NAT/Firewall Traversal, April 2009

NAT revisited – “port-translating NAT”

NAT’s effect on applications
NAT affects P2P applications where each peer may need to be contacted.
VoIP is one such application: each user needs to have an address at which other users can “call” them.
– E.g. in SIP’s case, the addresses in the INVITE message sent by the UA are all private addresses, so they cannot be used by the target UA to reply.
The problem is complicated by the different types of NAT.
STUN is a protocol/algorithm to differentiate between different NATs or firewalls.

RFC 3489
STUN = Simple Traversal of UDP (User Datagram Protocol) through NATs
A simple protocol that lets an application discover:
– whether it is behind a firewall or NAT box
– if so, what kind of firewall/NAT box
– the external address/port assigned by the NAT
Useful for interactive multimedia applications where each peer needs its contact information known, e.g. Skype.

NAT and STUN
[Figure: node with private address X behind a NAT box; the STUN client on the node sends a request to the STUN server (application at address Y, port P) and receives the response.]
NAT box has public address Z.
Maps “X at port R” to “Z at port Q”.
May do filtering, so not all nodes knowing Z/Q can talk to X.
State: X/R = Z/Q

Types of NATs
Full cone NAT – no filtering at the NAT
Restricted cone NAT – NAT with filtering: only a previously contacted node can talk to X
Port-restricted NAT – NAT with filtering: only a previously contacted address and port number can be used to talk to X
Symmetric NAT – most restrictive filtering: when X talks to different external applications Y/P and Z/Q, they result in different external address/port pairs for X

Symmetric NAT discovery

Full cone NAT discovery

Restricted cone NAT discovery

Port-restricted cone NAT discovery

Firewalls
[Figure: node with private address X behind a firewall; the STUN client sends a request to the STUN server (application at address Y, port P) and receives the response.]
Some firewalls may block all UDP.
Some firewalls may allow a UDP response only if it is sent from the Y/P to which an earlier UDP request was sent (“symmetric firewall”).

Different cases detectable using STUN
Node has public address
Node behind firewall that blocks UDP
Node behind symmetric firewall
Full cone NAT
Symmetric NAT
Restricted NAT or port-restricted NAT

STUN Request and Response
The STUN response from the server may include:
MAPPED-ADDRESS – in Binding Responses. It contains the IP address and port of the client as seen by the server.
CHANGED-ADDRESS – in Binding Responses. It contains the alternate IP address and port of the server.
SOURCE-ADDRESS – in Binding Responses. It contains the IP address and port of the server.
The STUN request can contain a flag to request that the STUN server use its alternate address and/or port to send the STUN response:
CHANGE-REQUEST – in Binding Requests. It contains flags for the alternate IP address and port of the server.
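To make the attribute list above concrete, here is an added example (not code from the slides or from any STUN implementation) that builds an RFC 3489 Binding Request with the CHANGE-REQUEST flags and parses a Binding Response carrying MAPPED-ADDRESS, SOURCE-ADDRESS and CHANGED-ADDRESS. The addresses in demo() are constructed documentation-range values, and the response is hand-built rather than received from a real server. The parser rejects datagrams whose declared lengths do not fit, and response_matches() shows the check a client should make before trusting a reply: the 128-bit transaction ID must echo the request it sent.

```python
import os
import socket
import struct

# RFC 3489 message types and the attribute types named on the slide
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
CHANGE_REQUEST = 0x0003
SOURCE_ADDRESS = 0x0004
CHANGED_ADDRESS = 0x0005
ADDRESS_ATTRS = (MAPPED_ADDRESS, SOURCE_ADDRESS, CHANGED_ADDRESS)

# CHANGE-REQUEST flag bits: "change IP" and "change port"
CHANGE_IP = 0x04
CHANGE_PORT = 0x02


def encode_address(ip, port):
    """Address attribute value: one pad byte, family (0x01 = IPv4), port, address."""
    return struct.pack("!BBH4s", 0, 0x01, port, socket.inet_aton(ip))


def decode_address(value):
    if len(value) != 8:
        raise ValueError("bad address attribute length")
    _, family, port, raw = struct.unpack("!BBH4s", value)
    if family != 0x01:
        raise ValueError("RFC 3489 only defines IPv4 addresses")
    return socket.inet_ntoa(raw), port


def build_message(msg_type, attrs, txid=None):
    """20-byte header (type, body length, 128-bit transaction ID) then TLV attributes."""
    txid = txid if txid is not None else os.urandom(16)
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in attrs)
    return struct.pack("!HH", msg_type, len(body)) + txid + body


def build_binding_request(change_ip=False, change_port=False, txid=None):
    """Binding Request; CHANGE-REQUEST is only added when a flag is set (Tests II/III)."""
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = [(CHANGE_REQUEST, struct.pack("!I", flags))] if flags else []
    return build_message(BINDING_REQUEST, attrs, txid)


def parse_message(data):
    """Parse header and attributes, refusing anything whose declared lengths do
    not fit the datagram. Returns (msg_type, txid, {attr_type: value})."""
    if len(data) < 20:
        raise ValueError("datagram shorter than STUN header")
    msg_type, length = struct.unpack("!HH", data[:4])
    txid = data[4:20]
    if len(data) != 20 + length:
        raise ValueError("header length does not match datagram")
    attrs, off = {}, 20
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if off + alen > len(data):
            raise ValueError("attribute overruns datagram")
        value = data[off:off + alen]
        off += alen
        if atype in ADDRESS_ATTRS:
            attrs[atype] = decode_address(value)
        elif atype == CHANGE_REQUEST:
            if alen != 4:
                raise ValueError("bad CHANGE-REQUEST length")
            attrs[atype] = struct.unpack("!I", value)[0]
        else:
            attrs[atype] = value      # unknown attribute: keep the raw bytes
    return msg_type, txid, attrs


def response_matches(request, response):
    """Accept a Binding Response only if its transaction ID echoes our request;
    a stray or spoofed datagram with another ID is ignored."""
    rtype, rtx, _ = parse_message(request)
    stype, stx, _ = parse_message(response)
    return rtype == BINDING_REQUEST and stype == BINDING_RESPONSE and rtx == stx


def demo():
    """Constructed Test I exchange: our request and the server's reply."""
    txid = b"\x11" * 16
    req = build_binding_request(txid=txid)
    resp = build_message(BINDING_RESPONSE, [
        (MAPPED_ADDRESS, encode_address("203.0.113.5", 40000)),   # what the NAT did to us
        (SOURCE_ADDRESS, encode_address("198.51.100.1", 3478)),   # where the reply came from
        (CHANGED_ADDRESS, encode_address("198.51.100.2", 3479)),  # server's alternate address
    ], txid=txid)
    return req, resp
```

A Binding Request without CHANGE-REQUEST is exactly the 20-byte header; Tests II and III set the flags so the reply comes from the alternate IP and/or port, which is how the next slides tell the NAT types apart.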

Flow chart for NAT discovering process

How to find STUN servers
Application-specific way
– E.g. Skype probably relies on public Super Nodes to serve as STUN servers
– Super Nodes are found in the Host Cache, initially populated by the well-known login server
Using SRV records in DNS
– The application/service provider populates SRV records for STUN servers
– This is similar to how SIP proxy servers are found
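The SRV route works the same way for STUN as for SIP proxies: the client queries the service name and then orders the answers by priority and weight. The following is an added example (not from the slides or any product) that forms the RFC 3489 service name and applies the RFC 2782 selection rule to a constructed answer set; no real DNS query is made, the records are embedded as a resolver would return them.

```python
import random

# Constructed SRV records for _stun._udp.example.com, shaped as a resolver
# would return them: (priority, weight, port, target). Not real infrastructure.
CONSTRUCTED_SRV = [
    (10, 60, 3478, "stun1.example.com."),
    (10, 40, 3478, "stun2.example.com."),
    (20, 0, 3478, "stun-backup.example.com."),
]


def stun_srv_name(domain):
    """RFC 3489 registers the service as _stun over UDP."""
    return f"_stun._udp.{domain}"


def order_srv(records, rng=None):
    """RFC 2782 server selection: lower priority first; within one priority a
    weighted random order, so load spreads in proportion to the weights.
    Returns [(target, port), ...] in the order a client should try them."""
    rng = rng or random.Random()
    ordered = []
    for priority in sorted({r[0] for r in records}):
        bucket = [r for r in records if r[0] == priority]
        while bucket:
            total = sum(r[1] for r in bucket)
            pick = rng.randint(0, total)
            running = 0
            for rec in bucket:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    bucket.remove(rec)
                    break
    # A target of "." means the service is explicitly not offered (RFC 2782)
    return [(target, port) for _, _, port, target in ordered if target != "."]
```

With the constructed records, stun1 and stun2 share priority 10 and are tried in a weighted random order (roughly 60/40), and the backup at priority 20 is only tried after both fail.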

“Hole Punching” – RFC 5128
Alice (with private address) wants to call Bob.
Bob is also behind a NAT box (with private address).
1. Alice talks to the public (STUN) server, so the server knows Alice’s external address/port.
2. Bob also talks to the public server, so the server knows about Bob too.
3. The public server tells Alice about Bob, and Bob about Alice.
4. Bob sends a packet to Alice (creating a “hole” in his NAT).
[Figure: Alice, Bob and the server, with steps 1–4 marked.]

Direct connection
Now when Alice sends a packet back to Bob, Bob’s NAT does not filter it, assuming it is the return packet for the earlier request.
Alice’s NAT also allows Bob’s future packets to return.
This assumes Alice’s NAT will use the same external address/port (the one used for the server) to talk to Bob.
This does not work if the NATs are symmetric NATs.
[Figure: Alice, Bob and the server, with steps 1–4 marked.]
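The NAT types, the STUN discovery tests and the hole-punching sequence above all rest on two behaviours of the box: how it creates mappings and which inbound packets it lets through. The following is an added example, not code from the slides, from Skype or from any NAT or STUN product: a toy model of one box per peer (the seven cases on the “Different cases detectable using STUN” slide), the RFC 3489 Test I/II/III decision procedure run against it, and the four-step hole punch from the two slides above. The server addresses and the mapping port range are constructed assumptions. Run against two port-restricted NATs the punch succeeds; with a symmetric NAT on Alice’s side it fails, because her NAT allocates a new external port for Bob that differs from the one the server reported.

```python
import itertools

# Constructed STUN server addresses: primary and alternate IP/port pairs,
# as a CHANGED-ADDRESS attribute would advertise them
SERVER_IP, SERVER_ALT_IP = "198.51.100.1", "198.51.100.2"
SERVER_PORT, SERVER_ALT_PORT = 3478, 3479


class Nat:
    """Toy model of the box in front of one host. kind is one of: blocked,
    open, symmetric_firewall, full_cone, restricted, port_restricted, symmetric."""

    def __init__(self, kind, host_ip, ext_ip):
        self.kind, self.host_ip, self.ext_ip = kind, host_ip, ext_ip
        self.mappings = {}        # mapping key -> external port (assumed from 40000)
        self.contacts = set()     # (external port, dst ip, dst port) seen outbound
        self._ports = itertools.count(40000)

    def outbound(self, src_port, dst):
        """Host sends from private src_port to dst=(ip, port). Returns the source
        address dst will see, or None if the box drops the datagram."""
        if self.kind == "blocked":
            return None
        if self.kind in ("open", "symmetric_firewall"):
            ext = (self.host_ip, src_port)                   # no translation
        else:
            # a symmetric NAT keys the mapping on the destination too, so each
            # new peer gets a fresh external port; cone NATs reuse one mapping
            key = (src_port, dst) if self.kind == "symmetric" else src_port
            if key not in self.mappings:
                self.mappings[key] = next(self._ports)
            ext = (self.ext_ip, self.mappings[key])
        self.contacts.add((ext[1], dst[0], dst[1]))
        return ext

    def inbound(self, src, ext_port):
        """Datagram from src=(ip, port) to our external port: True if delivered."""
        if self.kind == "blocked":
            return False
        if self.kind == "open":
            return True
        if self.kind == "full_cone":
            return ext_port in self.mappings.values()
        if self.kind == "restricted":
            return any(p == ext_port and ip == src[0] for p, ip, _ in self.contacts)
        # port_restricted, symmetric, symmetric_firewall: exact (ip, port) match
        return (ext_port, src[0], src[1]) in self.contacts


def binding(nat, local_port, dst, change_ip=False, change_port=False):
    """One Binding Request/Response round trip. Returns the MAPPED-ADDRESS the
    server reports, or None when no response gets back through the box."""
    mapped = nat.outbound(local_port, dst)
    if mapped is None:
        return None
    reply_from = (SERVER_ALT_IP if change_ip else dst[0],
                  SERVER_ALT_PORT if change_port else dst[1])
    return mapped if nat.inbound(reply_from, mapped[1]) else None


def discover(nat, local_port=5060):
    """RFC 3489 discovery: Test I, Test II (change IP and port), Test I to the
    alternate address, Test III (change port only)."""
    primary, alternate = (SERVER_IP, SERVER_PORT), (SERVER_ALT_IP, SERVER_ALT_PORT)
    mapped = binding(nat, local_port, primary)
    if mapped is None:
        return "UDP blocked"
    if mapped == (nat.host_ip, local_port):             # no translation happened
        if binding(nat, local_port, primary, change_ip=True, change_port=True):
            return "open internet"
        return "symmetric firewall"
    if binding(nat, local_port, primary, change_ip=True, change_port=True):
        return "full cone NAT"
    if binding(nat, local_port, alternate) != mapped:
        return "symmetric NAT"
    if binding(nat, local_port, primary, change_port=True):
        return "restricted cone NAT"
    return "port-restricted cone NAT"


def hole_punch(nat_a, nat_b, port_a=5060, port_b=5060):
    """Both peers register with the server and learn each other's mapped
    address from it; Bob sends first to open his NAT, then Alice replies."""
    server = (SERVER_IP, SERVER_PORT)
    a_mapped, b_mapped = binding(nat_a, port_a, server), binding(nat_b, port_b, server)
    if a_mapped is None or b_mapped is None:
        return False
    b_ext = nat_b.outbound(port_b, a_mapped)     # Bob -> Alice: punches Bob's hole;
    nat_a.inbound(b_ext, a_mapped[1])            # Alice's NAT usually drops this one
    a_ext = nat_a.outbound(port_a, b_mapped)     # Alice -> Bob through that hole
    if not nat_b.inbound(a_ext, b_mapped[1]):
        return False
    b_ext = nat_b.outbound(port_b, a_mapped)     # Bob -> Alice must now get through
    return nat_a.inbound(b_ext, a_mapped[1])
```

Every call mutates the box's state, so use a fresh Nat for each experiment. The model deliberately ignores mapping timeouts and the ad hoc port-guessing the next slide mentions; it only shows why the same three round trips classify each box and why the punch depends on the cone-style mapping reuse.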

Brute force methods
If both NATs are symmetric, it may still be possible to guess the address/port of the hole, by port scanning!
– Such techniques are very ad hoc
Last resort: use a relay (all stream data go through a third party)
– Performance is worse
– Need someone to be the relay

Reference
For a more detailed description, read the article about NAT in The Internet Protocol Journal, Vol 7, Num 3, September. Also at:
Read about UDP hole punching on Wikipedia.
IETF RFC 5128