Network Address Translators (NATs) and NAT Traversal

Similar documents
Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

Network Address Translator Traversal Using Interactive Connectivity Establishment

IPV6 SIMPLE SECURITY CAPABILITIES.

[MS-ICE2]: Interactive Connectivity Establishment (ICE) Extensions 2.0

Network Address Translation

ICE / TURN / STUN Tutorial

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Peer-to-Peer Connectivity Using Firewall and Network Address Translator Traversal. R. Naber

BIG-IP CGNAT: Implementations. Version 13.0

ICE-Lite Support on CUBE

Internet Networking recitation #

On the Applicability of knowledge based NAT-Traversal for Home Networks

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

On the Applicability of Knowledge Based NAT-Traversal for Home Networks

NAT Tutorial. Dan Wing, IETF77, Anaheim March 21, 2010 V2.1

Network Configuration Example

Category: Informational M.I.T. D. Kegel kegel.com March State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)

Stateful Network Address Translation 64

BIG-IP CGNAT: Implementations. Version 12.1

Characterization and Measurement of TCP. TCP Traversal Through NATs. Firewalls

P2PSIP, ICE, and RTCWeb

An IP Network: Application s View. SIP & NATs / Firewalls. An IP Network: Router s View. Reminder: Internet Architecture

Chapter 15 IPv6 Transition Technologies

Lecture 10: TCP Friendliness, DCCP, NATs, and STUN

Lecture 12: TCP Friendliness, DCCP, NATs, and STUN

Internet Engineering Task Force (IETF) Request for Comments: 6146 Category: Standards Track. I. van Beijnum IMDEA Networks April 2011

ASA Access Control. Section 3

Desktop sharing with the Session Initiation Protocol

Internet Engineering Task Force (IETF) Request for Comments: 7604 Category: Informational. September 2015

Congestion Control. Lecture 12: TCP Friendliness, DCCP, NATs, and STUN. Chiu Jain Phase Plots. Fair A=B. Responding to Loss. Flow B rate (bps) t 1 t 3

Become a WebRTC School Qualified Integrator (WSQI ) supported by the Telecommunications Industry Association (TIA)

Technical White Paper for NAT Traversal

Anatomy. 1. NAT Motivation. 2. NAT Operation. - A Look Inside Network Address Translators. Geoff Huston August 2004

Expires: August 22, 2005 Microsoft R. Mahy Airspace February 21, 2005

M. Petit-Huguenin. Obsoletes: 5389 (if approved) Intended status: Standards Track Expires: September 6, D. Wing

Internet Engineering Task Force (IETF) Request for Comments: 6092 Category: Informational January 2011 ISSN:

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS32 Version 1.5) Peoplefone SIP Trunk service with External Router

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

Internet Engineering Task Force (IETF) Request for Comments: November 2010

History Page. Barracuda NextGen Firewall F

Customer Edge Switching & Realm Gateway Tutorial Session Day 2

Configuring Hosted NAT Traversal for Session Border Controller

From POTS to VoP2P: Step 1. P2P Voice Applications. Renato Lo Cigno

MySip.ch. SIP Network Address Translation (NAT) SIP Architecture with NAT Version 1.0 SIEMENS SCHWEIZ AKTIENGESELLSCHAFT

Real-Time Communications for the Web. Presentation of paper by:cullen Jennings,Ted Hardie,Magnus Westerlund

Request for Comments: 3989 Category: Informational T. Taylor Nortel February Middlebox Communications (MIDCOM) Protocol Semantics

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0

ICE: the ultimate way of beating NAT in SIP

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA)

Category: Standards Track June Mobile IPv6 Support for Dual Stack Hosts and Routers

Application Note Asterisk BE with Remote Phones - Configuration Guide

How to Configure a Remote Management Tunnel for an F-Series Firewall

Installation & Configuration Guide Version 1.6

IPv6 Transitioning. An overview of what s around. Marco Hogewoning Trainer, RIPE NCC

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS32 Version 1.5) VozTelecom SIP Trunk service with Built-in Router

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS824 Version 1.5) Netia SIP Trunk service with External Router

IPv6 Transition Mechanisms

In This Issue. From The Editor

Mobile Communications Mobility Support in Network Layer

Network Address Translation (NAT)

Network Address Translation. All you want to know about

IPv6 Transition Technologies (TechRef)

IRVINE: DHT-BASED NAT TRAVERSAL 1. DHT-based NAT Traversal

Application Note Asterisk BE with SIP Trunking - Configuration Guide

Mapping of Address and Port using Translation (MAP-T) E. Jordan Gottlieb Network Engineering and Architecture

Session Border Controller

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

Network Access Transla0on - NAT

Cisco CCIE Security Written.

