ICMP hole punching
ICMP hole punching is a technique employed in network address translator (NAT) applications for maintaining Internet Control Message Protocol (ICMP) packet streams that traverse the NAT. NAT traversal techniques are typically required for client-to-client networking applications on the Internet involving hosts connected in private networks, especially in peer-to-peer and Voice over Internet Protocol (VoIP) deployments.

ICMP hole punching establishes connectivity between two hosts communicating across one or more network address translators in either a peer-to-peer or client-server model. Typically, third-party hosts on the public transit network are used to establish UDP or TCP port states that may be used for direct communications between the communicating hosts. ICMP hole punching, however, requires no third-party involvement to pass information across one or more NATs, because it exploits a NAT's loose acceptance of inbound ICMP Time Exceeded packets.

Once an ICMP Time Exceeded packet reaches the destination NAT, the packet carries the data the NAT expects, so the NAT forwards it to the destination server; the server can then obtain the client's public IP address and any other data the client placed in the packet.

Description

Currently the only method of ICMP hole punching, or of hole punching without third-party involvement (autonomous NAT traversal), is the one developed by Samy Kamkar on January 22, 2010 and released in the open source software pwnat; the method was later published in the IEEE.

According to the paper:

The proposed technique assumes that the client has somehow learned the current external (globally routable) IP address of the server's NAT. The key idea for enabling the server to learn the client's IP address is for the server to periodically send a message to a fixed, known IP address. The simplest approach uses ICMP ECHO REQUEST messages to an unallocated IP address, such as 1.2.3.4. Since 1.2.3.4 is not allocated, the ICMP REQUEST will not be routed by routers without a default route; ICMP DESTINATION UNREACHABLE messages that may be created by those routers can just be ignored by the server. As a result of the messages sent to 1.2.3.4, the NAT will enable routing of replies in response to this request. The connecting client will then fake such a reply. Specifically, the client will transmit an ICMP message indicating TTL_EXPIRED. Such a message could legitimately be transmitted by any Internet router and the sender address would not be expected to match the server's target IP. The server listens for (fake) ICMP replies and upon receipt initiates a connection to the sender IP specified in the ICMP reply.
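The following Python script is an added example; it is not part of the original article and is not code from pwnat or from the paper. It models the NAT decision that both the description above ("loose acceptance of inbound ICMP Time Exceeded packets") and the quoted paper rely on: a host behind the NAT sends an ICMP echo request to 1.2.3.4, the NAT records that outbound request, and an inbound Time Exceeded message whose quoted inner datagram refers to that request is forwarded to the host. All packets are built in memory from RFC 792 field layouts (no network I/O); the addresses, the echo identifier and sequence values, and the helper names (NatEchoTable, parse_time_exceeded, build_time_exceeded) are assumptions made for the example. A "loose" table matches only on the quoted destination address; a "strict" table also requires the echo identifier and sequence to match, which is the check that distinguishes a quoted datagram the NAT never saw from one that corresponds to a real outbound probe.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a correctly checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    """ICMP echo request datagram, as the server behind the NAT sends to the unallocated address."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, IPPROTO_ICMP, icmp)


def build_time_exceeded(router_src: str, dst: str, original: bytes) -> bytes:
    """ICMP Time Exceeded (type 11, code 0): 4 unused bytes, then the original IP header + 8 bytes (RFC 792)."""
    ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + original[: ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(router_src, dst, IPPROTO_ICMP, icmp)


@dataclass(frozen=True)
class TimeExceededInfo:
    outer_src: str   # sender of the Time Exceeded (a router, or in the paper's scenario the client)
    inner_src: str   # source address of the quoted original datagram
    inner_dst: str   # destination of the quoted original datagram (1.2.3.4 in the paper)
    icmp_type: int   # ICMP type of the quoted datagram
    ident: int       # echo identifier of the quoted datagram
    seq: int         # echo sequence number of the quoted datagram


def parse_time_exceeded(datagram: bytes) -> Optional[TimeExceededInfo]:
    """Validate an inbound IPv4/ICMP Time Exceeded and extract the quoted echo fields; None if malformed."""
    if len(datagram) < 20 or datagram[9] != IPPROTO_ICMP:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    icmp = datagram[ihl:]
    # 8 bytes of ICMP header, then at least a 20-byte inner header plus 8 bytes of its payload
    if len(icmp) < 8 + 28 or icmp[0] != ICMP_TIME_EXCEEDED or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_ICMP or len(inner) < inner_ihl + 8:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", inner[inner_ihl:inner_ihl + 8])
    return TimeExceededInfo(socket.inet_ntoa(datagram[12:16]), socket.inet_ntoa(inner[12:16]),
                            socket.inet_ntoa(inner[16:20]), itype, ident, seq)


class NatEchoTable:
    """The part of a NAT's state table that decides whether an inbound ICMP error is forwarded inside (assumed model)."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, int, int], str] = {}  # (dst, ident, seq) -> private host

    def record_outbound(self, datagram: bytes) -> None:
        """Remember an outbound echo request so related inbound ICMP can be mapped back to its sender."""
        ihl = (datagram[0] & 0x0F) * 4
        icmp = datagram[ihl:]
        if datagram[9] != IPPROTO_ICMP or len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST:
            return
        _t, _c, _cs, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        self._entries[(socket.inet_ntoa(datagram[16:20]), ident, seq)] = socket.inet_ntoa(datagram[12:16])

    def inbound_target(self, datagram: bytes, strict: bool) -> Optional[str]:
        """Private host an inbound Time Exceeded is forwarded to, or None if the NAT drops it.
        loose: only the quoted destination must match some outbound request;
        strict: the quoted identifier and sequence must match as well."""
        info = parse_time_exceeded(datagram)
        if info is None or info.icmp_type != ICMP_ECHO_REQUEST:
            return None
        if strict:
            return self._entries.get((info.inner_dst, info.ident, info.seq))
        for (dst, _ident, _seq), host in self._entries.items():
            if dst == info.inner_dst:
                return host
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: server 192.168.1.10 behind NAT 198.51.100.7, client at 203.0.113.5."""
    nat = NatEchoTable()
    nat.record_outbound(build_echo_request("192.168.1.10", "1.2.3.4", ident=0x1234, seq=1))
    # Two inbound Time Exceeded messages from the client; each quotes a datagram addressed to 1.2.3.4.
    mismatched = build_time_exceeded("203.0.113.5", "198.51.100.7",
                                     build_echo_request("198.51.100.7", "1.2.3.4", 0x9999, 7))
    matching = build_time_exceeded("203.0.113.5", "198.51.100.7",
                                   build_echo_request("198.51.100.7", "1.2.3.4", 0x1234, 1))
    return {
        "loose_mismatched": nat.inbound_target(mismatched, strict=False),
        "strict_mismatched": nat.inbound_target(mismatched, strict=True),
        "loose_matching": nat.inbound_target(matching, strict=False),
        "strict_matching": nat.inbound_target(matching, strict=True),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name}: {'forwarded to ' + target if target else 'dropped'}")
```

Running the script prints four lines: the loose table forwards both messages to 192.168.1.10, while the strict table drops the one whose quoted identifier and sequence were never sent out and forwards only the one that matches the recorded probe. That is the whole defensive lesson of this model: a NAT or stateful firewall gains protection from validating the quoted datagram against its own outbound state only to the extent that the identifier and sequence of outbound probes are not predictable.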
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.