Both pwnat and chownat are very clever techniques, but I have massive doubts they work _well_ in practice, when exposed to hundreds (or even dozens) of popular NAT devices and network configurations.
The vast majority of NAT boxes change the source port on outbound packets even if the respective externally-facing port is not yet allocated. Anything that's BSD derived will randomize the port, lots and lots of others will +1 the port for each new session, still others will +2 the port, etc.
There's also egress filtering, intrusion detection systems and NAT devices that do things that make little sense, such as remapping the ID field in the IP header, presumably for security reasons. Also, depending on the OS, this will need root privileges to craft fake ICMP packets.
All in all, pwnat/chownat are essentially very cool "tech demos" that can't be realistically used just on their own and require a conventional rendezvous server as a fallback.
Yeah these are excellent points. I think the biggest blocker is definitely the symmetric NAT case, since this would still be a problem even if both sides already knew the public IP of the other end...
I wonder if there is still some opportunity to find workarounds in this space. I did see some papers on prediction of the external ports based on local port and NAT vendor, but this is obviously not going to work for a no-bs-magic-wormhole-style solution.
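As an added illustration (not code from either comment, nor from pwnat/chownat), a toy Python model of the port-allocation policies described above: it shows why an external port learned through one flow only carries over to a second flow on an endpoint-independent NAT, and why the vendor-specific "+1" prediction mentioned in the reply works for exactly that one allocator. The allocators, addresses and ports are constructed assumptions.

```python
import random

class SimulatedNAT:
    """Toy model of outbound port allocation; policies are constructed, not any vendor's."""

    def __init__(self, policy, start=40000, seed=1):
        self.policy = policy          # "cone", "symmetric+1", "symmetric+2" or "random"
        self.next_port = start
        self.rng = random.Random(seed)
        self.table = {}               # mapping key -> external port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        if self.policy == "cone":
            key = (src_ip, src_port)                    # endpoint-independent mapping
        else:
            key = (src_ip, src_port, dst_ip, dst_port)  # symmetric: fresh mapping per destination
        if key not in self.table:
            self.table[key] = self._allocate()
        return self.table[key]

    def _allocate(self):
        if self.policy == "random":
            return self.rng.randint(1024, 65535)        # BSD-style randomised allocator
        step = {"cone": 1, "symmetric+1": 1, "symmetric+2": 2}[self.policy]
        port = self.next_port
        self.next_port += step
        return port

def punch_port(nat, predict):
    """Peer A learns its external port via a helper, then opens a flow to peer B.
    B can only reach A if it guesses the port A's NAT assigned to that second flow."""
    a_int = ("10.0.0.2", 5000)
    probe_port = nat.outbound(*a_int, "198.51.100.1", 3478)  # constructed helper address
    actual = nat.outbound(*a_int, "203.0.113.9", 5000)       # constructed peer B address
    return predict(probe_port) == actual

def run_all():
    """For each policy: (naive 'port is unchanged' guess, vendor-aware '+1' guess)."""
    results = {}
    for policy in ("cone", "symmetric+1", "symmetric+2", "random"):
        naive = punch_port(SimulatedNAT(policy), lambda p: p)
        vendor_aware = punch_port(SimulatedNAT(policy), lambda p: p + 1)
        results[policy] = (naive, vendor_aware)
    return results

if __name__ == "__main__":
    for policy, outcome in run_all().items():
        print(f"{policy:12s} naive={outcome[0]!s:5s} plus_one={outcome[1]}")
```

Only the cone case succeeds without a rendezvous exchange; every symmetric allocator defeats at least one of the two guesses, and the randomised one defeats both.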