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

CDCS: a New Case-Based Method for Transparent NAT Traversals of the SIP Protocol

APP NOTES TeamLink and Firewall Detect

Deploying and Troubleshooting Network Address Translation

Virtual Private Networks (VPNs)

ANTS - A Framework for Knowledge based NAT Traversal

TCP/IP Protocol Suite

TURN by name (00) for IETF 92, 2015 March Ben Schwartz Justin Uberti

ipv6 mobile home-agent (global configuration)

IPsec NAT Transparency

VG422R. User s Manual. Rev , 5

Internet Engineering Task Force (IETF) Request for Comments: 5780 Category: Experimental ISSN: May 2010

IPv4 addressing, NAT. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley.

TSIN02 - Internetworking

Network Interconnection

Dual-Stack lite. Alain Durand. May 28th, 2009

CUCM 10.5 / CUBE 9.5. BT SIP Trunk Configuration Guide. 1 BT SIP Trunk Configuration Guide

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS824 Version 1.5) LCR SIP Trunk service with Built-in Router

SXP Specification and Architecture. Implementation of SXP Protocol. on the OpenDaylight SDN Controller. Miloslav Radakovic. v.00

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

Configuring Static and Dynamic NAT Translation

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Network Security: IPsec. Tuomas Aura

Advanced Computer Networks. IP Mobility

Transcription:

Network Address Translators (NATs) and NAT Traversal Ari Keränen ari.keranen@ericsson.com Ericsson Research Finland, NomadicLab

Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN ICE Others NAT64 NATs and NAT Traversal 2011-10-13 Page 2

Internet Back in the Good Old Days NATs and NAT Traversal 2011-10-13 Page 3

Internet Today (in practice) NAT IDS/proxy/ Firewall NATs and NAT Traversal 2011-10-13 Page 4

Origin of NATs Created to resolve the IPv4 address exhaustion problem Designed with the web in mind Client/server paradigm 10.0.0.3 S: 10.0.0.2 D: 192.0.2.5 LAN S: 192.0.2.5 D: 10.0.0.2 NAT S: 192.0.2.1 D: 192.0.2.5 Internet S: 192.0.2.5 D: 192.0.2.1 10.0.0.1 192.0.2.1 192.0.2.5 Server 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 5

Different Kind of NATs Basic Network Address Translator Translates just the IP address in the packets Requires multiple addresses from the NAT One for each host concurrently communicating with the outside networks Very uncommon today Network Address and Port Translator (NAPT) Uses also transport layer (TCP/UDP) ports for multiplexing connections Most of the current NATs are of this type NAT64 More about this later NATs and NAT Traversal 2011-10-13 Page 6

Side-effects of NATs Hosts behind NATs are not reachable from the public Internet Sometimes used to implement security Breaks peer-to-peer (as opposed to client/server) applications NATs attempt to be transparent Troubleshooting becomes more difficult NATs have state single point of failure NATs may try to change addresses also in the payload (and possibly break application layer protocols) NATs behavior is not deterministic Difficult to build applications that work through NATs NATs and NAT Traversal 2011-10-13 Page 7

Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN ICE Others NAT64 NATs and NAT Traversal 2011-10-13 Page 8

IETF NAT Behavior Recommendations Two RFCs describing how NATs should behave RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP RFC 5382: NAT Behavioral Requirements for TCP Classification of current NAT behaviors Existing terminology was confusing Full cone, restricted cone, port restricted cone, and symmetric Recommendations for NAT vendors BEHAVE-compliant NATs are deterministic Lots of NATs implemented before the recommendations Various kind of behavior found in the wild Not all new NATs comply even today NATs and NAT Traversal 2011-10-13 Page 9

Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN ICE Others NAT64 NATs and NAT Traversal 2011-10-13 Page 10

Mapping Behavior For session originated on the same address and port Endpoint independent: same mapping to different sessions MUST use it Address dependent: same mapping to sessions to the same host Address and port dependent: a mapping only applies to one session 192.0.2.6 Endpoint Independent S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 S: 192.0.2.1 : 25000 D: 192.0.2.5 : 80 10.0.0.1 192.0.2.1 S: 10.0.0.2 : 20000 D: 192.0.2.5 : 80 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 11 192.0.2.5

Mapping Behavior For session originated on the same address and port Endpoint independent: same mapping to different sessions MUST use it Address dependent: same mapping to sessions to the same host Address and port dependent: a mapping only applies to one session 192.0.2.6 Address Dependent S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 S: 192.0.2.1 : 27000 D: 192.0.2.5 : 80 10.0.0.1 192.0.2.1 S: 10.0.0.2 : 20000 D: 192.0.2.5 : 80 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 12 192.0.2.5

