8/4/2019 Nat Game p2p

Network Address Translation (NAT)
Overview
Motivation
End-to-end principle
Role of IP addresses
Basic NAT types and their behaviors
NAT traversal: STUN
History: Early 1990s
IPv4 address consumption concern
Two approaches: IPv6 and NAT
NATs were initially intended to allow devices to share an address pool dynamically
First RFC about NAT in 1994
NAT vs. DHCP?
NAT goes against the Internet end-to-end principle; the IETF hates NATs
No standardization -> backfire
Motivation
DSL and cable modem business model: not simultaneous access, no servers
ISP wants to save money
In PSTNs, there are extensions
Changing to the next higher ISP becomes easier
Even multi-homing
Security: inbound traffic filtering (stateful firewall)
End-to-end principle
RFC 1958: An end-to-end protocol designshould not rely on the maintenance of state (i.e.,information about the state of the end-to-endcommunication) inside the network. Such stateshould be maintained only in the endpoints, in
such a way that the state can only be destroyedwhen the endpoint itself breaks (known as fate-sharing). An immediate consequence of this isthat datagrams are better than classical virtual
circuits. The network's job is to transmitdatagrams as efficiently and flexibly as possible.Everything else should be done at the fringes.
Middle boxes
Middle box = any intermediary device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and a destination host
Ways to classify them: L2, L3, L4, L7; explicit vs. implicit; functional vs. optimizing; routing vs. processing; soft vs. hard state; fail-over vs. restart
Examples (RFC 3234):
NATs
SOCKS gateway
IP tunnel endpoint
Transport relay
Load balancers
Application firewalls
Transcoders
Proxies
Caches
Modified DNS servers
Anonymizers
Private Network
A private IP network is an IP network that is not directly connected to the Internet
IP addresses in a private network can be assigned arbitrarily.
Not registered and not guaranteed to be globally unique
Generally, private networks use addresses from the following experimental address ranges (non-routable addresses):
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Private Addresses
(Figure: two private networks, each reusing the addresses 10.0.1.1, 10.0.1.2 and 10.0.1.3 for hosts H1, H2 behind router R1 and H3, H4 behind router R2, both connected to the Internet; public addresses shown: H5 at 213.168.112.3, and 128.195.4.119 and 128.143.71.21 on the Internet side of the routers.)
Network Address Translation (NAT)
NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network
NAT is a method that enables hosts on private networks to communicate with hosts on the Internet
NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair.
Topology sensitive: inside (private) vs. outside (public)
Basic operation of NAT
NAT device has address translation table
Main uses of NAT
Pooling of IP addresses
Supporting migration between network service providers
IP masquerading
Load balancing of servers
Pooling of IP addresses
Scenario: Corporate network has many hosts but only a small number of public IP addresses
NAT solution:
Corporate network is managed with a private address space
NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses
When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host
Pooling of IP addresses
(Figure: H1 with private address 10.0.1.2 sends to H5 with public address 213.168.112.3. Inside the private network the packet carries Source = 10.0.1.2, Destination = 213.168.112.3; after the NAT device it carries Source = 128.143.71.21, Destination = 213.168.112.3. The NAT device's table binds private address 10.0.1.2 to a public address taken from the pool 128.143.71.0-128.143.71.30.)
Supporting migration between network service providers
Scenario: In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.
NAT solution:
Assign private addresses to the hosts of the corporate network
NAT device has static address translation entries which bind the private address of a host to the public address.
Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.
Note: The difference to the use of NAT with IP address pooling is that the mapping of public and private IP addresses is static.
Supporting migration between network service providers (figure)
IP masquerading
Also called: Network address and port translation (NAPT)
Scenario: Single public IP address is mapped to multiple hosts in a private network.
NAT solution:
Assign private addresses to the hosts of the corporate network
NAT device modifies the port numbers for outgoing traffic
Load balancing of servers
Scenario: Balance the load on a set of identical servers, which are accessible from a single IP address
NAT solution:
Here, the servers are assigned private addresses
NAT device acts as a proxy for requests to the server from the public network
The NAT device changes the destination IP address of arriving packets to one of the private addresses for a server
A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.
Load balancing of servers (figure)
Concerns about NAT
Performance:
Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum
Modifying the port number requires that NAT boxes recalculate the TCP checksum
Fragmentation:
Care must be taken that a datagram that is fragmented before it reaches the NAT device is not assigned a different IP address or different port numbers for each of the fragments.
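The checksum point above, worked through in Python as an added example (not code from the slides): a minimal IPv4 header is built, its source address is rewritten the way a NAT does on the way out, and the header is verified with the checksum left stale versus recomputed. It also shows the incremental update from RFC 1624 (HC' = ~(~HC + ~m + m')), which is what real NAT boxes use instead of rescanning the header; the addresses 10.0.1.2, 213.168.112.3 and 128.143.71.21 are taken from the slides' figures, the identification and TTL values are constructed, and all function names are my own.

```python
"""IPv4 header checksum handling when a NAT rewrites the source address.
Added illustration (RFC 791 checksum, RFC 1624 incremental update); not
code from the slides. Field values other than the addresses are constructed."""
import struct


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def ones_complement_sum(data: bytes) -> int:
    """Sum the 16-bit big-endian words of data with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Header checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(header)) & 0xFFFF


def checksum_field(header: bytes) -> int:
    """The checksum as stored in bytes 10-11 of the header."""
    return struct.unpack("!H", header[10:12])[0]


def header_valid(header: bytes) -> bool:
    # Summing a correct header, checksum field included, gives 0xFFFF, so the
    # complement is zero.
    return ipv4_checksum(header) == 0


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum. proto 17 = UDP.
    Identification 0x1234, flags DF, TTL 64 are constructed sample values."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def rewrite_source(header: bytes, new_src: str, recompute: bool = True) -> bytes:
    """What the NAT does on the outbound path: replace the source address.
    recompute=False leaves the old checksum in place, which is exactly the
    defect the slide warns about; the header then fails verification downstream."""
    hdr = header[:12] + ip_bytes(new_src) + header[16:]
    if recompute:
        zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + hdr[12:]
    return hdr


def incremental_checksum(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 equation 3, applied word by word to the changed field:
    HC' = ~(~HC + ~m + m'). Avoids rescanning the whole header."""
    n = len(old_field) // 2
    acc = (~old_csum) & 0xFFFF
    for m, m_new in zip(struct.unpack("!%dH" % n, old_field),
                        struct.unpack("!%dH" % n, new_field)):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


if __name__ == "__main__":
    original = build_ipv4_header("10.0.1.2", "213.168.112.3", payload_len=8)
    stale = rewrite_source(original, "128.143.71.21", recompute=False)
    fixed = rewrite_source(original, "128.143.71.21")
    print("original valid:", header_valid(original))
    print("rewritten, checksum not updated:", header_valid(stale))
    print("rewritten, checksum recomputed:", header_valid(fixed))
    print("incremental update matches full recompute:",
          incremental_checksum(checksum_field(original), ip_bytes("10.0.1.2"),
                               ip_bytes("128.143.71.21")) == checksum_field(fixed))
```

The same one's-complement arithmetic applies to the TCP and UDP checksums mentioned on the slide, with the extra twist that they cover a pseudo-header containing the IP addresses, so a NAT that changes only the address still has to fix the transport checksum as well.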
Concerns about NAT
End-to-end connectivity:
NAT destroys universal end-to-end reachability of hosts on the Internet.
A host in the public Internet often cannot initiate communication to a host in a private network
Hampers peer-to-peer applications
The problem is worse when two hosts that are in a private network need to communicate with each other
Typically, the address-port mapping is maintained as soft state (in minutes)
Concerns about NAT
IP address in application data:
Applications that carry IP addresses in the payload of the application data generally do not work across a private-public network boundary.
Some NAT devices inspect the payload of widely used application layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table.
NAT and FTP
Normal FTP operation
NAT and FTP
NAT device with FTP support
NAT and FTP
FTP in passive mode and NAT.
NAT Traversal
NAPT Traversal
NAT types
Symmetric
Port restricted cone
Address restricted cone
Full cone
Hairpin
Behavior differs not only on a vendor-by-vendor basis but also on a model-by-model basis
Symmetric NAT
NAT mapping between src_addr/src_port and dest_addr/dest_port is fixed
The most restrictive form
It has been observed to be rare
Full-cone NAT
The least restrictive form
Binding of a local address/port can be used by any remote host
(Address) Restricted-cone NAT
NAT binding is accessible only by the destination host
A different port can be used
Port-restricted-cone NAT
NAT binding is accessible by any remote host, but only the same port should be used
Typically, the internal host had previously sent a packet to the remote host
Hairpin NAT
A local host can direct a packet to the public address/port of an already mapped local host
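The port rewriting from the IP masquerading (NAPT) slide and the inbound filtering rules of the four NAT types plus hairpinning, as one added Python simulation; this is not code from the slides or from any NAT implementation. The public address 128.143.71.21 and the server 213.168.112.3 are taken from the slides' figures; the inside hosts 10.0.1.2 and 10.0.1.3, the remote peer 198.51.100.9, the port numbers and all class and method names are constructed.

```python
"""Toy NAPT simulator: one public address, a translation table, a per-type
inbound filtering policy and optional hairpinning. Added illustration; the
addresses not on the slides and all names here are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Binding:
    private: tuple                           # (ip, port) of the inside host
    public_port: int                         # port allocated on the NAT's public address
    peers: set = field(default_factory=set)  # (ip, port) pairs the inside host has sent to


class Napt:
    """A NAT device with a single public IP and an address translation table."""

    TYPES = ("full_cone", "address_restricted", "port_restricted", "symmetric")

    def __init__(self, public_ip: str, nat_type: str, hairpin: bool = False,
                 first_port: int = 40000):
        if nat_type not in self.TYPES:
            raise ValueError("unknown NAT type %r" % nat_type)
        self.public_ip = public_ip
        self.nat_type = nat_type
        self.hairpin = hairpin
        self.next_port = first_port
        self.table = {}            # binding key -> Binding
        self.by_public_port = {}   # public port -> Binding, for inbound lookups

    def _key(self, pkt: Packet):
        # Symmetric: the mapping is fixed per (src, dst) pair, so every new
        # destination gets its own public port. Cone types: one mapping per
        # inside (ip, port), reused for every destination.
        if self.nat_type == "symmetric":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.src_ip, pkt.src_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate or reuse a binding, rewrite source ip:port."""
        key = self._key(pkt)
        b = self.table.get(key)
        if b is None:
            b = Binding((pkt.src_ip, pkt.src_port), self.next_port)
            self.next_port += 1
            self.table[key] = b
            self.by_public_port[b.public_port] = b
        b.peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, b.public_port, pkt.dst_ip, pkt.dst_port)

    def _allowed(self, b: Binding, pkt: Packet) -> bool:
        if self.nat_type == "full_cone":
            return True                                          # any remote host
        if self.nat_type == "address_restricted":
            return any(ip == pkt.src_ip for ip, _ in b.peers)    # same host, any port
        return (pkt.src_ip, pkt.src_port) in b.peers             # exact ip:port contacted before

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: deliver only if a binding exists and the policy admits the sender."""
        b = self.by_public_port.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or b is None or not self._allowed(b, pkt):
            return None                                          # dropped
        return Packet(pkt.src_ip, pkt.src_port, b.private[0], b.private[1])

    def local_send(self, pkt: Packet) -> Optional[Packet]:
        """An inside host sends to the NAT's own public address (the hairpin case):
        translate it as outbound, then feed it back in as if it had arrived from outside."""
        if pkt.dst_ip != self.public_ip or not self.hairpin:
            return None
        return self.inbound(self.outbound(pkt))


if __name__ == "__main__":
    server = Packet("10.0.1.2", 5000, "213.168.112.3", 3478)
    for kind in Napt.TYPES:
        nat = Napt("128.143.71.21", kind)
        out = nat.outbound(server)
        reply = nat.inbound(Packet("213.168.112.3", 3478, out.dst_ip and out.src_ip, out.src_port))
        other = nat.inbound(Packet("198.51.100.9", 9999, out.src_ip, out.src_port))
        print("%-19s mapped to %s:%d  reply %s  unsolicited %s"
              % (kind, out.src_ip, out.src_port, reply is not None, other is not None))
```

Run as a script it prints, for each type, the public mapping, whether the server's reply gets back in, and whether an unrelated host can reach the binding; only the full-cone NAT admits the latter, which is why the slides call it the least restrictive form.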
Nondeterministic NATs
NATs change their type of behavior when a binding conflict occurs
Example:
Some NATs attempt to preserve the port number in the binding
If the port number is available, the NAT behaves like a full-cone NAT
If that port is already occupied by another host, the NAT may change its type, e.g., to a symmetric NAT
What is STUN? Who uses it?
STUN: Simple Traversal of User Datagram Protocol through Network Address Translators.
The protocol is defined in RFC 3489.
Protocols like SIP and applications like Google Talk use STUN to gather important information about the network configuration.
What does it do?
STUN is a client-server protocol that allows entities behind a NAT to first discover the presence of a NAT and the type of NAT, and then to learn the address bindings allocated by the NAT.
In other words, it's a means of discovering the public IP and port numbers that a NAT assigns to a node on a private LAN.
In addition, STUN does not require any special network configuration and works with a variety of existing networks, but not all.
*http://tools.ietf.org/html/rfc3489
STUN and NAT terminology
A STUN Client is a node that generates the STUN requests.
A STUN Server is a node that receives the STUN requests and generates the STUN responses.
NAT: usually part of a firewall or router
A picture is worth 1000 words
How STUN generally works
A STUN Client sends a STUN request to a STUN Server. The Client then waits for the Server to send a STUN response.
The STUN client is typically embedded in the application
The STUN server has two IP addresses
The trick is to analyze the response from the server to determine the type of NAT router and the associated bindings the router has given to internal nodes.
The STUN Message
The following STUN attributes in the payload are especially important:
MAPPED-ADDRESS: Found in STUN responses. It contains the source IP address and port number the STUN request arrived with, i.e., the public IP and port of the STUN client.
CHANGE-REQUEST: Found in STUN requests. It contains flags for the IP address and port number of the server. If set, the client is asking the server to send the response from a different IP and port. (We will see why later.)
CHANGED-ADDRESS: Found in STUN responses. It contains the alternate IP address and port number of the server that is used due to CHANGE-REQUEST.
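The three attributes above, encoded and parsed on the wire as an added Python example following the RFC 3489 layout (20-byte header with type, length and 128-bit transaction ID, then type-length-value attributes); this is not code from the slides or from any STUN library. The mapped address 128.143.71.21 is taken from the slides' figures; the server's alternate address 203.0.113.10, the port numbers and all function names are constructed. The parser rejects any message whose lengths do not match the bytes present, and the client accepts a response only if its transaction ID matches the request it sent.

```python
"""Minimal RFC 3489 STUN Binding Request/Response encoder and strict parser
for MAPPED-ADDRESS, CHANGE-REQUEST and CHANGED-ADDRESS. Added illustration;
addresses other than 128.143.71.21 and all names are constructed."""
import os
import struct

# Message and attribute type codes from RFC 3489
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
CHANGE_REQUEST = 0x0003
CHANGED_ADDRESS = 0x0005
CHANGE_IP = 0x04      # CHANGE-REQUEST flag A: answer from the alternate IP
CHANGE_PORT = 0x02    # CHANGE-REQUEST flag B: answer from the alternate port
IPV4_FAMILY = 0x01


def encode_address(ip: str, port: int) -> bytes:
    """Address attribute value: 1 pad byte, family, 16-bit port, 4-byte IPv4 address."""
    return struct.pack("!BBH4s", 0, IPV4_FAMILY, port, bytes(int(x) for x in ip.split(".")))


def decode_address(value: bytes):
    if len(value) != 8:
        raise ValueError("bad address attribute length")
    _, family, port, raw = struct.unpack("!BBH4s", value)
    if family != IPV4_FAMILY:
        raise ValueError("unsupported address family")
    return ".".join(str(b) for b in raw), port


def build_message(msg_type: int, attrs, txid: bytes = None) -> bytes:
    """Header (type, attribute-bytes length, transaction ID) followed by TLV attributes."""
    body = b"".join(struct.pack("!HH", atype, len(value)) + value for atype, value in attrs)
    txid = txid if txid is not None else os.urandom(16)
    return struct.pack("!HH16s", msg_type, len(body), txid) + body


def parse_message(data: bytes):
    """Strict parser: every declared length is checked against the bytes actually present."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, txid = struct.unpack("!HH16s", data[:20])
    if len(data) != 20 + length:
        raise ValueError("message length does not match datagram")
    attrs, off = {}, 20
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        attrs[atype] = value
        off += 4 + alen
    return msg_type, txid, attrs


def binding_request(change_ip: bool = False, change_port: bool = False, txid: bytes = None) -> bytes:
    """Client side: a Binding Request carrying the CHANGE-REQUEST flags."""
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    return build_message(BINDING_REQUEST, [(CHANGE_REQUEST, struct.pack("!I", flags))], txid)


def change_flags(attrs):
    """Server side: which CHANGE-REQUEST flags did the client set? Absent attribute = none."""
    flags = struct.unpack("!I", attrs.get(CHANGE_REQUEST, b"\x00\x00\x00\x00"))[0]
    return bool(flags & CHANGE_IP), bool(flags & CHANGE_PORT)


def binding_response(txid: bytes, mapped, changed) -> bytes:
    """Server side: echo the request's source as MAPPED-ADDRESS and advertise the
    alternate address as CHANGED-ADDRESS (SOURCE-ADDRESS omitted here for brevity)."""
    return build_message(BINDING_RESPONSE, [(MAPPED_ADDRESS, encode_address(*mapped)),
                                            (CHANGED_ADDRESS, encode_address(*changed))], txid)


def client_view(response: bytes, expected_txid: bytes):
    """Client side: accept only a Binding Response whose transaction ID matches our request,
    and return (public ip, port) and the server's alternate (ip, port)."""
    msg_type, txid, attrs = parse_message(response)
    if msg_type != BINDING_RESPONSE or txid != expected_txid:
        raise ValueError("not the response to our request")
    return decode_address(attrs[MAPPED_ADDRESS]), decode_address(attrs[CHANGED_ADDRESS])


if __name__ == "__main__":
    req = binding_request(change_ip=True, change_port=True)
    _, txid, attrs = parse_message(req)
    print("server sees change flags:", change_flags(attrs))
    # The server fills MAPPED-ADDRESS with the source it saw: here the NAT's
    # public address and allocated port (constructed sample values).
    resp = binding_response(txid, ("128.143.71.21", 40000), ("203.0.113.10", 3479))
    print("client learns:", client_view(resp, txid))
```

The transaction ID check is what stops an unrelated or late datagram from being mistaken for the answer to the current test; the length checks are what keep a short or malformed datagram from turning into an index error inside the client.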
NAT discovery (test 1)
To determine if a NAT router/firewall is present, send a STUN request to the server. Wait for a response and analyze it.
If the IP address and port number in the MAPPED-ADDRESS attribute of the payload in the STUN response equal the local IP address and port number that the client bound to when sending the request, then the client is NOT behind a NAT router. Otherwise, it is behind a NAT router.
NAT discovery: Full Cone (test 2)
Full Cone NAT router: The client sets the IP address and port number flags in the CHANGE-REQUEST of the STUN request. This causes the server to send the response from the alternate IP and port number.
If the client receives the STUN response, then the client is behind a full cone router.
Otherwise, it is behind one of the other three NAT routers.
NAT discovery: Symmetric (test 3)
Symmetric NAT: The client sends two STUN requests. One request is sent to a server at IP address X and port P, and another to a server at IP address Y and port P.
If the IP addresses and ports from the MAPPED-ADDRESS attributes in the two responses do not match, then it is behind a Symmetric NAT router.
If they do match, then it is behind one of the remaining two NAT routers.
NAT discovery: Restricted (test 4)
Restricted NAT: The port flag in the CHANGE-REQUEST attribute of the request is set. This instructs the server to send a response from a different port.
If the response is received, it is behind a restricted NAT router. If no response is received, it is behind a port restricted NAT router.
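Tests 1 to 4 combined into the decision procedure the four slides describe, as an added Python example that is not code from the slides. The classifier is written against a `probe` callable (a constructed interface, not a real socket) that returns the MAPPED-ADDRESS a server reported or None when no response came back; a second function builds simulated probes for each NAT type so the procedure can be exercised offline. The one case beyond the slides is "udp blocked" (no reply at all to test 1), which RFC 3489 treats as UDP being blocked. Addresses 10.0.1.2, 128.143.71.21 and 213.168.112.3 come from the slides' figures; 203.0.113.10 and the port numbers are constructed.

```python
"""NAT classification from the four STUN tests on the slides (RFC 3489 discovery).
Added illustration; probe() is a constructed interface and the simulated NATs
are test doubles, not real network I/O."""


def classify_nat(local_addr, probe, server_x, server_y, port=3478):
    """probe(server_ip, server_port, change_ip, change_port) -> (ip, port) from
    MAPPED-ADDRESS, or None if no response arrived before the timeout."""
    # Test 1: plain request to server X; compare MAPPED-ADDRESS with our local socket.
    mapped = probe(server_x, port, False, False)
    if mapped is None:
        return "udp blocked"          # not on the slides; RFC 3489: no reply here means UDP is blocked
    if mapped == local_addr:
        return "no nat"
    # Test 2: ask X to answer from its alternate IP and port; only a full cone lets that in.
    if probe(server_x, port, True, True) is not None:
        return "full cone"
    # Test 3: same local socket, different server; a symmetric NAT gives a different mapping.
    if probe(server_y, port, False, False) != mapped:
        return "symmetric"
    # Test 4: ask X to answer from the same IP but a different port.
    if probe(server_x, port, False, True) is not None:
        return "address restricted cone"
    return "port restricted cone"


def make_probe(nat_type, local_addr, public_ip, first_port=40000):
    """Constructed simulation of how a NAT of the given type would answer the probes."""
    ports = {}   # binding key -> public port, so repeated probes reuse the same mapping

    def probe(server_ip, server_port, change_ip, change_port):
        if nat_type == "udp blocked":
            return None
        if nat_type == "no nat":
            return local_addr
        # Symmetric NATs key the binding on the destination; cone NATs share one binding.
        key = (server_ip, server_port) if nat_type == "symmetric" else None
        public_port = ports.setdefault(key, first_port + len(ports))
        if nat_type == "full cone":
            delivered = True
        elif nat_type == "address restricted cone":
            delivered = not change_ip                    # same host, any port is fine
        else:                                            # port restricted cone, symmetric
            delivered = not (change_ip or change_port)   # exact ip:port we sent to
        return (public_ip, public_port) if delivered else None

    return probe


if __name__ == "__main__":
    local = ("10.0.1.2", 5000)
    for kind in ("udp blocked", "no nat", "full cone", "symmetric",
                 "address restricted cone", "port restricted cone"):
        result = classify_nat(local, make_probe(kind, local, "128.143.71.21"),
                              "213.168.112.3", "203.0.113.10")
        print("%-24s -> %s" % (kind, result))
```

The order of the tests matters: test 3 must run before test 4, because a symmetric NAT also fails test 4 and would otherwise be misreported as port restricted. Against real hardware a single timed-out probe can be packet loss rather than policy, so production clients retransmit each request several times before treating "no response" as the NAT's answer.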
Other issues
Symmetric NATs: the first packet for hole punching will be dropped
And the port number (for the other peer) is changed from the one used for the server
Port prediction technique: may not work
Nested NATs