
When I send a TCP or UDP packet from a network under symmetric NAT I expect the port to be different from the one chosen by my computer, and so it is. But when I send a UDP packet with a low TTL, but one that still manages to get out of the ISP network, I receive an ICMP error packet which contains the UDP packet that I originally sent as a payload, but with the port generated by my system.

At this point my doubt is whether NAT does not get its hands on the content of ICMP packets as well. Because I knew that it was necessary to change the headers of the layers that really matter and not the payload. So in the case of an ICMP packet, only the source IP address and not, as I think it happens, also the IP and port of the echo "subpacket".

J. Doe

2 Answers


When I send a TCP or UDP packet from a network under symmetric NAT I expect the port to be different from the one chosen by my computer, and so it is.

That is the Network Address Port Translation (NAPT) version of NAT. Basic NAT does not do anything with the transport protocol. NAPT must have a different table for each transport protocol, which is why it only supports TCP, UDP and ICMP, because a TCP port is not a UDP port, and ICMP does not use ports, it uses query IDs.

I receive an ICMP error packet which contains the UDP packet that I originally sent as a payload, but with the port generated by my system.

That would be correct.

At this point my doubt is whether NAT does not get its hands on the content of ICMP packets as well.

For ICMP error messages that must make their way back to the sending application, yes, NAPT must fix the content of the ICMP error messages so that the destination application gets the error. ICMP error messages have the first part of the original packet as their payload so that it can be returned to the correct application. If NAPT has modified the outgoing packet, it must modify the returning ICMP error message payload to the original addressing, including the port numbers.

So in the case of an ICMP packet, only the source IP address and not, as I think it happens, also the IP and port of the echo "subpacket".

This behavior is explained in RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations:

3.3. ICMP error packet translation

All ICMP error messages (with the exception of Redirect message type) will need to be modified, when passed through NAT. The ICMP error message types needing NAT modification would include Destination-Unreachable, Source-Quench, Time-Exceeded and Parameter-Problem. NAT should not attempt to modify a Redirect message type.

Changes to ICMP error message will include changes to the original IP packet (or portions thereof) embedded in the payload of the ICMP error message. In order for NAT to be completely transparent to end hosts, the IP address of the IP header embedded in the payload of the ICMP packet must be modified, the checksum field of the same IP header must correspondingly be modified, and the accompanying transport header. The ICMP header checksum must also be modified to reflect changes made to the IP and transport headers in the payload. Furthermore, the normal IP header must also be modified.


As you can see, NAT, and especially NAPT, is very resource intensive, which is why some vendors, such as Cisco, only allow NAT on devices that have a hardware assist for NAT.

Ron Maupin
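As an added illustration (not part of either answer above), the Python below models the inbound leg that RFC 2663 section 3.3 describes: a Time Exceeded message whose payload quotes the translated header arrives at the NAPT box, which restores the embedded source IP and port and recomputes the embedded IP, ICMP and outer IP checksums. The binding table, the addresses and the ports are constructed sample values, not taken from the question.

```python
import socket
import struct

# Constructed NAPT binding: (proto, external ip, external port) -> (internal ip, internal port)
TABLE = {(17, "203.0.113.5", 40001): ("192.168.1.10", 54321)}
def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 over a header means 'valid'."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF
def with_checksum(hdr: bytes, off: int) -> bytes:  # recompute the 16-bit checksum field at off
    hdr = hdr[:off] + b"\x00\x00" + hdr[off + 2:]
    return hdr[:off] + struct.pack("!H", checksum(hdr)) + hdr[off + 2:]
def ipv4(src, dst, proto, payload_len, ttl=64):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                    proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(h, 10)
def time_exceeded(router, nat_ip, nat_port, dst, dport):
    """Constructed sample: a router beyond the NAT quotes the *translated* IP header + 8 UDP bytes."""
    quoted = ipv4(nat_ip, dst, 17, 12, ttl=1) + struct.pack("!HHHH", nat_port, dport, 12, 0)
    icmp = with_checksum(struct.pack("!BBHI", 11, 0, 0, 0) + quoted, 2)
    return ipv4(router, nat_ip, 1, len(icmp)) + icmp
def napt_untranslate_icmp_error(pkt: bytes, table=TABLE) -> bytes:
    """Inbound leg of RFC 2663 3.3: restore embedded src IP/port, fix all three checksums."""
    oihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[oihl:]
    if icmp[0] not in (3, 4, 11, 12):       # only Unreachable, Source-Quench, Time-Exceeded, Param-Problem
        return pkt
    inner = icmp[8:]
    iihl = (inner[0] & 0x0F) * 4
    key = (inner[9], socket.inet_ntoa(inner[12:16]), struct.unpack("!H", inner[iihl:iihl + 2])[0])
    if key not in table:                    # no binding: a real NAT would drop the error
        return pkt
    int_ip, int_port = table[key]
    inner_ip = with_checksum(inner[:12] + socket.inet_aton(int_ip) + inner[16:iihl], 10)
    inner_l4 = struct.pack("!H", int_port) + inner[iihl + 2:]   # UDP cksum is 0 here: nothing to adjust
    new_icmp = with_checksum(icmp[:8] + inner_ip + inner_l4, 2)
    outer = with_checksum(pkt[:16] + socket.inet_aton(int_ip) + pkt[20:oihl], 10)
    return outer + new_icmp
def summary(pkt: bytes):
    """(outer dst, embedded src IP, embedded src port, all three checksums valid)"""
    oihl = (pkt[0] & 0x0F) * 4
    icmp, inner = pkt[oihl:], pkt[oihl + 8:]
    iihl = (inner[0] & 0x0F) * 4
    ok = checksum(pkt[:oihl]) == checksum(icmp) == checksum(inner[:iihl]) == 0
    return socket.inet_ntoa(pkt[16:20]), socket.inet_ntoa(inner[12:16]), struct.unpack("!H", inner[iihl:iihl + 2])[0], ok
```

Running `summary()` on the message before and after `napt_untranslate_icmp_error()` shows the quoted source address and port flipping from the external binding back to the inside host while every checksum stays valid, which is exactly the rewrite the question observed.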

Does NAT spoof TCP port in ICMP payload?

Since you are referring to a UDP packet, then no, it wouldn't spoof a TCP port in the ICMP message. However, it will very likely rewrite the ICMP message to reflect the original UDP traffic for a number of reasons (revolving around the fact that your host/application needs to know how to handle and possibly respond after receiving such an ICMP message).

This could vary by the NAT implementation, but let's look at your example (taking it on faith that everything you state in your question is accurate).

  1. Your system sends a UDP packet.
  2. Gateway does NAT for the UDP packet.
  3. Somewhere outside your network the TTL decrements and ages out the frame. The router that does this sends back an ICMP time exceeded message.

Stop to think about this a moment. The router that generates the ICMP time exceeded message would not have the "udp packet that I originally sent" as this passed through your NAT gateway and was translated. Put another way, how could the router that generated the ICMP message have any idea what the original information was to put into the ICMP message?

The only way that the original UDP packet could be in the payload of the ICMP message is if your NAT gateway rewrote it.

YLearn