Mapping Behavior For session originated on the same address and port Endpoint independent: same mapping to different sessions MUST use it Address dependent: same mapping to sessions to the same host Address and port dependent: a mapping only applies to one session 192.0.2.6 Address Dependent S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 S: 192.0.2.1 : 25000 D: 192.0.2.6 : 8080 10.0.0.1 192.0.2.1 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 8080 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 13 192.0.2.5

Mapping Behavior For session originated on the same address and port Endpoint independent: same mapping to different sessions MUST use it Address dependent: same mapping to sessions to the same host Address and port dependent: a mapping only applies to one session 192.0.2.6 Address and Port Dependent S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 S: 192.0.2.1 : 27000 D: 192.0.2.6 : 8080 10.0.0.1 192.0.2.1 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 8080 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 14 192.0.2.5

IP Address Pooling Behavior NATs with a pool of external IP addresses Arbitrary: an endpoint may have simultaneous mappings corresponding to different external IP addresses of the NAT Paired: same external IP address of the NAT RECOMMENDED 192.0.2.6 Arbitrary S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 S: 192.0.2.2 : 27000 D: 192.0.2.6 : 8080 10.0.0.1 192.0.2.1 S: 10.0.0.2 : 23000 192.0.2.2 D: 192.0.2.6 : 8080 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 15 192.0.2.5

IP Address Pooling Behavior NATs with a pool of external IP addresses Arbitrary: an endpoint may have simultaneous mappings corresponding to different external IP addresses of the NAT Paired: same external IP address of the NAT RECOMMENDED 192.0.2.6 Paired S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 S: 192.0.2.1 : 27000 D: 192.0.2.6 : 8080 10.0.0.1 192.0.2.1 S: 10.0.0.2 : 23000 192.0.2.2 D: 192.0.2.6 : 8080 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 16 192.0.2.5

Port Assignment Port preservation: preserves the port as long as there are available IP addresses in the NAT s pool Port overloading: the port is preserved always, even without available IP addresses in the NAT s pool The NAT relays on the source of the response 10.0.0.3 S: 10.0.0.3 : 20000 D: 192.0.2.6 : 80 Port Preservation S: 192.0.2.1 : 20000 D: 192.0.2.6 : 80 192.0.2.6 S: 10.0.0.2 : 20000 D: 192.0.2.5 : 80 10.0.0.1 192.0.2.1 192.0.2.2 S: 192.0.2.2 : 20000 D: 192.0.2.5 : 80 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 17 192.0.2.5

Port Assignment Port preservation: preserves the port as long as there are available IP addresses in the NAT s pool Port overloading: the port is preserved always, even without available IP addresses in the NAT s pool The NAT relays on the source of the response 10.0.0.3 S: 10.0.0.3 : 20000 D: 192.0.2.6 : 80 No Port Preservation S: 192.0.2.1 : 20000 D: 192.0.2.6 : 80 192.0.2.6 S: 10.0.0.2 : 20000 D: 192.0.2.5 : 80 10.0.0.1 192.0.2.1 192.0.2.2 S: 192.0.2.1 : 25000 D: 192.0.2.5 : 80 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 18 192.0.2.5

Port Assignment Port preservation: preserves the port as long as there are available IP addresses in the NAT s pool Port overloading: the port is preserved always, even without available IP addresses in the NAT s pool The NAT relays on the source of the response 10.0.0.3 S: 10.0.0.3 : 20000 D: 192.0.2.6 : 80 Port Overloading S: 192.0.2.1 : 20000 D: 192.0.2.6 : 80 192.0.2.6 S: 10.0.0.2 : 20000 D: 192.0.2.5 : 80 10.0.0.1 192.0.2.1 S: 192.0.2.1 : 20000 D: 192.0.2.5 : 80 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 19 192.0.2.5

Port Assignment Port preservation: preserves the port as long as there are available IP addresses in the NAT s pool Port overloading: the port is preserved always, even without available IP addresses in the NAT s pool The NAT relays on the source of the response 10.0.0.3 S: 192.0.2.6 : 80 D: 10.0.3 : 20000 Port Overloading S: 192.0.2.6 : 80 D: 192.0.2.1 : 20000 192.0.2.6 S: 192.0.2.5 : 80 D: 10.0.2 : 20000 10.0.0.1 192.0.2.1 S: 192.0.2.5 : 80 D: 192.0.2.1 : 20000 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 20 192.0.2.5

Port Ranges 1-1023 Well known 1024 49151 Registered 49152 65535 Dynamic / Private RECOMMENDED to preserve the following ranges 1 1023 1024 65535 Port overloading MUST NOT be used Problems when two internal hosts connect to the same external host It is RECOMMENDED that NATs preserve port parity (even/odd) No requirement for port contiguity NATs and NAT Traversal 2011-10-13 Page 21

