Detect NAT for udp/dublin strategy
#1104
Comments
fujiapple852
changed the title
dublin strategyudp/dublin strategy
|
It is not entirely clear if Dublin-style NAT detection is supposed to work or whether it is an artefact of a device which does not conform to specification. Specifically, NAT can only be detected if a NAT device fails to correct the checksum of a UDP packet embedded in an ICMP error message in the WAN->LAN direction. So the question is, is the NAT device supposed to correct this checksum? ExampleWe send the following IPv4/UDP packet (note the IPv4 We expect to receive the following ICMP For Dublin NAT to work we are detecting when What does the spec say?RFC 3022 section 4.3 says:
My interpretation is that:
Therefore this RFC says nothing about NAT modifying the checksum we are interesting in, namely RFC 1631 says:
My interpretation:
Therefore this RFC says nothing about NAT modifying the checksum we are interesting in, namely ConclusionNAT devices are not required by RFC 3022 or RFC 1631 to correct NAT devices (and router, which perform NAT) are not forbidden from correcting this checksum however, so the Dublin NAT detection technique is useful only for such devices which choose not to perform this correction. |
[0.11.0] - 2024-08-11 Added - Added NAT detection for `IPv4/udp/dublin` ([#1104](fujiapple852/trippy#1104)) - Added public API ([#1192](fujiapple852/trippy#1192)) - Added support for NAT detection (`N`) column ([#1219](fujiapple852/trippy#1219)) - Added support for last icmp packet type (`T`) column ([#1105](fujiapple852/trippy#1105)) - Added support for last icmp packet code (`C`) column ([#1109](fujiapple852/trippy#1109)) - Added support for the probe failure count (`f`) column ([#1258](fujiapple852/trippy#1258)) - Added settings dialog tab hotkeys ([#1217](fujiapple852/trippy#1217)) - Added `--dns-ttl` flag to allow refreshing the reverse DNS results ([#1233](fujiapple852/trippy#1233)) - Added `--generate-man` flag for generating [ROFF](https://en.wikipedia.org/wiki/Roff_(software)) man page ([#85](fujiapple852/trippy#85)) - Added Ubuntu PPA package ([#859](fujiapple852/trippy#859)) - Added Chocolatey package ([#572](fujiapple852/trippy#572)) Changed - [BREAKING CHANGE] Changed initial sequence to be `33434` ([#1203](fujiapple852/trippy#1203)) - [BREAKING CHANGE] Renamed `tui-max-[samples|flows]` as `max-[samples|flows]` ([#1187](fujiapple852/trippy#1187)) - Separated library and binary crates ([#1141](fujiapple852/trippy#1141)) - Record `icmp` packet code ([#734](fujiapple852/trippy#734)) - Transient error handling for `IPv4` on macOS, Linux & Windows ([#1255](fujiapple852/trippy#1255)) - Improved error messages ([#1150](fujiapple852/trippy#1150)) - Revamp the help dialog ([#1260](fujiapple852/trippy#1260)) Fixed - Fixed `DestinationUnreachable` incorrectly assumed to come from target host ([#1225](fujiapple852/trippy#1225)) - Fixed incorrect target hop calculation ([#1226](fujiapple852/trippy#1226)) - Do not conflate `AddressInUse` and `AddrNotAvailable` errors ([#1246](fujiapple852/trippy#1246))
The
udp/dublinstrategy makes it possible to detect NAT(s) that occur along the path of a given flow. Some introductory information on the technique is given at https://dublin-traceroute.net/ and the details can be studied in the code.For
udp/dublinwe maintain a stable udp checksum for each probe in a single round as the sequence number is encoded in the ipidentifierfield and so the virtual header is constant. Therefore, if the udp checksum observed in the nested (original datagram) of an ICMP response differs then we know that NAT has occurred at some point along the path.By comparing the udp checksum for all probes in a given round, specifically checking for changes in the checksum between hops which responded in the round, we can identify at which hop(s) NAT occurred and report this to the user.
Note: this does not work for
udp/parisas the checksum differs for each probe in a round, as the checksum is used to encode the sequence number. Indeed,udp/parisdoes not work at all when a path traverses a NAT. Likewise, this does not work forudp/classicas the udp checksum is not stable between probes in a round as the sequence is recorded in the src or dest port, which are part of the virtual header used to compute the udp checksum.In the following example (for
udp/dublinover 1 round) all the outgoing udp packets have checksum0xe5fc. The checksum observed (in the udp original datagram payload of the icmp response) is0xe5fcfor the first hop (seq 33000) and there is no response for the probe at the 2nd hop (seq=33001).The 3rd hop (seq=33002) has a different observed checksum of
0x8eb3which indicates that this hop performed a NAT. Note that the NAT may have occurred at the previous hop (seq=33001) but as that did not respond in this round it is impossible to know.The 4th hop (seq=33003) has the same checksum as the prior hop,
0x8eb3, and so whilst this differs from the initial checksum (i.e.0xe5fc) this does not indicate an additional NAT. To say it another way, the change in checksum due to NAT "carries forward" throughout all remaining hops.The 5th hop (seq=33004) shows a new checksum,
0xd993, which differs from the previous hop and so again we can conclude that NAT occurs at this hop.The text was updated successfully, but these errors were encountered: