many details about their communications after brokering the connection. Whereas if they have to be relayed, the relay sees every packet and thus knows things like how long they talked, and the total data size. If they talk directly, the service doesn't know this.

However, if you consider the case where Alice is being surveilled and Bob is not, on a direct connection the surveillance system learns Bob's IP address at the very least, along with other things. If the connection is relayed, they know Alice is talking to a relay, but might not be able to learn who Alice is talking to.

This might matter in some scenarios, like secure VOIP (which is where I dealt with it), but also things like cryptocurrency protocols. It might actually be better for Alice to talk to a relay if one wants to protect Bob's metadata. It's possible that the trading protocols hide Bob's information, and yet a leak of his IP address gives the whole thing away.

In short, it's complex. There are counterintuitive things in all this mess, and dispassionate thought and challenging one's own assumptions are warranted.

	Jon
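
The trade-off described in the message above, worked through as an added example that is not part of the original post: a constructed packet trace for a direct and a relayed call, and what two vantage points can derive from it. The addresses, the `call` and `observe` helpers, and the assumption that the tap sits only on Alice's access link (signalling is not modelled) are all illustrative.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "t src dst size")

# Constructed addresses from documentation ranges; not from the post.
ALICE, BOB, RELAY = "192.0.2.10", "198.51.100.20", "203.0.113.5"

def call(mode, seconds=60, size=160):
    """Constructed trace: one packet per second in each direction.
    'direct'  : packets travel Alice <-> Bob.
    'relayed' : every packet is two hops, sender -> RELAY -> receiver."""
    pkts = []
    for t in range(seconds):
        for a, b in ((ALICE, BOB), (BOB, ALICE)):
            if mode == "direct":
                pkts.append(Packet(t, a, b, size))
            else:
                pkts.append(Packet(t, a, RELAY, size))
                pkts.append(Packet(t, RELAY, b, size))
    return pkts

def observe(pkts, vantage):
    """Metadata visible to an observer who sees only packets that
    enter or leave the host `vantage` (its own link, nothing else)."""
    seen = [p for p in pkts if vantage in (p.src, p.dst)]
    peers = {p.dst if p.src == vantage else p.src for p in seen}
    duration = max(p.t for p in seen) - min(p.t for p in seen) + 1 if seen else 0
    bytes_in = sum(p.size for p in seen if p.dst == vantage)
    return {"peers": peers, "duration_s": duration, "bytes_in": bytes_in}

if __name__ == "__main__":
    for mode in ("direct", "relayed"):
        trace = call(mode)
        print(mode, "| tap on Alice's link:", observe(trace, ALICE))
        print(mode, "| service / relay    :", observe(trace, RELAY))
```

In the direct case the tap on Alice's link sees Bob's address and the service sees no media at all; in the relayed case the tap sees only the relay, while the relay sees both parties, the call duration and the byte count.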