Mapping Timeout NAT mappings need to be eventually discarded in order to re-use NAT s public address-port pairs Usually idle connections result in mapping timeout NAT UDP mapping MUST NOT expire in less than 2 minutes NATs can have application-specific timers Well-known ports It is RECOMMENDED to use more than 5 minutes However, ~100 seconds is common and even shorter than 30 second timeouts have been seen in practice NATs and NAT Traversal 2011-10-13 Page 22

Mapping Refresh NAT outbound refresh: packets from the internal to the external interface MUST be used NAT inbound refresh: packets from the external to the internal interface (attackers may keep the mapping from expiring) MAY be used 10.0.0.3 S: 10.0.0.3 : 20000 D: 192.0.2.6 : 80 Outbound refresh S: 192.0.2.1 : 20000 D: 192.0.2.6 : 80 192.0.2.6 S: 10.0.0.2 : 20000 D: 192.0.2.5 : 80 10.0.0.1 192.0.2.1 S: 192.0.2.2 : 20000 D: 192.0.2.5 : 80 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 23 Mappings refreshed 192.0.2.5

Mapping Refresh NAT outbound refresh: packets from the internal to the external interface MUST be used NAT inbound refresh: packets from the external to the internal interface (attackers may keep the mapping from expiring) MAY be used 10.0.0.3 S: 192.0.2.6 : 80 D: 10.0.3 : 20000 Inbound refresh S: 192.0.2.6 : 80 D: 192.0.2.1 : 20000 192.0.2.6 S: 192.0.2.5 : 80 D: 10.0.2 : 20000 10.0.0.1 192.0.2.1 D: 192.0.2.5 : 80 S: 192.0.2.1 : 20000 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 24 Mappings refreshed 192.0.2.5

External Address Spaces NATs MUST be able to handle external address spaces that overlap with the internal address space Internal nodes cannot communicate directly with external nodes that have the same address as another internal node However, they can use STUN techniques WLAN + NAT WLAN 10.0.0.1 10.0.0.3 ADSL + NAT 10.0.0.2 LAN 10.0.0.2 10.0.0.1 192.0.2.1 NATs and NAT Traversal 2011-10-13 Page 25

Filtering Behavior Endpoint independent: any packets allowed back Address dependent: external hosts can return packets Address and port dependent Packets sent to an address + port incoming packets allowed only from that address + port 192.0.2.6 Endpoint Independent S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 10.0.0.1 192.0.2.1 S: 192.0.2.5 : 80 D: 10.0.0.2 : 20000 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 26 S: 192.0.2.5 : 80 D: 192.0.2.1 : 25000 192.0.2.5

Filtering Behavior Endpoint independent: any packets allowed back Address dependent: external hosts can return packets Address and port dependent Packets sent to an address + port incoming packets allowed only from that address + port 192.0.2.6 Address Dependent S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 S: 192.0.2.5 : 80 D: 192.0.2.1 : 25000 10.0.0.1 192.0.2.1 Packet Dropped 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 27 192.0.2.5

Filtering Behavior Endpoint independent: any packets allowed back Address dependent: external hosts can return packets Address and port dependent Packets sent to an address + port incoming packets allowed only from that address + port 192.0.2.6 Address Dependent S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 S: 192.0.2.6 : 8080 D: 192.0.2.1 : 25000 10.0.0.1 192.0.2.1 S: 192.0.2.6 : 8080 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 28 D: 10.0.0.2 : 20000 192.0.2.5

Filtering Behavior Endpoint independent: any packets allowed back Address dependent: external hosts can return packets Address and port dependent Packets sent to an address + port incoming packets allowed only from that address + port 192.0.2.6 Address and Port Dependent S: 192.0.2.1 : 25000 D: 192.0.2.6 : 80 S: 10.0.0.2 : 20000 D: 192.0.2.6 : 80 S: 192.0.2.6 : 8080 D: 192.0.2.1 : 25000 10.0.0.1 192.0.2.1 Packet Dropped 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 29 192.0.2.5

Filtering Behavior Endpoint independent filtering is RECOMMENDED Opens up ports for attackers If a more stringent filtering is required Address dependent filtering is RECOMMENDED NATs and NAT Traversal 2011-10-13 Page 30

Hairpinning Internal hosts communicate using external addresses MUST be supported 10.0.0.3 S: 10.0.0.3 : 20000 D: 192.0.2.1 : 25000 S: 192.0.2.1 : 23000 D: 10.0.0.2 : 20000 10.0.0.1 192.0.2.1 192.0.2.1 : 25000 S: 10.0.0.2: 20000 10.0.0.2 NATs and NAT Traversal 2011-10-13 Page 31

Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN ICE Others NAT64 NATs and NAT Traversal 2011-10-13 Page 32

TCP Connection Establishment Three-way handshake MUST be supported Simultaneous open MUST be supported Three-way Handshake SYN SYN ACK ACK SYN SYN ACK ACK NATs and NAT Traversal 2011-10-13 Page 33

TCP Connection Establishment Three-way handshake MUST be supported Simultaneous open MUST be supported Simultaneous Open SYN SYN SYN SYN SYN ACK SYN ACK SYN ACK SYN ACK NATs and NAT Traversal 2011-10-13 Page 34

NAT TCP Session Timeout Established connections MUST NOT be less than 2 hours and 4 minutes By default TCP keepalives are sent every 2 hours Partially opened or partially closed connections MUST NOT be less than 4 minutes TIME_WAIT timeout not specified NATs and NAT Traversal 2011-10-13 Page 35

Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN ICE Others NAT64 NATs and NAT Traversal 2011-10-13 Page 36

STUN Session Traversal Utilities for NAT (RFC 5389) Originally a protocol between endpoints and reflectors Revised specification defines usages Binding discovery using STUN servers NAT keepalives Authentication (short-term password and long term credentials) TLV encoded Can run on UDP, TCP, or TLS/TCP STUN server discovered using DNS SRV Transactions Request/response Indications (not delivered reliably) Can be multiplexed with other protocols Two first bits are zeros Magic cookie FIGERPRINT attribute NATs and NAT Traversal 2011-10-13 Page 37

Binding Discovery STUN Binding Request S: 10.0.0.2 : 20000 D: 192.0.2.6 : 3478 STUN Binding Request S: 192.0.2.1 : 25000 D: 192.0.2.6 : 3478 10.0.0.2 STUN Binding Response S: 192.0.2.6 : 3478 D: 10.0.0.2 : 20000 M: 192.0.2.1 : 25000 10.0.0.1 192.0.2.1 STUN Binding Response S: 192.0.2.6 : 3478 D: 192.0.2.1 : 25000 M: 192.0.2.1 : 25000 192.0.2.6 M: STUN (XOR-)MAPPED-ADDRES TLV NATs and NAT Traversal 2011-10-13 Page 38

XOR-MAPPED-ADDRESS Some NATs inspect packets and translate IP addresses known to them Try to be smart and fix the application layer protocol The mapped address is obfuscated in the response so that NAT does not recognize it Simple XOR operation NATs and NAT Traversal 2011-10-13 Page 39

Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN ICE Others NAT64 NATs and NAT Traversal 2011-10-13 Page 40

TURN Traversal Using Relays around NAT: Relay Extensions to Session Traversal Utilities for NAT (RFC 5766) Allocate request / response Allocate an external relayed address at the relay Responses carry the mapped and the relayed address Send and Data indication STUN messages containing relayed data Send data to a remote endpoint through the relay Data received from remote endpoints through the relay Channels Send and receive relayed data with minimalistic (32-bit) header Permissions NATs and NAT Traversal 2011-10-13 Page 41

Relay Operations TURN Allocate Request S: 10.0.0.2 : 20000 D: 192.0.2.6 : 3478 R: 192.0.2.6 : 30000 TURN Allocate Request S: 192.0.2.1 : 25000 D: 192.0.2.6 : 3478 10.0.0.2 TURN Allocate Response S: 192.0.2.6 : 3478 D: 10.0.0.2 : 20000 M: 192.0.2.1 : 25000 R: 192.0.2.6 : 30000 10.0.0.1 192.0.2.1 TURN Allocate Response S: 192.0.2.6 : 3478 D: 192.0.2.1 : 25000 M: 192.0.2.1 : 25000 192.0.2.6 NATs and NAT Traversal 2011-10-13 Page 42 192.0.2.4 192.0.2.5

Relay Operations R: 192.0.2.6 : 30000 Packet Dropped 10.0.0.2 10.0.0.1 192.0.2.1 192.0.2.6 The client needs to set a permission in the relay in order to receive data through it Equivalent to a NAT with: Address dependent filtering policy Endpoint independent mapping S: 192.0.2.4 : 27000 D: 192.0.2.6 : 30000 NATs and NAT Traversal 2011-10-13 Page 43 192.0.2.4 192.0.2.5

Relay Operations R: 192.0.2.6 : 30000 Packet Dropped 10.0.0.2 10.0.0.1 192.0.2.1 192.0.2.6 The client needs to set a permission in the relay in order to receive data through it Equivalent to a NAT with: Address dependent filtering policy Endpoint independent mapping S: 192.0.2.5 : 27000 D: 192.0.2.6 : 30000 192.0.2.4 192.0.2.5 NATs and NAT Traversal 2011-10-13 Page 44

