Network Address Translation - NAT
Foreword

These slides have been prepared by gathering information from the net:
- Cisco tutorial
- Lectures from other institutions (University of Princeton, University of Stanford)
Application Gateways

Hosts have unique identifiers and are linked through devices executing simple packet forwarding:
- Hosts are reachable from anywhere at any time
- Forwarding devices only forward packets; they neither modify nor filter them

Middleboxes sit between two end hosts:
- Middleboxes violate the end-to-end principle
- Middleboxes take packets and may modify the traffic behavior, and even the content of the packets
- End hosts might be unaware of the presence of middleboxes
Middleboxes as a solution to Internet challenges

- Security: DoS and DDoS attacks, viruses, backdoors, ...
- Performance: large propagation delays, large bandwidth
- Mobility: mobile devices (smartphones, connected objects, ...)
- Private LANs: private IP addresses

Source: http://bgp.potaroo.net/
Advantages and Disadvantages

Advantages:
- New networking services
  - Keeping the same network infrastructure
  - Keeping the same addressing scheme

Disadvantages:
- Breaks the E2E principle
- Frequently hard to debug
- New devices per service
- Network complexity
Examples of middleboxes

- Firewalls
- Intrusion detection systems (IDS)
- Transparent Web proxies
- Performance Enhancing Proxies
- Traffic shapers
- Network Address Translation
Origin of NATs

IP address space depletion, pervasiveness of the Internet:
- Difficult to get as many global IP addresses as needed
- Share a single address between multiple hosts, without modifying the end hosts

NAT has been proposed as a short-term, temporary solution:
- NATs got widely deployed
- A limit to the success of IPv6
Network Address Translation

Figure (labels only): a private LAN with private @IP on the Inside, the NAT, and the global @IP Internet on the Outside. Address terms shown in the figure: Inside Local (IP_P), Inside Global, Outside Local, Outside Global, IP_G.
IP address translation

Make the inside part look like a single IP address:
- Private IP addresses

Outgoing traffic:
- Replace the source IP address with IP_G

Incoming traffic:
- Replace the destination IP address with the source IP address of the original inside host

What about the checksum??
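To answer the checksum question: rewriting the source address invalidates the IPv4 header checksum, so the NAT either recomputes it or updates it incrementally (RFC 1624). This is an added example, not from the slides; the addresses are the ones used in the deck, while the other header fields (ID 0x1234, TTL 64, protocol TCP) are constructed.

```python
import struct
from ipaddress import IPv4Address

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of data, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header_checksum(header: bytes) -> int:
    """Full recomputation over the header with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF

def incremental_checksum(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 update for a rewritten field m -> m': HC' = ~(~HC + ~m + m')."""
    total = ((~old_csum) & 0xFFFF) \
        + ((~ones_complement_sum(old_field)) & 0xFFFF) \
        + ones_complement_sum(new_field)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int = 20) -> bytes:
    """Minimal 20-byte IPv4 header (TCP, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]

def nat_rewrite_source(header: bytes, new_src: str) -> bytes:
    """Outbound NAT step: replace the source address (bytes 12-15) and fix
    the header checksum incrementally instead of recomputing it."""
    old_csum = struct.unpack("!H", header[10:12])[0]
    old_src, new = header[12:16], IPv4Address(new_src).packed
    new_csum = incremental_checksum(old_csum, old_src, new)
    return header[:10] + struct.pack("!H", new_csum) + new + header[16:]

def header_is_valid(header: bytes) -> bool:
    """Receiver's check: the sum over the whole header, checksum included, is 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF
```

The TCP and UDP checksums also cover the addresses through their pseudo-header, so a real NAT has to apply the same incremental fix to the transport checksum as well.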
NAT Translation Table

The NAT device maintains a translation table which tells which internal hosts are communicating with a given external server:
- An entry is created upon seeing an outgoing packet (permanent mappings can also be created)
- How to remove unused entries? Keep timers and time entries out. What about idle connections?

Traffic initiated inside the LAN successfully reaches the external hosts. What about traffic initiated outside the LAN?

Internal @IP   External @IP
10.0.0.1       149.202.195.14
10.0.0.2       216.58.210.195
NAT benefits and drawbacks

Benefits:
- Connect private LANs to the global Internet
- No need to renumber hosts when changing ISP
- Connect two private LANs with conflicting IP addresses

Drawbacks:
- Again, a problem with the E2E principle: a lot of Internet bugs are introduced by middleboxes
- Needs static mappings to set up servers behind NATs
- Hosts behind NATs cannot be pinged
- Limits the development of IPv6, the clean solution to the address depletion problem
Shortcoming of the NAT Translation Table

What happens when two different internal hosts want to communicate with the same external host?
- Traffic from inside to outside: OK
- Traffic from outside to inside??

Internal @IP   External @IP
10.0.0.1       149.202.195.14
10.0.0.2       216.58.210.195
10.0.0.3       216.58.210.195
Port-Translating NATs

Port-translating NATs, or Network Address Port Translation, expand the table to include additional fields:
- PT-NATs might translate both the IP address and the port number to avoid ambiguity
- Enable many-to-one communication

Inside Global @IP  Inside Global Port  Outside Local @IP  Outside Local Port  Outside Global @IP  Outside Global Port  Transport Protocol
10.0.0.1           41000               149.202.190.54     40000               149.202.195.14      80                   TCP
10.0.0.2           42000               149.202.190.54     40001               216.58.210.195      80                   TCP
10.0.0.3           41000               149.202.190.54     40002               216.58.210.195      80                   TCP
10.0.0.3           41000               149.202.190.54     40003               216.58.210.195      80                   TCP
Address and Port translation: Example

Inside (before the NAT):  10.0.0.1:40001 -> 149.202.195.14:80
Outside (after the NAT):  149.202.190.54:50001 -> 149.202.195.14:80
Translation Methods

Diagrams of the NAT behaviours, all drawn with the same elements: inside hosts sending from PortA and PortB, NAT public ports Port5000 and Port20000, and outside hosts sending from PortX and PortY.
- Full Cone NAT
- (Address-)Restricted Cone NAT
- Port-Restricted Cone NAT (1) and (2)
- Symmetric NAT (1) and (2); the second diagram adds a further NAT port, Port20001
NAT Traversal
Problem and solutions to NAT traversal

Problem: the inside host must initiate the connection with the outside host to let data flow
- Servers in the private LAN will not receive incoming connections, e.g. preventing P2P applications from working correctly

Solutions:
- Individual solutions: manual mapping (port forwarding)
- NAT-behaviour based approaches: hole punching using STUN (IETF - RFC 3489)
- External data relay: TURN (IETF Draft)
- Frameworks integrating several techniques: ICE, the most promising for VoIP (IETF Draft)
STUN

Session Traversal Utilities for NAT (STUN), RFC 5389
- The client sends a binding request to a STUN server
- The STUN server responds with a success message providing the IP address and port as seen by the server
- Messages are exchanged over UDP
- The client uses the information provided by the STUN server to give its external identity to another server providing a networking service (e.g. SIP)

STUN works well with Full Cone NATs, Address-Restricted Cone NATs and Port-Restricted Cone NATs. STUN does not work with symmetric NATs.
STUN and hole punching

- Determine the external IP address/port and exchange it through a rendezvous point
- Both hosts send packets towards the other host
- The outgoing packet creates a hole
- Establish the connection: the hole is created by the first packet

From https://www.net.in.tum.de/fileadmin/tum/teaching/masterkurs_rechnernetze/ws0910/mnet_04_network_layer_nat.pdf
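Added example (not from the slides) simulating the port-translating table of slides 12-13 and the four NAT behaviours drawn in slides 15-20, to show why the address learned through STUN (slide 23) is reusable behind cone NATs and useless behind a symmetric one. The behaviours follow the RFC 3489 classification: full cone accepts any outside sender on a mapped port, address-restricted requires a prior packet to the sender's address, port-restricted requires a prior packet to the exact address:port, and symmetric additionally allocates a distinct public port per destination. Addresses are the deck's; the STUN port 3478 and the peer port 5000 are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)

@dataclass
class Napt:
    """Toy port-translating NAT with a single public address (constructed example)."""
    public_ip: str
    behaviour: str  # full_cone | addr_restricted | port_restricted | symmetric
    next_port: int = 40000
    # mapping key -> public port; a symmetric NAT keys on the destination too
    table: Dict[tuple, int] = field(default_factory=dict)
    # public port -> (inside endpoint, outside endpoints it has sent to)
    mappings: Dict[int, Tuple[Endpoint, set]] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an inside->outside packet, creating the mapping on first use."""
        key = src + dst if self.behaviour == "symmetric" else src
        port = self.table.get(key)
        if port is None:
            port = self.next_port   # a fresh public port per mapping, so two inside
            self.next_port += 1     # hosts using the same source port never clash
            self.table[key] = port
            self.mappings[port] = (src, set())
        self.mappings[port][1].add(dst)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Filter and translate an outside->inside packet; None means dropped."""
        entry = self.mappings.get(public_port)
        if entry is None:
            return None  # no mapping: unsolicited traffic never reaches the LAN
        inside, peers = entry
        if self.behaviour == "full_cone":
            return inside  # any outside host may use the mapped port
        if self.behaviour == "addr_restricted":
            return inside if any(ip == src[0] for ip, _ in peers) else None
        # port_restricted and symmetric: the exact ip:port must have been contacted
        return inside if src in peers else None

def stun_then_peer(behaviour: str) -> bool:
    """Inside host learns its public ip:port via STUN, punches a hole towards a peer,
    and the peer sends to the STUN-learned address; True if that packet gets in."""
    nat = Napt("149.202.190.54", behaviour)
    host, stun, peer = ("10.0.0.1", 41000), ("149.202.195.14", 3478), ("216.58.210.195", 5000)
    reflexive = nat.outbound(host, stun)  # the STUN binding response reports this
    nat.outbound(host, peer)              # hole punching: the first packet opens the hole
    return nat.inbound(peer, reflexive[1]) == host
```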
Symmetric NAT traversal

Connections from the inside LAN to the outside Internet are possible.

Traversal Using Relays around NAT (TURN):
- Hosts in private LANs connect to a relay server
- The relay server forwards packets between hosts in private LANs
- Skype is one of the most famous data relays using TURN

Diagram: NAT - Relay Server - NAT