P2P and NAT: How to traverse NAT. Davide Carboni © 2005-2006.

License: Attribution-ShareAlike 2.5. You are free: to copy, distribute, display, and perform the work; to make derivative works; to make commercial use of the work. Under the following conditions: Attribution. You must give the original author credit. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a licence identical to this one. For any reuse or distribution, you must make clear to others the licence terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. This is a human-readable summary of the Legal Code (the full licence).

The problem. The large deployment of NAT builds a barrier to the development of peer-to-peer networks. Hosts behind a NAT/firewall are only authorized to initiate outgoing traffic through a limited set of ports (UDP/TCP). Hosts behind a NAT/firewall are never authorized to receive incoming TCP or UDP traffic initiated by a foreign host.

Firewall. A firewall is a system that filters TCP/IP and UDP/IP packets according to rules. It can be software running on the user's machine or on a network router.

Firewall rules (diagram: firewall rules applied at a router with global IP addresses).

NAT. The process of network address translation (NAT, also known as network masquerading or IP masquerading) involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall.

Why NAT is so popular. IPv4 address shortage. A standard feature in routers for home and small-office Internet connections. It can enhance the reliability of local systems by stopping worms, and enhance privacy by discouraging scans.

Simple NAT (diagram: a NAT between a local network with private IP addresses and the main Internet with public IP addresses).

Multiple NAT (diagram: home network with private IP addresses, home NAT, ISP network, ISP NAT, main Internet with public IP addresses).

NAT mappings (diagram: host A sends a datagram S=<private-IP>:4445, D=<server-IP>:7777; the NAT maps <private-IP>:4445 to <public-IP>:10100 and forwards it as S=<public-IP>:10100, D=<server-IP>:7777).

Traversing a NAT that does not collaborate

Relaying (diagram: host A and host B each on a local network behind a NAT; relay S in the main Internet; steps 1 and 2 go through the relay).

Connection reversal (diagram: host A on a local network behind a NAT, host B and rendezvous server S in the main Internet; steps 1, 2, 3).

NAT policies.

A full cone NAT is a NAT where all requests from the same internal IP address and port are mapped to the same public IP address and port. Once a mapping is created, all incoming traffic to the public address is routed to the internal host without checking the address of the remote host.

A restricted cone NAT: like a full cone NAT, all requests from the same internal IP address and port are mapped to the same public IP address and port. Unlike a full cone NAT, a remote host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.

A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.

A symmetric NAT is a NAT where all requests from the same internal IP address and port to a specific destination IP address and port are mapped to the same external source IP address and port. If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.

UDP hole punching. Hole punching is a technique to allow traffic from/to a host behind a firewall/NAT without the collaboration of the NAT itself. The simplest way is to use UDP packets.

Full cone (diagram: host A behind a full cone NAT, hosts B and C outside). Packet(S=<A>:4445, D=<B>:7777) leaves the NAT as Packet(S=<NAT>:10100, D=<B>:7777). B answers with Packet(S=<B>:4321, D=<NAT>:10100), delivered as Packet(S=<B>:4321, D=<A>:4445). C, which A never contacted, sends Packet(S=<C>:1234, D=<NAT>:10100), delivered as Packet(S=<C>:1234, D=<A>:4445).

Full cone mapping and policy. Mapping: <A>:4445 → <NAT>:10100. Policy: ALLOW ALL TO <NAT>:10100.

Holes in full cone NAT (diagram: rendezvous server, host A, host B).

Restricted cone (diagram: host A behind a restricted cone NAT, hosts B and C outside). Packet(S=<A>:4445, D=<B>:7777) leaves the NAT as Packet(S=<NAT>:10100, D=<B>:7777). B answers with Packet(S=<B>:4321, D=<NAT>:10100), delivered as Packet(S=<B>:4321, D=<A>:4445) because A has already sent to B's IP. C sends Packet(S=<C>:1234, D=<NAT>:10100): dropped (X), since A never sent to C.

Restricted cone mapping and policy. Mapping: <A>:4445 → <NAT>:10100. Policy: ALLOW <remote-IP> TO <NAT>:10100, one rule per remote IP that A has sent to.

Holes in restricted cone NAT (diagram: rendezvous server, host A, host B).

Port restricted cone (diagram: host A behind a port restricted cone NAT, hosts B and C outside). Packet(S=<A>:4445, D=<B>:7777) leaves the NAT as Packet(S=<NAT>:10100, D=<B>:7777). B's Packet(S=<B>:4321, D=<NAT>:10100) is dropped (X): the source port differs from 7777. B's Packet(S=<B>:7777, D=<NAT>:10100) is delivered as Packet(S=<B>:7777, D=<A>:4445).

Port restricted cone mapping and policy. Mapping: <A>:4445 → <NAT>:10100. Policy: ALLOW <remote-IP>:7777 TO <NAT>:10100, one rule per remote IP and port that A has sent to.

Holes in port restricted cone NAT (diagram: rendezvous server, host A, host B).

Symmetric NAT (diagram: host A behind a symmetric NAT, hosts B and C outside). Packet(S=<A>:4445, D=<B>:7777) leaves as Packet(S=<NAT>:10100, D=<B>:7777); B's reply Packet(S=<B>:7777, D=<NAT>:10100) is delivered as Packet(S=<B>:7777, D=<A>:4445). Packet(S=<A>:4445, D=<C>:7777), from the same internal source, gets a new mapping and leaves as Packet(S=<NAT>:10179, D=<C>:7777); C's reply Packet(S=<C>:7777, D=<NAT>:10179) is delivered as Packet(S=<C>:7777, D=<A>:4445). C's Packet(S=<C>:7777, D=<NAT>:10100) is dropped (X).

Symmetric mapping and policy. Mappings: <A>:4445 → <NAT>:10100 (towards B), <A>:4445 → <NAT>:10179 (towards C). Policy: ALLOW <B>:7777 TO <NAT>:10100; ALLOW <C>:7777 TO <NAT>:10179.

Holes in symmetric NATs. The only way to traverse this NAT is by connection reversal or relaying.
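To make the four policies and the hole-punching slides concrete, here is an added example (not code from the slides) that models each NAT type's mapping and filtering rules and replays the UDP exchange through a rendezvous server S; all addresses are constructed sample values, and the outcome shows why the exchange succeeds for the cone types and fails when a symmetric NAT is involved.

```python
# Added example, not from the slides: a model of the four NAT types from the
# "NAT policies" slide, used to replay the UDP hole-punching exchange via a
# rendezvous server S for hosts A and B. All addresses are constructed samples.
FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = "full", "restricted", "port", "symmetric"

class Nat:
    def __init__(self, kind, public_ip, first_port=10100):
        self.kind, self.public_ip, self.next_port = kind, public_ip, first_port
        self.mappings = {}   # mapping key -> public port
        self.allowed = {}    # public port -> set of remote (ip, port) the inside host sent to

    def outbound(self, src, dst):
        """Internal endpoint src sends to dst; return the translated public source."""
        # a symmetric NAT allocates one mapping per destination; cone NATs reuse it
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        public = (self.public_ip, self.mappings[key])
        self.allowed.setdefault(public[1], set()).add(dst)
        return public

    def inbound(self, src, dst_port):
        """External src sends to our public dst_port; return the internal endpoint or None."""
        if dst_port not in self.allowed:
            return None                       # no mapping at all: every NAT drops it
        seen = self.allowed[dst_port]
        if self.kind == FULL_CONE:
            ok = True                         # anyone may use the mapping
        elif self.kind == RESTRICTED:
            ok = any(ip == src[0] for ip, _ in seen)   # remote IP must have been contacted
        else:
            ok = src in seen                  # port restricted and symmetric: IP and port
        if not ok:
            return None
        key = next(k for k, p in self.mappings.items() if p == dst_port)
        return key[0] if self.kind == SYMMETRIC else key

def udp_hole_punch(kind_a, kind_b):
    """Replay the slide's exchange; True when A and B can reach each other."""
    S = ("203.0.113.1", 7777)                 # public rendezvous server
    nat_a, nat_b = Nat(kind_a, "198.51.100.1"), Nat(kind_b, "198.51.100.2")
    a, b = ("192.168.0.2", 4445), ("192.168.1.2", 4445)
    a_pub, b_pub = nat_a.outbound(a, S), nat_b.outbound(b, S)   # 1. both register with S
    a_to_b = nat_a.outbound(a, b_pub)         # 2. S tells each the other's public endpoint;
    b_to_a = nat_b.outbound(b, a_pub)         #    each sends a packet there, opening a hole
    return (nat_b.inbound(a_to_b, b_pub[1]) == b and   # 3. does each packet get through?
            nat_a.inbound(b_to_a, a_pub[1]) == a)
```

The symmetric case fails because the packet to the peer gets a fresh mapping (10101 here, 10179 on the slide) while the peer was told the port registered with S.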

STUN protocol (to simplify hole punching). A protocol that lets applications discover the presence and type of NATs and firewalls between them and the public Internet. STUN allows applications to determine the public IP addresses allocated to them by the NAT.

STUN protocol. STUN is specified in RFC 3489 and defines the operations and the message format needed to determine the type of NAT.
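As an added example (not part of the slides), the RFC 3489 message format and NAT-type decision procedure in code: a Binding Request builder, a parser for the MAPPED-ADDRESS attribute of the Binding Response, and the decision tree applied to the outcomes of the RFC's three tests. The sample response bytes are constructed; the code never contacts a real STUN server.

```python
# Added example, not from the slides: build an RFC 3489 STUN Binding Request, read
# the MAPPED-ADDRESS out of a Binding Response, and apply the RFC 3489 NAT-type
# decision procedure to the outcomes of its three tests. Sample bytes are constructed.
import os
import socket
import struct

BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
MAPPED_ADDRESS, CHANGE_REQUEST = 0x0001, 0x0003

def binding_request(change_ip=False, change_port=False, txid=None):
    """20-byte header (type, length, 128-bit transaction id) plus an optional
    CHANGE-REQUEST attribute asking the server to reply from another IP/port."""
    txid = txid or os.urandom(16)
    body = b""
    if change_ip or change_port:
        flags = (0x04 if change_ip else 0) | (0x02 if change_port else 0)
        body = struct.pack("!HHI", CHANGE_REQUEST, 4, flags)
    return struct.pack("!HH", BINDING_REQUEST, len(body)) + txid + body

def parse_mapped_address(msg, txid):
    """Return (ip, port) from MAPPED-ADDRESS, or None if the message is not a
    Binding Response for our transaction id or carries no IPv4 mapping."""
    if len(msg) < 20:
        return None
    mtype, length = struct.unpack("!HH", msg[:4])
    if mtype != BINDING_RESPONSE or msg[4:20] != txid or len(msg) < 20 + length:
        return None
    pos = 20
    while pos + 4 <= 20 + length:            # walk the TLV attribute list
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        val = msg[pos + 4:pos + 4 + alen]
        if atype == MAPPED_ADDRESS and alen == 8 and val[1] == 0x01:   # family 1 = IPv4
            return socket.inet_ntoa(val[4:8]), struct.unpack("!H", val[2:4])[0]
        pos += 4 + alen
    return None

def nat_type(local, test1, test2_ok, test1b, test3_ok):
    """RFC 3489 decision tree: test1/test1b are the mapped addresses reported by the
    server's primary and alternate IP; test2_ok/test3_ok say whether a reply came
    when the server was asked to answer from another IP and port / another port."""
    if test1 is None:
        return "UDP blocked"
    if test1 == local:
        return "open Internet" if test2_ok else "symmetric UDP firewall"
    if test2_ok:
        return "full cone"
    if test1b != test1:
        return "symmetric"
    return "restricted cone" if test3_ok else "port restricted cone"
```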

TURN protocol. TURN is a protocol for UDP/TCP relaying from behind a NAT. Unlike STUN there is no hole punching: data are bounced off a public server called the TURN server. TURN is the last resort, for instance behind a symmetric NAT.

Roles in TURN. A TURN client is an entity that generates TURN requests. A TURN server is an entity that receives TURN requests and sends TURN responses. The server is a data relay, receiving data on the address it provides to clients and forwarding it to the clients.

TCP hole punching. TCP connections between hosts behind NATs are slightly more complex than for UDP. Berkeley sockets allow a TCP socket to initiate an outgoing connection or to listen for incoming connections, but not both.

TCP hole punching. We need to use a single local TCP port to listen for incoming TCP connections and to initiate multiple outgoing TCP connections concurrently. To bind multiple sockets to the same local endpoint, BSD systems have introduced the SO_REUSEADDR and SO_REUSEPORT socket options.

TCP hole punching (diagram: host A and host B each on a local network behind a NAT, rendezvous server S in the main Internet; the second step of the animation shows the endpoints exchanged through S).

STUNT. Simple Traversal of UDP Through NATs and TCP too (STUNT) extends STUN to include TCP functionality. A Java implementation of STUNT is available. See

Traversing a NAT that collaborates

SOCKS. SOCKS is a client-server protocol that allows a client behind a firewall to use a server in the public Internet to relay traffic. Two operations: CONNECT and BIND. It is widely adopted; for instance, Mozilla can be configured to use SOCKS. Two versions: SOCKS4 and SOCKS5.

SOCKS CONNECT (diagram: host A behind a NAT, SOCKS proxy, server S; 1. host A sends CONNECT to the proxy; 2. the proxy calls connect() towards S).

SOCKS BIND (diagram: host A behind a NAT, listening on 4445; SOCKS proxy; server S. 1. host A sends BIND (localport=4445, S); 2. the proxy answers Ok. Port=33102; 3. S calls connect(33102) on the proxy).

SOCKS and Java

    import java.net.*;

    // SOCKS proxy endpoint (example host name from the slide) and a URL connection opened through it
    SocketAddress addr = new InetSocketAddress("socks.mydomain.com", 1080);
    Proxy proxy = new Proxy(Proxy.Type.SOCKS, addr);
    URL url = new URL("ftp://ftp.gnu.org/README");
    URLConnection conn = url.openConnection(proxy);

SOCKS4 and SOCKS5. SOCKS4 doesn't support authentication, while SOCKS5 has a built-in mechanism to support a variety of authentication methods. SOCKS4 doesn't support UDP proxying, while SOCKS5 does. SOCKS4 clients require full DNS support, while SOCKS5 clients can rely on the SOCKS5 server to perform the DNS lookup.
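An added example (not from the slides) that shows two of these differences on the wire: SOCKS5 starts with an authentication-method negotiation and can put a hostname in its CONNECT request for the server to resolve, while a SOCKS4 CONNECT request only has room for an IPv4 address the client resolved itself. The reply parser also reads the bound address a server reports, as in the BIND exchange above (port 33102). Host names, ports and reply bytes are constructed sample values.

```python
# Added example, not from the slides: encode SOCKS4 and SOCKS5 CONNECT requests
# and decode the SOCKS5 reply, to show the differences listed above: SOCKS5
# negotiates an authentication method and can carry a hostname for the server to
# resolve, while SOCKS4 needs the client to supply a resolved IPv4 address.
# Host names, ports and reply bytes are constructed sample values.
import ipaddress
import struct

SOCKS5, CONNECT, NO_AUTH, USER_PASS = 0x05, 0x01, 0x00, 0x02

def socks5_greeting(with_password=False):
    """Method selection message: version, method count, methods offered."""
    methods = bytes([NO_AUTH, USER_PASS]) if with_password else bytes([NO_AUTH])
    return bytes([SOCKS5, len(methods)]) + methods

def socks5_connect(host, port):
    """CONNECT request: ATYP 1 for a literal IPv4 address, ATYP 3 with a
    length-prefixed hostname otherwise (the SOCKS5 server does the DNS lookup)."""
    try:
        addr = b"\x01" + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return bytes([SOCKS5, CONNECT, 0x00]) + addr + struct.pack("!H", port)

def socks4_connect(ipv4, port, userid=b""):
    """SOCKS4 CONNECT: version, command, port, IPv4, NUL-terminated user id.
    A hostname is rejected here: SOCKS4 clients must resolve it themselves."""
    packed = ipaddress.IPv4Address(ipv4).packed   # raises ValueError on a hostname
    return bytes([0x04, CONNECT]) + struct.pack("!H", port) + packed + userid + b"\x00"

def parse_socks5_reply(data):
    """Return (succeeded, bound_host, bound_port) from a SOCKS5 reply, None if malformed.
    The bound address is what the server reports for BIND or for the outgoing side."""
    if len(data) < 4 or data[0] != SOCKS5:
        return None
    rep, atyp = data[1], data[3]
    if atyp == 0x01 and len(data) >= 10:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:10]
    elif atyp == 0x03 and len(data) >= 7 + data[4]:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:7 + n]
    else:
        return None
    return rep == 0x00, host, struct.unpack("!H", rest)[0]
```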

UPnP NAT traversal. The Internet Gateway Device (IGD) protocol [1] is defined by UPnP and is implemented in some Internet routers. It allows applications to automatically configure NAT routing. IGD makes it easy to: learn the public (external) IP address; enumerate existing port mappings; add and remove port mappings; assign lease times to mappings.

UPnP API provided by COM: IStaticPortMapping::get_ExternalIPAddress(), IStaticPortMapping::get_ExternalPort(), IStaticPortMapping::get_InternalPort(), IStaticPortMapping::get_Protocol(), IStaticPortMapping::get_InternalClient(), IStaticPortMapping::get_Enabled(), IStaticPortMapping::get_Description().

UPnP port forward (diagram).

Issues with UPnP. Opponents of IGD see a significant security risk: UPnP allows any program, even a malicious program, to create a port mapping through the router. With UPnP, the port mapping can be created even without any knowledge of the administrative password of the router.

References. Peer-to-Peer Communication Across NAT. STUN protocol, IETF RFC. TCP NAT traversal. Traversal Using Relay NAT (TURN), IETF RFC.

References (2). SOCKS5, IETF RFC. SOCKS4. Java Networking and Proxies. Using UPnP for Programmatic Port Forwardings and NAT Traversal.