November | 2018 | FreeSandal | Page 2

The World of OpenWrt: Raspberry Pi 3B [Router], Shifting Stars and Turning the Dipper (4.6), The Trojan Horse ‧ Ji (Sunlight)

Living in the present

'Living in the present' (often rendered 'seize the day') is the Latin maxim 'Carpe diem' (seize the day), taken from Horace's Odes.

The full line is 'carpe diem, quam minimum credula postero', which can be translated as 'seize the day, trusting as little as possible in tomorrow'. The ode says that the future cannot be foreseen, so rather than blindly chasing it one should do one's best today to make tomorrow better. It is generally held that Horace wrote this in the context of confronting the Epicurean school.[1] Horace's 'carpe diem' does not mean ignoring the future; it means not trusting that things will fall into place on their own, and acting today for the sake of tomorrow.[2]

A sundial inscribed 'Carpe diem'

Listening to Mrphs: after playing with many emulators and many games, W!o+ found that an emulator works best with a matching input device. Arcade games call for a joystick (Picade) to feel authentic, and Super Nintendo games need an SNES controller (game pad), or button combinations will not come out the way you intend. So he set to work, built several suitable input devices, and played to his heart's content.

The author started arcade gaming with a joystick, but found that children and grown-ups alike prefer Super Mario. Lacking W!o+'s skilled hands for DIY, I recalled having seen

Virtual Gamepad




This project is the result of hard work from Miroof. https://github.com/miroof/node-virtual-gamepads


Install from the experimental menu of the setup script (may only work well with a rpi2)

Usage

Once the Node.js application is running, connect the device that will act as the gamepad to the same local network and open http://node_server_address (your Raspberry Pi's IP address) in a web browser; Chrome Mobile is recommended.

………

─── from 'W!o+'s Little Weasel Workshop Tales: [New Year] Retro School (10) RETROPIE, Living in the Present'

 

Don't panic

52% of All JavaScript npm Packages Could Have Been Hacked via Weak Credentials

  • June 27, 2017, 07:25 AM

Tens of thousands of developers using weak credentials to secure their npm accounts inadvertently put more than half of the npm packages (JavaScript libraries and tools) at risk of getting hijacked and used to deploy malicious code to legitimate applications that use them in their build process.

npm Inc, the company that runs the npm package manager, has addressed the issue at the start of June by triggering password reset operations for all affected users.

Initially, there was a lot of confusion about npm Inc’s actions, and many believed the organization might have been breached. It was only over the last weekend when we discovered the real reason behind the massive npm account password resets that took place at the start of the month.

Node.js project member at the heart of it all

………

 

Ji: one's own heart has its light ☆

A Ming-dynasty portrait of Bodhidharma
Bodhidharma is said to have sat facing a wall for nine years
The Yijin Jing (Muscle-Tendon Changing Classic)
Guangxiao (Kwong Hau) Temple
The meaning of the Patriarch's coming from the West
The Jiatai Pudeng Lu (Jiatai Record of the Universal Lamp)
The Wudeng Huiyuan, volume 1, page 1
Transmission of the Lamp

Bodhidharma [Sanskrit: बोधिधर्म Bodhidharma], also called Damo, is honoured as the 'First Patriarch of Chan (Zen) Buddhism'. During the Liu Song period of the Northern and Southern dynasties he came by ship to the Nanyue region of China, today's Guangzhou. A stele inscribed 'First Ground of the Coming from the West' stands at his landing place, and he is said to have founded the thousand-year-old Hualin Temple, originally named the West-Coming Hermitage, whose stone pagoda holds twenty-one relics (śarīra) of Shakyamuni Buddha.

Legend has it that after reaching China (Cīnasthāna) by sea, Bodhidharma heard that Emperor Wu of Liang was a devout Buddhist and went to Jinling (present-day Nanjing, Jiangsu) to discuss the Dharma with him. Their views of 'Buddhism' did not agree, so he 'crossed the Yangtze on a single reed' and settled at Shaolin Temple on Mount Song, where as the 'wall-gazing Brahmin' he sat facing a wall for nine years and left the Yijin Jing and the Xisui Jing in a stone cave. This author of the Yijin Jing, creator of the seventy-two Shaolin arts and the one who first brought Chan to China, is an enlightened figure surrounded by legend and wonder.

Want to know why Bodhidharma came from the West? Bodhidharma's Bloodstream Sermon says: 'I came to this land to transmit the Dharma and rescue the deluded; one flower opens into five petals, and the fruit forms of itself.' This foretells that after the Sixth Patriarch Huineng attains the Way he will bring forth many disciples who will found five schools; later Buddhists take 'a separate transmission outside the scriptures, not relying on words' as the hallmark of Bodhidharma's 'Chan'. The lineage of this one school and five branches runs: First Patriarch Bodhidharma, Second Patriarch Huike, Third Patriarch Sengcan, Fourth Patriarch Daoxin, Fifth Patriarch Hongren, Sixth Patriarch Huineng. The line begins with the 'single straw sandal' Bodhidharma left behind, and with his 'recognition' of Huike, the start of 'transmitting the Dharma' to the Second Patriarch.

The title of this post comes from the Song poet Lei'an Zhengshou,

Jiatai Pudeng Lu, volume 18:

A thousand mountains share one moon, ten thousand households are all in spring;
A thousand rivers hold water, a thousand rivers hold the moon; ten thousand miles without cloud, ten thousand miles of sky.

Transmission of the Lamp

Also called the Chuandeng Lu (Record of the Transmission of the Lamp): works that record the lineage and origins of Dharma transmission in Chan. The sense is that passing the Dharma from person to person is like a lamp flame passed on from one lamp to the next without end. The earliest lamp records germinated in the Northern and Southern dynasties; the formal lamp-record genre appeared after the founding of Chan, continued through successive dynasties, reached its height in the Song, and was carried on through the Yuan, Ming and Qing, so that lamp records never ceased. The 'Five Lamps' are five lamp records narrating the lineage of Chan:

the Jingde Chuandeng Lu by Daoyuan of the Fayan school (Northern Song);
the Tiansheng Guangdeng Lu by Li Zunxu of the Linji school (Northern Song);
the Jianzhong Jingguo Xudeng Lu by Weibai of the Yunmen school (Northern Song);
the Liandeng Huiyao by Wuming of the Linji school (Southern Song);
the Jiatai Pudeng Lu by Zhengshou of the Yunmen school (Southern Song).

They were completed over roughly two hundred years, from the first year of Jingde in the Northern Song to the second year of Jiatai in the Southern Song. The Southern Song also produced the Wudeng Huiyuan, which distilled the 'essentials' of the Five Lamps at less than half their length.

There is but one bright moon in the sky; a thousand rivers with water hold a thousand moons. It is not that the moon enters the rivers to shine; it is that the thousand rivers reflect the moon. Nature is itself, of itself, the sky; what veils the sky is haze, not darkness of the sky; once there is no cloud, for ten thousand miles there is sky, to be seen, to appear, to be beheld. In other words, to observe the appearance of 'river' and 'moon' is to observe the cause of one's 'own mind'; only by understanding that 'cause' can one understand where 'one's own nature' 'comes from'. Therefore

understanding the mind and seeing one's nature is in truth self-reflection and self-observation, so there is no need to set up separate words.

─── from 'A Thousand Rivers with Water, a Thousand Rivers of Moons'

 

The sun shines, the moon is bright ◎

 

 

 

 

 

 

The World of OpenWrt: Raspberry Pi 3B [Router], Shifting Stars and Turning the Dipper (4.6), The Trojan Horse ‧ Wu (Moon-essence)

Oracle-bone script 甲 (jia)

Bronze script 甲 (jia)

Oracle-bone script 乙 (yi)

Shuowen Jiezi: 甲 (jia) is the eldest of the East, where yang qi stirs and sprouts; it follows 木 (wood) wearing a seed-husk, an image of the husk. Another says that a person's head is fittingly 甲, for 甲 resembles a human head. All characters of the 甲 group follow 甲. Bronze-script 甲 and ancient-script 甲: it begins at 十 (ten), appears at 千 (thousand), and is completed in the image of 木 (wood).

Shuowen Jiezi: 乙 (yi) resembles spring grasses and trees bending and twisting as they emerge while yin qi is still strong; their emergence is 'yi yi' (twisting). It has the same sense as 丨. 乙 follows 甲, as the neck follows the head. All characters of the 乙 group follow 乙.

In the post 'Torch Festival' we discussed the ancient 'ten-month calendar':

If Shang oracle-bone inscriptions already had the 'ten heavenly stems' and 'twelve earthly branches', the sexagenary cycle was used on turtle plastrons to record time, and many Shang kings took 'heavenly stems' as their names, then the legends of 'Hou Yi shooting the suns' and 'Chang'e flying to the moon' may well be a 'calendar reform' turned into earth-shaking myth:

Legend has it that in the time of Yao ten suns rose together and grasses and trees withered, while evil beasts, Yayu, Zaochi, Jiuying, Dafeng, Fengxi, Xiushe and the like, ran wild in every direction. Hou Yi was commanded by Yao to rid the land of the beasts and to shoot down nine of the suns, removing the harm from the people. ... It is also said that Hou Yi's wife Chang'e, and Hou Yi who hoped that they might forever 'hold hands and grow old together', obtained the elixir of immortality from the Queen Mother of the West, two pills in all. Somehow, while Hou Yi was away, Chang'e ate all of it alone and floated up to the Moon Palace. ... Later, it is heard, she has kept the moon rabbit pounding the elixir so that she might return to the human world!!

Whether this 'romance of sun and moon' has become known to all under heaven the author cannot tell; perhaps someone will say

No wonder the sun and moon never care to meet today, and only do so at new moon and full moon.

and perhaps someone else will suppose that the 'twelve zodiac animals', already present in oracle-bone script, came from this very 'reason'!!

Some take oracle-bone 乙 (yi) to be a 'rope' and oracle-bone 己 (ji) to be a 'knotted rope', telling of that ancient 'governing by knotted cords'. These 'symbols', older than 'writing', embody humanity's capacity for 'abstraction', an ancient 'memory' left to posterity long before bronze-script 記 (ji, 'record') could 'record' 'speech'! In this late-spring season of 'plum rains', perhaps Zhang Xian's lyric can carry one into a dream, toward that distant past,

Northern Song, Zhang Xian, 'Qianqiu Sui' (A Thousand Autumns)

A few cries of the cuckoo
again announce that the fragrant blossoms are done.
Cherishing spring, I pick and break the last remaining red.
The rain is light, the wind turns fierce,
the season when plums are green.
Willows of Yongfeng:
no one all day, and the catkins fly like snow.
Do not pluck the slender strings;
at the height of sorrow the strings can speak.
Heaven does not age,
love is hard to sever;
the heart is like a double-silk net
with a thousand, thousand knots within.
The night has passed;
the east window is not yet pale, the lone lamp has gone out.

and a heart tied with 'a thousand, thousand knots' indeed!!

Governing by knotted cords
Recording events by knotted cords

Quipu
The quipu of the ancient Incas

Perhaps some have heard of the 'three marvels of heaven' 甲戊庚 (jia, wu, geng), the 'three marvels of man' 壬癸辛 (ren, gui, xin) and the 'three marvels of earth' 乙丙丁 (yi, bing, ding); why, among the ten heavenly stems, is 己 (ji) left out? The curious may take a look at

Eastern Han, Wei Boyang, Cantong Qi (The Kinship of the Three)

Chapter 1: General Account of the Great Change

Qian and Kun are the gateway of the Change, father and mother of all the hexagrams. Kan and Li are the frame and outline, the turning hub and the true axle; these four hexagrams, male and female, serve as the bellows. They cover the Way of yin and yang, as a skilled charioteer keeps to the marking line, holds bit and reins, sets compass and square, and follows the ruts: dwelling in the centre to govern the outside, the numbers lie in the pitch-pipes and the calendar. The month's nodes are five and six; warp and weft obey the sun's command; together they make sixty, hard and soft having outer and inner. At daybreak of the first day Zhun is on duty, by dusk Meng takes over; day and night each take one hexagram, used in sequence. Before the last day and its dawn arrive, the end turns back to the beginning; sun and moon set the measure, motion and rest have early and late. In spring and summer rely on the inner trigram, from Zi through Chen and Si; in autumn and winter apply the outer, from Wu to Xu and Hai. Reward and punishment answer to spring and autumn, dusk and dawn follow cold and heat; the line statements carry humaneness and righteousness, joy and anger arise with the season; so they answer the four seasons, and the five phases find their order.

Chapter 2: Qian and Kun Set the Positions

Heaven and earth set the positions, and the Change moves between them. 'Heaven and earth' are the images of Qian and Kun; 'setting the positions' arrays the places where yin and yang pair. The 'Change' means Kan and Li, the two uses of Qian and Kun. The two uses have no line positions; they circulate through the six voids, their comings and goings unfixed, their rising and descending without constancy, hidden and submerged, transforming within, enfolding the ten thousand things, the guiding cord of the Way. Using non-being to govern being, what is used is empty; so when one reckons waxing and waning, Kan and Li vanish. Words are not made carelessly, discourse is not born of nothing; cite evidence and see the effect, verify against the spirits, reason from the structure of the characters, and take principle as proof.

Kan is the moon-essence of 戊 (wu); Li is the sunlight of 己 (ji). Sun and moon make the Change; hard and soft match each other. Earth flourishes in the four seasons, binding beginning to end; green, red, black and white each occupy their direction, and all receive from the central palace the merit of 戊 and 己.

So how could this 'sunlight' be something to be 'enjoyed alone'??

─── from '《派生》 PYTHON Workshop [Yi]: Choosing the Site and Laying the Foundation'

 

In the season when the Kan-moon of Wu is full, do all things see one another?

Rootkit

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.[1] The term rootkit is a concatenation of “root” (the traditional name of the privileged account on Unix-like operating systems) and the word “kit” (which refers to the software components that implement the tool). The term “rootkit” has negative connotations through its association with malware.[1]

Rootkit installation can be automated, or an attacker can install it after having obtained root or Administrator access. Obtaining this access is a result of direct attack on a system, i.e. exploiting a known vulnerability (such as privilege escalation) or a password (obtained by cracking or social engineering tactics like “phishing“). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. The key is the root or administrator access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem.[2] When dealing with firmware rootkits, removal may require hardware replacement, or specialized equipment.
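The first-generation rootkits described below in the History section replaced administrative binaries and were caught by integrity checkers such as Tripwire, because a baseline taken before the compromise does not depend on the compromised tools. The script here is an added example, not code from Wikipedia or from Tripwire: it baselines a directory of "tools", seals the baseline with an HMAC, and then reports what a simulated intruder changed. The directory, the file contents, the intruder's edits and BASELINE_KEY are all constructed for the example.

```python
"""Tripwire-style integrity check for a directory of administrative tools.

Added example (not Wikipedia's or Tripwire's code). The tool directory,
file contents, the intruder's changes and BASELINE_KEY are constructed
here so the script runs offline.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Key that seals the baseline. Keep it, and the baseline, off the host
# being checked (read-only or offline media): an intruder with root can
# otherwise rewrite both. Constructed for this example.
BASELINE_KEY = b"offline-baseline-key"


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(tool_dir):
    """Digest, size and mode of every regular file directly under tool_dir."""
    entries = {}
    for name in sorted(os.listdir(tool_dir)):
        path = os.path.join(tool_dir, name)
        if os.path.isfile(path):
            st = os.stat(path)
            entries[name] = {"sha256": file_digest(path),
                             "size": st.st_size, "mode": st.st_mode}
    return entries


def seal(baseline):
    """Serialise the baseline and attach an HMAC over it."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
    return body, tag


def baseline_is_authentic(body, tag):
    """True if the stored baseline still carries a valid HMAC."""
    expected = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def verify(tool_dir, body, tag):
    """Re-scan tool_dir against the sealed baseline and report deviations."""
    if not baseline_is_authentic(body, tag):
        raise ValueError("baseline has been tampered with; do not trust it")
    baseline = json.loads(body)
    current = build_baseline(tool_dir)
    return {
        "modified": sorted(n for n in baseline
                           if n in current and current[n] != baseline[n]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Baseline a fake tool directory, then let a first-generation
    rootkit replace ps, drop a backdoor and delete netstat."""
    tool_dir = tempfile.mkdtemp(prefix="bin-")
    try:
        for name, content in {"ls": b"ls v1", "ps": b"ps v1",
                              "netstat": b"netstat v1"}.items():
            with open(os.path.join(tool_dir, name), "wb") as f:
                f.write(content)
        body, tag = seal(build_baseline(tool_dir))   # taken before compromise

        with open(os.path.join(tool_dir, "ps"), "wb") as f:
            f.write(b"ps v1 that hides pid 31337")    # trojaned ps
        with open(os.path.join(tool_dir, "backdoor"), "wb") as f:
            f.write(b"bind shell")
        os.remove(os.path.join(tool_dir, "netstat"))

        return verify(tool_dir, body, tag)
    finally:
        shutil.rmtree(tool_dir)


if __name__ == "__main__":
    print(demo())   # {'modified': ['ps'], 'added': ['backdoor'], 'removed': ['netstat']}
```

The check reads files through the running kernel, so it catches only what the article calls first-generation rootkits: a kernel-resident rootkit that hooks the read path can present the original bytes to the scanner while executing the replaced ones, which is why the detection methods above also list scanning from an alternative trusted operating system.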

History

The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted “root” access.[3] If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator. These first-generation rootkits were trivial to detect by using tools such as Tripwire that had not been compromised to access the same information.[4][5] Lane Davis and Steven Dake wrote the earliest known rootkit in 1990 for Sun Microsystems' SunOS UNIX operating system.[6] In the lecture he gave upon receiving the Turing award in 1983, Ken Thompson of Bell Labs, one of the creators of Unix, theorized about subverting the C compiler in a Unix distribution and discussed the exploit. The modified compiler would detect attempts to compile the Unix login command and generate altered code that would accept not only the user’s correct password, but an additional “backdoor” password known to the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler, and would insert the same exploits into the new compiler. A review of the source code for the login command or the updated compiler would not reveal any malicious code.[7] This exploit was equivalent to a rootkit.

The first documented computer virus to target the personal computer, discovered in 1986, used cloaking techniques to hide itself: the Brain virus intercepted attempts to read the boot sector, and redirected these to elsewhere on the disk, where a copy of the original boot sector was kept.[1] Over time, DOS-virus cloaking methods became more sophisticated, with advanced techniques including the hooking of low-level disk INT 13H BIOS interrupt calls to hide unauthorized modifications to files.[1]

The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by Greg Hoglund.[8] It was followed by HackerDefender in 2003.[1] The first rootkit targeting Mac OS X appeared in 2009,[9] while the Stuxnet worm was the first to target programmable logic controllers (PLC).[10]

Sony BMG copy protection rootkit scandal

Main article: Sony BMG copy protection rootkit scandal

 

In 2005, Sony BMG published CDs with copy protection and digital rights management software called Extended Copy Protection, created by software company First 4 Internet. The software included a music player but silently installed a rootkit which limited the user’s ability to access the CD.[11] Software engineer Mark Russinovich, who created the rootkit detection tool RootkitRevealer, discovered the rootkit on one of his computers.[1] The ensuing scandal raised the public’s awareness of rootkits.[12] To cloak itself, the rootkit hid from the user any file starting with “$sys$”. Soon after Russinovich’s report, malware appeared which took advantage of that vulnerability of affected systems.[1] One BBC analyst called it a “public relations nightmare.”[13] Sony BMG released patches to uninstall the rootkit, but it exposed users to an even more serious vulnerability.[14] The company eventually recalled the CDs. In the United States, a class-action lawsuit was brought against Sony BMG.[15]

 

In what is deep, hidden and subtle, are there things that cannot be seen!

Kernel, Hypervisor, Virtualization, Trusted Computing and other system-level security stuff

Thursday, June 22, 2006

Introducing Blue Pill

About the author: founder of Invisible Things Lab, Qubes OS project lead.

All the current rootkits and backdoors, which I am aware of, are based on a concept. For example: FU was based on an idea of unlinking EPROCESS blocks from the kernel list of active processes, Shadow Walker was based on a concept of hooking the page fault handler and marking some pages as invalid, deepdoor on changing some fields in NDIS data structure, etc… Once you know the concept you can (at least theoretically) detect the given rootkit.

Now, imagine a malware (e.g. a network backdoor, keylogger, etc…) whose capabilities to remain undetectable do not rely on obscurity of the concept. Malware, which could not be detected even though its algorithm (concept) is publicly known. Let’s go further and imagine that even its code could be made public, but still there would be no way for detecting that this creature is running on our machines…

Over the past few months I have been working on a technology code-named Blue Pill, which is just about that – creating 100% undetectable malware, which is not based on an obscure concept.

The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices, like graphics card, are fully accessible to the operating system, which is now executing inside virtual machine. This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica.

………

※ Source code:

www.invisiblethingslab.com/resources/bh07/nbp-0.32-public.zip

 

How to choose a little pill ☆

Blue Pill (software)

Blue Pill is the codename for a rootkit based on x86 virtualization. Blue Pill originally required AMD-V (Pacifica) virtualization support, but was later ported to support Intel VT-x (Vanderpool) as well. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006, with a reference implementation for the Microsoft Windows Vista kernel.

The name is a reference to the red pill and blue pill concept from the 1999 film The Matrix.

Overview

The Blue Pill concept is to trap a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor. The original concept of Blue Pill was published by another researcher at IEEE Oakland in May 2006, under the name VMBR (virtual-machine based rootkit).[1]

Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system could be “100% undetectable”. Since AMD virtualization is seamless by design, a virtualized guest is not supposed to be able to query whether it is a guest or not. Therefore, the only way Blue Pill could be detected is if the virtualization implementation were not functioning as specified.[2]

This assessment, repeated in numerous press articles, is disputed: AMD issued a statement dismissing the claim of full undetectability.[3] Some other security researchers and journalists also dismissed the concept as implausible.[4] Virtualization could be detected by a timing attack relying on external sources of time.[5]

In 2007, a group of researchers led by Thomas Ptacek of Matasano Security challenged Rutkowska to put Blue Pill against their rootkit detector software at that year’s Black Hat conference,[6] but the deal was deemed a no-go following Rutkowska’s request for $384,000 in funding as a prerequisite for entering the competition.[7] Rutkowska and Alexander Tereshkin countered detractors’ claims during a subsequent Black Hat speech, arguing that the proposed detection methods were inaccurate.[8]

The source code for Blue Pill has since been made public,[9][10] under the following license: Any unauthorized use (including publishing and distribution) of this software requires a valid license from the copyright holder. This software has been provided for the educational use only during the Black Hat training and conference.[11]

Red Pill

Red Pill is a technique to detect the presence of a virtual machine also developed by Joanna Rutkowska.[12]

 

 

 

 

 

 

 

 

The World of OpenWrt: Raspberry Pi 3B [Router], Shifting Stars and Turning the Dipper (4.6), The Trojan Horse ‧ Ding

Lady Justice

Lady Justice (Justitia, the goddess of fairness and justice in ancient Rome) is the symbol of the just morality on which law rests. Since the Renaissance, Justitia has usually been depicted as a woman with bared breast holding scales and a long sword, sometimes wearing a blindfold. Her image, which today is common in courthouses, merges the ancient Greek goddess of law Themis, who represents justice, with the Roman goddess of fortune Fortuna. From the fifteenth century onward Lady Justice has often been shown blindfolded, standing for her objectivity, impartiality and equal treatment of all.

Justitia blindfolded and holding balance scales and a sword. Court of Final Appeal, Hong Kong

 

Lady Justice holds the 'scales of fairness' and the 'sword of justice', but why is she blindfolded? Because justice is impartial and unselfish; it is said that the eyes lead to the heart, so not seeing 'what is desirable' symbolises 'giving rise to the mind while dwelling nowhere'!

If one asks whether banknotes should carry names: should 'anonymous communication' be opposed for the sake of 'information security'??

Onion routing

Onion routing is a technique for anonymous communication over a computer network. In an onion routing network, messages are wrapped in layer upon layer of encryption, like an onion, and sent through a series of network nodes called onion routers; each onion router strips (decrypts) the outermost layer, and at the destination the last layer is removed so that the destination obtains the original message. Because of this layered wrapping, each node (the destination included) learns only the location of its immediate predecessor and successor on the path, not the whole route or the address of the original sender.[1]

Invention and implementation

In the mid-1990s, researchers Paul Syverson, Michael Reed and David Goldschlag of the U.S. Naval Research Laboratory developed onion routing to protect U.S. online intelligence systems.[2][3][4] DARPA then took the project over for further development, and the Navy obtained a patent in 1998.[3][5][6] In 2002 computer scientists Roger Dingledine and Nick Mathewson joined Syverson's project and began developing Tor; Tor is the acronym of The Onion Routing project, which later became the largest and best-known implementation of onion routing. The Naval Research Laboratory subsequently released Tor's source code under a free-software licence.[4][7][8] In 2006 Dingledine, Mathewson and five others founded the non-profit The Tor Project, funded by several organisations including the Electronic Frontier Foundation.[9][10]

Weaknesses

Timing analysis

One reason the conventional Internet is not considered anonymous is that Internet service providers are able to log and trace connections between computers. When someone visits a particular website, for example, the content exchanged, such as passwords, may be protected from onlookers by an encrypted connection such as HTTPS, but the connection itself is still recorded: when it was established, how much data was transferred, and so on. Onion routing builds and hides the connection between two computers so that no single identifiable direct connection exists between them, but the connection records described above remain. Traffic analysis can search connection logs for connection times and transfer volumes to identify likely sender and receiver pairs: if someone sends 51 KB of data to an unknown computer and, three seconds later, another unknown computer sends 51 KB to a particular website, it can be inferred that this person probably connected to that website.[12][13] Other factors make traffic analysis more effective still, including nodes failing or leaving the network,[13] and chains that have changed through periodic rebuilding while some nodes on the chain still track a previously established session.[14]

Garlic routing is a variant of onion routing, used with the I2P network, that encrypts and bundles several messages together so that an attacker's traffic analysis is harder.[15]

Exit node vulnerability

Although messages are encrypted layer by layer within the onion routing network, at the exit node the last layer is removed and the original message is passed to the recipient; if the exit node is attacked or controlled, the original message can therefore be intercepted.[16] Swedish researcher Dan Egerstad used this method to obtain the passwords of more than 100 e-mail accounts belonging to foreign embassies.[17] The exit node vulnerability is similar in principle to an unencrypted wireless network, where data a user sends unencrypted over the air can be captured by others along the way; both problems are solved by end-to-end encrypted connections such as SSL or HTTPS.[18]

Garlic routing

Garlic routing is a variant of onion routing that splits the original data into encrypted packets and spreads them across several tunnels, making an attacker's traffic analysis all the harder. In onion routing the upload and download of one or more data streams share a single tunnel; in garlic routing the upload and download tunnels are independent of each other, and there may be more than one tunnel in each direction, hence the name.

Compared with onion routing's circuit switching, garlic routing is also described as packet switching. Garlic routing is one of the main differences between I2P and Tor and other privacy/encryption networks.
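To make the layering concrete, here is an added example of the onion construction described above; it is not code from Wikipedia, Tor or I2P. Each relay holds one key, strips one layer and learns only the next hop; the exit relay is the only one that sees the payload in the clear, which is the exit-node weakness just discussed. The cipher is a toy stream cipher built from HMAC-SHA256 so the script runs with the standard library alone, and unlike a real deployment it adds no per-layer authentication; relay names, keys, the sender name and the message are constructed for the example.

```python
"""Layered ("onion") encryption and hop-by-hop peeling.

Added example, not code from Wikipedia, Tor or I2P. The cipher is a toy
stream cipher built from HMAC-SHA256 (stdlib only, no authentication);
real onion routers use AES in counter mode with per-hop keys negotiated
by a handshake. Relay names, keys and the message are constructed.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 keystream (toy cipher, no MAC)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key, blob):
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def pack_layer(next_hop, inner):
    """Length-prefixed next-hop name followed by the inner blob."""
    name = next_hop.encode()
    return struct.pack(">H", len(name)) + name + inner


def unpack_layer(data):
    (n,) = struct.unpack(">H", data[:2])
    return data[2:2 + n].decode(), data[2 + n:]


def build_onion(route, keys, destination, payload):
    """Wrap payload once per relay, innermost layer first, so that each
    relay can decrypt exactly one layer and learn only the next hop."""
    blob, next_hop = payload, destination
    for relay in reversed(route):
        blob = encrypt(keys[relay], pack_layer(next_hop, blob))
        next_hop = relay
    return next_hop, blob          # (first hop, onion to hand to it)


def peel(relay, keys, blob):
    """What a relay does: strip its own layer and forward the rest."""
    return unpack_layer(decrypt(keys[relay], blob))


def simulate(route, keys, destination, payload, sender="alice"):
    """Forward the onion along the route, recording what each relay sees.
    Returns (delivered_payload, views); each view is
    (relay, previous_hop, next_hop, plaintext_visible)."""
    views = []
    first_hop, blob = build_onion(route, keys, destination, payload)
    prev, hop = sender, first_hop
    while hop != destination:
        next_hop, inner = peel(hop, keys, blob)
        # Only the exit relay's "inner" is the sender's plaintext; for
        # every other relay it is still ciphertext under the next key.
        views.append((hop, prev, next_hop, inner == payload))
        prev, hop, blob = hop, next_hop, inner
    return blob, views


if __name__ == "__main__":
    demo_keys = {r: os.urandom(32) for r in ("relay1", "relay2", "relay3")}
    delivered, seen = simulate(["relay1", "relay2", "relay3"], demo_keys,
                               "example.org", b"GET /secret HTTP/1.1")
    print(delivered)
    for view in seen:
        print(view)
```

Each relay's view shows the property the article states: relay1 knows the sender and relay2, relay2 knows only relay1 and relay3, and only relay3 (the exit) knows the destination and reads the payload. A fresh nonce per layer means the bytes a relay receives and the bytes it forwards never match, so an observer cannot link them by content; it also means nothing in this toy protects against tampering, which is what per-layer authentication in a real design is for.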

 

A world of colour shows that there is more than 'black and white'! In interpreting phenomena, the contradictory desires of human nature always show some degree of 'grey'!! Is 'neither biased nor partial', 'neither left nor right', 'neither □ nor not-□' what is meant by the 'mean'??!! At the 'opening of heaven and earth' there was neither 'time' nor 'space'; where then were 'up, down, left and right'? Everything lay within it!!??

A modest gentleman thinks carefully and acts carefully, that is all ☆

─── from 'Raspberry Pi 0W Rhapsody: Security Probe 《𝄡》'

 

Can principle be bound up with the debate over the 'use' of 'tools'?

A man kills with a knife; is the knife to blame? Someone makes a knife that can kill, and someone uses it to kill; is the maker truly blameless?? The instrumentalists, who hold that an artefact has nothing to do with its use, have their argument. By that argument a bare hand can also kill, and the motive for practising martial arts becomes suspect! Then

Xunzi, 'Regulations of a King'

If the horses are frightened by the carriage, the gentleman is not at ease in the carriage; if the common people are frightened by the government, the gentleman is not at ease in his position. If the horses are frightened by the carriage, nothing is better than calming them; if the common people are frightened by the government, nothing is better than treating them kindly. Select the worthy and able, promote the earnest and respectful, encourage filial piety and brotherly duty, take in orphans and widows, relieve the poor. Then the common people are at ease with the government, and only when the common people are at ease with the government is the gentleman at ease in his position. The tradition says: 'The ruler is the boat, the common people are the water; the water carries the boat, and the water overturns the boat.' This is what it means.

It says: the water carries the boat, and the water overturns the boat. Whose fault is it in the end!!

─── from '[Tripod and Revolution] RASPBIAN STRETCH (3 ‧ Wu)'

 

Imagine that the 'dark web' has already 'lodged itself' here!

Dark web

The dark web is the World Wide Web content that exists on darknets, overlay networks that use the Internet but require specific software, configurations, or authorization to access.[1][2] The dark web forms a small part of the deep web, the part of the Web not indexed by web search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web.[3][4][5][6][7]

The darknets which constitute the dark web include small, friend-to-friend peer-to-peer networks, as well as large, popular networks like Tor, Freenet, I2P, and Riffle operated by public organizations and individuals. Users of the dark web refer to the regular web as Clearnet due to its unencrypted nature.[8] The Tor dark web may be referred to as onionland,[9] a reference to the network’s top-level domain suffix .onion and the traffic anonymization technique of onion routing.

 

Rather than contemplating a ban on the 'Internet'??, it would be better to think about how to build a 'secure network'!! For example, by means of

n2n

n2n is an open source Layer 2 over Layer 3 VPN application which utilises a peer-to-peer architecture for network membership and routing.

Unlike many other VPN programs, n2n can also connect computers which reside behind NAT routers. These connections are set up with help from a third computer that both computers can reach. This computer, called a supernode, can then route the information between NATed nodes.[2][3]

It is free software licensed under the terms of the GNU General Public License v3.

Turbo VPN is a custom Windows server/client implementation of n2n.

 

with its advantages of being 'free', 'simple' and 'encrypted', which 'Amazon' users may like as well ☺

Using n2n with Amazon (AWS) EC2


Although we currently have no time to further develop n2n (we have put the project on hold until we have time to work at it again), this tool is still widely used. This article (courtesy of Stuart Buckell) shows how to use n2n to enable broadcast and multicast support on Amazon (AWS) EC2, which is required for certain enterprise applications and protocols.

Enjoy!

 

So it comes especially recommended ☆

n2n

a Layer Two Peer-to-Peer VPN


n2n is a layer-two peer-to-peer virtual private network (VPN) which allows users to exploit features typical of P2P applications at network instead of application level. This means that users can gain native IP visibility (e.g. two PCs belonging to the same n2n network can ping each other) and be reachable with the same network IP address regardless of the network where they currently belong. In a nutshell, as OpenVPN moved SSL from application (e.g. used to implement the https protocol) to network protocol, n2n moves P2P from application to network level.

The main n2n design features are:

  • An n2n is an encrypted layer two private network based on a P2P protocol.
  • Encryption is performed on edge nodes using open protocols with user-defined encryption keys: you control your security without delegating it to companies as it happens with Skype or Hamachi.
  • Each n2n user can simultaneously belong to multiple networks (a.k.a. communities).
  • Ability to cross NAT and firewalls in the reverse traffic direction (i.e. from outside to inside) so that n2n nodes are reachable even if running on a private network. Firewalls no longer are an obstacle to direct communications at IP level.
  • n2n networks are not meant to be self-contained: it is possible to route traffic across n2n and non-n2n networks.

The n2n architecture is based on two components:

  • edge nodes: applications installed on user PCs that allow the n2n network to be built. In practice each edge node creates a tun/tap device that is the entry point to the n2n network.
  • a supernode: used by edge nodes at startup, or for reaching nodes behind symmetric firewalls. This application is basically a directory register and a packet router for those nodes that cannot talk directly.

Edge nodes talk by means of virtual tap interfaces. Each tap interface is an n2n edge node. Each PC can have multiple tap interfaces, one per n2n network, so that the same PC can belong to multiple communities.

Quickstart


  • Download and compile the code
  • Decide where to place your supernode. Suppose you put it on host a.b.c.d at port xyw.
  • Decide what encryption password you want to use to secure your data. Suppose you use the password encryptme
  • Decide the network name you want to use. Suppose you call it mynetwork. Note that you can use your supernode/edge nodes to handle multiple networks, not just one.
  • Decide what IP address you plan to use on your edge nodes. Suppose you use IP address 10.1.2.0/24
  • Start your applications:
#supernode > supernode -l xyw
#edge node1> edge -a 10.1.2.1 -c mynetwork -k encryptme -l a.b.c.d:xyw
#edge node2> edge -a 10.1.2.2 -c mynetwork -k encryptme -l a.b.c.d:xyw

Now test your n2n network:

#edge node1> ping 10.1.2.2
#edge node2> ping 10.1.2.1

 

※ Execution reference:

supernode A 5.168.168.6 ─── OpenWrt router 5.168.168.20 ─── edge B 5.168.128.250

【supernode A】

root@kali-pi:~# supernode -l 1234
21/Nov/2018 18:42:03 [supernode.c: 476] Supernode ready: listening on port 1234 [TCP/UDP]
21/Nov/2018 18:42:13 [supernode.c: 119] Registered new node [public_ip=(2)5.168.168.6:36776][private_ip=0.0.0.0:36776][mac=0E:BD:7C:E4:B6:2D][community=mynetwork]
21/Nov/2018 18:43:49 [supernode.c: 119] Registered new node [public_ip=(2)5.168.168.20:37542][private_ip=0.0.0.0:37542][mac=16:6B:C4:FA:61:99][community=mynetwork]

【edge A】

root@kali-pi:~# edge -a 10.1.2.1 -c mynetwork -k encryptme -l 5.168.168.6:1234
10.1.2.1
21/Nov/2018 18:42:13 [     edge.c:1136] Using supernode 5.168.168.6:1234
21/Nov/2018 18:42:13 [tuntap_linux.c:  38] Interface edge0 has MAC 0E:BD:7C:E4:B6:2D
21/Nov/2018 18:42:13 [     edge.c: 670] Registering with supernode
21/Nov/2018 18:42:13 [     edge.c:1367] 
21/Nov/2018 18:42:13 [     edge.c:1368] Ready
21/Nov/2018 18:42:13 [     edge.c:1035] Received REGISTER_ACK from remote peer [ip=5.168.168.6:1234]
21/Nov/2018 18:42:13 [     edge.c:1434] STATUS: pending=0, operational=0
21/Nov/2018 18:43:16 [     edge.c: 670] Registering with supernode
21/Nov/2018 18:43:16 [     edge.c:1035] Received REGISTER_ACK from remote peer [ip=5.168.168.6:1234]
21/Nov/2018 18:44:20 [     edge.c: 670] Registering with supernode
21/Nov/2018 18:44:20 [     edge.c:1035] Received REGISTER_ACK from remote peer [ip=5.168.168.6:1234]

 

root@kali-pi:~# ifconfig 
edge0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1400
        inet 10.1.2.1  netmask 255.255.255.0  broadcast 10.1.2.255
        inet6 fe80::cbd:7cff:fee4:b62d  prefixlen 64  scopeid 0x20<link>
        ether 0e:bd:7c:e4:b6:2d  txqueuelen 1000  (Ethernet)
        RX packets 16  bytes 1236 (1.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17  bytes 1314 (1.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 5.168.168.6  netmask 255.255.255.0  broadcast 5.168.168.255
        inet6 fe80::ba27:ebff:fedb:efad  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:db:ef:ad  txqueuelen 1000  (Ethernet)
        RX packets 20227495  bytes 1949210996 (1.8 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 865121  bytes 114241549 (108.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...

 

root@kali-pi:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         5.168.168.1     0.0.0.0         UG    0      0        0 eth0
5.168.168.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 edge0

 

【edge B】

root@kali:~# edge -a 10.1.2.2 -c mynetwork -k encryptme -l 5.168.168.6:1234
10.1.2.2
21/Nov/2018 07:43:49 [     edge.c:1136] Using supernode 5.168.168.6:1234
21/Nov/2018 07:43:49 [tuntap_linux.c:  38] Interface edge0 has MAC 16:6B:C4:FA:61:99
21/Nov/2018 07:43:49 [     edge.c: 670] Registering with supernode
21/Nov/2018 07:43:49 [     edge.c:1367] 
21/Nov/2018 07:43:49 [     edge.c:1368] Ready
21/Nov/2018 07:43:49 [     edge.c:1035] Received REGISTER_ACK from remote peer [ip=5.168.168.6:1234]
21/Nov/2018 07:43:49 [     edge.c:1434] STATUS: pending=0, operational=0
21/Nov/2018 07:44:49 [     edge.c: 670] Registering with supernode
21/Nov/2018 07:44:49 [     edge.c:1035] Received REGISTER_ACK from remote peer [ip=5.168.168.6:1234]
21/Nov/2018 07:45:55 [     edge.c: 670] Registering with supernode
21/Nov/2018 07:45:55 [     edge.c:1035] Received REGISTER_ACK from remote peer [ip=5.168.168.6:1234]

 

root@kali:~# ifconfig 
edge0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1400
        inet 10.1.2.2  netmask 255.255.255.0  broadcast 10.1.2.255
        inet6 fe80::146b:c4ff:fefa:6199  prefixlen 64  scopeid 0x20<link>
        ether 16:6b:c4:fa:61:99  txqueuelen 1000  (Ethernet)
        RX packets 7  bytes 518 (518.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17  bytes 1306 (1.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 5.168.128.250  netmask 255.255.255.0  broadcast 5.168.128.255
        inet6 fe80::ba27:ebff:fec2:b06e  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:c2:b0:6e  txqueuelen 1000  (Ethernet)
        RX packets 346585  bytes 212092128 (202.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 293387  bytes 54265187 (51.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...

 

root@kali:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         5.168.128.66    0.0.0.0         UG    0      0        0 eth0
5.168.128.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 edge0

 

【A ssh B】

root@kali-pi:~# ssh -l root 10.1.2.2
The authenticity of host '10.1.2.2 (10.1.2.2)' can't be established.
ECDSA key fingerprint is SHA256:+k1xOqFbG0NPv4aFzHT6Dd+iD3O6sWJALOXInXZxiZg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.2.2' (ECDSA) to the list of known hosts.
root@10.1.2.2's password: 
Linux kali 4.9.59-v7_Re4son-Kali-Pi+ #1 SMP Wed Feb 14 20:50:28 CST 2018 armv7l

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

 

Those who care about future development can look here ◎

n2n (development branch)

A development branch of the n2n p2p vpn software https://github.com/ntop/n2n

This is a development branch of the n2n p2p vpn software.

https://github.com/ntop/n2n

It contains some modifications of the v2 version of n2n, which is the latest stable version
and should be used for production environments.
All the current development happens in this repository in the new_protocol branch, which is
intended to become version v3 of n2n and then be merged back into the original svn repository
on ntop.org.

Uses sglib http://sglib.sourceforge.net.

For further information please visit the wiki https://github.com/meyerd/n2n/wiki.

 

 

 

 

 

 

 

The World of OpenWrt: Raspberry Pi 3B [Router], Shifting Stars and Turning the Dipper (4.6), The Trojan Horse ‧ Bing

Matthew 25:29
For to everyone who has, more will be given, and he will have abundance; but from the one who has not, even what he has will be taken away.

[Analects, Wei Zheng, Book 2]
Zizhang asked whether ten generations hence could be known. The Master said: 'The Yin followed the rites of Xia; what they took away and added can be known. The Zhou followed the rites of Yin; what they took away and added can be known. Whoever succeeds the Zhou, even a hundred generations hence, can be known.'

Wind and Thunder: Yi (Increase)
It is beneficial to have somewhere to go; it is beneficial to cross the great river.
Tuan (Judgement): Increase: decrease above and increase below, and the people rejoice without bound; descending from above to below, its Way is greatly bright. 'Beneficial to have somewhere to go': central and correct, there is blessing. 'Beneficial to cross the great river': the Way of wood then proceeds. Increase moves and is gentle, advancing daily without bound. Heaven bestows, earth brings forth; its increase has no fixed place. In all, the Way of increase proceeds together with the time.
Xiang (Image): Wind and thunder make Increase; the gentleman, seeing good, moves toward it, and having faults, corrects them.

Nine at the beginning: It is beneficial to use it for great undertakings; supremely auspicious, no blame.
Image: 'Supremely auspicious, no blame': those below are not to be burdened with heavy affairs.

Six in the second: Someone increases him; a tortoise worth ten strings of cowries cannot oppose it; lasting perseverance is auspicious. The king uses it to make offerings to the Lord on High: auspicious.
Image: 'Someone increases him': it comes from outside.

Six in the third: Increase by way of unfortunate affairs; no blame. Sincere and walking the middle path, he reports to the duke bearing the jade tablet.
Image: 'Increase by way of unfortunate affairs': it is firmly his.

Six in the fourth: Walking the middle path, he reports to the duke and is followed. It is beneficial to rely on this to move the capital.
Image: 'Reports to the duke and is followed': by the will to increase.

Nine in the fifth: Sincere and kind of heart; ask not, supremely auspicious. Sincerity: kindness toward my virtue.
Image: 'Sincere and kind of heart': there is no need to ask. 'Kindness toward my virtue': greatly attaining one's will.

Nine at the top: No one increases him; someone strikes him. A heart set without constancy: misfortune.
Image: 'No one increases him': a one-sided word. 'Someone strikes him': it comes from outside.

─── 《Matthew 25:29;

 

In order to solve

IPv4

Internet Protocol version 4 (IPv4) is the fourth revision in the development of the Internet Protocol and the first version to be widely deployed. IPv4 is the core of the Internet and the most widely used version of the Internet Protocol; its successor is IPv6, which was still in early deployment when IANA's pool of IPv4 addresses was exhausted in 2011.

IPv4 is described in RFC 791, published by the IETF in September 1981, which replaced RFC 760 of January 1980.

IPv4 is a connectionless protocol that operates on a packet-switched link layer such as Ethernet. It provides best-effort delivery: it does not guarantee that any packet reaches its destination, nor that packets arrive in the correct order and without duplicates. These aspects are handled by upper-layer transport protocols such as the Transmission Control Protocol.

Addresses

IPv4 uses 32-bit (4-byte) addresses, so the address space contains only 4,294,967,296 (2^32) addresses. Some addresses are reserved for special purposes, such as private networks (about 18 million addresses) and multicast (about 270 million addresses), which reduces the number of addresses routable on the Internet. As addresses were handed out to end users, IPv4 address exhaustion set in. Restructuring the address space through classful networks, Classless Inter-Domain Routing and network address translation slowed exhaustion considerably, but on 3 February 2011, after the last five address blocks were allocated to the five regional Internet registries, IANA's primary address pool was exhausted.

These limits spurred the deployment of IPv6, then still in early development, which is the only long-term solution.

 

and its problem of 'shortage', it was 'increased' with

Network address translation

Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.[1] The technique was originally used as a shortcut to avoid the need to readdress every host when a network was moved. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

IP masquerading is a technique that hides an entire IP address space, usually consisting of private IP addresses, behind a single IP address in another, usually public address space. The address that has to be hidden is changed into a single (public) IP address as “new” source address of the outgoing IP packet so it appears as originating not from the hidden host but from the routing device itself. Because of the popularity of this technique to conserve IPv4 address space, the term NAT has become virtually synonymous with IP masquerading.

As network address translation modifies the IP address information in packets, it has serious consequences on the quality of Internet connectivity and requires careful attention to the details of its implementation. NAT implementations vary widely in their specific behavior in various addressing cases and their effect on network traffic. The specifics of NAT behavior are not commonly documented by vendors of equipment containing NAT implementations.[2]

 

Who could have known that it would raise

Peer-to-peer

Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the application. They are said to form a peer-to-peer network of nodes.

Peers make a portion of their resources, such as processing power, disk storage or network bandwidth, directly available to other network participants, without the need for central coordination by servers or stable hosts.[1] Peers are both suppliers and consumers of resources, in contrast to the traditional client-server model in which the consumption and supply of resources is divided. Emerging collaborative P2P systems are going beyond the era of peers doing similar things while sharing resources, and are looking for diverse peers that can bring in unique resources and capabilities to a virtual community thereby empowering it to engage in greater tasks beyond those that can be accomplished by individual peers, yet that are beneficial to all the peers.[2]

While P2P systems had previously been used in many application domains,[3] the architecture was popularized by the file sharing system Napster, originally released in 1999. The concept has inspired new structures and philosophies in many areas of human interaction. In such social contexts, peer-to-peer as a meme refers to the egalitarian social networking that has emerged throughout society, enabled by Internet technologies in general.

 

problem for "applications"!

Peer-to-Peer Communication Across Network Address Translators

Bryan Ford
Massachusetts Institute of Technology
baford (at) mit.edu

Pyda Srisuresh
Caymas Systems, Inc.
srisuresh (at) yahoo.com

Dan Kegel
dank (at) kegel.com

J’fais des trous, des petits trous …
toujours des petits trous

– S. Gainsbourg

Abstract:

Network Address Translation (NAT) causes well-known difficulties for peer-to-peer (P2P) communication, since the peers involved may not be reachable at any globally valid IP address. Several NAT traversal techniques are known, but their documentation is slim, and data about their robustness or relative merits is slimmer. This paper documents and analyzes one of the simplest but most robust and practical NAT traversal techniques, commonly known as “hole punching.” Hole punching is moderately well-understood for UDP communication, but we show how it can be reliably used to set up peer-to-peer TCP streams as well. After gathering data on the reliability of this technique on a wide variety of deployed NATs, we find that about 82% of the NATs tested support hole punching for UDP, and about 64% support hole punching for TCP streams. As NAT vendors become increasingly conscious of the needs of important P2P applications such as Voice over IP and online gaming protocols, support for hole punching is likely to increase in the future.

 

And so "hole punching" techniques came into their own?

1 Introduction

The combined pressures of tremendous growth and massive security challenges have forced the Internet to evolve in ways that make life difficult for many applications. The Internet’s original uniform address architecture, in which every node has a globally unique IP address and can communicate directly with every other node, has been replaced with a new de facto Internet address architecture, consisting of a global address realm and many private address realms interconnected by Network Address Translators (NAT). In this new address architecture, illustrated in Figure 1, only nodes in the “main,” global address realm can be easily contacted from anywhere in the network, because only they have unique, globally routable IP addresses. Nodes on private networks can connect to other nodes on the same private network, and they can usually open TCP or UDP connections to “well-known” nodes in the global address realm. NATs on the path allocate temporary public endpoints for outgoing connections, and translate the addresses and port numbers in packets comprising those sessions, while generally blocking all incoming traffic unless otherwise specifically configured.

Figure 1: Public and private IP address domains
\begin{figure}\centerline{\epsfig{file=twicenat.eps, scale=0.40}}\end{figure}

The Internet’s new de facto address architecture is suitable for client/server communication in the typical case when the client is on a private network and the server is in the global address realm. The architecture makes it difficult for two nodes on different private networks to contact each other directly, however, which is often important to the “peer-to-peer” communication protocols used in applications such as teleconferencing and online gaming. We clearly need a way to make such protocols function smoothly in the presence of NAT.

One of the most effective methods of establishing peer-to-peer communication between hosts on different private networks is known as “hole punching.” This technique is widely used already in UDP-based applications, but essentially the same technique also works for TCP. Contrary to what its name may suggest, hole punching does not compromise the security of a private network. Instead, hole punching enables applications to function within the default security policy of most NATs, effectively signaling to NATs on the path that peer-to-peer communication sessions are “solicited” and thus should be accepted. This paper documents hole punching for both UDP and TCP, and details the crucial aspects of both application and NAT behavior that make hole punching work.

Unfortunately, no traversal technique works with all existing NATs, because NAT behavior is not standardized. This paper presents some experimental results evaluating hole punching support in current NATs. Our data is derived from results submitted by users throughout the Internet by running our “NAT Check” tool over a wide variety of NATs by different vendors. While the data points were gathered from a “self-selecting” user community and may not be representative of the true distribution of NAT implementations deployed on the Internet, the results are nevertheless generally encouraging.

While evaluating basic hole punching, we also point out variations that can make hole punching work on a wider variety of existing NATs at the cost of greater complexity. Our primary focus, however, is on developing the simplest hole punching technique that works cleanly and robustly in the presence of “well-behaved” NATs in any reasonable network topology. We deliberately avoid excessively clever tricks that may increase compatibility with some existing “broken” NATs in the short term, but which only work some of the time and may cause additional unpredictability and network brittleness in the long term.

Although the larger address space of IPv6 [3] may eventually reduce the need for NAT, in the short term IPv6 is increasing the demand for NAT, because NAT itself provides the easiest way to achieve interoperability between IPv4 and IPv6 address domains [24]. Further, the anonymity and inaccessibility of hosts on private networks has widely perceived security and privacy benefits. Firewalls are unlikely to go away even when there are enough IP addresses: IPv6 firewalls will still commonly block unsolicited incoming traffic by default, making hole punching useful even to IPv6 applications.

The rest of this paper is organized as follows. Section 2 introduces basic terminology and NAT traversal concepts. Section 3 details hole punching for UDP, and Section 4 introduces hole punching for TCP. Section 5 summarizes important properties a NAT must have in order to enable hole punching. Section 6 presents our experimental results on hole punching support in popular NATs, Section 7 discusses related work, and Section 8 concludes.

 

Python enthusiasts may want to read

/PyPunchP2P

NAT traversal + STUN + TURN + P2P chat in Python | Python P2P chat

PyPunchP2P

THIS PROJECT IS FOR STUDYING AND VERIFICATION, DON’T USE IT IN PRODUCTION.

Python p2p chat client/server with built-in NAT traversal (UDP hole punching).
I’ve written an article about the detailed implementation (in Chinese).

Based on
koenbollen’s gist
pystun
Peer-to-Peer Communication Across Network Address Translators

Python edition: py2.6+ but no Python 3 support
Platform: Linux/Windows

Usage

Suppose you run server.py on a VPS with ip 1.2.3.4, listening on port 5678

server.py 5678

On client A and client B (run this on both clients):

client.py 1.2.3.4 5678 100

The number 100 is used to match clients, you can choose any number you like but only clients with the same number will be linked by server. If two clients get linked, two people can chat by typing in terminal, and once you hit <ENTER> your partner will see your message in his terminal.
Encoding is a known issue since I didn’t pay much effort on making this tool perfect, but as long as you type English it will be fine.

 

The source is short; it is worth reading closely to understand it.

※ Reference:

server A 5.168.168.6 ─── OpenWrt router 5.168.168.20 ─── client B 5.168.128.250

【server A】

root@kali-pi:~/test/PyPunchP2P# ./server.py 5678
listening on *:5678 (udp)
connection from 5.168.168.6:56672
pool=100, nat_type=Symmetric NAT, ok sent to client
request received for pool: 100
connection from 5.168.168.20:39029
pool=100, nat_type=Symmetric NAT, ok sent to client
request received for pool: 100
linked 100
Hurray! symmetric chat link established.
msg successfully forwarded to ('5.168.168.6', 56672)
hello

msg successfully forwarded to ('5.168.168.6', 56672)
world

 

【client A】

root@kali-pi:~/test/PyPunchP2P# ./client.py 5.168.168.6 100
(<open file '<stderr>', mode 'w' at 0x76ce80d0>, 'usage: ./client.py <host> <port> <pool>')
root@kali-pi:~/test/PyPunchP2P# ./client.py 5.168.168.6 5678 100
('NAT Type:', 'Symmetric NAT')
('External IP:', '36.231.56.34')
('External Port:', 1026)
(<open file '<stdout>', mode 'w' at 0x76cc5078>, "request sent, waiting for partner in pool '100'...")
(('5.168.168.20', 39029), 3)
(<open file '<stdout>', mode 'w' at 0x76cc5078>, 'connected to 5.168.168.20:39029, its NAT type is Symmetric NAT')
Symmetric chat mode
hello
world

 

【client B】

root@kali:~/test/PyPunchP2P# ./client.py 5.168.168.6 5678 100
('NAT Type:', 'Symmetric NAT')
('External IP:', '36.231.56.34')
('External Port:', 1027)
(<open file '<stdout>', mode 'w' at 0x76d50078>, "request sent, waiting for partner in pool '100'...")
(('5.168.168.6', 56672), 3)
(<open file '<stdout>', mode 'w' at 0x76d50078>, 'connected to 5.168.168.6:56672, its NAT type is Symmetric NAT')
Symmetric chat mode
hello
world

 

The World of OpenWrt: Raspberry Pi 3B [Router], Moving the Stars and Turning the Dipper (4.6), The Trojan Horse Takes the City, Part 乙

Python Code Dispatch (派生碼訊)

子 (Zi), the Rat

Heaven over Lake, Lü (Treading) ䷉: Treading plainly and going one's way: the lone walker follows his wish. The recluse's perseverance brings good fortune: his center is not disturbed. Fearful and wary, good fortune in the end: his will is carried out. Look at your treading and examine the omens; when all comes round, supreme good fortune.

Red Fire, Rite (禮). The Shuowen Jiezi says: "禮 is 履 (treading), that by which one serves the spirits and obtains blessings. From 示 and 豊, 豊 also giving the sound. 古禮 is the ancient form of 禮." Before the program comes its rite: write the explanation, so that it can be shared, and so that you can read it yourself later.

派 (Pai): Liaofan's Four Lessons (了凡四訓) says:

What is meant by true and false? Once several Confucian scholars called on the monk Zhongfeng

and asked: "The Buddhists say that good and evil are requited as a shadow follows its form. Yet today a certain man is good and his descendants do not flourish; another is evil and his house prospers. So the Buddha's teaching is groundless."

Zhongfeng said: "When worldly feelings are not yet washed away and the true eye not yet opened, it often happens that good is taken for evil and evil for good. Instead of regretting your own inverted sense of right and wrong, you blame Heaven for requiting wrongly?"

They said: "How could good and evil be the reverse of what we think?"

Zhongfeng had them try to say what they were.

One said: "To curse and beat people is evil; to respect people and treat them with courtesy is good."

Zhongfeng said: "Not necessarily."

Another said: "To covet wealth and take it wrongfully is evil; to be honest and principled is good."

Zhongfeng said: "Not necessarily."

They each described their cases, and Zhongfeng said no to all of them. So they asked him.

Zhongfeng told them: "What benefits others is good; what benefits oneself is evil. If it benefits others, then beating and cursing are both good; if it benefits oneself, then respect and courtesy are both evil. Therefore, when a person does good, what benefits others is public, and the public is true; what benefits oneself is private, and the private is false. Again, what springs from the heart is true; what imitates outward traces is false. What is done without expectation of reward is true; what is done for a purpose is false. All of this one must examine in oneself."

What is meant by straight and crooked? Nowadays, when people see a cautious, agreeable man, they all call him good and approve of him; the sages, by contrast, would rather choose the bold and the principled. As for the cautious, agreeable man, though a whole village likes him, the sages hold him to be a thief of virtue. So the world's notion of good and evil is plainly the opposite of the sages'. Extrapolating from this one point, all sorts of choices go wrong; and Heaven, Earth, ghosts and spirits, in blessing the good and punishing the wicked, share the sages' judgment of right and wrong, not the world's preferences. Whoever wishes to accumulate good must not follow the ear and the eye, but must silently cleanse at the hidden source of the heart. If the heart is purely for saving the world, that is straight; if there is the least desire to flatter the world, that is crooked. If it is purely for loving people, that is straight; if there is the least resentment toward the world, that is crooked. If it is purely for respecting people, that is straight; if there is the least cynicism toward the world, that is crooked. All of this must be distinguished carefully.

……

生 (Sheng): Once there was one Audrey Tang (唐鳳), skilled in letters and fluent in "strings of pearls" (Perl) ☿☺:

=head1 NAME
Lingua::Sinica::PerlYuYan – 中書珨 – Perl in Classical Chinese in Perl
=head1 VERSION
our $VERSION = 1257700140.47574; # Mon Nov 9 01:09:11 CST 2009
=head1 SYNOPSIS
# The Sieve of Eratosthenes - 埃拉托斯芬篩法
use Lingua::Sinica::PerlYuYan;

用籌兮用嚴。井涸兮無礙
。印曰最高矣 又道數然哉。
。截起吾純風 賦小入大合。
。習予吾陣地 並二至純風。
。當起段賦取 加陣地合始。
。陣地賦篩始 繫繫此雜段。
。終陣地兮印 正道次標哉。
。輸空接段點 列終註泰來。

=head1 DESCRIPTION
This module makes it possible to write Perl programs in Classical Chinese poetry in Perl.
說此經者,能以珨文言文珨。
(If one I<has> to ask "Why?", please refer to L<Lingua::Romana::Perligata> for related information.)

The past has gone with the yellow crane; only the Yellow Crane Tower remains. Did "珨" have no speech to begin with?!

Guangyun: fanqie 侯夾; Jiyun: fanqie 轄夾, read like 洽. Yupian: a jade clam, or, some say, a clam-shell vessel. Jiyun: a vessel ornamented with clam shell.
Also Wuyin Jiyun: fanqie 烏甲, read like 鴨: to open and close a door.

To whom, then, will this "sutra" tell its tale?? There was also one Zhou Mang (周蟒, http://zh.wikipedia.org/zh-tw/%E5%91%A8%E8%9F%92), who called himself Gasolin (蓋索林, http://blog.gasolin.idv.tw/2007/09/blog-post_22.html) and once sinicized Python as zhpy, with a coding style of his own (http://code.google.com/p/zhpy/wiki/CodingStyle) and his own persistence; all roads lead to Rome. For reasons unknown he abandoned the city (http://code.google.com/p/zhpy/); on the old road, in the west wind, only a lean horse remains ☿☹! Cut, it will not sever; sorted, it only tangles more; the culture of symbols and code drags slowly on; ah, nobody minds too much courtesy, and the heartbroken one is at the end of the sky!!

☆ Editor's note: Readers should know how hard "translation" is. Here M♪o draws on "Memories of Peking: South Side Stories" (城南舊事, http://www.freesandal.org/?m=20150319) from his hometown. What would be a fitting analogy? Perhaps one should write of "Turing" (http://www.freesandal.org/?p=7613), but that might miss the point; or speak of "Wu Feng" (吳鳳), but there is probably no such logic there. Taking no method as the method, he borrows Zhuangzi's manner of "writing and erasing as he goes", and offers it as "speaking recklessly"!!

─── from "M♪O's Study Notebook, 《子》 Switches: [Red Fire, Rite] Humble and Courteous" (http://www.freesandal.org/?p=33096)

Years ago, I came across

Name

nat-traverse - NAT gateway traversal utility (https://www.speicherleck.de/iblech/nat-traverse/)

Synopsis

To create a simple text-only tunnel, use the commands

user@left  $ nat-traverse 40000:natgw-of-right:40001
user@right $ nat-traverse 40001:natgw-of-left:40000

where 40000 is an unused UDP port on left and 40001 is an unused UDP port on right.

Description

nat-traverse establishes connections between nodes which are behind NAT gateways, i.e. hosts which do not have public IP addresses. Additionally, you can setup a small VPN by using pppd on top of nat-traverse. nat-traverse does not need an external server on the Internet, and it isn’t necessary to reconfigure the involved NAT gateways, either. nat-traverse works out-of-the-box.

See below for how this is achieved.

In other words: nat-traverse is a bit like Harm, but doesn’t have Harm’s limitation that one peer has to have a public IP address.

Limitation: nat-traverse does not work with gateways which change the port numbers. This is a fundamental problem of nat-traverse’s design, as the changed port numbers are (in general) not predictable.

……

Changelog

v0.7, 2017-10-28

Fixed a minor syntactical issue which caused a warning on modern Perl and relicensed under GPL version 3 or later.

………

v0.1, 2005-06-25

Initial release.

Author

Copyright (C) 2005, 2012, 2017 Ingo Blechschmidt, <iblech@speicherleck.de>.

The source code repository is hosted at GitLab.

 

A Perl connection:

Name

Perl was originally named "Pearl". Larry Wall wanted to give the language a short name with positive connotations; he considered (and rejected) every three- and four-letter word in the dictionary. He also considered naming it after his wife Gloria. Wall discovered the existing PEARL language before Perl's official release and changed the name.[23]

When referring to the language, the name is normally capitalized (Perl), like a proper noun. When referring to the interpreter itself, the name is normally lowercase (perl), because most Unix-like file systems are case-sensitive. Before the first edition of Programming Perl was published, it was common to refer to the language as perl; when typesetting the book, Randal L. Schwartz capitalized the language's name to make it stand out. This case distinction later became the norm.[24]

The all-caps "PERL" is controversial, and the documentation states that "PERL" is incorrect;[24] some core community members regard it as the mark of an outsider.[25] The name is occasionally taken to be an acronym for "Practical Extraction and Report Language", as stated at the top of the documentation[23] and in some printed books.[26] Several expansions have been proposed as its formal name, including Wall's own humorous "Pathologically Eclectic Rubbish Lister".[27] Indeed, Wall claims the name was meant to invite many different expansions.[28]

Camel logo

Programming Perl, published by O'Reilly Media, features a picture of a camel on its cover and is therefore known as the "Camel Book".[29] The camel image has become an unofficial symbol of Perl and a hacker emblem, appearing on T-shirts and other clothing.

O'Reilly owns the trademark on the image and states that it will exercise its legal rights only to defend "the integrity of the symbol".[30] O'Reilly permits the trademark to be used for non-commercial purposes, and also provides the "Programming Republic of Perl" image and "Powered by Perl" buttons.[31] Another symbol of Perl is the llama, because the cover of Intermediate Perl is a llama.[32]

 

And so the UDP hole punching journey began!

UDP hole punching

UDP hole punching is a commonly used technique employed in network address translation (NAT) applications for maintaining User Datagram Protocol (UDP) packet streams that traverse the NAT. NAT traversal techniques are typically required for client-to-client networking applications on the Internet involving hosts connected in private networks, especially in peer-to-peer, Direct Client-to-Client (DCC) and Voice over Internet Protocol (VoIP) deployments.[1]

UDP hole punching establishes connectivity between two hosts communicating across one or more network address translators. Typically, third-party hosts on the public transit network are used to establish UDP port states that may be used for direct communications between the communicating hosts. Once port state has been successfully established and the hosts are communicating, port state may be maintained either by normal communications traffic, or in the prolonged absence thereof, by keep-alive packets, usually consisting of empty UDP packets or packets with minimal non-intrusive content.

Overview

UDP hole punching is a method for establishing bidirectional UDP connections between Internet hosts in private networks using network address translators. The technique is not applicable in all scenarios or with all types of NATs, as NAT operating characteristics are not standardized.

Hosts with network connectivity inside a private network connected via a NAT to the Internet typically use the Session Traversal Utilities for NAT (STUN) method or Interactive Connectivity Establishment (ICE) to determine the public address of the NAT that its communications peers require. In this process another host on the public network is used to establish port mapping and other UDP port state that is assumed to be valid for direct communication between the application hosts. Since UDP state usually expires after short periods of time in the range of tens of seconds to a few minutes,[2] and the UDP port is closed in the process, UDP hole punching employs the transmission of periodic keep-alive packets, each renewing the life-time counters in the UDP state machine of the NAT.
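The STUN step described above, as an added example (not code from the page, pystun or PyPunchP2P): it builds an RFC 5389 Binding Request, builds the kind of Binding Success Response a STUN server would answer with, and parses the XOR-MAPPED-ADDRESS (or legacy MAPPED-ADDRESS) attribute out of it to recover the reflexive, that is external, IP:port that the NAT assigned to the socket. The response is constructed in memory so the example runs offline; the external endpoint 36.231.56.34:1026 in `demo()` is an assumption taken from the transcript earlier on this page, and the transaction id in the demo is fixed only for reproducibility.

```python
"""Minimal STUN (RFC 5389) Binding exchange (added example).

Not code from the page, pystun or PyPunchP2P. Builds the Binding Request a
client sends, builds the Binding Success Response a server would answer with,
and parses the XOR-MAPPED-ADDRESS (or legacy MAPPED-ADDRESS) attribute out of
it: that attribute is the external IP:port the NAT assigned to the socket.
The response in demo() is constructed locally, so this runs offline.
"""
import os
import socket
import struct
from typing import Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txid: bytes = b"") -> bytes:
    """20-byte header, no attributes; the 96-bit transaction id is random unless given."""
    txid = txid or os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def build_xor_mapped_address(ip: str, port: int) -> bytes:
    """Encode an IPv4 endpoint as XOR-MAPPED-ADDRESS (port ^ top 16 cookie bits, addr ^ cookie)."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """What the server answers: same txid, one XOR-MAPPED-ADDRESS attribute."""
    attrs = build_xor_mapped_address(ip, port)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, txid) + attrs


def parse_binding_response(data: bytes, expected_txid: bytes) -> Tuple[str, int]:
    """Return (external_ip, external_port) from a Binding Success Response.

    Type, cookie, length and transaction id are checked before any attribute is
    trusted, so a stray or spoofed datagram on the socket is rejected instead of
    silently becoming the "reflexive address" the peer is told to use.
    """
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Success Response")
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if len(data) != 20 + mlen:
        raise ValueError("length field does not match datagram")
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)                  # attributes are padded to 4 bytes
        if len(value) != 8 or value[1] != FAMILY_IPV4:
            continue                                  # only IPv4 handled here
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            _, _, x_port, x_addr = struct.unpack("!BBHI", value)
            ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
            return ip, x_port ^ (MAGIC_COOKIE >> 16)
        if atype == ATTR_MAPPED_ADDRESS:
            _, _, port, addr = struct.unpack("!BBHI", value)
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no mapped address attribute")


def demo() -> Tuple[str, int]:
    """Round-trip one request/response pair in memory; the external endpoint is assumed."""
    txid = bytes(range(12))                            # fixed so the run is reproducible
    request = build_binding_request(txid)
    assert len(request) == 20
    response = build_binding_response(txid, "36.231.56.34", 1026)
    return parse_binding_response(response, txid)


if __name__ == "__main__":
    print("reflexive address:", demo())
```

To use it against a real server, send `build_binding_request()` over a UDP socket to a STUN server on port 3478 and feed the reply, together with the same transaction id, to `parse_binding_response()`; the transaction-id check is what stops an unrelated datagram arriving on the same socket from being mistaken for the answer. Note that the address learned this way only describes the mapping this NAT created toward the STUN server; the paragraphs below explain why a symmetric NAT will use a different port toward the peer.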

UDP hole punching will not work with symmetric NAT devices (also known as bi-directional NAT) which tend to be found in large corporate networks. In symmetric NAT, the NAT’s mapping associated with the connection to the well-known STUN server is restricted to receiving data from the well-known server, and therefore the NAT mapping the well-known server sees is not useful information to the endpoint.

In a somewhat more elaborate approach both hosts will start sending to each other, using multiple attempts. On a Restricted Cone NAT, the first packet from the other host will be blocked. After that the NAT device has a record of having sent a packet to the other machine, and will let any packets coming from this IP address and port number through. This technique is widely used in peer-to-peer software and Voice over Internet Protocol telephony. It can also be used to assist the establishment of virtual private networks operating over UDP. The same technique is sometimes extended to Transmission Control Protocol (TCP) connections, though with less success because TCP connection streams are controlled by the host OS, not the application, and sequence numbers are selected randomly; thus any NAT device that performs sequence-number checking will not consider the packets to be associated with an existing connection and drop them.

Flow

Let A and B be the two hosts, each in its own private network; NA and NB are the two NAT devices with globally reachable IP addresses EIPA and EIPB respectively; S is a public server with a well-known, globally reachable IP address.

  1. A and B each begin a UDP conversation with S; the NAT devices NA and NB create UDP translation states and assign temporary external port numbers EPA and EPB
  2. S examines the UDP packets to get the source port used by NA and NB (the external NAT ports EPA and EPB)
  3. S passes EIPA:EPA to B and EIPB:EPB to A
  4. A sends a packet to EIPB:EPB.
  5. NA examines A’s packet and creates the following tuple in its translation table: (Source-IP-A, EPA, EIPB, EPB)
  6. B sends a packet to EIPA:EPA
  7. NB examines B’s packet and creates the following tuple in its translation table: (Source-IP-B, EPB, EIPA, EPA)
  8. Depending on the state of NA‘s translation table when B’s first packet arrives (i.e. whether the tuple (Source-IP-A, EPA, EIPB, EPB) has been created by the time of arrival of B’s first packet), B’s first packet is dropped (no entry in translation table) or passed (entry in translation table has been made).
  9. Depending on the state of NB‘s translation table when A’s first packet arrives (i.e. whether the tuple (Source-IP-B, EPB, EIPA, EPA) has been created by the time of arrival of A’s first packet), A’s first packet is dropped (no entry in translation table) or passed (entry in translation table has been made).
  10. At worst, the second packet from A reaches B; at worst the second packet from B reaches A. Holes have been “punched” in the NAT and both hosts can directly communicate.
  • If either host is behind a symmetric NAT, the external port its NAT uses toward the peer differs from the one it used toward S, so the endpoint S relayed is stale; restricted and port-restricted cone NATs reuse the same external port for every destination, which is what makes the flow above work for them. On some routers the external ports are picked sequentially, making it possible to establish a conversation by guessing nearby ports.
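The flow above, replayed in memory as an added example (not code from Wikipedia, the Ford, Srisuresh and Kegel paper, PyPunchP2P or nat-traverse): the four classic NAT behaviours are modelled as translation tables, then A and B register with a rendezvous server S, S swaps their reflexive endpoints, and both sides send to each other until a packet gets through in each direction. The same model also replays the server-less scheme nat-traverse uses (both sides agree on 40000/40001 in advance), which only succeeds when neither gateway rewrites the port, as its README states. One refinement over the literal ten steps is included because real implementations do it: when a peer receives a packet, it switches its target to the source it actually saw, which is what lets a symmetric NAT punch through to an address-restricted cone NAT. All IP addresses are assumptions; the outcome matrix it prints is consistent with the PyPunchP2P transcript earlier on this page, where both clients were reported as "Symmetric NAT" and the server had to fall back to forwarding messages.

```python
"""NAT behaviour model and UDP hole-punching walk-through (added example).

Not code from Wikipedia, the Ford/Srisuresh/Kegel paper, PyPunchP2P or
nat-traverse. Four NAT behaviours are modelled as translation tables and the
ten-step flow is replayed in memory; the server-less nat-traverse scheme
(agreed ports, no S) is replayed too. All addresses are assumptions.
"""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]
KINDS = ("full_cone", "restricted_cone", "port_restricted", "symmetric")
S = ("203.0.113.9", 3478)  # rendezvous server with a public address (assumed)


class NAT:
    """One NAT gateway. For cone NATs the mapping key is the internal endpoint;
    for symmetric NAT it also includes the destination, which is why the port S
    sees is useless to a peer and punching across two symmetric NATs fails."""

    def __init__(self, kind: str, ext_ip: str, preserve_port: bool = False) -> None:
        assert kind in KINDS
        self.kind, self.ext_ip, self.preserve_port = kind, ext_ip, preserve_port
        self.next_port = 1024
        self.table: Dict[tuple, int] = {}            # mapping key -> external port
        self.owner: Dict[int, Endpoint] = {}         # external port -> internal endpoint
        self.allowed: Dict[int, Set[Endpoint]] = {}  # external port -> destinations used

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing datagram; allocate a mapping on first use."""
        key = (src, dst) if self.kind == "symmetric" else (src,)
        if key not in self.table:
            if self.preserve_port and src[1] not in self.owner:
                port = src[1]                        # port-preserving gateway
            else:
                port, self.next_port = self.next_port, self.next_port + 1
            self.table[key], self.owner[port], self.allowed[port] = port, src, set()
        port = self.table[key]
        self.allowed[port].add(dst)                  # remember whom we "solicited"
        return (self.ext_ip, port)

    def inbound(self, src: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Internal endpoint a datagram is delivered to, or None if the NAT drops it."""
        if ext_port not in self.owner:
            return None                              # no mapping: unsolicited, dropped
        allowed = self.allowed[ext_port]
        if self.kind == "full_cone":
            return self.owner[ext_port]
        if self.kind == "restricted_cone":           # filters on source IP only
            return self.owner[ext_port] if any(d[0] == src[0] for d in allowed) else None
        return self.owner[ext_port] if src in allowed else None  # port_restricted, symmetric


def send(nat_src: NAT, src: Endpoint, nat_dst: NAT, dst: Endpoint) -> Tuple[Endpoint, Optional[Endpoint]]:
    """One datagram src -> dst through both NATs: (source as receiver sees it, delivered-to)."""
    ext_src = nat_src.outbound(src, dst)
    return ext_src, nat_dst.inbound(ext_src, dst[1])


def hole_punch(nat_a: NAT, nat_b: NAT, rounds: int = 3) -> bool:
    """Steps 1-10 of the flow; True once each side has received a packet from the other."""
    a, b = ("10.0.0.2", 5000), ("192.168.1.2", 5000)  # private endpoints (assumed)
    eipa_epa = nat_a.outbound(a, S)                    # steps 1-2: S sees EIPA:EPA ...
    eipb_epb = nat_b.outbound(b, S)                    # ... and EIPB:EPB
    target_of_a, target_of_b = eipb_epb, eipa_epa      # step 3: S hands each the other's
    a_heard = b_heard = False
    for _ in range(rounds):
        seen, delivered = send(nat_a, a, nat_b, target_of_a)  # steps 4-5 / 8
        if delivered == b:
            b_heard, target_of_b = True, seen          # re-target to the source actually seen
        seen, delivered = send(nat_b, b, nat_a, target_of_b)  # steps 6-7 / 9
        if delivered == a:
            a_heard, target_of_a = True, seen
        if a_heard and b_heard:
            return True                                # step 10: holes punched both ways
    return False


def nat_traverse_style(nat_a: NAT, nat_b: NAT) -> bool:
    """No server: each side sends from its agreed port to the other's gateway and agreed
    port (the 40000/40001 scheme). Works only when neither NAT rewrites the port."""
    a, b = ("10.0.0.2", 40000), ("192.168.1.2", 40001)
    to_b, to_a = (nat_b.ext_ip, 40001), (nat_a.ext_ip, 40000)
    ok = False
    for _ in range(2):                                 # initial packets, then the "ACK"
        _, got_b = send(nat_a, a, nat_b, to_b)
        _, got_a = send(nat_b, b, nat_a, to_a)
        ok = got_a == a and got_b == b
    return ok


def matrix() -> Dict[Tuple[str, str], bool]:
    """Hole-punching outcome for every pair of NAT behaviours (fresh NATs per pair)."""
    return {(ka, kb): hole_punch(NAT(ka, "198.51.100.1"), NAT(kb, "198.51.100.2"))
            for ka in KINDS for kb in KINDS}


if __name__ == "__main__":
    for (ka, kb), ok in matrix().items():
        print(f"{ka:16} <-> {kb:16} {'punched' if ok else 'FAILED'}")
    keep = [NAT("port_restricted", ip, True) for ip in ("198.51.100.1", "198.51.100.2")]
    rewrite = [NAT("port_restricted", ip) for ip in ("198.51.100.1", "198.51.100.2")]
    print("nat-traverse, ports preserved:", nat_traverse_style(*keep))
    print("nat-traverse, ports rewritten:", nat_traverse_style(*rewrite))
```

Reading the matrix: every pair of cone NATs punches through, a symmetric NAT facing a full or address-restricted cone still succeeds because the cone side accepts the new port once it re-targets, and symmetric against port-restricted or symmetric fails, which is exactly the case where a relay (TURN, or the forwarding fallback PyPunchP2P's server performed in the transcript) is the only option short of port prediction. The NAT model counts each datagram sent as "solicitation", so it also illustrates why hole punching does not weaken the NAT's policy: nothing reaches A or B that they did not first send toward.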

 

Revisiting the old ground today, is the scenery unchanged?

peer A 5.168.168.6 ─── OpenWrt router 5.168.168.20 ─── peer B 5.168.128.250

※ Run:

【peer A】

root@kali-pi:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         5.168.168.1     0.0.0.0         UG    0      0        0 eth0
5.168.168.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

 

root@kali:~/test# ./nat-traverse 40000:5.168.168.6:40001
> Creating socket localhost:40000 <-> 5.168.168.6:40001... done.
> Sending 10 initial packets... .......... done.
> Waiting for ACK (timeout: 10s)... ........... done.
> Connection established.
> Type ahead.
Hello World

 

【peer B】

root@kali:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         5.168.128.66    0.0.0.0         UG    0      0        0 eth0
5.168.128.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

 

root@kali-pi:~/test# ./nat-traverse-0.7.pl 40001:5.168.168.20:40000
> Creating socket localhost:40001 <-> 5.168.168.20:40000... done.
> Sending 10 initial packets... .......... done.
> Waiting for ACK (timeout: 10s)... ......... done.
> Connection established.
> Type ahead.
Hello World

 