Relay Operations CreatePermission XOR-PEER-ADDRESS 192.0.2.4 CreatePermission resp. DataIndication XOR-PEER-ADDRESS 192.0.2.4 CreatePermission XOR-PEER-ADDRESS 192.0.2.4 CreatePermission resp. DataIndication XOR-PEER-ADDRESS 192.0.2.4 R: 192.0.2.6 : 30000 10.0.0.2 10.0.0.1 192.0.2.1 192.0.2.6 The client needs to set a permission in the relay in order to receive data through it Equivalent to a NAT with: Address dependent filtering policy Endpoint independent mapping S: 192.0.2.6 :30000 D: 192.0.2.4 192.0.2.4 192.0.2.5 NATs and NAT Traversal 2011-10-13 Page 45

Relay Operations Data Indication XOR-PEER-ADDRESS 192.0.2.4 Data Indication XOR-PEER-ADDRESS 192.0.2.4 R: 192.0.2.6 : 30000 10.0.0.2 10.0.0.1 192.0.2.1 192.0.2.6 The client needs to set a permission in the relay in order to receive data through it Equivalent to a NAT with: Address dependent filtering policy Endpoint independent mapping S: 192.0.2.4 D: 192.0.2.6 : 30000 192.0.2.4 192.0.2.5 NATs and NAT Traversal 2011-10-13 Page 46

Relay Operations R: 192.0.2.6 : 30000 Packet Dropped 10.0.0.2 10.0.0.1 192.0.2.1 192.0.2.6 The client needs to set a permission in the relay in order to receive data through it Equivalent to a NAT with: Address dependent filtering policy Endpoint independent mapping S: 192.0.2.5 : 27000 D: 192.0.2.6 : 30000 192.0.2.4 192.0.2.5 NATs and NAT Traversal 2011-10-13 Page 47

Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN ICE Others NAT64 NATs and NAT Traversal 2011-10-13 Page 48

ICE Interactive Connectivity Establishment : A Protocol for Network Address Translator Traversal for Offer/Answer Protocols (RFC 5245) Uses and extends STUN and TURN protocols Overall procedure: Endpoints gather all the addresses they can Using e.g. STUN and/or TURN Addresses (candidates) are exchanged with the peer Connectivity checks are run between the candidates The highest priority candidate pair that works is selected for use NATs and NAT Traversal 2011-10-13 Page 49

Gathering Addresses Address types Host candidates Server-reflexive candidates Relayed candidates Peer-reflexive candidates Duplicated addresses are removed Foundation: used to freeze addresses (related to connectivity checks) Same type Bases with the same IP address Same STUN server NATs and NAT Traversal 2011-10-13 Page 50

Prioritizing Addresses Priority = 2 24 (type preference) + 2 8 (local preference) + 2 (256 component ID) Type preference [0-126]: preference for the type of candidate (e.g., server reflexive) Local preference [0-65535]: preference for the interface the candidate was obtained from (e.g., multihomed hosts) Component ID [1-256]: for media with multiple components (e.g., RTP and RTCP) NATs and NAT Traversal 2011-10-13 Page 51

Connectivity Checks Five states for a pair: Waiting, in progress, succeeded, failed, frozen Periodic checks and triggered checks Periodic checks performed in priority order Incoming check may cause a triggered check Connectivity is checked with STUN Binding Requests Carry a concatenation of user names and the remote password NATs and NAT Traversal 2011-10-13 Page 52

ICE Roles Controlling agent Agent that generates the initial offer Selects which pair to eventually use Implementation specific stopping criteria USE-CANDIDATE attribute Controlled agent Generates checks and responds to them like the controlling agent Waits for the controlling agent to decide which candidate to use ICE lite agents Know they are not behind a NAT e.g., PSTN gateways, conferencing servers Always in controlled role Just respond to checks NATs and NAT Traversal 2011-10-13 Page 53

ICE Example (1) One endpoint is behind a NAT One endpoint has a public IP address Endpoints use TURN servers NATs and NAT Traversal 2011-10-13 Page 54

192.0.2.2 192.0.2.22 192.0.2.1 Allocate Request Allocate Response M: 192.0.2.1 : 25000 R: 192.0.2.2 : 30000 10.0.0.1 Allocate Request Allocate Response M: 192.0.2.1 : 25000 R: 192.0.2.2 : 30000 A 10.0.0.2 192.0.2.23 NATs and NAT Traversal 2011-10-13 Page 55 B

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 192.0.2.1 10.0.0.1 Allocate Response M: 192.0.2.1 : 25000 R: 192.0.2.2 : 30000 INVITE (offer) 10.0.0.2 192.0.2.23 NATs and NAT Traversal 2011-10-13 Page 56

