Slashdot Mirror


End Of the Line for SpeakFreely: NATed to Death

Arun writes "John Walker (of AutoDesk and Fourmilab fame), primary author of SpeakFreely, has decided to EOL the program (a pioneering network telephony effort), come January 15th, 2004. He cites difficulty in maintaining a decade-old code base, lack of appropriate developer support and a fundamental change in the peer-to-peer nature of the Internet upon which SF is dependent as motivating factors behind his decision. While the last release of the program will continue to be available from SourceForge, the main web site, mailing list, and web forum will be shut down on the aforementioned date." He's got some good points too, like how once IPv6 is more common, most users probably won't go back to one address per machine. I know I enjoy the added security of a NATed firewall, and without a really good reason, I won't be quick to give it up.

4 of 339 comments

  1. IETF tools for media through NAT by __aadkms7016 · · Score: 4, Informative

    The IETF midcom group has been working on solutions for passing media streams through NATs and other middleboxes for a few years now. One protocol, STUN, is already a standards-track RFC, and the group has other tools in progress. These tools work with the IETF multimedia suite (SDP, SIP, RTP, etc).

  2. Re:In Europe ISPs do not NAT their customers! by frohike · · Score: 4, Informative

    Here in the Netherlands at least, both the major broadband providers (UPC and KPN) give all customers a generically routable IP.

    ...

    Does anyone have different experience elsewhere? The States, for instance? I'd like to hear.

    Not only do most (all?) of the US broadband providers give you a globally routable IP, many of them actually get angry with you if you try to use NAT, because they want to have a one IP to one machine mapping for charging your account. Comcast in particular even has language in their AUP that says they may take legal action against you if you try to use NAT to install more machines (which is totally stupid, but there it is).

    I've got a lot of respect for Walker in other areas, but this NAT rant is just barking up the wrong tree. NAT boxes are installed by users so that they can get more functionality out of the limited IPs available to them, not by ISPs to limit the users. I know Cox cable will help you install a NAT network, but they by no means require it or lock it down. At any time you could simply plug your machine straight into the internet and be just like everyone else. Or get a better NAT box!

    On the other hand, saying that the internet is transitioning to a client/server architecture at the hands of corporate overlords isn't a big stretch at all (limited upstream, blocking HTTP ports, etc) but it has nothing to do with NAT.

    Anyway, as others have said, if he is just tired of writing the program for a perceivably uninterested audience, he should just stop and turn it over to an SF project, like he's done. No need for this NAT rant...

  3. Re:Why, oh why? by nutshell42 · · Score: 3, Informative
    Try Teamspeak - I always loved SpeakFreely but since I used Teamspeak for the first time, I've never looked back - the best voip software for Windows/Linux (If you use something else that won't help you much, of course =)

    And it works with NAT (it's more or less like IRC with voice-capability)

    --
    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

  4. Not that simple. by TheLink · · Score: 3, Informative

    "No, your addresses are perfectly routable, just the internet at large does not route them by agreement. Your ISP could easily configure its routers to get traffic in to your network on those addresses."

    Of course the ISP gets traffic in to your network even with NAT but that's how you get to surf the web. :)

    "That's nat, full, 100% working nat.
    With absolutely no security."

    Seriously tho, while your ISP can easily subvert data and existing connections (and so can Verisign etc), it is nontrivial for your ISP to make new inbound connections into your network through a NAT device.

    If you know how typical NATs work, it isn't that easy. (BTW Cisco calls them PATs because Cisco used to have inferior NAT solutions that didn't support IP sharing or overloading as they called it).

    In the simplest case that supports multiple NAT'ed hosts, a NAT device builds a table based on outbound packets: src address, src port, dest address, dest port -> new src address, new src port, dest address, dest port.

    You need a new source port because two source hosts could use the same source port.

    Reply packets that match are then translated back.

    Packets that don't match can't go through the device because the device just doesn't know where they should go.

    Unless the device is terribly buggy you should be reasonably safe from inbound connections.

    In fact with NAT, in order to allow inbound connections you need to add more code.

    So with NAT having inbound connections is harder, and that is a good thing.

    Coz there are some tricks you can play with IP fragments, where you get a fragment to overlap the original header on a vulnerable operating system. But if you have a reasonably recent O/S this shouldn't work anymore even on Windows.

    Simple example of how it works: an inbound packet fragment goes through a firewall with a legit destination address and port and is stored in a packet buffer on the destination host. Subsequent fragments are sent and allowed through by the firewall, and they overwrite/overlap the original destination port in the packet buffer, so the destination host actually ends up with a packet that connects to a service that should have been blocked by the firewall.

    If you don't allow inbound connections and only allow outbound, such subversion is a lot harder: someone needs to be able to see your outbound packets as they head towards the real destination in order to construct suitable "inbound" packets and fragments.

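The two mechanisms TheLink's comment walks through, the outbound-driven translation table of a port-overloading NAT and the overlapping-fragment trick against a stateless packet filter, as an added example that is not part of the thread or of SpeakFreely. Everything in it is constructed for illustration: the addresses are from the documentation ranges, the "packets" are plain Python records rather than real IP datagrams, and the reassembler uses byte offsets instead of the 8-byte fragment-offset units real IP uses.

```python
"""Added example, not from the original thread: a toy port-overloading NAT
(what Cisco calls PAT) that builds its table from outbound packets, and a toy
fragment reassembler showing the overlap trick and the check that defeats it.
All addresses, ports and fragments below are constructed for illustration."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PatDevice:
    """Translation table keyed on the outbound 4-tuple, as the comment describes.
    Two inside hosts may use the same source port, so each flow gets a fresh
    public source port; replies are matched on (public port, remote ip, remote port)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}    # (src, sport, dst, dport) -> public source port
        self.reverse = {}  # (public port, dst, dport) -> (src, sport)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            nport = next(self._ports)
            self.table[key] = nport
            self.reverse[(nport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Translate a reply back to the inside host, or return None (drop):
        with no matching entry the device simply does not know where it goes."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.reverse.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        src, sport = entry
        return Packet(pkt.src, pkt.sport, src, sport)


def demo_nat():
    nat = PatDevice("203.0.113.5")
    a = Packet("192.168.1.10", 5000, "198.51.100.7", 80)
    b = Packet("192.168.1.11", 5000, "198.51.100.7", 80)   # same source port as a
    oa, ob = nat.outbound(a), nat.outbound(b)
    assert oa.sport != ob.sport                             # rewritten so they don't collide
    reply = Packet("198.51.100.7", 80, nat.public_ip, oa.sport)
    unsolicited = Packet("198.51.100.9", 12345, nat.public_ip, 22)
    return nat.inbound(reply), nat.inbound(unsolicited)


# --- fragment overlap -------------------------------------------------------
ALLOWED_PORTS = {80}


def tcp_dport(header):
    """Destination port is bytes 2-3 of a TCP header (big-endian)."""
    return int.from_bytes(header[2:4], "big")


def firewall_allows(offset, data):
    """Stateless filter: only the first fragment carries a header to inspect;
    later fragments are passed through unexamined, which is the weakness."""
    if offset != 0:
        return True
    return tcp_dport(data) in ALLOWED_PORTS


def reassemble(fragments, reject_overlap):
    """fragments: list of (byte offset, bytes). The naive path lets a later
    fragment overwrite bytes already placed; the strict path returns None
    as soon as a fragment covers bytes that were already filled."""
    buf, filled = bytearray(), set()
    for off, data in fragments:
        span = range(off, off + len(data))
        if reject_overlap and filled.intersection(span):
            return None
        if len(buf) < off + len(data):
            buf.extend(b"\x00" * (off + len(data) - len(buf)))
        buf[off:off + len(data)] = data
        filled.update(span)
    return bytes(buf)


def demo_overlap():
    # Constructed: first fragment = an 8-byte TCP header stub, sport 5000, dport 80.
    first = (0, (5000).to_bytes(2, "big") + (80).to_bytes(2, "big") + b"\x00" * 4)
    # Constructed: second fragment lands on bytes 2-3 and rewrites dport to 23.
    second = (2, (23).to_bytes(2, "big"))
    passed = [f for f in (first, second) if firewall_allows(*f)]
    naive = reassemble(passed, reject_overlap=False)
    strict = reassemble(passed, reject_overlap=True)
    return len(passed), tcp_dport(naive), strict
```

Run `demo_nat()` to see the reply translated back to 192.168.1.10:5000 while the unsolicited packet to port 22 comes back as `None`; `demo_overlap()` shows both fragments clearing the filter, the naive host ending up with destination port 23, and the overlap-rejecting reassembler discarding the datagram. Real stacks apply the same idea with the 8-byte offset units and a minimum first-fragment length, so a later fragment cannot reach back into the transport header at all.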