In reality, home routers are generally Linux-based and share netfilter NAT implementation. And how this implementation behaves? Well, it is a symmetric NAT masquerading as a port-restricted cone NAT. While it is symmetric NAT, it tries to reuse internal port as external port, and therefore often ends with the same port on different NAT mappings to different external machines.
Therefore, NAT traversal often works by accident in simple cases, but suddenly stops to work when it becames more complicated (e.g. when two clients behind a NAT try to connect to the same server).
Linux netfilter has an option to randomize ports in NAT mappings to avoid this appearance of working, but it is unlikely that home routers allow to configure this.
Similarly, commercial systems like JunOS try to stick to EIM behavior for as long as they can, and only shift to EDM behavior when load makes it infeasible to do otherwise. There again, strictly speaking that means you should abandon all hope... But in practice, NAT traversal still works much more often than not, and we can use that to build useful systems while we wait for IPv6 adoption to continue.
Even if the easy side knows (through STUN) that its public address is 184.108.40.206:1234, that doesn't mean it'll accept any packets addressed to 220.127.116.11:1234.
For it to accept packets from e.g. 18.104.22.168:7890, it first needs to send a packet there, to create the connection table entry in the firewall.
But... it doesn't know what port 22.214.171.124 is going to be sending from (since that's the whole point of 126.96.36.199 having a "hard", i.e., destination-dependent-mapping, NAT), so it can't preemptively send a packet to open the firewall.
At least, this is my understanding.
So, we're left with two options: make one of the NATs vanish via the port-mapping protocols, or use the birthday paradox to find a usable ip:port in reasonable time.
What I got was that "hard" NAT is hard because neither peer is able to obtain the hard NAT's public IP/Port pair: The peer behind the hard NAT can't ask a STUN server because that server would see a different pair while peer behind the easy NAT can't receive any packets.
I think it's interesting that the peer behind the hard NAT could actually produce a packet that would contain all necessary information by sending something to the easy NAT's address - but neither peer could access this packet. You'd have to call the NSA to monitor the packet in-flight...
I wonder if you could somehow fiddle with the max-hop header to have the packet be sent back to the hard NAT's peer though, sort of like traceroute works.
According to the author of dublin-traceroute, it used to be that you could use ICMP TTL Exceeded errors to your advantage, because buggy NATs didn't translate ICMP payload (which contains the IP+UDP header of the packet whose TTL hit zero).
IOW, you could send a probe packet to the easy ip:port, with a TTL low enough that the packet expires somewhere between the two NATs, and listen for the returning ICMP error. Its payload would contain the public ip:port for your session on the hard NAT, which effectively gives you an accidental STUN server that gives you correct answers, even for a hard NAT.
I _believe_ this trick no longer works reliably, because the "NAT Behavioral Requirements" family of RFCs started laying down rules for what well-behaved NATs should do, and afaict, inexplicably, vendors listened. REQ-4 of RFC 5508 says that NAT devices MUST translate the payload of ICMP errors according to the appropriate NAT mapping, to preserve the end device's illusion that no NAT exists. So, these days, the ICMP error you get back contains the unhelpful LAN source ip:port :(
I still want to experiment with that some more, because if it's unusual but not unheard of... Well, it's another technique to grab a little bit more of the long tail :)
That got a good laugh out of me.
That idea sounds really clever, but even if NATs wouldn't mangle the ICMP reply, don't you need elevated privileges to receive it in your application? And I wouldn't be too surprised if a bunch of devices would just drop it entirely.
Another thing that just came to my mind: Do any of those hard NATs assign the outgoing port in a predictable pattern for some inexplicable reason? I'd guess no, since those already seem to be security focused and not randomizing the port sounds stupid, but you never know... Would be a cool last resort for hard/hard.
I've tried to replicate the NAT traversal paper a couple of times in python, but it never really got it to work.
Maybe my ISP's network topology just inlcudes multiple NATs which is messing things up.
The paper you linked seems to have reasonably modern techniques for UDP traversal, so it should work. One thing that paper doesn't make clear, IMO, is that you need to STUN on both ends to discover your WAN ip:port, and you need to run the STUN traffic from the same socket as the one you're using for the NAT traversal.
If you have Tailscale, you can run `tailscale netcheck` to characterize your network a little bit, which might give you some answers as to why the traversal doesn't work. Successful traversal depends on the properties of both endpoints, so you'd want to netcheck from both ends. The usual culprit is MappingVariesByDestIP=true, which indicates a hard NAT.
I didn't run a STUN server, but I exchanged the WAN ip:port via a server and some simple TCP messages.
Especially if the port prediction part is driven by a dedicated "rendezvous" server rather than delegated to the clients to do. This plus taking care of the long tail (weird NAT combos) and adding a TCP traversal as a fallback used to get you a success rate of 95-97%.
Honestly, the idea only made sense back when Google Talk ruled the earth, because it gave XMPP a network effect I could utilize. Sadly, since then, chat has fallen into a dozen different silos, so the "piggybacking" benefits are zero. And if you're not piggybacking on an established network, you can build a side channel protocol that's much simpler than what you'd make with XMPP.
Edit: actually, neither submission of this article made HN's front page. I'm reupping this one (using the process described at https://news.ycombinator.com/item?id=11662380 and the links back from there) because it's obviously a solid, substantive article. No, that's not special treatment, because we do it for a wide assortment of such articles when we see them. There's a partial list at https://news.ycombinator.com/invited, if anyone wants to see what I mean by wide assortment.
It wouldn't help anyhow. Long experience with imaginary accusations shows clearly that more data doesn't persuade anyone to drop their fixed idea. On the contrary, it just spawns even more accusations.
(In case anyone's wondering, the reason I post these replies is to reassure the general reader, who might be concerned whether there's anything to this, that there isn't anything to this.)
Wouldn't be awesome if everyone was friends with you? we all would have been millionaires by now. Everybody is equal here but those who have 100% hit rate to the homepage were obviously just born lucky, right?
Please stop this now.
If you know more than the rest of the community, it would be great to share some of what you know so we all can learn. If you don't want to do that, that's fine, but then please don't post.