Internet Networking recitation #


UDP NAT Traversal. Internet Networking recitation, Winter Semester 2013, Dept. of Computer Science, Technion

UDP NAT Traversal problems
A sender on the public Internet cannot push a packet through a NAT to an internal host unless the NAT already holds a mapping for that public port. NAT middleboxes handle UDP flows badly because UDP has no connection setup or teardown: the NAT cannot tell when a flow ends, so it keeps mappings on an idle timer and expires them. Most firewalls block unsolicited inbound UDP by default.

VoIP Attempt 1
The public host sends straight at the NAT's public address: s=8.8.8.8:80, d=221.10.5.8:2745. Knowing the peer's public IP is not sufficient to reach it over UDP. The NAT also needs a corresponding entry in its translation table for that public port; with none, the inbound packet is dropped.

VoIP Attempt 2
1. The internal host sends out: s=192.168.0.1:2745, d=8.8.8.8:80.
2. The NAT rewrites the source: s=221.10.5.8:1340, d=8.8.8.8:80, and records the mapping 192.168.0.1:2745 <-> 221.10.5.8:1340.
3. The public host replies: s=8.8.8.8:80, d=221.10.5.8:2745.
An entry was created in the NAT by the packet first transmitted to the public host, but by the time the public host replied the NAT had dropped the entry (UDP mappings expire after an idle timeout). Note also that the reply is addressed to port 2745, the internal host's own port, rather than to the NAT-assigned port 1340; a reply that does not target the mapped public port does not match the entry even while it exists.

VoIP most common scenario
Host A and Host B are both behind NATs. Neither host can receive a connection before an entry has been created in its own NAT. Even when such entries exist on both sides, each host still needs to learn the public IP and port the other's NAT assigned before it can send to it.

STUN
STUN uses a server on the public network with a known public IP address, usually discovered through a DNS SRV record lookup. The client's outbound Binding Request to the STUN server creates a mapping in every NAT along the path. The STUN server sees the request arrive from the client's public (translated) IP address and port, and returns this reflexive address to the client in the Binding Response.

STUN example
STUN client 192.168.201.128, NAT (internal 192.168.201.1, public 206.123.31.67), STUN server 64.251.14.14.
1. The client sends a STUN Binding Request; source 192.168.201.128:45897.
2. The NAT rewrites the source to 206.123.31.67:55123 and forwards the request to the server.
3. The server answers with a STUN Binding Response to destination 206.123.31.67:55123; the payload carries the address it saw the request arrive from, 206.123.31.67:55123.
4. The NAT translates the response back to destination 192.168.201.128:45897; the payload still reads 206.123.31.67:55123, which is how the client learns its public mapping.
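The exchange above, as an added example that is not part of the recitation: it encodes a STUN Binding Request and decodes the reflexive address from the Binding Response using the RFC 5389 wire format (magic cookie, XOR-MAPPED-ADDRESS). The NAT rewrite is simulated in memory rather than sent on the wire; the addresses are the ones from the diagram.

```python
"""Added example (not from the recitation): encode a STUN Binding Request and
decode the XOR-MAPPED-ADDRESS in the Binding Response, per RFC 5389.
The addresses are those of the recitation diagram; the NAT rewrite is simulated."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """20-byte header and no attributes: type, length, magic cookie, 96-bit
    transaction id. The top two bits of the type are zero, which is how a
    receiver tells STUN apart from RTP multiplexed on the same port."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def xor_mapped_address(ip, port):
    """XOR-MAPPED-ADDRESS for IPv4: family 0x01, port XORed with the top 16 bits
    of the cookie, address XORed with the cookie. The XOR exists so that a NAT
    ALG rewriting literal IP addresses in payloads cannot corrupt the value."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, x_port, x_addr)
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(request, seen_from):
    """Server side: echo the transaction id, success class, and report the
    source address the request arrived from (the client's public mapping)."""
    mtype, _, cookie, txid = struct.unpack("!HHI12s", request[:20])
    if mtype != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Request")
    attrs = xor_mapped_address(*seen_from)
    return struct.pack("!HHI12s", BINDING_RESPONSE, len(attrs), MAGIC_COOKIE, txid) + attrs


def parse_reflexive_address(response, expected_txid):
    """Client side: check header and cookie, match the transaction id (this is
    what stops an off-path spoofer from injecting a bogus mapped address),
    walk the attributes and un-XOR the mapped address."""
    mtype, length, cookie, txid = struct.unpack("!HHI12s", response[:20])
    if mtype != BINDING_RESPONSE or cookie != MAGIC_COOKIE or txid != expected_txid:
        raise ValueError("not a matching STUN Binding Response")
    body, pos = response[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + (alen + 3) // 4 * 4            # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS:
            _, family, x_port, x_addr = struct.unpack("!BBHI", value)
            if family != 0x01:
                raise ValueError("only IPv4 is handled here")
            ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
            return ip, x_port ^ (MAGIC_COOKIE >> 16)
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def simulate_exchange():
    """Walk the diagram: client 192.168.201.128:45897 behind a NAT that maps it
    to 206.123.31.67:55123, talking to STUN server 64.251.14.14."""
    txid = os.urandom(12)
    request = build_binding_request(txid)
    nat_mapped = ("206.123.31.67", 55123)   # the NAT rewrites the UDP source only
    response = build_binding_response(request, nat_mapped)
    # The NAT routes the reply back to 192.168.201.128:45897; the payload still
    # names the public mapping, which is what the client wanted to learn.
    return parse_reflexive_address(response, txid)


if __name__ == "__main__":
    print("reflexive address:", simulate_exchange())
```

The transaction-id check in parse_reflexive_address is the only integrity protection a plain Binding exchange has; without it any host that can guess the client's port can feed it a false mapping, which is why STUN servers that matter use MESSAGE-INTEGRITY as well.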

NAT types
Full Cone: once an internal IP:port has been mapped to a public IP:port, the same mapping is reused for every destination, and any external host can send a packet to that public IP:port and reach the internal host.
Restricted Cone: an external host can send a packet to the internal host only if the internal host had previously sent a packet to that external host's IP address.

NAT types (cont.)
Port Restricted Cone: like a Restricted Cone NAT, but the restriction includes the port number: the external host must send from the exact IP:port that the internal host previously sent to.
Symmetric: each request from the same internal IP:port to a different destination IP:port is mapped to a different public IP:port, and only the external host that received a given mapping can send back through it.
These four classes come from RFC 3489. RFC 4787 later split them into separate mapping behaviour (endpoint-independent, address-dependent, address-and-port-dependent) and filtering behaviour, because real NATs mix the two dimensions; the cone/symmetric labels are still the ones most people use.

STUN discovery process
To find out whether the client is behind a NAT, and if so which type, classic STUN (RFC 3489) runs a short series of Binding tests. The client can set two flags in the CHANGE-REQUEST attribute of a Binding Request:
"change IP": instructs the server to send the Binding Response from a different IP address.
"change port": instructs the server to send the Binding Response from a different port.

STUN Discovery Test I
In Test I the client sends a STUN Binding Request to the server with no flags set. The server sends the response back to the address and port the request came from, so the response arrives as long as UDP is not blocked, and its payload tells the client its mapped address.

STUN Discovery Tests II and III
In Test II the client sends a Binding Request with both the "change IP" and "change port" flags set, so the response comes from an address and port the client has never sent to. In Test III the client sends a Binding Request with only the "change port" flag set, so the response comes from the same IP but a different port.

STUN algorithm
(Flow chart of the RFC 3489 discovery algorithm, from Wikipedia.) The order is: Test I; then Test II; if Test II gets no response, Test I again toward the server's alternate address to compare the two mappings; then Test III.

STUN Limitations
STUN by itself does not get through a Symmetric NAT. Client A can discover that it is behind a Symmetric NAT and learns its own public IP and port from the STUN response, but that mapping was allocated for traffic to the STUN server; the NAT will allocate a different public port for traffic to any other peer, so the address the STUN server reports is useless to that peer. In general, the only hosts that can communicate with a client inside a NAT are those the client has already sent outbound packets to. The NAT drops packets from anyone else.

UDP Hole Punching
Hole punching is a technique that allows traffic to and from a host behind a firewall/NAT without any cooperation from the NAT itself.

UDP Hole Punching
Alice (with a private address) wants to call Bob.
Alice talks to a public (STUN/rendezvous) server, so the server learns Alice's external address and port.
Bob also talks to the public server, so the server learns Bob's too.
The public server tells Alice about Bob and Bob about Alice.

UDP Hole Punching
Bob sends a datagram to Alice's external address, creating a hole in his own NAT. Alice does the same toward Bob's. The first datagram may be dropped if it arrives at the peer's NAT before the peer has punched its hole. From then on datagrams pass freely in both directions.

Does it always work?
What if one of the sides uses a symmetric NAT? The port that side's NAT assigns for traffic to the peer differs from the one the STUN server reported, so the peer's datagrams target the wrong port. What can we do in those cases?
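Both the NAT-type discovery tests and the hole-punching sequence above can be exercised offline against a small NAT model. The block below is an added example, not the recitation's own code: it simulates the four RFC 3489 NAT behaviours as a translation table, runs the Test I / II / I-again / III decision flow against them, and then replays the Alice-and-Bob hole punch to show that it succeeds through two port-restricted cone NATs but fails when one side is symmetric. The NAT model, the STUN server addresses (two IPs, two ports, as RFC 3489 needs for the change flags) and the client addresses are constructed for illustration.

```python
"""Added example (not from the recitation): simulated NATs, the RFC 3489
discovery tests, and UDP hole punching, in pure Python with no sockets.
The NAT model and all addresses below are constructed for illustration."""
from dataclasses import dataclass, field
from itertools import count

FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = (
    "full cone", "restricted cone", "port restricted cone", "symmetric")
# Assumed STUN server with two public IPs and two ports, so the server can
# honour "change IP" and "change port".
STUN_IP1, STUN_IP2, PORT_A, PORT_B = "64.251.14.14", "64.251.14.15", 3478, 3479


@dataclass
class Nat:
    """Table-driven NAT. mappings: key -> public port. bindings: public port ->
    (internal addr, set of external destinations that addr has sent to)."""
    kind: str
    public_ip: str
    mappings: dict = field(default_factory=dict)
    bindings: dict = field(default_factory=dict)
    ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, src, dst):
        """Internal src sends to external dst; returns the translated source.
        A symmetric NAT allocates a separate mapping per destination."""
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.mappings:
            self.mappings[key] = next(self.ports)
            self.bindings[self.mappings[key]] = (src, set())
        port = self.mappings[key]
        self.bindings[port][1].add(dst)
        return (self.public_ip, port)

    def inbound(self, src, public_port):
        """External src sends to (public_ip, public_port); returns the internal
        address it is delivered to, or None if the NAT filters it."""
        if public_port not in self.bindings:
            return None                                   # no mapping: dropped
        inner, contacted = self.bindings[public_port]
        if self.kind == FULL_CONE:
            return inner                                  # anyone may send in
        if self.kind == RESTRICTED:                       # IP must be known
            return inner if any(d[0] == src[0] for d in contacted) else None
        return inner if src in contacted else None        # exact ip:port match


def binding_test(nat, client, dst, change_ip=False, change_port=False):
    """One STUN Binding Request from client to dst. The server answers from a
    different IP and/or port when the change flags are set. Returns the mapped
    (reflexive) address the client learned, or None if the reply was filtered."""
    mapped = nat.outbound(client, dst)
    other_ip = STUN_IP2 if dst[0] == STUN_IP1 else STUN_IP1
    reply_src = (other_ip if change_ip else dst[0], PORT_B if change_port else dst[1])
    return mapped if nat.inbound(reply_src, mapped[1]) == client else None


def classify(nat, client):
    """RFC 3489 discovery flow for a client that is behind a NAT
    (the open-Internet branches are omitted)."""
    primary = (STUN_IP1, PORT_A)
    mapped = binding_test(nat, client, primary)                   # Test I
    if mapped is None:
        return "UDP blocked"
    if binding_test(nat, client, primary, True, True):           # Test II
        return FULL_CONE
    if binding_test(nat, client, (STUN_IP2, PORT_B)) != mapped:   # Test I again
        return SYMMETRIC                                          # mapping changed
    if binding_test(nat, client, primary, change_port=True):     # Test III
        return RESTRICTED
    return PORT_RESTRICTED


def hole_punch(nat_a, alice, nat_b, bob):
    """Alice and Bob each learn the other's reflexive address from the rendezvous
    server, then send to it. Returns (Alice's first datagram delivered?,
    Bob's datagram delivered?, Alice's retransmission delivered?)."""
    server = (STUN_IP1, PORT_A)
    alice_pub = nat_a.outbound(alice, server)       # what the server tells Bob
    bob_pub = nat_b.outbound(bob, server)           # what the server tells Alice
    alice_src = nat_a.outbound(alice, bob_pub)      # Alice sends first: hole in NAT A
    first = nat_b.inbound(alice_src, bob_pub[1])    # Bob has not sent yet
    bob_src = nat_b.outbound(bob, alice_pub)        # Bob sends: hole in NAT B
    second = nat_a.inbound(bob_src, alice_pub[1])
    retry = nat_b.inbound(alice_src, bob_pub[1])    # Alice retransmits
    return (first == bob, second == alice, retry == bob)


if __name__ == "__main__":
    alice, bob = ("192.168.0.2", 5000), ("10.0.0.2", 6000)
    for kind in (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(f"{kind:21} classified as {classify(Nat(kind, '203.0.113.1'), alice)}")
    print("cone + cone:     ", hole_punch(Nat(PORT_RESTRICTED, "203.0.113.1"), alice,
                                          Nat(PORT_RESTRICTED, "198.51.100.1"), bob))
    print("cone + symmetric:", hole_punch(Nat(PORT_RESTRICTED, "203.0.113.1"), alice,
                                          Nat(SYMMETRIC, "198.51.100.1"), bob))
```

The symmetric case fails for exactly the reason the slide asks about: Bob's NAT hands out port 40001 for traffic to Alice while the server reported 40000, so Alice keeps hitting a port whose binding has never contacted her, and Bob's datagram arrives at Alice's port-restricted NAT from a port she never sent to.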

TURN
TURN (Traversal Using Relays around NAT) is the fallback. It can run over UDP and switch to TCP (or TLS) if UDP fails. A public relay server is used to shuttle the data between the peers. In the scenario shown, both clients begin by sending an Allocate request to the same TURN server, which gives each of them a relayed transport address on the server. Once the negotiation is complete, both peers communicate by sending their data to the TURN server, which relays it to the other peer. In practice a relayed address on one side is enough, since the other peer can send to the relay's public address directly.

TURN example
(Diagram: Client A <-> Relay Server <-> Client B.) The relay must have enough capacity to carry every data flow that goes through it, and it adds a hop of latency. As a result, TURN is best used as a last-resort fallback for cases where direct connectivity fails.

ICE
Interactive Connectivity Establishment (ICE) is a protocol, and a set of methods, for finding the most efficient path between the participants. Each side gathers candidate addresses (local host addresses, server-reflexive addresses learned through STUN, and relayed addresses allocated on a TURN server), exchanges them over the signalling channel, and then runs connectivity checks on candidate pairs in priority order: a direct connection where possible, STUN-discovered addresses where needed, and finally a fallback to TURN if all else fails.

ICE example
(Diagram: Client A and Client B, each with its own STUN server, STUN server A and STUN server B, plus a shared Relay Server.)
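The "direct first, STUN next, TURN last" order that ICE follows is not a hard-coded rule but falls out of the RFC 5245 priority formulas. The block below is an added example, not the recitation's code: it computes candidate and candidate-pair priorities with the RFC 5245 type preferences and orders the connectivity checks for a constructed pair of agents (Alice with host, server-reflexive and relayed candidates; Bob with host and server-reflexive). The candidate addresses are made up for illustration.

```python
"""Added example (not from the recitation): RFC 5245 candidate and pair
priorities, used to order ICE connectivity checks. Candidates are constructed."""

# RFC 5245 section 4.1.2.2 recommended type preferences
TYPE_PREFERENCE = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}


def candidate_priority(ctype, local_pref=65535, component_id=1):
    """priority = 2^24 * type preference + 2^8 * local preference + (256 - component id).
    local_pref 65535 is the value for a single-homed host."""
    return (1 << 24) * TYPE_PREFERENCE[ctype] + (1 << 8) * local_pref + (256 - component_id)


def pair_priority(g, d):
    """g: controlling agent's candidate priority, d: controlled agent's.
    pair priority = 2^32 * MIN(G,D) + 2 * MAX(G,D) + (1 if G > D else 0).
    The MIN term dominates, so a pair is only as good as its worse candidate:
    anything involving a relayed candidate sorts below every direct pair."""
    return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def check_order(local, remote):
    """Form every local x remote candidate pair (this agent is controlling) and
    return the pairs in the order ICE would check them, highest priority first.
    Candidates are (type, "ip:port") tuples."""
    pairs = []
    for ltype, laddr in local:
        for rtype, raddr in remote:
            prio = pair_priority(candidate_priority(ltype), candidate_priority(rtype))
            pairs.append((prio, ltype, laddr, rtype, raddr))
    pairs.sort(key=lambda p: p[0], reverse=True)
    return [(lt, la, rt, ra) for _, lt, la, rt, ra in pairs]


# Constructed candidates: Alice has a host, a STUN-reflexive and a TURN relayed
# candidate; Bob has a host and a reflexive one.
ALICE = [("host", "192.168.0.2:5000"), ("srflx", "203.0.113.1:40000"),
         ("relay", "198.51.100.9:49152")]
BOB = [("host", "10.0.0.2:6000"), ("srflx", "198.51.100.1:40000")]

if __name__ == "__main__":
    for lt, la, rt, ra in check_order(ALICE, BOB):
        print(f"{lt:5} {la:22} -> {rt:5} {ra}")
```

The host-to-host pair is checked first even though, with both peers behind different NATs, it can only succeed on the same LAN; the server-reflexive pairs are the hole-punching attempt from the earlier slides, and the relayed pairs come last, which is the TURN fallback.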