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 192.0.2.1 Allocate Request Allocate Response M: 192.0.2.23 : 35000 R: 192.0.2.22 : 45000 10.0.0.1 10.0.0.2 192.0.2.23 NATs and NAT Traversal 2011-10-13 Page 57

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 192.0.2.23 : 35000 Server Relayed: reflexive: 192.0.2.23 192.0.2.22 : 35000 45000 Relayed: 192.0.2.22 : 45000 192.0.2.1 Allocate Response M: 192.0.2.23 : 35000 R: 192.0.2.22 : 45000 10.0.0.1 200 OK (answer) 10.0.0.2 192.0.2.23 NATs and NAT Traversal 2011-10-13 Page 58 ACK

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 192.0.2.23 : 35000 Relayed: 192.0.2.22 : 45000 192.0.2.1 Binding 10.0.0.1 Binding Request Binding Response M: 192.0.2.1 : 25000 Request Binding Response M: 192.0.2.1 : 25000 10.0.0.2 192.0.2.23 NATs and NAT Traversal 2011-10-13 Page 59

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 192.0.2.23 : 35000 Relayed: 192.0.2.22 : 45000 192.0.2.1 Binding 10.0.0.1 Binding Request Binding Response M: 192.0.2.23 : 35000 Request Binding Response M: 192.0.2.23 : 35000 10.0.0.2 192.0.2.23 NATs and NAT Traversal 2011-10-13 Page 60

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 192.0.2.23 : 35000 Relayed: 192.0.2.22 : 45000 192.0.2.1 10.0.0.1 Binding Request Binding Response M: 192.0.2.23 : 35000 Binding Request USE-CANDIDATE Binding Response M: 192.0.2.23 : 35000 10.0.0.2 192.0.2.23 NATs and NAT Traversal 2011-10-13 Page 61

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 192.0.2.23 : 35000 Relayed: 192.0.2.22 : 45000 192.0.2.1 10.0.0.1 INVITE (offer) 200 OK (answer) ACK 10.0.0.2 192.0.2.23 NATs and NAT Traversal 2011-10-13 Page 62

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 192.0.2.23 : 35000 Relayed: 192.0.2.22 : 45000 192.0.2.1 10.0.0.1 data 10.0.0.2 192.0.2.23 NATs and NAT Traversal 2011-10-13 Page 63

ICE Example (2) Both endpoint are behind NATs Endpoints use TURN servers NATs and NAT Traversal 2011-10-13 Page 64

192.0.2.2 192.0.2.22 192.0.2.1 Allocate Request 192.0.2.21 10.0.0.1 Allocate Request Allocate Response M: 192.0.2.1 : 25000 R: 192.0.2.2 : 30000 Allocate Response M: 192.0.2.1 : 25000 R: 192.0.2.2 : 30000 Host A gathers candidates 10.0.1.1 A 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 65 B

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 192.0.2.1 192.0.2.21 10.0.0.1 Allocate Response M: 192.0.2.1 : 25000 R: 192.0.2.2 : 30000 and forms a candidate list that is sent to host B 10.0.1.1 INVITE (offer) 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 66

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Allocate 192.0.2.1 Allocate Response Request 192.0.2.21 M: 192.0.2.21 : 25000 R: 192.0.2.22 : 30000 10.0.0.1 Host B gathers candidates Allocate Response M: 192.0.2.21 : 25000 R: 192.0.2.22 : 30000 10.0.1.1 Allocate Request 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 67

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 10.0.1.2 : 20000 Server reflexive: 192.0.2.21 : 25000 Relayed: 192.0.2.22 : 30000 192.0.2.1 192.0.2.21 10.0.0.1 and sends them to host A Allocate Response M: 192.0.2.21 : 25000 10.0.1.1 R: 192.0.2.22 : 30000 200 OK (answer) 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 68 ACK

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 10.0.1.2 : 20000 Server reflexive: 192.0.2.21 : 25000 Relayed: 192.0.2.22 : 30000 192.0.2.1 192.0.2.21 10.0.0.1 Connectivity checks sent to host candidates fail due to hosts being in different subnets 10.0.1.1 Binding Request Binding Request 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 69 Packets Dropped

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 10.0.1.2 : 20000 Server reflexive: 192.0.2.21 : 25000 Relayed: 192.0.2.22 : 30000 192.0.2.1 Binding Request 192.0.2.21 Packet Dropped 10.0.0.1 Binding Request B s NAT implements address dependent filtering 10.0.1.1 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 70

