[lacnog] Alternatives for Incoming Connections when using CGNAT

Mike Burns mike at iptrading.com
Fri Jun 14 19:40:44 -03 2019


Hi Fernando,



I think what you are describing is known as a rendezvous server.

It is responsible for security and for keeping track of the IP address/port number combinations of the unreachable client device, which is behind NAT.

The client device initiates an outbound contact to the rendezvous server, and that server records the IP address and the port number which the client device is listening on.



Now, to reach that client, first you connect to the rendezvous server and provide credentials which allow the server to provide the IP address and port number of the client device.

At that point the user uses that IP address and port number to reach the device, even behind ever-changing IP addresses and port numbers.



Most applications these days are aware of the ubiquity of NAT and have used rendezvous servers to get around the reachability issues inherent with devices behind NAT.

Hard-coding static port redirection in NAT routers is rarely needed anymore.

In this scenario, only the rendezvous server needs a publicly reachable IP address, and some of the security can be removed from the dumb client device and instead be placed on the rendezvous server.

That server will authenticate any requests to access the dumb client device.



The use of rendezvous servers is a practical way to deal with NAT, and to deal with address exhaustion.

It additionally allows more security to be built into the rendezvous server than could normally be incorporated into a relatively dumb device.





Regards,

Mike Burns

IPTrading.com
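The register/lookup flow Mike describes above, as an added example that is not part of the original message and not any vendor's actual protocol: a device behind CGNAT authenticates itself to the rendezvous server with a shared secret, the server records the source address and port it actually observes (the device cannot know its own post-NAT address, so it is never trusted to report one), and a user must present valid credentials and be on the device's access list before the server reveals that endpoint. Names such as "dvr-01", the password strings and the 203.0.113.x addresses are constructed sample data; the transport (sockets, TLS) is left out so the logic runs offline.

```python
"""Minimal model of a rendezvous server for devices behind (CG)NAT.

Added example, not code from the LACNOG thread. Network I/O is omitted;
`observed_src` stands in for the source address the server would see on
the device's outbound connection.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: tune for the deployment


@dataclass
class Registration:
    ip: str
    port: int
    expires_at: float  # entries age out; NAT mappings do not live forever


class RendezvousServer:
    """Tracks externally observed device endpoints; reveals them only to
    authenticated users who are authorised for that device."""

    def __init__(self, ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self.device_keys: Dict[str, bytes] = {}              # device_id -> secret
        self.user_creds: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self.acl: Dict[str, Set[str]] = {}                    # user -> device_ids
        self.table: Dict[str, Registration] = {}
        self.seen_nonces: Set[Tuple[str, str]] = set()        # replay defence

    # ---- provisioning (done out of band when the device/user is set up) ----
    def enroll_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def add_user(self, user: str, password: str, devices: Set[str]) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.user_creds[user] = (salt, digest)
        self.acl[user] = set(devices)

    # ---- device side: outbound registration / keepalive ----
    def register(self, device_id: str, nonce: str, tag: str,
                 observed_src: Tuple[str, int]) -> bool:
        key = self.device_keys.get(device_id)
        if key is None or (device_id, nonce) in self.seen_nonces:
            return False  # unknown device, or a replayed registration
        expected = hmac.new(key, f"{device_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.seen_nonces.add((device_id, nonce))
        ip, port = observed_src  # what the server saw, not what the device claimed
        self.table[device_id] = Registration(ip, port, self.clock() + self.ttl)
        return True

    # ---- user side: authenticated lookup of the device endpoint ----
    def lookup(self, user: str, password: str,
               device_id: str) -> Optional[Tuple[str, int]]:
        creds = self.user_creds.get(user)
        if creds is None:
            return None
        salt, digest = creds
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        if device_id not in self.acl.get(user, set()):
            return None  # authenticated, but not authorised for this device
        reg = self.table.get(device_id)
        if reg is None or reg.expires_at <= self.clock():
            self.table.pop(device_id, None)  # stale: the device must re-register
            return None
        return (reg.ip, reg.port)


def device_sign(key: bytes, device_id: str) -> Tuple[str, str]:
    """What the device computes before its outbound contact."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, f"{device_id}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return nonce, tag


def demo() -> dict:
    """Walk through the exchange with constructed data and a fake clock."""
    now = [1000.0]
    srv = RendezvousServer(ttl_seconds=30, clock=lambda: now[0])
    key = srv.enroll_device("dvr-01")
    srv.add_user("owner", "correct horse", {"dvr-01"})
    srv.add_user("neighbour", "hunter2", set())
    nonce, tag = device_sign(key, "dvr-01")
    out = {}
    out["register"] = srv.register("dvr-01", nonce, tag, ("203.0.113.7", 40123))
    out["replay"] = srv.register("dvr-01", nonce, tag, ("198.51.100.9", 1))
    out["owner"] = srv.lookup("owner", "correct horse", "dvr-01")
    out["wrong_pw"] = srv.lookup("owner", "wrong", "dvr-01")
    out["no_acl"] = srv.lookup("neighbour", "hunter2", "dvr-01")
    now[0] += 31  # past the TTL with no keepalive from the device
    out["expired"] = srv.lookup("owner", "correct horse", "dvr-01")
    return out


if __name__ == "__main__":
    print(demo())
```

The device has to repeat the registration within the TTL both to keep the server's record current and to keep the CGNAT mapping alive; once the user has the endpoint, whether a direct connection succeeds still depends on the CGNAT's mapping and filtering behaviour, which is why deployments of this pattern usually keep a relay as a fallback.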











---- On Fri, 14 Jun 2019 16:33:20 -0400 Fernando Frediani <fhfrediani at gmail.com> wrote ----


Hello folks.

I wanted to share a topic with you and gather your views on the matter so perhaps it can be useful to people, especially ISP operators.



With the growing need for CGNAT (or equivalent methods) at many ISPs, some issues appear more frequently, for example users who require incoming connections and port redirections for various reasons, like accessing a camera system such as a DVR/NVR, a Home/SMB server or similar, or even to be able to host game matches.



For DVRs, some makers have more recently developed a 'Cloud System' which kind of resolves the issue by doing some type of NAT hole punching with the help of an external 'coordinator' server, and which becomes something very handy, avoiding the ISP having to assign a public IPv4 address to that user.



But that is specific to that application, and the maker develops and implements the technology and maintains the servers that coordinate this technique.



I wanted to find out more about other applications that are able to work with this technique to bypass CGNAT issues like this more easily, going further to perhaps having something that can work or is adaptable to other situations like a Home/SMB server or a gaming system.



This can help many ISPs to resolve many problems caused by the adoption of the unavoidable CGNAT, beyond just the DVR scenarios.



Note: even with IPv6 fully implemented at the ISP, there may still be many cases where either the hosted equipment didn't get a firmware upgrade to support IPv6 or, the most common, the access device does not have an IPv6 connection available.



Thanks

Best regards



Fernando Frediani




_______________________________________________
LACNOG mailing list 
mailto:LACNOG at lacnic.net
https://mail.lacnic.net/mailman/listinfo/lacnog
Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog