June 2019

CGNAT (Carrier Grade Network Address Translation) is a relatively recent technology that is, unfortunately, not well known, although we should all be aware of it. CGN (Carrier-grade NAT) lets a single public IP address serve many customers by giving them private addressing. These are the problems it brings.

What is NAT?

Most people will already know NAT (Network Address Translation). It is the mechanism through which the majority of users have connected to the Internet in recent years. The connection is made through a device, usually a router, that has a public IP address and is connected to the Internet.
The router is the device connected to the Internet, over your provider's lines, and behind the router we set up private addressing.
Devices with private addresses can reach the Internet because the router rewrites the requests that leave the private network, replacing the private source IP with the router's public IP.

The request reaches the corresponding server, the response comes back, and the router undoes the change so that the response reaches the machine that made the request.

The simple network scheme we all have at home:


NAT limitations

NAT is a major limitation on how people use and perceive the Internet, since most think that the Internet is just this. The original idea was that all equipment would be connected end to end, that is, that every machine would be reachable from anywhere in the world.

That would have given us a much less centralized and controlled Internet than we have today. But at the time there was no option other than NAT, and it is what we have lived with in recent years on virtually all home networks and, in many cases, corporate networks too.

NAT types

In NAT, two different processes are distinguished:

  • SNAT (Source Network Address Translation) is the mechanism through which clients get access to the Internet.
  • DNAT (Destination Network Address Translation), through a configuration in the router, lets requests that reach certain ports of the router's public address be redirected to a specific machine on the private network. This gives outside access to machines on the private network in a limited way, since it only covers certain ports, and lets us run certain services inside the private network. It is widely used for p2p at home, and in non-domestic environments to host web servers, mail servers or any other service that is to be run inside the private network. This mechanism, within its limits, gives the machines on the network somewhat more functionality.
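As an added example, not part of the original article, the following toy NAT box models the two processes just described: outbound packets are source-translated and recorded in a table (SNAT), replies are translated back, and a hand-configured port-forwarding rule (DNAT) lets an unsolicited inbound connection reach an inside host while anything without a mapping is dropped. The class and method names and all addresses and ports are constructed for illustration.

```python
# Added example: a toy NAT router modelling SNAT (outbound) and DNAT (port forwarding).
# All addresses and ports below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # public port -> (private ip, private port); filled by outbound traffic (SNAT)
    snat_table: dict = field(default_factory=dict)
    # public port -> (private ip, private port); configured by hand (DNAT)
    dnat_rules: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """SNAT: replace the private source with the public IP and a fresh port."""
        self.snat_table[self.next_port] = (pkt.src_ip, pkt.src_port)
        translated = Packet(self.public_ip, self.next_port, pkt.dst_ip, pkt.dst_port)
        self.next_port += 1
        return translated

    def inbound(self, pkt: Packet):
        """Undo SNAT for replies, apply DNAT for forwarded ports, otherwise drop (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.snat_table.get(pkt.dst_port) or self.dnat_rules.get(pkt.dst_port)
        if inside is None:
            return None  # no mapping: unsolicited traffic never reaches the private network
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo():
    """Walk one outbound flow, its reply, one forwarded port and one dropped packet."""
    home = NatRouter(public_ip="203.0.113.10")
    home.dnat_rules[8080] = ("192.168.1.20", 80)  # "open port 8080 to the web server"
    out = home.outbound(Packet("192.168.1.5", 51000, "198.51.100.7", 443))
    reply = home.inbound(Packet("198.51.100.7", 443, out.src_ip, out.src_port))
    forwarded = home.inbound(Packet("198.51.100.9", 33000, "203.0.113.10", 8080))
    dropped = home.inbound(Packet("198.51.100.9", 33000, "203.0.113.10", 22))
    return out, reply, forwarded, dropped
```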

What is CG-NAT?

CGNAT was developed a few years ago because of the exhaustion of IPv4 addresses. With it, the IP address given to the router is not a public IP but an address from the CGNAT range, the block 100.64.0.0/10, which means the router does not have a public address and is therefore not reachable from the Internet.

In practice that NAT does not affect the use most end users make of the Internet, as they continue to reach services such as Google, Facebook or any other. What happens is that NAT is done twice instead of once, which in most cases is negligible, so users still think they have Internet access.

It is really not the same access as having a public address on the router, because it makes any DNAT mechanism completely impossible: we cannot redirect any port, since the address the port would be redirected to is itself not public. It is not private in exactly the same sense as in NAT, but it is equally unreachable from the Internet, and therefore you cannot host services inside: no web servers, mail servers, p2p servers, or any service that requires a connection to be established from a machine on the Internet to a machine on my local network.

The router that does the NAT to the public IP address is in the operator's hands, so forget about the typical "open ports to this PC to use this application": you simply cannot open ports. Of course, you will not be able to change the public IP address either; that is directly in the operator's hands.

If at home you have a web server, an FTP server, an SSH server, a VPN server, if you have Nextcloud, for example, to synchronize your files wherever you are, or if you want to play online games that need ports opened, you simply cannot do it; hosting services will be impossible for you. You will have a private IP address, not a public one, so you will no longer have end-to-end communication with the Internet; everything will pass through the CGN.
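As an added check, not part of the original article, the script below classifies the address a router received on its WAN side: an address inside 100.64.0.0/10 (RFC 6598 shared address space) means the provider is doing CGNAT and port forwarding on the router can never be reached from the Internet. The function names are assumptions and the sample addresses are constructed, except 8.8.8.8, used only as a well-known globally routable address.

```python
# Added example: tell from a router's WAN address whether it sits behind CGNAT.
# Sample addresses are constructed; 8.8.8.8 is just a well-known public address.
import ipaddress

# RFC 6598 shared address space used by carrier-grade NAT
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Return 'cgnat', 'private', 'public' or 'other' for a router's WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "other"  # this check only covers the IPv4 case the article discusses
    if ip in CGNAT_RANGE:
        return "cgnat"  # second NAT at the operator: no inbound reachability at all
    if ip.is_private:
        return "private"  # RFC 1918 or other non-routable range: another NAT device in front
    if ip.is_global:
        return "public"  # the router itself owns a routable address
    return "other"


def inbound_services_possible(wan_addr: str, external_addr: str) -> bool:
    """True only when the WAN address is public and equals the address that
    servers on the Internet see for us (i.e. nothing translates us again)."""
    return classify_wan_address(wan_addr) == "public" and wan_addr == external_addr
```

Compare the router's WAN address with the address an external service reports for you; any mismatch means there is another translation stage on the path.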

Importance of knowing CGNAT

It is important that we are aware of this and of the technologies being used, because this type of Internet access, which some providers are selling to their users, is sold as Internet access, and it is not exactly the same Internet access.

Therefore users should be properly informed, and administrations should also take measures to limit it or to inform consumers of what they are being given.

In fact, there is an initiative on the part of the European Union to require Internet providers to treat CGNAT as a process to be used only temporarily, until the massive and extensive deployment of dual stack with IPv6, which is really the solution and one that would greatly change how users currently use the Internet.

Adoption of IPv6 in Spain






Sources: 
https://openwebinars.net/blog/que-es-cgnat/



Broadly speaking, the fronting technique consists of obfuscating the data source of a site.
This has existed for a long time, but lately it has regained relevance because of the barriers raised on the Internet to censor, filter and prevent access to certain content, generally for political or ideological reasons.
Fronting works at the application layer and lets users reach content blocked by the most common techniques: IP blocking, DNS filtering and even packet inspection, since the packet headers are those of an authorized origin, and the actual content is only revealed once the connection has been authorized and established. Note that fronting only works over HTTPS.
There are many tutorials on the Internet on using a CDN (Content Delivery Network) in Amazon Web Services to serve content from different sources in case one of them is offline. However, we have not found explanations of how to do this when the data source is not a site hosted on AWS, which is why we decided to write this guide.

In our example we will use the following names:

  • subdomain.domain.com: our subdomain, with which we will do the obfuscation
  • www.otrodominio.com/ruta/al/subdominio: the origin of the data that we will show on subdomain.domain.com

The first thing we must do is enable fronting in the hosting of otrodominio.com, since most hosting providers disable it by default to avoid phishing. (Later we will write a guide on how to find out whether your domain is vulnerable to fronting by malicious users.)
I cannot tell you in detail how to enable fronting in your hosting, as it is different in each one. In any case, you can always check with the provider's support team.

Then we go to AWS and create a CNAME for subdomain.domain.com. For now it does not matter where it points, since we will change it later. We go to Route 53, select our zone and create a new record with "Create Record Set":

Here we select CNAME as the type, put our subdomain as the name and anything as the value, for example www.google.com:


Then we go to CloudFront and create a new distribution:


We select the Web option and enter the domain of the data source and the path, if there is one.
We enter the alternate name we chose for the data source and select the type of certificate. In this case, we chose a public one generated by Amazon for our domain:

We accept and, while this is being done (it will take about 20 minutes), we take note of the CloudFront name generated for this distribution. It is a name of the form a1b2c3d4c5.cloudfront.net.
We copy it, go back to the CNAME we created earlier and replace whatever we put there (in this example www.google.com) with this new domain.

Finally, we connect via SSH to the AWS host with the method we have configured (pem certificate file, user and password, etc.) and, depending on the version of Apache installed, go to /etc/apache2/ and edit apache2.conf, or go to /etc/apache2/sites-available/ and edit domain.com.conf (the name will be that of your domain), and add the following lines:
 
<VirtualHost *:80>
        ServerName subdomain.domain.com
        # Requires mod_proxy, mod_proxy_http and mod_ssl (a2enmod proxy proxy_http ssl)
        # The origin is reached over HTTPS, so outbound TLS from the proxy must be enabled
        SSLProxyEngine On
        # Send the origin's own hostname, not subdomain.domain.com, in the Host header
        ProxyPreserveHost Off
        ProxyPass / https://www.otrodominio.com/ruta/al/subdominio/
        ProxyPassReverse / https://www.otrodominio.com/ruta/al/subdominio/
</VirtualHost>
# If CloudFront is set to contact the origin over HTTPS, repeat the same block for *:443
 
With this we make sure that whatever the user requests from subdomain.domain.com arrives over HTTPS at www.otrodominio.com/ruta/al/subdominio.

Finally, once CloudFront has finished creating the distribution (the status will change from In Progress to Deployed), we can test the fronting by requesting subdomain.domain.com/index.php or a path that only exists under www.otrodominio.com/ruta/al/subdominio/, for example www.otrodominio.com/ruta/al/subdominio/otra/ruta/test.php. We enter subdomain.domain.com/otra/ruta/test.php and voila! There is our content from otrodominio.com, and the URL the browser shows us is subdomain.domain.com!