A New Method for Symmetric NAT Traversal in UDP and TCP
Yuan Wei & Daisuke Yamada & Suguru Yoshida & Shigeki Goto
Waseda University {wei,daisk,yoshida,goto}@goto.info.waseda.ac.jp
2008/8/4 Wei Yuan 1
Agenda
Network Address Translator (NAT)
Existing problems in NAT traversal
New method
Experiment
Conclusion
NAT (Network Address Translator)
Translate private IP addresses to a global IP address
NAT includes Network Address Port Translation (NAPT)
– enable multiple hosts on a private network to access the Internet using a single public IP address
Full Cone NAT (Easy)
[figure: one-to-one mapping]
Restricted Cone NAT
[figure: packet from another IP address]
Port Restricted Cone NAT
[figure: packet from another port number]
Symmetric NAT (Difficult)
[figure: unique mapping; another client]
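The four NAT behaviours on the preceding slides differ in two things: how an outbound flow is mapped to a public port, and which inbound packets are admitted to that port. The following toy model is an added example written for this page (it is not the authors' software); the private and public addresses, the server endpoints and the starting port 40000 are constructed sample values, and the model allocates ports incrementally, as in the slides' later example.

```python
# Added example for this page (not the authors' code): a toy model of the four NAT
# behaviours on the slides. Addresses and ports are constructed sample values.
from itertools import count


class Nat:
    """Simulates how a NAT of the given kind maps outbound flows and filters
    inbound packets. kind is one of "full_cone", "restricted_cone",
    "port_restricted_cone", "symmetric"."""

    KINDS = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")

    def __init__(self, kind, public_ip="203.0.113.1", first_port=40000):
        if kind not in self.KINDS:
            raise ValueError(f"unknown NAT kind: {kind}")
        self.kind = kind
        self.public_ip = public_ip
        self._ports = count(first_port)   # incremental allocation, as in the slides' example
        self.mappings = {}                # mapping key -> public port
        self.contacted = {}               # public port -> set of external (ip, port) sent to

    def outbound(self, private_ep, dest_ep):
        """Translate a packet from private_ep to dest_ep; return the public (ip, port)."""
        # Cone NATs reuse one public port per private endpoint. A symmetric NAT keys the
        # mapping on the destination as well, so every new peer sees a fresh port: this is
        # the "unique mapping" that makes port prediction necessary.
        key = private_ep if self.kind != "symmetric" else (private_ep, dest_ep)
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)
        pub_port = self.mappings[key]
        self.contacted.setdefault(pub_port, set()).add(dest_ep)
        return (self.public_ip, pub_port)

    def inbound_allowed(self, src_ep, pub_port):
        """Filtering rule: is a packet from src_ep to our pub_port let through?"""
        sent_to = self.contacted.get(pub_port)
        if not sent_to:
            return False                                   # no mapping exists
        if self.kind == "full_cone":
            return True                                    # anyone may reach the port
        if self.kind == "restricted_cone":
            return any(ip == src_ep[0] for ip, _ in sent_to)   # same IP, any port
        return src_ep in sent_to                           # exact (ip, port) required


def probe(kind):
    """Run one private host through two servers and summarise what the NAT does."""
    nat = Nat(kind)
    host = ("192.168.0.10", 5000)                              # constructed private endpoint
    s1, s2 = ("198.51.100.7", 3478), ("198.51.100.8", 3478)   # constructed servers
    pub_via_s1 = nat.outbound(host, s1)
    pub_via_s2 = nat.outbound(host, s2)
    return {
        "same_port_for_both_servers": pub_via_s1[1] == pub_via_s2[1],
        "reply_from_s1": nat.inbound_allowed(s1, pub_via_s1[1]),
        "s1_ip_other_port": nat.inbound_allowed((s1[0], 9999), pub_via_s1[1]),
        "unknown_host": nat.inbound_allowed(("198.51.100.99", 3478), pub_via_s1[1]),
    }


if __name__ == "__main__":
    for kind in Nat.KINDS:
        print(kind, probe(kind))
```

Running `probe` for each kind shows the progression the slides describe: the three cone types reuse one public port and only tighten the inbound filter, while the symmetric NAT is the only one that hands out a different public port for the second server, so a peer cannot learn the port from a third party.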
P2P and NAT (Problem)
P2P networks are based on global IP addresses
Users cannot connect to a P2P network from behind NAT devices
NAT traversal becomes an active area of research
Existing Methods
No NAT traversal techniques can be successfully applied to symmetric NATs
TCP NAT traversal is difficult
Unique security filtering functions on NATs
New Method
UDP NAT traversal:
– Applicable to symmetric NATs
TCP NAT traversal:
– Applicable to simple NATs
How to Traverse Symmetric NAT
Simulate normal UDP communications
– IP address and port number must correspond to the NAT.
Do not use a spoofed packet from another IP address
Establish direct communication between two end points
Predict port numbers of NATs
Phase I
F1: S1 gets the information of a port number translated by NAT a.
F2: Send it back to the echo client.
F3: S2 analyzes the port number of NAT a and records it.
Phase II
F4: S1 gets the information of a port number translated by NAT b.
F5: Send it back to the echo client.
F6: S2 analyzes the port number of NAT b and records it.
Phase III
[figure: Phase III]
For example
F1: port number = 700
F3: port number = 701
Next port number is 702
Phase III
F7: Predict a port number for hole punching
F8: Send a large number of packets with a small TTL value
F9: Predict a port number for hole punching
F10: Send a large number of packets
F11: P2P connection established
New Method: UDP Multi Hole Punching
1. Normal UDP communications
– Existing method uses another extra IP address
2. Precise port number prediction
– Observe port translate algorithm: increment, decrement, leap
3. Control port numbers
– control random port algorithm
– Binding port numbers
4. Utilize many port numbers
– High success rate of hole punching
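Phases I and II give two observed public ports per NAT, and Phase III turns them into a prediction plus a spread of candidate ports. The code below is an added example for this page, not the authors' software: it classifies the allocation pattern as increment, decrement or leap (the three the slides name), or random, and generalises the slides' single 700/701 case to any constant step. The port values fed to it are constructed samples, and the treatment of a repeated port as a cone mapping is this example's own convention.

```python
# Added example for this page (not the authors' software): classify a NAT's port
# allocation from the ports observed in Phases I and II and build the candidate
# list used in Phase III. Observed port values are constructed samples.
PORT_MIN, PORT_MAX = 1, 65535


def classify_allocation(observed):
    """Return (kind, step) for the public ports seen for successive destinations.
    kind is "cone" (same port reused, so not symmetric), "increment", "decrement",
    "leap" (constant step of magnitude > 1) or "random" (no constant step)."""
    if len(observed) < 2:
        raise ValueError("need at least two observed ports")
    deltas = [b - a for a, b in zip(observed, observed[1:])]
    if len(set(deltas)) != 1:
        return "random", None          # no constant step: prediction alone will not do
    step = deltas[0]
    if step == 0:
        return "cone", 0
    if step == 1:
        return "increment", step
    if step == -1:
        return "decrement", step
    return "leap", step


def predict_ports(observed, how_many):
    """Ports the NAT is expected to assign to the next how_many new destinations.
    Several candidates are returned because other flows may consume ports between
    the probe and the hole punching packets (the slides' "utilize many port numbers").
    Returns [] for a cone NAT (reuse observed[-1]) and for random allocation, which
    needs the port control step rather than prediction."""
    kind, step = classify_allocation(observed)
    if kind in ("random", "cone"):
        return []
    last = observed[-1]
    candidates = []
    for k in range(1, how_many + 1):
        port = last + k * step
        if PORT_MIN <= port <= PORT_MAX:   # stop at the edge of the port range
            candidates.append(port)
    return candidates


if __name__ == "__main__":
    # The slides' example: S1 saw 700 (F1), S2 saw 701 (F3), so 702 is expected next.
    print(classify_allocation([700, 701]), predict_ports([700, 701], 5))
```

With the slides' numbers the classifier reports an increment of 1 and the first candidate is 702; asking for several candidates is what lets the F8/F10 burst of packets cover the case where another flow has taken a port in between.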
TCP Hole Punching
SPI (Stateful Packet Inspection)
– a type of function for filtering of TCP packets
A valid sequence of packets should follow the 3-way handshake.
1. [SYN] - out
2. [SYN, ACK] - in
3. [ACK] - out
How to deal with SPI
Divide into a 3-way handshake section and a hole punching section
– Hole punching section is similar to "Simple Traversal of UDP Through NATs and TCP too" (STUNT)
3-way handshake section
– Send sequence number info to server.
– Use low TTL (=1) to establish
– Packet does not reach the NATs
Set SO_REUSEADDR option of setsockopt() to combine (re-bind) the two sections
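The two slides above say that an SPI function only passes a TCP flow whose first packets are [SYN] out, [SYN, ACK] in, [ACK] out. The filter below is an added example for this page, not the authors' implementation: it keeps one state per flow and applies exactly that rule, which makes it easy to see why the method has to complete a handshake section before the hole punching section. The flow endpoints and packet traces are constructed.

```python
# Added example for this page (not the authors' implementation): a minimal stateful
# packet inspection (SPI) filter that enforces the slide's rule that a TCP flow must
# open with [SYN] out, [SYN, ACK] in, [ACK] out. Packet traces below are constructed.
class SpiFilter:
    """Tracks one state per flow and accepts only packets that fit the handshake
    sequence, then data once the flow is established."""

    def __init__(self):
        self.flows = {}            # flow (local endpoint, remote endpoint) -> state

    def check(self, flow, direction, flags):
        """direction is "out" (private -> Internet) or "in"; flags is a set of TCP
        flag names. Returns "ACCEPT" or "DROP" and updates the flow state."""
        flags = frozenset(flags)
        state = self.flows.get(flow, "NEW")
        if state == "NEW" and direction == "out" and flags == {"SYN"}:
            self.flows[flow] = "SYN_SENT"                  # step 1: [SYN] out
            return "ACCEPT"
        if state == "SYN_SENT" and direction == "in" and flags == {"SYN", "ACK"}:
            self.flows[flow] = "SYNACK_RECEIVED"           # step 2: [SYN, ACK] in
            return "ACCEPT"
        if state == "SYNACK_RECEIVED" and direction == "out" and flags == {"ACK"}:
            self.flows[flow] = "ESTABLISHED"               # step 3: [ACK] out
            return "ACCEPT"
        if state == "ESTABLISHED" and "ACK" in flags and "SYN" not in flags:
            return "ACCEPT"                                # ordinary data either way
        return "DROP"                                      # anything out of sequence


def run_trace(trace):
    """Feed a list of (flow, direction, flags) packets through a fresh filter."""
    spi = SpiFilter()
    return [spi.check(flow, direction, flags) for flow, direction, flags in trace]


FLOW = (("192.168.0.10", 5000), ("203.0.113.9", 6000))   # constructed endpoints

# The valid handshake from the slide, followed by data in each direction.
HANDSHAKE = [
    (FLOW, "out", {"SYN"}),
    (FLOW, "in", {"SYN", "ACK"}),
    (FLOW, "out", {"ACK"}),
    (FLOW, "in", {"ACK", "PSH"}),
]
# An inbound SYN or SYN/ACK with no prior outbound SYN: there is no state to match.
UNSOLICITED = [(FLOW, "in", {"SYN"}), (FLOW, "in", {"SYN", "ACK"})]
# Both sides send SYN (a simultaneous open): the inbound SYN is not the [SYN, ACK]
# the filter expects next, so a strict SPI discards it.
CROSSED_SYNS = [(FLOW, "out", {"SYN"}), (FLOW, "in", {"SYN"})]

if __name__ == "__main__":
    for name, trace in [("handshake", HANDSHAKE), ("unsolicited", UNSOLICITED),
                        ("crossed", CROSSED_SYNS)]:
        print(name, run_trace(trace))
```

The third trace is the interesting one for this page: a peer's SYN arriving while the local side is itself in SYN_SENT is discarded, which is why the slides carry the handshake through a server-assisted section with a low TTL and then re-bind the socket with SO_REUSEADDR for the hole punching section.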
Experiment
Use WinStun to determine the type of NATs
Use Wireshark to capture packets
Evaluate Skype for NAT traversal
Test the performance of the new method for UDP NAT traversal
Realize TCP NAT traversal
Results
9 routers tested (3 routers were Symmetric NAT)
The success ratio of the P2P communication with Skype was 46%
– Skype does not use UDP hole punching when the voice quality is good.
The success ratio of the P2P communication with our new method was 97%
– The combination of Buffalo and NEC had an 80% success rate on average. The other combinations were 100% successful.
Succeeded in port prediction and control of port numbers
Succeeded in establishing TCP connections for five NAT products out of six
Control of port numbers
[figure: Random / Incremental]
Conclusion
Succeeded in port prediction
Succeeded in control of port numbers
Skype is 46%. Our new method outperforms it with a success rate of 97%
Succeeded in establishing TCP connections for five NAT products out of six

                 WinStun   Skype   New Method
Symmetric NAT    33%       0%      100%
All routers      66%       46%     97%

END