Could SP-NAT Save the Internet?

Slides:



Advertisements
Similar presentations
CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Advertisements

1 Ports and IPv6. 2 Ports Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), used for communication Generally speaking, a computer.
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
IST 201 Chapter 9. TCP/IP Model Application Transport Internet Network Access.
STUN Date: Speaker: Hui-Hsiung Chung 1.
CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/9/2013.
Firewalls and Intrusion Detection Systems
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Chapter 6 Network Address Translation (NAT). Network Address Translation  Modification of source or destination IP address  Needed by networks using.
Introduction To Networking
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
Section 461.  ARP  Ghostbusters  Grew up in Lexington, KY  Enjoy stargazing, cycling, and mushroom hunting  Met Mario once (long time ago)
Middleboxes & Network Appliances EE122 TAs Past and Present.
4: Addressing Working At A Small-to-Medium Business or ISP.
TRANSPORT LAYER T.Najah Al-Subaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
FIREWALL Mạng máy tính nâng cao-V1.
CS 5565 Network Architecture and Protocols
SOCKS Group: Challenger Member: Lichun Zhan. Agenda Introduction SOCKS v4 SOCKS v5 Summary Conclusion References Questions.
1 NAT Network Address Translation Motivation for NAT To solve the insufficient problem of IP addresses IPv6 –All software and hardware need to be updated.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
Chapter 6-2 the TCP/IP Layers. The four layers of the TCP/IP model are listed in Table 6-2. The layers are The four layers of the TCP/IP model are listed.
1 Firewalls Types of Firewalls Inspection Methods  Static Packet Inspection  Stateful Packet Inspection  NAT  Application Firewalls Firewall Architecture.
INTRODUCTION TO NETWORKS 8/2/2015 SSIG SOUTHERN METHODIST UNIVERSITY.
Networking Basics CCNA 1 Chapter 11.
Sniffer, tcpdump, Ethereal, ntop
S305 – Network Infrastructure Chapter 5 Network and Transport Layers.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
Module 10: Windows Firewall and Caching Fundamentals.
Computer Network Architecture Lecture 6: OSI Model Layers Examples 1 20/12/2012.
Data Communications and Networks Chapter 6 – IP, UDP and TCP ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.
IP packet filtering Breno de Medeiros. Florida State University Fall 2005 Packet filtering Packet filtering is a network security mechanism that works.
Kittiphan Techakittiroj (25/06/59 19:10 น. 25/06/59 19:10 น. 25/06/59 19:10 น.) Network Address Translation Kittiphan Techakittiroj
H.323 NAT Traversal Problem particular to H.323(RAS->Q.931->H.245):  RAS from private network to public network can pass NAT  Q931 、 H.245 adopts the.
HIP-Based NAT Traversal in P2P-Environments
28/09/2016 Mildly Penetrative Packet Inspection Shane Alcock WAND.
1/10/2016 Passive Network Analysis Using Libtrace Shane Alcock.
CS 3700 Networks and Distributed Systems
TECH TIP – Videoconferencing settings for Apple AirPort Extreme wireless access point. SYMPTOM / ISSUE After connecting a set-top videoconferencing system.
By: Hunza, Omar and Anum Chapter 4 pg(76-79).
NAT (Network Address Translation)
Chapter 5 Network and Transport Layers
Chapter 9: Transport Layer
Port Scanning James Tate II
Instructor Materials Chapter 9: Transport Layer
Shane Alcock and Richard Nelson University of Waikato
Port Connection Status
Ian McDonald, Richard Nelson
CS 3700 Networks and Distributed Systems
Process-to-Process Delivery
© 2003, Cisco Systems, Inc. All rights reserved.
Net 221D : Computer Networks Fundamentals
Introduction to Networking
Introducing To Networking
Hiding Network Computers Gateways
NET323 D: Network Protocols
Working at a Small-to-Medium Business or ISP – Chapter 7
New Solutions For Scaling The Internet Address Space
* Essential Network Security Book Slides.
CS 3700 Networks and Distributed Systems
NET323 D: Network Protocols
Lecture 12 Internet Protocols Internet resource allocation and QoS
Firewalls Jiang Long Spring 2002.
Chapter 11: Network Address Translation for IPv4
Request for Comments(RFC) 3489
Transport Layer 9/22/2019.
Presentation transcript:

Could SP-NAT Save the Internet? WAND, University of Waikato

Service Provider NAT Aim is to reduce IPv4 address consumption Multiple subscribers share a single public IPv4 address NAT device is located within the ISP-managed network Internets ISP NAT Subscribers

Research Questions Provisioning How many subscribers per NAT device? Can existing subscriber behaviour be accommodated? What level of restrictions would affect the least subscribers? Incoming sessions How many subscribers are accepting incoming sessions? What services are those subscribers running?

Analysis Analyse traces captured from two different NZ ISPs ISP 2007 – DSL customer traffic from February 2007 ISP 2009 – Captured from a new monitor in January 2009 Track sessions (flows) for each subscriber IP Outgoing session creation rate Peak concurrent outgoing sessions Incoming sessions – quantity and protocol

Session Counting TCP Sessions Must begin with a SYN packet Incoming sessions must also observe a SYN ACK A session is expired after a period of inactivity Incomplete 3-way handshake = 4 minutes Established TCP connection = 2 hours and 4 minutes If a RST or FIN ACK is observed = immediate expiry UDP Sessions All sessions are expired after 2 minutes and 20 seconds of inactivity

Outgoing Sessions

Outgoing Sessions

Incoming Sessions NAT violates the IP connectivity model External devices cannot directly connect to hosts behind NAT This creates problems for end-users that wish to ... Operate Internet services, such as a web server Participate in peer-to-peer

Incoming Sessions Possible solutions Port forwarding Subscribers cannot interact with the NAT device directly Can only forward each port number once per NAT device NAT traversal techniques Supported by some but not all applications Lack of standardisation for NAT device behaviour BEHAVE IETF working group is trying to resolve this

Incoming Sessions Questions How many subscribers are accepting incoming connections? What services are they operating? What ports are being used to run services? As an aside, how useful are port numbers for identifying services?

Incoming Sessions Observed subscriber IPs that accept an incoming TCP connection For ISP 2007: For ISP 2009: 44.2 % 30.8 %

Incoming TCP Sessions (ISP 2007) How many server ports are being used by each IP?

Incoming TCP Sessions (ISP 2007) Broken down by server port

Incoming TCP Sessions (ISP 2009) Broken down by server port

Incoming TCP Sessions (ISP 2007) Using the four-byte L7 protocol analysis rules

Incoming TCP Sessions (ISP 2009) Using the four-byte L7 protocol analysis rules

Incoming TCP Sessions (ISP 2007) Byte counts instead of flow counts

Incoming TCP Sessions (ISP 2009) Byte counts instead of flow counts

Incoming TCP Sessions (ISP 2007) Utilization of TCP port 80 (byte counts)

Incoming TCP Sessions (ISP 2009) Utilization of TCP port 80 (byte counts)

WAND Network Research Group Department of Computer Science The University of Waikato Private Bag 3105 Hamilton, New Zealand www.crc.net.nz www.wand.net.nz www.waikato.ac.nz

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.