P2P TCP behavior through NAT’s Nagendra Modadugu [email protected]

Page 1: P2P TCP behavior through NAT’s

P2P TCP behavior through NAT’s

Nagendra Modadugu

[email protected]

Page 2

The Problem

• Two peers, both behind NAT’s
– Possibly multiply NAT’ed
– Server available for assistance

• E.g. iChat, Yahoo! chat, NetMeeting, BitTorrent, KaZaa

[Figure: peer A behind NAT_A, peer B behind NAT_B, server S reachable by both]

Page 3

Solution 1: No changes to NAT

[Figure: peer A behind NAT_A, peer B behind NAT_B, server S; a control channel connects each peer to S]

• A & B send ISN’s to S
• S “determines” external port numbers
• A & B send SYN’s towards each other
• S generates forged SYN/ACK’s

[Figure labels: ISN 0xAD.. and ISN 0xF5..; external ports 3210 and 5476; SYN (ISN:0xAD..; Port:3210) and SYN (ISN:0xF5..; Port:5476) sent towards the other peer; a forged SYN/ACK from S to each side; an ACK from each side]

Page 4

Pros and Cons of Solution 1

• Pros
– Works without changing NAT’s

• Cons
– Port # prediction may fail
– Egress/ingress filtering may block forged packets
– How portable is SO_REUSEPORT?

Page 5

Solution 2: No forged packets

[Figure: peer A behind NAT_A, peer B behind NAT_B, server S; a control channel connects each peer to S]

• A & B send ISN’s to S
• S “determines” external port numbers
• A & B send SYN’s towards each other

[Figure labels: external ports 3211 and 5477; SYN (Port:3211) and SYN (Port:5477) sent towards the other peer; SYN/ACK; ACK]

Page 6

Pros and Cons of Solution 2

• Pros
– No changes needed to NAT devices

• Cons
– Port # prediction may fail
– Requires NAT’s to allow incoming SYN’s
– How portable is SO_REUSEPORT?

Page 7

Solution 3: Port Reservation

[Figure: peer A behind NAT_A, peer B behind NAT_B, server S]

Message exchange shown in the figure:
• Reserve request (to the NAT): Port 3733, Auth info: Incoming Seq # 0xD2..
• Port 3733 rsrvd, Auth info: Seq # 0xD2..
• SYN (Seq:0xD2..; Port 3733)
• SYN/ACK
• ACK

Page 8

Pros and Cons of Port Reservation

• Pros
– No port number guessing -- works reliably
– Works even if NAT’s only on one side are upgraded
– Client code simpler
– Port reservation can be implemented as an ALG

• Cons
– Need to define and deploy a new protocol for implementing port reservation
– ALL the NATs on one side must be upgraded

Page 9

Summary

• Evaluated 3 possible solutions
– Two require no changes to NAT devices
– Port reservation will take time to adopt

• Deployment on client through an application proxy
– No need to change application software

• Recommendations:
– Port-restricted cone NAT’s are the way to go
– Allow (address and port restricted) incoming SYN’s
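As an added example that is not part of the slides, a toy Python model of the two NAT admission rules the deck relies on: the port-reservation check of Solution 3 (page 7), where an incoming SYN to a reserved port is forwarded only if its sequence number matches the auth info registered with the reservation, and the port-restricted cone rule of the recommendation above, where a packet is admitted only from the exact (address, port) the internal host already sent to. The class and method names, the shape of the reservation API, and all addresses and sequence numbers are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port) of the sender on the public side
    dst: tuple  # (ip, port) on the NAT's public side
    flags: str  # "SYN", "SYN/ACK" or "ACK"
    seq: int    # TCP sequence number of the segment
class PortRestrictedNat:
    """Toy port-restricted cone NAT with the hypothetical port-reservation
    extension of Solution 3 (a model of the behaviour, not a real NAT)."""
    def __init__(self, first_port=3210):
        self.owner = {}        # ext_port -> internal (ip, port)
        self.ext_port_of = {}  # internal (ip, port) -> ext_port
        self.permits = set()   # (ext_port, remote_ip, remote_port) allowed inbound
        self.reserved = {}     # ext_port -> seq the admitting incoming SYN must carry
        self.next_port = first_port

    def outbound(self, int_addr, remote):
        """Map int_addr and permit replies from this exact remote (ip, port) only."""
        ext_port = self.ext_port_of.get(int_addr)
        if ext_port is None:
            ext_port = self.ext_port_of[int_addr] = self.next_port
            self.owner[ext_port] = int_addr
            self.next_port += 1
        self.permits.add((ext_port,) + tuple(remote))
        return ext_port

    def reserve(self, int_addr, ext_port, expected_seq):
        """Solution 3: reserve ext_port for int_addr; the 'Auth info' is the
        sequence number the incoming SYN must carry to be admitted."""
        if self.owner.get(ext_port, int_addr) != int_addr:
            return False  # port already mapped to a different internal host
        self.owner[ext_port] = int_addr
        self.reserved[ext_port] = expected_seq
        return True

    def inbound(self, pkt):
        """Return the internal (ip, port) the segment is forwarded to, or None if dropped."""
        ext_port = pkt.dst[1]
        if ext_port not in self.owner:
            return None  # no mapping at all: unsolicited packet is dropped
        if (ext_port,) + tuple(pkt.src) in self.permits:
            return self.owner[ext_port]  # reply from a remote we already sent to
        if pkt.flags == "SYN" and self.reserved.get(ext_port) == pkt.seq:
            del self.reserved[ext_port]  # one-shot: a mismatching SYN does not consume it
            self.permits.add((ext_port,) + tuple(pkt.src))  # admit this peer only
            return self.owner[ext_port]
        return None
```

The model shows why the deck calls port reservation reliable: no port guessing is involved, and a SYN with the wrong sequence number is dropped without disturbing the reservation.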