NAT (NAPT/PAT), STUN, and ICE

Transcription

1 NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen bonds between the water molecules are shown as dashed lines. Lengths are in angstroms.'' (Hobbs, 1970, p. 69, reproduced from Hamilton et al., 1969). Ice II exists only at pressures greater than 2000 atmospheres.

2 NAT and NAPT/PAT NAT = Network Address Translation NAPT = Network Address and Port Translation, PAT=Port Address Translation Reserved & Publicly non-routable address space Class A: 10.x.x.x Class C: x.x Even smaller: x.x to x.x NAT 1:1 mapping between private & public ip addresses `

3 NAPT/PAT N:1 (private to public). Uses ports to provide further granularity for routing on the private side. Helps with the problem of ip address exhaust (IPV4). Many different flavors: Full Cone, Half Cone or Strict, Symmetric, etc. NAPT BREAKS PROTOCOLS THAT BURY THE IP ADDRESS INSIDE OF THE APPLICATION LAYER (e.g., all the VoIP Signaling Protocols: SIP, H323, MGCP as well as RTP). STUN (and other) client protocols (TURN, etc.) used to discover the private to public mappings, and to overcome the problem created by NAPT. Take a look at new STUN (RFC 5389) Note: traditional STUN doesn t work with symmetrical (or bi-directional) NAT, which is what most high class firewalls use. (I m not sure what s implemented in your voip clients would be interesting to know). I m told that TURN solves this, and perhaps has been incorporated into Session Border Controllers (server side) also can be used to fix the problems created by NAPT.

4 Full Cone: Very Popular on Broadband routers Each private IP:Port is mapped to a single public IP:Port on the public side of the router, regardless of destination IP address. Source: private Source: public Destination: public sip.google.com : :10668 ` For TCP connections, the mapping is typically session state-full (stays up until timeout or ended) For UDP connections, the pinhole is opened for a short time (seconds). Typically, the response from the destination must go BACK to the same ip:port as the source to get through. In the SIP world, registration by the client to the server is often used to keep the pinhole open to the destination sip server. What s a potential problem with this. sip.microsoft.com

5 Problem with full cone NAPT? The foreign ip address is never checked by the NAT router (since the same public IP:port is used to map to a given host - private IP:port for all foreign ip addresses). Bad guys can send scan the ports of a given public ip address and send malicious packets to hosts behind the NAPT. This problem is corrected using strict NAPT in which the router checks the foreign ip address before forwarding the packet to a host behind the NAPT.

6 Strict NAPT: Corrects Full Cone vulnerability For each private IP:Port and destination IP:Port there is a separate public IP:port on the public side of the NAPT router

7 Routing Tables Full Cone: For each host ip:port there is one public ip:port regardless of destination ip:port. Source private :5060 Source public :10566 Destination public : :5060 Strict (partial cone): For each host ip:port & destination ip address:port, there is one public ip:port. Source private : : : :5060 Source public : : : :12384 Destination public : : : :5060

8 STUN: Simple Traversal of UDP Networks USED to discover the public address:port mapping from the private side of the network. STUN client STUN server in the network, which echo s information back. Asks different questions (scans ip address and ports) to answer the question what type of NAT is running on your broadband router, and how to modify the private ip address and ports to make the protocol(s) work!

9 Example of a STUN Session

10 STUN Debug (continued)

11 STUN Decision Tree (see Wikipedia)