Carrier Grade NAT (CGNAT to CGNAT) Testing

[CMCDragonkai]

Specification

Existing issues #159 and PR #381 address testing the NAT busting through hole-punching and centralised signalling via testnet.polykey.io. We know that certain NAT situations won't be traversable until relaying via #182 is possible. We're parking #182 until #365 is first solved, since the architectures would be similar.

This issue is about augmenting our NAT tests to also simulate a carrier grade NAT situation. This is important for mobile device deployment.

To give you an example, our office has a wireless router connected to the ISP. The router provides a LAN for the office computers. However the external IP assigned to the router is not the real IP on the internet, it's also within a LAN with respect to the ISP. The ISP adds their own NAT on top of our router's NAT.

This means there's a "double NAT".

Therefore we may want to test:

• Any kind of NAT setup (including no-NAT) to a double NAT setup.

The hardest would be double NAT to double NAT.

When I attempted to use wireguard/tailscale to connect my home laptop to my phone's hotspot to the office router to the windows/mac systems in office, I noticed that it had to use the DERP relays, a direct connection was not possible. This implies hole-punching and signalling is not enough in theses situations. But we can simumlate this using our NAT simulation harness.

The CGNAT is likely to be a port-restricted or symmetric NAT. And as we saw in #381, we don't need to test address-restricted or full-cone as long as port-restricted and symmetric works.

Additional context

• https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
• https://en.wikipedia.org/wiki/Carrier-grade_NAT
• Tests for NAT-Traversal and Hole-Punching #381 - initial PR bringing in automated tests and NAT busting simulation testing
• Manual Testing of testnet.polykey.io #487 - demonstrates that CGNAT to NAT and NAT to CGNAT works.
• Local Network Traversal - Multicast Discovery js-mdns#1 - P2P on local networks would need to be done where both nodes have the same public IP address.

Tasks

1. ...
2. ...
3. ...

[CMCDragonkai]

To test CGNAT to CGNAT, we can basically connect to the office from another mobile network by hot-spotting a laptop. This can be done in-office or at home.

It will be critical for mobile networks for this to work. But if hole punching doesn't succeed then, most likely this will need to be done with relaying.

Note though, that it's possible that many mobile phones end up sharing the same IP address. And this would result in the same problem with P2P on internal networks. I'll discuss this problem in MatrixAI/js-mdns#1.

[CMCDragonkai]

This can only be done in PKI, not here. Closing for now as this is not something we can do until we implement more sophisticated PKI and setup relaying NAT traversal in #182.

[CMCDragonkai]

@amydevs