Re: [GNUnet-developers] [Gsoc 2015] Project proposal on GNUnet-over-ICMP


From: DocMalloc
Subject: Re: [GNUnet-developers] [Gsoc 2015] Project proposal on GNUnet-over-ICMP
Date: Sat, 21 Mar 2015 08:59:02 +0100

I think this approach requires careful thinking about what the
envisioned environment is and what it tries to solve.

So I think we can distinguish between packet filters restricting
traffic and NAT devices, and, in addition, whether none, one or both are
affected by such a device.

The goal is to achieve bi-directional, ICMP based communication. 

With NAT the challenge is to establish a mapping to allow the nat'ed
peer to receive data without having the NAT drop it. 

Here we need a careful evaluation of what the behavior of current
implementations is.


Therefore a protocol sketch would be great to have...

On Fri, 2015-03-20 at 19:11 +0100, Christian Grothoff wrote:
> Hi Wen,
> 
> I still doubt this will work with NAT at all, as incoming ICMP pings
> will be bounced by the NAT and never reach the host with the peer.

In the case that a peer tries to send ICMP-ECHO requests to a nat'ed
peer? Here ACK ... since the nat mapping is not established. If the
nat'ed peer previously established the mapping the non nat'ed peer could
send data using ECHO-replies. 

So there is a way required to keep the mapping established ... and we
need to evaluate how nat implementations treat the state (e.g. if they
dismiss an ECHO request mapping upon arrival of the first ECHO
response) ...

> If only one peer is behind NAT, you will still absolutely need the
> ability to substitute the payload in the PONG for something else, so as
> to get any transmission going to the NATed peer, and even then the
> question is if the NATed peer will allow the PONG through if the payload
> fails to match the PING.  Truncation is then just yet another
> issue.

> 
> Please play with command-line / pcap / etc. tools as a proof-of-concept
> now.  I would feel more comfortable with this if we had the following:
> 
> 1) an "ICMP client" implementation that sends an ICMP ECHO request to
>    an IP address given at the command line, with "Hello" in payload
> 2) an "ICMP server" implementation that sends an ICMP ECHO REPLY to
>    an IP address given at the command line with "World" in payload
> 
> and us confirming for _some_ NAT box (we should have plenty within the
> team) that when we run the client *behind* the NAT and send a packet
> to an unrestricted server (i.e. one of our university systems), and
> then use the ICMP server to send a "fake" reply back to the external
> IP of the NAT, the "World" packet does cross the NAT.
> 
> We could use iptables to block the kernel's ICMP ECHO RESPONSE and
> wireshark to confirm the receipt of the "world" ICMP ECHO RESPONSE.
> That's the simplest scenario to demonstrate ICMP "works" with NAT.
> 
> For me, this is important to know as for the networks I use, they
> either have NAT involved or UDP/TCP are likely to work fine already.
> Naturally, I don't know about China with its IPv6 deployment, so
> if you have data that shows that ICMP will work in situations where
> TCP/UDP will not work, I'm willing to be educated ;-).
> 
> 
> My 2 cents
> 
> Christian
> 
> On 03/20/2015 05:24 PM, Wen Yuzhong wrote:
> > Hi Christian,
> > 
> > My idea is encapsulating all the payload in the ICMP echo request packet,
> > so once the system on the other side receives the Ping, it will
> > respond with a Pong as normal, then the RAW socket interface will parse the
> > payload of the incoming ICMP echo request, and give the data to the upper
> > layer of GNUNet. For the firewall/NAT, this will be like a normal ICMP
> > conversation. In this way every Ping is matched with a Pong, so we don't need
> > to deal with the duplicated Pong problem.

Just as a starter question. Did you consider
http://linux.die.net/man/7/raw:

"An IPPROTO_RAW socket is send only. If you really want to receive all
IP packets, use a packet(7) socket with the ETH_P_IP protocol. Note that
packet sockets don't reassemble IP fragments, unlike raw sockets. "

> > However, as the frequency of the packet sending goes high, the channel
> > might be flooded by ICMP echo response packets. From my point of view, this
> > transport service is for *extreme* situations, so the throughput is not the
> > first priority. But as you pointed out, there should be a throughput
> > measurement, to see if this thing is really *useful* under certain overhead.
> > 
> > ----------
> > Best regards,
> > Wen
> 
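The packet-level part of the ICMP client/server proof-of-concept Christian asks for above, as an added example (not code from this thread or from GNUnet): an echo request carrying "Hello" and a substituted echo reply carrying "World" that reuses the request's identifier and sequence, plus a parser that verifies the checksum of whatever comes back. The identifier 0x1234 and the payloads are constructed values; the raw-socket send/receive is only noted in comments, since it needs root and a real NAT box, and as DocMalloc points out IPPROTO_RAW is send-only.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) or reply (type 0) with an arbitrary payload.

    NATs key the mapping on the identifier, so a faked reply must reuse the
    request's ident/seq; whether the payload may differ is the open question."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Parse an ICMP echo message (IP header already stripped) and verify its checksum."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an echo message: type %d" % msg_type)
    if icmp_checksum(packet) != 0:  # a valid packet sums to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    return {"type": msg_type, "code": code, "ident": ident, "seq": seq, "payload": packet[8:]}


def matches_request(request: bytes, reply: bytes) -> bool:
    """True if `reply` is the echo reply a NAT would pair with `request` (same ident and seq)."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and req["ident"] == rep["ident"] and req["seq"] == rep["seq"])


if __name__ == "__main__":
    # Constructed sample: the client's "Hello" request and the server's "World" reply.
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"Hello")
    rep = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"World")
    # To send/receive: socket.socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) as root; received
    # datagrams start with the IP header, so skip (data[0] & 0x0F) * 4 bytes before parse_echo().
    print(parse_echo(req)["payload"], parse_echo(rep)["payload"], matches_request(req, rep))
```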