Recitation: UDP NAT Traversal
Winter Semester 2013, Dept. of Computer Science, Technion
UDP NAT Traversal problems
A sender on the internet can't pass a packet through a NAT to a destination host behind it. NAT middleboxes don't like UDP flows, because they don't know when the flow ends. Most firewalls block UDP flows by default.
VoIP Attempt 1
(diagram) packet: s=8.8.8.8, 80 -> d=221.10.5.8, 2745
Knowing the public IP may not be sufficient to successfully transmit with UDP. It must also have a corresponding entry in the NAT table.
VoIP Attempt 2
(diagram) packets: s=192.168.0.1, 2745 -> d=8.8.8.8, 80 (inside the NAT); s=221.10.5.8, 1340 -> d=8.8.8.8, 80 (after translation); s=8.8.8.8, 80 -> d=221.10.5.8, 2745 (reply)
An entry was created in the NAT by the packet first transmitted to the public IP host. But by the time the second host replied, the NAT had dropped the entry.
VoIP most common scenario
(diagram: Host A and Host B)
Neither host can establish a connection before creating a corresponding entry in its own NAT first. Even if such entries exist in both, each host may need to know the public port of the other before establishing a connection.
STUN
Uses a server in the public network with a known public IP address, usually discovered by a DNS request for a service record (SRV). The outbound Binding Request to the STUN server establishes NAT routing entries along the path. The STUN server learns the client's public IP address and returns this information to the client.
STUN cont
(diagram) STUN client 192.168.201.128; NAT 192.168.201.1 / 206.123.31.67; STUN server 64.251.14.14
1. STUN Binding Request, source 192.168.201.128:45897 (client to NAT)
2. STUN Binding Request, source 206.123.31.67:55123 (NAT to server, after translation)
3. STUN Binding Response, destination 206.123.31.67:55123, payload 206.123.31.67:55123 (server to NAT)
4. STUN Binding Response, destination 192.168.201.128:45897, payload 206.123.31.67:55123 (NAT to client)
NAT types
Full Cone: only IP address translation. Any external host can send a packet to the internal host.
Restricted Cone: an external host can send a packet to the internal host only if the internal host had previously sent a packet to the external host.
NAT types cont
Port Restricted Cone: like a Restricted Cone NAT, but the restriction includes port numbers.
Symmetric: each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port.
STUN discovery process
To find out whether the client is behind a NAT, the STUN protocol uses 3 tests. The tests also determine what type of NAT the client is behind. To perform the tests the client can set the following flags in the Binding Request:
"change IP": instructs the server to send the Binding Response from a different IP.
"change Port": instructs the server to send the Binding Response from a different port.
STUN discovery: Test I
In test I, the client sends a STUN Binding Request to a server without any flags. This causes the server to send the response back to the address and port that the request came from.
STUN discovery: Test II and Test III
In test II, the client sends a Binding Request with both the "change IP" and "change Port" flags set. In test III, the client sends a Binding Request with only the "change Port" flag set.
STUN algorithm
(flowchart; source: Wikipedia)
STUN limitations
STUN does not work with a Symmetric NAT. Client A can discover that it is behind a Symmetric NAT, and knows its own global IP and port from the STUN response. But the only hosts that can communicate with the client inside the NAT are those to which the client has sent outbound packets; the NAT drops packets from anyone else.
UDP hole punching
Hole punching is a technique that allows traffic to/from a host behind a firewall/NAT without the collaboration of the NAT itself.
UDP hole punching
Alice (with a private address) wants to call Bob. Alice talks to a public (STUN) server, so the server knows Alice's external address/port. Bob also talks to the public server, so the server knows about Bob too. The public server tells Alice about Bob and Bob about Alice.
UDP hole punching cont
Bob sends a datagram to Alice (creating a hole in his NAT). Alice does the same. The first datagram may be dropped (if it arrives before the hole was punched). From then on, datagrams may pass freely.
Does it always work?
What if one of the sides uses a symmetric NAT? What can we do in those cases?
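The four NAT types, the three STUN discovery tests and one round of hole punching, run over a small constructed NAT model; this is an added example, not code from the recitation. It assumes the server IP 64.251.14.14 from the diagram on port 3478 and an alternate address 64.251.14.15:3479 for the "change IP"/"change Port" flags; the model always places the client behind a NAT, so the open-internet branch of the flowchart is omitted, and the punching round uses only the mappings learned via the server, which is exactly why it fails when one side is symmetric.

```python
SERVER, ALT = ("64.251.14.14", 3478), ("64.251.14.15", 3479)  # constructed server and alternate address

class Nat:
    def __init__(self, kind, public_ip):  # kind: full, restricted, port_restricted, symmetric
        self.kind, self.public_ip, self.next_port, self.table = kind, public_ip, 40000, {}

    def outbound(self, internal, dst):
        """Internal host sends to dst; returns the public (ip, port) the packet leaves with."""
        key = (internal, dst) if self.kind == "symmetric" else internal  # symmetric: mapping per destination
        ext = next((e for e, (k, _) in self.table.items() if k == key), None)
        if ext is None:                                  # first packet creates the NAT entry
            ext, self.next_port = (self.public_ip, self.next_port), self.next_port + 1
            self.table[ext] = (key, set())
        self.table[ext][1].add(dst)                      # remember the peers we have sent to
        return ext

    def inbound(self, src, ext):
        """Packet from src arrives at public address ext; True if the NAT forwards it inside."""
        if ext not in self.table:
            return False                                 # no entry: dropped, as in VoIP attempt 1
        peers = self.table[ext][1]
        if self.kind == "full":
            return True
        if self.kind == "restricted":
            return any(p[0] == src[0] for p in peers)    # matching IP is enough
        return src in peers                              # port restricted / symmetric: exact ip:port

def stun_probe(nat, local, test, alt_server=False):
    """Tests I/II/III: the reply comes from a changed IP and/or port according to the flags."""
    dst = (ALT[0], SERVER[1]) if alt_server else SERVER
    ext = nat.outbound(local, dst)
    reply_from = (ALT[0] if test == 2 else dst[0], ALT[1] if test in (2, 3) else dst[1])
    return ext if nat.inbound(reply_from, ext) else None

def classify(nat, local):
    """The slide's STUN decision tree for a client that is known to be behind a NAT."""
    mapped = stun_probe(nat, local, 1)
    if mapped is None:
        return "UDP blocked"
    if stun_probe(nat, local, 2):
        return "Full Cone"
    if stun_probe(nat, local, 1, alt_server=True) != mapped:
        return "Symmetric"
    return "Restricted Cone" if stun_probe(nat, local, 3) else "Port Restricted Cone"

def hole_punch(nat_a, a, nat_b, b):
    """One round: both learn the other's server-side mapping, then send to it simultaneously."""
    ext_a, ext_b = nat_a.outbound(a, SERVER), nat_b.outbound(b, SERVER)
    punch_a, punch_b = nat_a.outbound(a, ext_b), nat_b.outbound(b, ext_a)  # each opens its own NAT
    return nat_b.inbound(punch_a, ext_b) and nat_a.inbound(punch_b, ext_a)
```

Run `classify` on a fresh `Nat` of each kind to see the tests reach the four leaves of the flowchart, and `hole_punch` on two port-restricted NATs versus a symmetric one to see the slide's question answered.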
TURN
TURN (Traversal Using Relays around NAT) is a fallback which can run over UDP and switch to TCP if all else fails. A public relay server is used to shuttle the data between the peers. Both clients begin their connections by sending an Allocate request to the same TURN server. Once the negotiation is complete, both peers communicate by sending their data to the TURN server, which then relays it to the other peer.
TURN example
(diagram: Client A - Relay Server - Client B)
The relay must have enough capacity to service all the data flows. As a result, TURN is best used as a last-resort fallback for cases where direct connectivity fails.
ICE
Interactive Connectivity Establishment (ICE) is a protocol, and a set of methods, that seeks to establish the most efficient tunnel between the participants: a direct connection where possible, leveraging STUN negotiation where needed, and finally falling back to TURN if all else fails.
ICE example
(diagram: Client A, Client B, STUN server A, STUN server B, Relay Server)