Nat Game p2p


8/4/2019 Nat Game p2p

Network Address Translation (NAT)


    Overview

    Motivation

    End-to-end principle

    Role of IP addresses

    Basic NAT types and their behaviors

    NAT traversal: STUN


History: early 1990s

IPv4 address consumption concern

Two approaches: IPv6 and NAT

NATs were initially intended to allow devices to share an address pool dynamically

First RFC about NAT in 1994

NAT vs. DHCP?

NAT goes against the Internet end-to-end principle; the IETF hates NATs

No standardization -> backfire: NAT behavior ended up differing from vendor to vendor and model to model


Motivation

DSL and cable modem business model: not simultaneous access, no servers; the ISP wants to save money

In PSTNs there is an analogue: extensions behind a single number

Changing the next-higher ISP becomes easier; even multi-homing

Security: inbound traffic filtering (stateful firewall behavior). The protection comes from the connection-tracking state that only outbound traffic creates, not from the private addresses themselves.


End-to-end principle

RFC 1958: "An end-to-end protocol design should not rely on the maintenance of state (i.e., information about the state of the end-to-end communication) inside the network. Such state should be maintained only in the endpoints, in such a way that the state can only be destroyed when the endpoint itself breaks (known as fate-sharing). An immediate consequence of this is that datagrams are better than classical virtual circuits. The network's job is to transmit datagrams as efficiently and flexibly as possible. Everything else should be done at the fringes."


Middle boxes

Middle box = any intermediary device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and destination host (RFC 3234)

Ways to classify them: layer (L2, L3, L4, L7); explicit vs. implicit; functional vs. optimizing; routing vs. processing; soft vs. hard state; fail-over vs. restart

Examples (RFC 3234):

NATs

SOCKS gateways

IP tunnel endpoints

Transport relays

Load balancers

Application firewalls

Transcoders

Proxies

Caches

Modified DNS servers

Anonymizers


Private Network

A private IP network is an IP network that is not directly connected to the Internet

IP addresses in a private network can be assigned arbitrarily.

Not registered and not guaranteed to be globally unique

Generally, private networks use addresses from the following reserved address ranges (RFC 1918; not routed on the public Internet):

10.0.0.0 - 10.255.255.255 (10/8)

172.16.0.0 - 172.31.255.255 (172.16/12)

192.168.0.0 - 192.168.255.255 (192.168/16)


Private Addresses

(Figure: two separate private networks both use 10.0.1.0/24. Hosts H1, H2 and router R1 in the first, and hosts H3, H4 and router R2 in the second, carry the same addresses 10.0.1.1, 10.0.1.2 and 10.0.1.3. The routers' Internet-facing addresses are 128.143.71.21 and 128.195.4.119; host H5 on the Internet is 213.168.112.3. The duplicated private addresses are only unambiguous inside each network.)


Network Address Translation (NAT)

NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network

NAT is a method that enables hosts on private networks to communicate with hosts on the Internet

NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair.

Topology sensitive: inside (private) vs. outside (public); which translation is applied depends on the side a packet arrives from


Basic operation of NAT

(Figure) The NAT device has an address translation table: an outbound packet creates or looks up an entry and is rewritten with the public side of that entry; an inbound packet is matched against the table and rewritten with the private side, or dropped if no entry matches.


Main uses of NAT

Pooling of IP addresses

Supporting migration between network service providers

IP masquerading

Load balancing of servers


Pooling of IP addresses

Scenario: A corporate network has many hosts but only a small number of public IP addresses

NAT solution:

The corporate network is managed with a private address space. The NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses.

When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool and binds this address to the private address of the host. Each active host consumes a whole public address, so the pool size bounds how many hosts can be communicating with the Internet at the same time.


Pooling of IP addresses

(Figure: H1 in the private network, private address 10.0.1.2, sends to H5 on the Internet, public address 213.168.112.3. Inside the private network the packet carries Source = 10.0.1.2, Destination = 213.168.112.3; after the NAT device it carries Source = 128.143.71.21, Destination = 213.168.112.3. The NAT device's translation table binds private address 10.0.1.2 to public address 128.143.71.21, taken from the pool of addresses 128.143.71.0 - 128.143.71.30.)


Supporting migration between network service providers

Scenario: In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.

NAT solution:

Assign private addresses to the hosts of the corporate network. The NAT device has static address translation entries which bind the private address of a host to a public address.

Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.

Note: The difference to the use of NAT with IP address pooling is that the mapping of public and private IP addresses is static.



IP masquerading

Also called: network address and port translation (NAPT)

Scenario: A single public IP address is mapped to multiple hosts in a private network.

NAT solution: Assign private addresses to the hosts of the corporate network. The NAT device rewrites the source address of outgoing traffic to the single public address and modifies the source port number as needed, so that every (private address, port) pair maps to a distinct public port; the binding is stored so that replies arriving at that public port can be translated back to the right host.


Load balancing of servers

Scenario: Balance the load on a set of identical servers, which are accessible from a single IP address

NAT solution:

Here, the servers are assigned private addresses. The NAT device acts as a proxy for requests to the server from the public network.

The NAT device changes the destination IP address of arriving packets to one of the private addresses for a server.

A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.



Concerns about NAT

Performance: Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum. Modifying the port number requires that NAT boxes recalculate the TCP checksum. (The TCP and UDP checksums also cover a pseudo-header containing both IP addresses, so the transport checksum has to be updated even when only the address changes.)

Fragmentation: Care must be taken that a datagram that is fragmented before it reaches the NAT device is not assigned a different IP address or different port numbers for each of the fragments. Only the first fragment carries the transport header with the port numbers, so the NAT must either reassemble or remember the translation chosen for the first fragment, keyed by source, destination and IP identification, and apply it to the rest.
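The two checksum recalculations above, worked through in code. This is an added example, not part of the slides: it builds a TCP/IPv4 SYN from the slides' sample addresses (10.0.1.2 to 213.168.112.3, rewritten by the NAT to 128.143.71.21), the port numbers 40000 and 5001 are made up, and the patching uses the RFC 1624 incremental formula instead of re-summing the whole packet.

```python
# Added example, not from the slides: what a NAT box must recompute when it
# rewrites the source address and port of a TCP/IPv4 packet. Pure Python and
# offline; the packet is constructed here from the slides' sample addresses
# plus made-up port numbers.
import struct
from ipaddress import IPv4Address


def fold(total):
    """Fold carries so the result fits 16 bits (one's-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_sum(data):
    if len(data) % 2:
        data += b"\x00"
    return fold(sum(struct.unpack(f"!{len(data) // 2}H", data)))


def checksum(data):
    return (~ones_sum(data)) & 0xFFFF


def ip_header(src, dst, payload_len, proto=6):
    """20-byte IPv4 header (DF set, no options) with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def pseudo_header(src_packed, dst_packed, tcp_len):
    """The TCP checksum covers this pseudo-header, which is why an address-only
    rewrite still invalidates the transport checksum."""
    return src_packed + dst_packed + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_segment(src, dst, sport, dport, payload=b""):
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    csum = checksum(pseudo_header(IPv4Address(src).packed, IPv4Address(dst).packed, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def checksums_valid(hdr, seg):
    """Receiver's view: summing the data including the stored checksum gives 0xFFFF."""
    ip_ok = ones_sum(hdr) == 0xFFFF
    tcp_ok = ones_sum(pseudo_header(hdr[12:16], hdr[16:20], len(seg)) + seg) == 0xFFFF
    return ip_ok and tcp_ok


def incremental_update(old_csum, old_bytes, new_bytes):
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'). The box patches the checksum from
    the changed 16-bit-aligned fields alone instead of re-reading the packet."""
    acc = (~old_csum & 0xFFFF) + (~ones_sum(old_bytes) & 0xFFFF) + ones_sum(new_bytes)
    return (~fold(acc)) & 0xFFFF


def nat_rewrite(hdr, seg, new_src, new_sport):
    """Outbound NAPT rewrite of source IP and source port with both checksums patched."""
    old_src, new_src_packed = hdr[12:16], IPv4Address(new_src).packed
    old_sport, new_sport_packed = seg[0:2], struct.pack("!H", new_sport)
    ip_csum = incremental_update(struct.unpack("!H", hdr[10:12])[0], old_src, new_src_packed)
    new_hdr = hdr[:10] + struct.pack("!H", ip_csum) + new_src_packed + hdr[16:]
    # The TCP checksum sees the address through the pseudo-header and the port directly.
    tcp_csum = incremental_update(struct.unpack("!H", seg[16:18])[0],
                                  old_src + old_sport, new_src_packed + new_sport_packed)
    new_seg = new_sport_packed + seg[2:16] + struct.pack("!H", tcp_csum) + seg[18:]
    return new_hdr, new_seg


if __name__ == "__main__":
    h, s = ip_header("10.0.1.2", "213.168.112.3", 20), tcp_segment("10.0.1.2", "213.168.112.3", 40000, 80)
    h2, s2 = nat_rewrite(h, s, "128.143.71.21", 5001)
    print("before:", checksums_valid(h, s), "after:", checksums_valid(h2, s2),
          "copied without patching:", checksums_valid(h[:12] + h2[12:16] + h[16:], s))
```

A box that patched the IP header and forgot the pseudo-header would still emit a valid IP checksum but an invalid TCP one; checksums_valid checks both the way the receiving host does. The same incremental update applies to UDP (protocol 17 in the pseudo-header), with one caveat: a UDP checksum of zero means "not computed" and must be left at zero rather than patched.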


Concerns about NAT

End-to-end connectivity: NAT destroys universal end-to-end reachability of hosts on the Internet.

A host in the public Internet often cannot initiate communication to a host in a private network; this hampers peer-to-peer applications.

The problem is worse when two hosts that are each in a private network need to communicate with each other.

Typically, the address-port mapping is maintained as soft state (timing out after minutes of inactivity), so a host that wants to stay reachable through its binding has to keep sending traffic to refresh it.


Concerns about NAT

IP address in application data: Applications that carry IP addresses in the payload of the application data generally do not work across a private-public network boundary.

Some NAT devices (application-level gateways) inspect the payload of widely used application layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table.


NAT and FTP

(Figures: normal FTP operation; NAT device with FTP support; FTP in passive mode and NAT.)
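As an added example (not from the slides), the payload rewrite an FTP-aware NAT applies to the active-mode PORT command, which carries the client's private address and data port in ASCII as "PORT h1,h2,h3,h4,p1,p2" (RFC 959), where the port is p1*256+p2. The public address is the slides' 128.143.71.21; the private host, the pool of public data ports and the sample command lines are constructed for the example.

```python
# Added example, not from the slides: the application-level gateway rewrite
# of the FTP PORT command at a NAT boundary. Sample lines and the port pool
# are constructed; nothing here talks to a real FTP server.
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line):
    """(ip, port) from a PORT command, or None if the line is not a well-formed PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def format_port(ip, port):
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class FtpAlg:
    def __init__(self, public_ip, port_pool):
        self.public_ip = public_ip
        self.free_ports = list(port_pool)
        self.pinholes = {}  # public data port -> (private ip, private port) allowed inbound

    def rewrite_outbound(self, line, private_ip):
        """Rewrite one control-channel line leaving the private network.
        Returns (line to forward, change in byte length)."""
        parsed = parse_port(line)
        if parsed is None:
            return line, 0
        ip, port = parsed
        if ip != private_ip:
            # The payload is client-controlled data. Opening a pinhole to an
            # address other than the sender's own would let any inside client
            # expose any other inside host, so the line is forwarded untouched.
            return line, 0
        pub_port = self.free_ports.pop(0)
        self.pinholes[pub_port] = (ip, port)
        new_line = format_port(self.public_ip, pub_port)
        # The length changed: TCP sequence/ack numbers of every later segment on
        # this control connection must be shifted by this delta.
        return new_line, len(new_line) - len(line)

    def inbound_data_connection(self, dst_port):
        """Server opens the data connection to public_ip:dst_port; map it back or drop."""
        return self.pinholes.get(dst_port)
```

In passive mode (the third figure) the server announces its own address and port in the 227 reply and the client connects outbound, so a client-side NAT needs no pinhole; that is why passive mode is the usual answer to NAT. Two points an ALG implementer cannot skip are visible in the code: the rewritten line has a different length, so the sequence and acknowledgement numbers of the rest of the control connection have to be adjusted, and the announced address must be checked against the actual sender before a pinhole is opened.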

NAT Traversal

(Figures: NAT traversal; NAPT traversal.)


NAT types

Symmetric

Port restricted cone

Address restricted cone

Full cone

Hairpin

Behavior differs not only on a vendor-by-vendor basis but also on a model-by-model basis


Symmetric NAT

The NAT mapping is fixed per (src_addr/src_port, dest_addr/dest_port) pair: the same internal socket gets a different public port for every remote endpoint it talks to, and only that remote endpoint can send back through it.

The most restrictive form

It has been observed to be rare


Full-cone NAT

The least restrictive form: once a binding of a local address/port exists, it can be used by any remote host that knows the public address/port


(Address) Restricted-cone NAT

A NAT binding is accessible only by a remote host that the internal host has already sent a packet to

That remote host may send from a different port than the one the internal host sent to


Port-restricted-cone NAT

A NAT binding is accessible only by a remote address/port pair that the internal host has already sent a packet to; the remote host must send from that same port

Like the address-restricted cone, but the filter checks the remote port as well as the remote address


Hairpin NAT

A local host can direct a packet to the public address/port of an already mapped local host; the NAT translates it and loops it back inside instead of dropping it. This is needed when two hosts behind the same NAT only know each other's public address/port.


Nondeterministic NATs

NATs change their type of behavior when a binding conflict occurs

Example: Some NATs attempt to preserve the port number in the binding. If the port number is available, the NAT behaves like a full-cone NAT. If that port is already occupied by another host, the NAT may change its type, e.g. to a symmetric NAT for that binding.


What is STUN? Who uses it?

STUN: Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators.

The protocol is defined in RFC 3489. (RFC 3489 has since been obsoleted by RFC 5389, which renames STUN to Session Traversal Utilities for NAT and drops the NAT-type classification described below, because real NATs do not fit these four classes reliably; the classic tests are still worth understanding.)

Protocols like SIP and applications like Google Talk use STUN to gather important information about the network configuration.


What does it do?

STUN is a client-server protocol that allows entities behind a NAT to first discover the presence of a NAT and the type of NAT, and then to learn the address bindings allocated by the NAT.

In other words, it's a means of discovering the public IP and port numbers that a NAT assigns to a node on a private LAN.

In addition, STUN does not require any special network configuration and works with a variety of existing networks, but not all.

http://tools.ietf.org/html/rfc3489


STUN and NAT terminology

A STUN Client is a node that generates the STUN requests.

A STUN Server is a node that receives the STUN requests and generates the STUN responses.

NAT: usually part of a firewall or router



How STUN generally works

A STUN Client sends a STUN request to a STUN Server. The Client then waits for the Server to send a STUN response.

The STUN client is typically embedded in an application.

The STUN server has two IP addresses (and listens on two ports on each), so it can answer from a different address or port than the one the request was sent to.

The trick is to analyze the response from the server (whether it arrives at all, and which public address it reports) to determine the type of NAT router and the associated bindings the router has given to internal nodes.


The STUN Message

The following STUN attributes in the payload are especially important:

MAPPED-ADDRESS: Found in STUN responses. It contains the IP address and port number the STUN request arrived from, as seen by the server, i.e. the public IP and port of the STUN client.

CHANGE-REQUEST: Found in STUN requests. It contains flags for the IP address and port number of the server. If set, the client is asking the server to send the response from a different IP and/or port. (We will see why later.)

CHANGED-ADDRESS: Found in STUN responses. It contains the alternate IP address and port number of the server, i.e. where the response would come from if both CHANGE-REQUEST flags were set.
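An added example, not code from the slides or from any STUN implementation: the RFC 3489 wire format for a Binding Request and Binding Response carrying the three attributes above, plus the server's choice of which address to answer from. The server addresses (198.51.100.10 and 198.51.100.11, ports 3478 and 3479) and the client's public address are assumed for the example; the message types (0x0001, 0x0101), attribute codes (0x0001, 0x0003, 0x0004, 0x0005) and CHANGE-REQUEST flag bits (0x04 change IP, 0x02 change port) are the RFC's.

```python
# Added example, not from the slides: encode and parse RFC 3489 STUN messages
# carrying MAPPED-ADDRESS, CHANGE-REQUEST, SOURCE-ADDRESS and CHANGED-ADDRESS,
# and the server-side decision of which address to answer from. No sockets;
# the sample addresses are constructed.
import os
import struct
from ipaddress import IPv4Address

BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
MAPPED_ADDRESS, CHANGE_REQUEST, SOURCE_ADDRESS, CHANGED_ADDRESS = 0x0001, 0x0003, 0x0004, 0x0005
CHANGE_IP, CHANGE_PORT = 0x04, 0x02                # CHANGE-REQUEST flag bits (RFC 3489 11.2.4)
ADDRESS_ATTRS = {MAPPED_ADDRESS, SOURCE_ADDRESS, CHANGED_ADDRESS}


def encode_address(ip, port):
    # 1 unused byte, family 0x01 = IPv4, 16-bit port, 32-bit address
    return struct.pack("!BBH4s", 0, 0x01, port, IPv4Address(ip).packed)


def decode_address(value):
    if len(value) != 8:
        raise ValueError("address attribute must be 8 bytes")
    _, family, port, raw = struct.unpack("!BBH4s", value)
    if family != 0x01:
        raise ValueError("only IPv4 (family 0x01) is handled here")
    return str(IPv4Address(raw)), port


def build_message(msg_type, attrs, txid=None):
    txid = txid or os.urandom(16)
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in attrs)
    # Message length counts the attributes only, not the 20-byte header.
    return struct.pack("!HH16s", msg_type, len(body), txid) + body


def binding_request(change_ip=False, change_port=False, txid=None):
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    return build_message(BINDING_REQUEST, [(CHANGE_REQUEST, struct.pack("!I", flags))], txid)


def parse_message(data):
    """(msg_type, txid, {attr type: decoded value}). Every length is checked
    before use, since the datagram comes from an untrusted network."""
    if len(data) < 20:
        raise ValueError("STUN header is 20 bytes")
    msg_type, length, txid = struct.unpack("!HH16s", data[:20])
    if length != len(data) - 20:
        raise ValueError("message length does not match datagram size")
    attrs, off = {}, 20
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + a_len]
        if len(value) != a_len:
            raise ValueError("attribute length runs past end of message")
        if a_type in ADDRESS_ATTRS:
            value = decode_address(value)
        elif a_type == CHANGE_REQUEST:
            if a_len != 4:
                raise ValueError("CHANGE-REQUEST must be 4 bytes")
            value = struct.unpack("!I", value)[0]
        attrs[a_type] = value
        off += 4 + a_len
    return msg_type, txid, attrs


class StunServer:
    """Assumed layout: requests arrive at `primary`; `alternate` is the other IP and port."""

    def __init__(self, primary, alternate):
        self.primary, self.alternate = primary, alternate

    def handle(self, request, client_public_addr):
        """Returns (response bytes, (ip, port) the response must be sent from)."""
        msg_type, txid, attrs = parse_message(request)
        if msg_type != BINDING_REQUEST:
            raise ValueError("not a Binding Request")
        flags = attrs.get(CHANGE_REQUEST, 0)
        src_ip = self.alternate[0] if flags & CHANGE_IP else self.primary[0]
        src_port = self.alternate[1] if flags & CHANGE_PORT else self.primary[1]
        response = build_message(BINDING_RESPONSE, [
            (MAPPED_ADDRESS, encode_address(*client_public_addr)),  # the client as the NAT presents it
            (SOURCE_ADDRESS, encode_address(src_ip, src_port)),
            (CHANGED_ADDRESS, encode_address(*self.alternate)),
        ], txid)
        return response, (src_ip, src_port)
```

Parsing is done with explicit length checks because a STUN port is reachable over UDP from anywhere; a parser that trusts the length field in an attribute reads past the datagram. RFC 5389 changed the header (a magic cookie and a 96-bit transaction ID) and XOR-encodes the mapped address, so this parser only speaks the original RFC 3489 dialect the slides describe.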


NAT discovery (test 1)

To determine if a NAT router/firewall is present, send a STUN request to the server. Wait for a response and analyze it.

If the IP address and port number in the MAPPED-ADDRESS attribute of the payload in the STUN response equal the local IP address and port number that the client bound to when sending the request, then the client is NOT behind a NAT router. Otherwise, it is behind a NAT router.

(If no response arrives at all, UDP is blocked and the remaining tests cannot tell anything more.)


NAT discovery: Full Cone (test 2)

Full Cone NAT router: The client sets the IP address and port number flags in the CHANGE-REQUEST of the STUN request. This causes the server to send the response from the alternate IP and port number.

If the client receives the STUN response, then the client is behind a full cone router: the binding accepted a packet from a remote address/port the client never sent to.

Otherwise, it is behind one of the other three NAT routers.


NAT discovery: Symmetric (test 3)

Symmetric NAT: The client sends two STUN requests. One request is sent to a server at IP address X and port P, and another to a server at IP address Y and port P. If the IP addresses and ports from the MAPPED-ADDRESS attributes in the two responses do not match, then it is behind a Symmetric NAT router: a new public port was allocated for the second destination.

If they do match, then it is behind one of the remaining two NAT routers.


NAT discovery: Restricted (test 4)

Restricted NAT: The port flag in the CHANGE-REQUEST attribute of the request is set. This instructs the server to send a response from a different port but the same IP address.

If the response is received, it is behind an (address) restricted NAT router. If no response is received, it is behind a port restricted NAT router.


Other issues

Symmetric NATs: The first packet for hole punching will be dropped, and the public port number used toward the other peer is different from the one used toward the server, so the address the peer learned through STUN is wrong.

Port prediction technique (guessing the next port the NAT will allocate): may not work.

Nested NATs (a NAT behind another NAT) add a further level of mappings.
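The NAT types (full cone, address restricted cone, port restricted cone, symmetric), the four discovery tests and the symmetric-NAT hole-punching note above, put together in one added simulation that is not part of the slides. Nat models the mapping and filtering rule of each type, StunServer models a server with two IP addresses and two ports, classify runs the tests in the order the slides give, and hole_punch plays out the first-packet exchange between two peers. The addresses, ports and server layout are constructed for the example; the model ignores binding timeouts, hairpinning and nondeterministic NATs.

```python
# Added example, not from the slides: a toy model of the four NAT behaviours,
# the RFC 3489 test sequence (tests 1-4) run against each model, and the
# hole-punching failure with a symmetric NAT. Addresses, ports and the server
# layout are constructed for the simulation; no packets leave the machine.
from enum import Enum


class NatType(Enum):
    FULL_CONE = "full cone"
    ADDRESS_RESTRICTED = "address restricted cone"
    PORT_RESTRICTED = "port restricted cone"
    SYMMETRIC = "symmetric"


class Nat:
    """Mapping: cone NATs give an internal (ip, port) one public port for all
    destinations; a symmetric NAT allocates a new public port per destination.
    Filtering: which remote endpoints may send to a public port."""

    def __init__(self, kind, public_ip, first_port=40000):
        self.kind, self.public_ip, self.next_port = kind, public_ip, first_port
        self.mappings = {}    # (src[, dst]) -> public port
        self.permits = set()  # (public port, remote ip, remote port) the inside host sent to

    def outbound(self, src, dst):
        key = (src, dst) if self.kind is NatType.SYMMETRIC else (src,)
        if key not in self.mappings:
            self.mappings[key], self.next_port = self.next_port, self.next_port + 1
        pub_port = self.mappings[key]
        self.permits.add((pub_port, dst[0], dst[1]))
        return (self.public_ip, pub_port)

    def inbound(self, remote, pub_port):
        """Internal (ip, port) the packet is forwarded to, or None if the NAT drops it."""
        owner = next((k[0] for k, p in self.mappings.items() if p == pub_port), None)
        if owner is None:
            return None  # no binding: unsolicited inbound traffic is dropped
        if self.kind is NatType.FULL_CONE:
            ok = True
        elif self.kind is NatType.ADDRESS_RESTRICTED:
            ok = any(p == pub_port and ip == remote[0] for p, ip, _ in self.permits)
        else:  # port restricted and symmetric: the exact remote ip:port must have been contacted
            ok = (pub_port, remote[0], remote[1]) in self.permits
        return owner if ok else None


class StunServer:
    """Two IP addresses and two ports; replies from the other IP/port when asked to."""

    def __init__(self, ips=("198.51.100.10", "198.51.100.11"), ports=(3478, 3479)):
        self.ips, self.ports = ips, ports

    def reply_source(self, to_addr, change_ip, change_port):
        ip = self.ips[1 - self.ips.index(to_addr[0])] if change_ip else to_addr[0]
        port = self.ports[1 - self.ports.index(to_addr[1])] if change_port else to_addr[1]
        return (ip, port)


def stun_exchange(local, nat, server, to_addr, change_ip=False, change_port=False):
    """One request/response. Returns the MAPPED-ADDRESS the client would read,
    or None when the NAT filters the response before it reaches the client."""
    seen_from = nat.outbound(local, to_addr) if nat else local
    reply_from = server.reply_source(to_addr, change_ip, change_port)
    if nat and nat.inbound(reply_from, seen_from[1]) != local:
        return None
    return seen_from


def classify(local, nat, server):
    primary, alt = (server.ips[0], server.ports[0]), (server.ips[1], server.ports[0])
    r1 = stun_exchange(local, nat, server, primary)                   # test 1
    if r1 is None:
        return "UDP blocked"
    if r1 == local:
        return "no NAT"
    if stun_exchange(local, nat, server, primary, True, True):        # test 2: other IP and port
        return NatType.FULL_CONE.value
    if stun_exchange(local, nat, server, alt) != r1:                  # test 3: second server address
        return NatType.SYMMETRIC.value
    if stun_exchange(local, nat, server, primary, change_port=True):  # test 4: other port only
        return NatType.ADDRESS_RESTRICTED.value
    return NatType.PORT_RESTRICTED.value


def hole_punch(local_a, nat_a, local_b, nat_b, server):
    """Each peer learns its server-observed address, the addresses are swapped
    out of band, A sends first, then B, then A retries. Returns
    (first packet dropped, B reaches A, A reaches B on retry)."""
    srv = (server.ips[0], server.ports[0])
    pub_a = stun_exchange(local_a, nat_a, server, srv)
    pub_b = stun_exchange(local_b, nat_b, server, srv)
    a_as_seen_by_b = nat_a.outbound(local_a, pub_b)      # opens A's permit for pub_b
    first_dropped = nat_b.inbound(a_as_seen_by_b, pub_b[1]) != local_b
    b_as_seen_by_a = nat_b.outbound(local_b, pub_a)      # opens B's permit for pub_a
    b_reaches_a = nat_a.inbound(b_as_seen_by_a, pub_a[1]) == local_a
    a_reaches_b = nat_b.inbound(a_as_seen_by_b, pub_b[1]) == local_b
    return first_dropped, b_reaches_a, a_reaches_b
```

Against a pair of port-restricted NATs, hole_punch reports the first packet dropped but both directions open once each side has sent; with a symmetric NAT on side A it reports both directions closed, because the public port A uses toward B (40001 in the model) is not the one B learned from the server (40000), and A's binding toward the server admits only the server. The classification is only as good as the model: the RFC 3489 successors warn that real NATs mix mapping and filtering behaviours in ways these four classes do not capture.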