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 10.0.1.2 : 20000 Server reflexive: 192.0.2.21 : 25000 Relayed: 192.0.2.22 : 30000 192.0.2.1 Binding Request 192.0.2.21 Binding Response 10.0.0.1 10.0.1.1 Binding Binding Response Binding Resp. Request Also A s NAT implements address dependent filtering, but has now a binding for B s mapped address (due to the earlier connectivity check) Request 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 72

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 10.0.1.2 : 20000 Server reflexive: 192.0.2.21 : 25000 Relayed: 192.0.2.22 : 30000 192.0.2.1 Binding Response 192.0.2.21 Binding Request 10.0.0.1 10.0.1.1 Binding Binding Request Binding Req. Resp. A performs a triggered check which now succeeds (there is a binding in B s NAT too) Resp. 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 73

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.1 Binding Request 192.0.2.2 192.0.2.22 Binding Response Send Indication Host candidate: 10.0.1.2 : 20000 Server reflexive: 192.0.2.21 : 25000 Relayed: 192.0.2.22 : 30000 Data Indication 192.0.2.21 10.0.0.1 Binding Request Binding Response Send Indication 10.0.1.1 Data Indication Further checks may be done until stopping criteria is met 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 74

Host candidate: 10.0.0.2 : 20000 Server reflexive: 192.0.2.1 : 25000 Relayed: 192.0.2.2 : 30000 192.0.2.2 192.0.2.22 Host candidate: 10.0.1.2 : 20000 Server reflexive: 192.0.2.21 : 25000 Relayed: 192.0.2.22 : 30000 192.0.2.1 Binding Response 192.0.2.21 10.0.0.1 Binding Resp. Binding Request USE-CANDIDATE 10.0.0.2 10.0.1.2 NATs and NAT Traversal 2011-10-13 Page 75 Binding Request USE-CANDIDATE Finally, controlling agent nominates the highest priority pair for use (and data can be sent and received using the server reflexive candidates) Binding Resp. 10.0.1.1 Req.

Other NAT Traversal Methods Middle box communications Signaling with NATs to create proper state in them UPnP, PCP, SOCKS, MIDCOM, etc. UDP/TCP hole punching Number of variations for creating NAT bindings by sending packets to different addresses One of the techniques used by ICE Transparently for applications Teredo (own variant of UDP hole punching and IPv6 over UDP) Host Identity Protocol (uses ICE and UDP encapsulation) NATs and NAT Traversal 2011-10-13 Page 76

Comparing NAT Traversal Mechanisms ICE HIP Very effective for UDP TCP more problematic (see draft-ietf-mmusic-ice-tcp) Uses ICE for creating a UDP tunnel through which any (IP) protocol can be run As effective as ICE but for any protocol Teredo Similar UDP tunnel as with HIP First version (RFC 4380) had fairly limited success With extensions (RFC 6081) supports more NAT types; but still lower success probability than with ICE NATs and NAT Traversal 2011-10-13 Page 77

NAT64 and DNS64 A client in IPv6-only network may need to communicate with a server in the IPv4-Internet NAT64 (RFC 6146) translates packets between IPv6 and IPv4 DNS64 generates IPv6 addresses for servers that do not have one Uses specific IPv6-prefix for routing traffic via the NAT64 Problems with hosts without a DNS entry NATs and NAT Traversal 2011-10-13 Page 78

DNS64 DNS64 DNS response: 64:FF9B::192.0.2.5 DNS query: www.aalto.fi www.aalto.fi IPv6 LAN IPv4 Internet 2001:DB8::1 NAT64 64:FF9B::/96 192.0.2.1 192.0.2.5 NATs and NAT Traversal 2011-10-13 Page 79

NAT64 DNS64 www.aalto.fi 2001:DB8::1 S: 2001:DB8::1 D: 64:FF9B::192.0.2.5 IPv6 LAN S: 64:FF9B::192.0.2.5 D: 2001:DB8::1 NAT64 64:FF9B::/96 192.0.2.1 S: 192.0.2.1 D: 192.0.2.5 IPv4 Internet S: 192.0.2.5 D: 192.0.2.1 192.0.2.5 NATs and NAT Traversal 2011-10-13 Page 80

Summary NA(P)Ts originally invented to save IPv4 addresses Can serve a whole subnet with a single IP address Works (fairly well) for client-server, but breaks P2P connectivity NATs have different (and often un-deterministic) behavior Endpoint-(in)dependent mapping and/or filtering IP address and port assignment, timeouts, etc. NAT traversal developed to fix connectivity STUN and TURN for server-reflexive and relayed addresses ICE uses STUN and TURN for gathering candidates and running connectivity checks between them; tries various possible combinations and selects the best NAT64 provides IPv4 connectivity when network only provides IPv6 NATs and NAT Traversal 2011-10-13 Page 81

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback