Network Address Translation - NAT


Foreword
Those slides have been done by gathering a lot of information on the net:
- Cisco tutorial
- Lectures from other institutions: University of Princeton, University of Stanford

Application Gateways
Hosts have unique identifiers and are linked through devices executing simple packet forwarding.
- Hosts are reachable from anywhere at any time.
- Forwarding devices only forward packets; they do not modify nor filter packets.
Middleboxes sit between two end hosts.
- Middleboxes violate the end-to-end principle.
- Middleboxes take packets and may modify the traffic behaviour, and even the content of packets.
- End hosts might be unaware of the presence of middleboxes.

Middleboxes as a solution to Internet challenges
Security
- DoS and DDoS attacks
- Viruses, backdoors, ...
Performance
- Large propagation delays
- Large bandwidth
Mobility
- Mobile devices (smartphones, connected objects, ...)
Private LANs
- Private IP addresses
Source: http://bgp.potaroo.net/

Advantages and Disadvantages
Advantages
- New networking services
  - Keeping the same network infrastructure
  - Keeping the same addressing scheme
Disadvantages
- Break the E2E principle
- Frequently hard to debug
- New devices per service
- Network complexity

Examples of middleboxes
- Firewalls
- Intrusion detection systems (IDS)
- Transparent Web proxies
- Performance Enhancing Proxies
- Traffic shapers
- Network Address Translation

Origin of NATs
IP address space depletion: pervasiveness of the Internet
- Difficult to get as many global IP addresses as needed
- Share a single address between multiple hosts, without modifying the end hosts
NAT has been proposed as a short-term, temporary solution
- NATs got widely deployed
- A limit to the IPv6 success

Network Address Translation
(Figure only; labels: Inside: Private LAN, Private @IP, Inside Local IP_P, Inside Global @IP; NAT; Outside: Global @IP, Outside Local IP_G, Outside Global @IP.)

IP address translation
Make the inside part look like a single IP address
- Private IP addresses
Outgoing traffic
- Replace the source IP address with IP_G
Incoming traffic
- Replace the destination IP address with the source IP address of the original (inside) host
What about the checksum??

NAT Translation Table
The NAT device maintains a translation table which tells which internal hosts are communicating with a given external server.
- Create an entry upon seeing an outgoing packet
- Creating permanent mappings is also possible
- How to remove unused entries? Keep timer timeouts. What about idle connections?
Traffic initiated inside the LAN successfully reaches the external hosts.
What about traffic initiated outside the LAN?

  Internal @IP   External @IP
  10.0.0.1       149.202.195.14
  10.0.0.2       216.58.210.195

NAT benefits and drawbacks
Benefits
- Connect private LANs to the global Internet
- No need to renumber hosts in case of change of the ISP
- Connect 2 private LANs with conflicting IP addresses
Drawbacks
- Again, problem with the E2E principle: a lot of Internet bugs are introduced by middleboxes
- Needs static mapping to set up servers behind NATs
- Hosts behind NATs cannot be pinged
- Limits the development of IPv6, the clean solution to the address depletion problem

Shortcoming of the NAT Translation Table
What happens when two different internal hosts want to communicate with the same external host?
- Traffic from inside to outside: OK
- Traffic from outside to inside: ??

  Internal @IP   External @IP
  10.0.0.1       149.202.195.14
  10.0.0.2       216.58.210.195
  10.0.0.3       216.58.210.195

Port-Translating NATs
Port-translating NATs, or Network Address Port Translation (NAPT), expand the table to include additional fields.
- PT-NATs might translate both the IP address and the port number to avoid ambiguity
- Enable many-to-one communication

  Inside @IP   Inside Port   NAT @IP          NAT Port   Outside @IP      Outside Port   Transport Protocol
  10.0.0.1     41000         149.202.190.54   40000      149.202.195.14   80             TCP
  10.0.0.2     42000         149.202.190.54   40001      216.58.210.195   80             TCP
  10.0.0.3     41000         149.202.190.54   40002      216.58.210.195   80             TCP
  10.0.0.3     41000         149.202.190.54   40003      216.58.210.195   80             TCP

Address and Port Translation Example
(Figure: inside, the host sends from 10.0.0.1:40001 to 149.202.195.14:80; after the NAT, the outside sees the packet as coming from 149.202.190.54:50001 to 149.202.195.14:80.)

Translation Methods: Full Cone NAT
(Figure only; labels: inside host sending from Port A and Port B, NAT mappings on Port 5000 and Port 20000, outside hosts sending from Port X and Port Y.)

Translation Methods: (Address)-Restricted Cone NAT
(Figure only; same labels as above.)

Translation Methods: Port-Restricted Cone NAT (1)
(Figure only; same labels as above.)

Translation Methods: Port-Restricted Cone NAT (2)
(Figure only; same labels as above.)

Translation Methods: Symmetric NAT (1)
(Figure only; same labels as above.)

Translation Methods: Symmetric NAT (2)
(Figure only; same labels as above, plus a second NAT mapping on Port 20001.)
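To make the translation-table slides and the four translation methods concrete, here is an added toy NAPT model (my own example, not code from the slides or from any NAT product): it allocates public ports on the 149.202.190.54 address from the table above and applies full-cone, address-restricted, port-restricted or symmetric filtering to inbound packets. The behaviour names, the port counter starting at 40000 and the 203.0.113.9 probe address are assumptions of the example.

```python
import itertools

class Napt:
    """Toy NAPT whose inbound filtering follows one of the four behaviours on the slides."""
    PUBLIC_IP = "149.202.190.54"      # NAT address from the slides' table

    def __init__(self, behaviour):    # "full_cone", "addr_restricted", "port_restricted", "symmetric"
        self.behaviour = behaviour
        self.next_port = itertools.count(40000)
        self.table = {}               # mapping key -> row dict
        self.by_ext_port = {}         # public port -> row dict, for inbound lookups

    def _key(self, src, dst):
        # Symmetric NAT allocates a fresh mapping per (inside endpoint, outside endpoint);
        # the cone variants reuse one mapping per inside endpoint whatever the destination.
        return (src, dst) if self.behaviour == "symmetric" else src

    def outbound(self, src, dst):
        """Translate an outgoing packet; returns the (public ip, port) the outside host sees."""
        row = self.table.get(self._key(src, dst))
        if row is None:               # first packet from this inside endpoint (and peer) creates the entry
            row = {"ext_port": next(self.next_port), "inside": src, "peers": set()}
            self.table[self._key(src, dst)] = row
            self.by_ext_port[row["ext_port"]] = row
        row["peers"].add(dst)         # remember the outside endpoint this mapping has sent to
        return (self.PUBLIC_IP, row["ext_port"])

    def inbound(self, src, ext_port):
        """Inside endpoint a packet from outside src is delivered to, or None if the NAT drops it."""
        row = self.by_ext_port.get(ext_port)
        if row is None:
            return None               # no mapping: unsolicited traffic is dropped by every NAT type
        if self.behaviour == "full_cone":
            return row["inside"]      # any outside host may use the mapping
        if self.behaviour == "addr_restricted":
            return row["inside"] if any(p[0] == src[0] for p in row["peers"]) else None
        return row["inside"] if src in row["peers"] else None   # port-restricted and symmetric

def demo(behaviour):
    """Inside host 10.0.0.1:41000 contacts two web servers (addresses from the slides), then we probe."""
    nat = Napt(behaviour)
    a, web1, web2 = ("10.0.0.1", 41000), ("149.202.195.14", 80), ("216.58.210.195", 80)
    p1, p2 = nat.outbound(a, web1)[1], nat.outbound(a, web2)[1]
    return {
        "same_public_port_for_both_peers": p1 == p2,
        "reply_from_contacted_peer": nat.inbound(web1, p1) == a,
        "packet_from_same_host_other_port": nat.inbound(("149.202.195.14", 8080), p1) == a,
        "packet_from_unknown_host": nat.inbound(("203.0.113.9", 3478), p1) == a,
    }
```

Running demo() for the four behaviours shows why a symmetric NAT breaks address discovery: the public port differs per destination, so the port a third party reported is useless for another peer.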

NAT Traversal

Problem and solutions to NAT traversal
Problem: the inside host must initiate the connection with the outside host to let data flow.
- Servers in the private LAN will not receive incoming connections, e.g. preventing the correct execution of P2P applications.
Solutions:
- Individual solutions: manual mapping (port forwarding)
- NAT-behaviour based approaches: hole punching using STUN (IETF RFC 3489)
- External data relay: TURN (IETF Draft)
- Frameworks integrating several techniques: ICE, the most promising for VoIP (IETF Draft)

STUN
Session Traversal Utilities for NAT (STUN), RFC 5389
- The client sends a Binding request to a STUN server
- The STUN server responds with a success message providing the IP address and port as seen by the server
- Messages are exchanged over UDP
- The client uses the information provided by the STUN server to provide its external identity to a tier server providing a networking service (e.g. SIP)
STUN works well with Full Cone NATs, Address-Restricted Cone NATs and Port-Restricted Cone NATs.
STUN does not work with symmetric NATs.
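As an added example (not from the slides), the Binding request and success response described above, encoded and decoded per RFC 5389 in Python. The sample reply is constructed locally, so no STUN server is contacted; the reflexive address 149.202.190.54:50001 is taken from the slides' address-and-port translation example.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020        # attribute carrying the reflexive (NAT-side) address

def build_binding_request(transaction_id):
    """Binding Request: 20-byte header (type, length, cookie, 96-bit transaction id), no attributes."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id

def build_binding_success(transaction_id, ip, port):
    """Binding Success Response with an IPv4 XOR-MAPPED-ADDRESS; used here to construct a sample reply."""
    x_port = port ^ (MAGIC_COOKIE >> 16)                        # port XORed with the cookie's top 16 bits
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, x_port, x_addr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + transaction_id + attr

def parse_reflexive_address(response, expected_tid):
    """Return the (ip, port) the STUN server saw, or raise ValueError if the reply is not usable."""
    if len(response) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if cookie != MAGIC_COOKIE or response[8:20] != expected_tid:
        raise ValueError("not a reply to our request")           # stale or spoofed replies are ignored
    if msg_type != BINDING_SUCCESS or len(response) != 20 + length:
        raise ValueError("unexpected message type or length")
    offset = 20
    while offset + 4 <= len(response):
        attr_type, attr_len = struct.unpack("!HH", response[offset:offset + 4])
        value = response[offset + 4:offset + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and attr_len == 8 and value[1] == 0x01:
            x_port, x_addr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
            return ip, x_port ^ (MAGIC_COOKIE >> 16)
        offset += 4 + ((attr_len + 3) & ~3)                      # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS in response")

def demo():
    """Constructed exchange: the NAT mapped our socket to 149.202.190.54:50001 (value from the slides)."""
    tid = os.urandom(12)
    request = build_binding_request(tid)
    reply = build_binding_success(tid, "149.202.190.54", 50001)  # stands in for a real server's answer
    return len(request), parse_reflexive_address(reply, tid)
```

The transaction-id and magic-cookie checks are what let a client discard replies that do not belong to its own request.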

STUN and hole punching
- Determine the external IP address/port and exchange it through a rendezvous point
- Both hosts send packets towards the other host
- The outgoing packet creates a hole
- Establish the connection: the hole is created by the first packet
From https://www.net.in.tum.de/fileadmin/tum/teaching/masterkurs_rechnernetze/ws0910/mnet_04_network_layer_nat.pdf

Symmetric NAT traversal
Connections from inside the LAN to the outside Internet are possible.
Traversal Using Relays around NAT (TURN)
- Hosts in private LANs connect to a relay server
- The relay server forwards packets between hosts in private LANs
Skype, one of the most famous data relays, uses TURN.
(Figure: NAT - Relay Server - NAT.)