NAT1 Network Address Translation Dr. Danny Tsang Department of Electronic & Computer Engineering Hong Kong University of Science and Technology.

NAT2 Outline
- What are Firewall and NAT?
- Problems created by Firewall and NAT
- Solutions
  - Traversal of NAT/Firewall
- Goal
  - Understand how firewall and NAT function
  - Be aware of problems created by Firewall and NAT
  - Master the NAT traversal techniques

NAT3 Firewalls
A firewall isolates the organization's internal net from the open Internet and protects the local network from being accessed by unauthorized sources.
[Figure: firewall placed between the internal network and the Internet]

NAT4 Firewalls: Why
- prevent denial of service attacks:
  - SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.
- prevent illegal modification/access of internal data.
  - e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network (set of authenticated users/hosts)
- two types of firewalls:
  - application-level
  - packet-filtering

NAT5 Packet Filtering
- internal network connected to Internet via router firewall
- router filters packet-by-packet; decision to forward/drop packet based on:
  - source IP address, destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits
Should an arriving packet be allowed in? Should a departing packet be let out?

NAT6 Packet Filtering
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  - All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: block inbound TCP segments with ACK=0.
  - Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

NAT7 Application gateways
- An ALG filters packets on application messages, while a packet-filtering firewall filters packets on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
  1. Require all telnet users to telnet through the ALG.
  2. For authorized users, the gateway sets up a telnet connection to the dest host and relays data between the 2 connections.
  3. The router blocks all telnet connections not originating from the ALG.
[Figure: host-to-gateway telnet session, application gateway, gateway-to-remote-host telnet session, router and filter]

NAT8 Default Behavior of Firewall
- A firewall identifies networks as inside or outside
- Packets can get from the inside to the outside
- Packets from the outside that are associated with an inside-originated connection are allowed back in
- Packets originated from the outside are not allowed to the inside
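As an added example (not from the lecture slides), the two rules from the Packet Filtering slide and the inside-originated-connection default from this slide combined into one small stateful filter; the 10.0.0.0/8 inside network, the packet fields and the sample packets are constructed assumptions.

```python
# Added example, not from the lecture: a minimal stateful packet filter.
# Rule 1 (NAT6 example 1): drop protocol 17 (UDP) and anything on port 23.
# Rule 2 (NAT6 example 2): drop inbound TCP with ACK=0 (new connection attempts).
# Default (NAT8): inside -> outside is allowed and recorded; outside -> inside is
# allowed only as a reply to a flow that was opened from inside.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # assumed internal network (constructed)
UDP, TCP = 17, 6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class StatefulFilter:
    # flows opened from inside: (inside ip, inside port, outside ip, outside port, proto)
    flows: set = field(default_factory=set)

    def outbound(self, p):
        return ip_address(p.src) in INSIDE and ip_address(p.dst) not in INSIDE

    def inbound(self, p):
        return ip_address(p.dst) in INSIDE and ip_address(p.src) not in INSIDE

    def decide(self, p: Packet) -> str:
        # Rule 1: all UDP and all telnet traffic is blocked in both directions.
        if p.proto == UDP or 23 in (p.sport, p.dport):
            return "DROP"
        if self.outbound(p):
            # remember the connection so its replies can come back in
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "ACCEPT"
        if self.inbound(p):
            # Rule 2: a TCP segment without ACK can only be a new connection.
            if p.proto == TCP and not p.ack:
                return "DROP"
            # default: only replies to flows that were opened from inside
            if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
                return "ACCEPT"
            return "DROP"
        return "DROP"  # inside-to-inside or outside-to-outside: not our traffic
```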

NAT9 Limitations of firewalls and gateways
- IP spoofing: the router can't know if data "really" comes from the claimed source
- if multiple applications need special treatment, each has its own application gateway
- client software must know how to contact the gateway
  - e.g., must set the IP address of the proxy in the Web browser
- filters often use an all-or-nothing policy for UDP
- tradeoff: degree of communication with the outside world vs. level of security
- many highly protected sites still suffer from attacks

NAT10 NAT: Network Address Translation
[Figure: local network (e.g., home network) with a /24 address block, connected through a NAT router to the rest of the Internet]
- Datagrams with source or destination in this network have a /24 address for source, destination (as usual)
- All datagrams leaving the local network have the same single source NAT IP address, different source port numbers

NAT11 NAT: Network Address Translation
- Motivation: local network uses just one IP address as far as the outside world is concerned:
  - no need to be allocated a range of addresses from the ISP: just one IP address is used for all devices
  - can change addresses of devices in the local network without notifying the outside world
  - can change ISP without changing addresses of devices in the local network
  - devices inside the local net are not explicitly addressable or visible to the outside world (a security plus)

NAT12 NAT Traversal in VoIP
- NATs map a private IP address space to externally visible (public) IP addresses
  - Conserve limited public IP addresses
  - Shield internal hosts from the outside world
- Useful for enterprises, cable modem networks, broadband access routers, internet cafes...
- NATs interfere with peer-to-peer protocols such as SIP
  - SIP clients must identify the IP address and ports they will use to receive media streams (in the payload of their signaling messages)
  - But they don't know their externally visible addresses
- "One of the SIP community's biggest problems"

NAT13 NAT: Network Address Translation
Implementation: the NAT router must:
- outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #); remote clients/servers will respond using (NAT IP address, new port #) as the destination address
- remember (in the NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
- incoming datagrams: replace (NAT IP address, new port #) in the dest fields of every incoming datagram with the corresponding (source IP address, port #) stored in the NAT table

NAT14 NAT: Network Address Translation
[Figure: NAT translation table with columns "WAN side addr" and "LAN side addr"; one entry maps the host's port 3345 to NAT port 5001]
1. host sends a datagram to the server, port 80
2. NAT router changes the datagram source addr from (host IP, 3345) to (NAT IP, 5001), updates the table
3. Reply arrives with dest. address (NAT IP, 5001)
4. NAT router changes the datagram dest addr from (NAT IP, 5001) to (host IP, 3345)
Bindings can only be initiated by outgoing traffic

NAT15 NAT: Pros
- Use of a single registered IP address for an entire network
- Independence of ISP IP addresses
- Transparent to end systems in some cases (increased security)
- Delays the need for IPv4 replacement
  - 16-bit port-number field: 60,000 simultaneous connections with a single WAN-side address!
- Masks the true internal IP addresses of the internal network

NAT16 NAT: Cons
- Violates the end-to-end argument
  - The possibility of NAT must be taken into account by app designers, e.g., P2P applications
- Increases local support burden and complexity

NAT17 Outline
- What are Firewall and NAT?
- Problems created by Firewall and NAT
- Solutions
  - Traversal of NAT/Firewall

NAT18 NAT & Firewall Problem
- NAT & Firewall are employed to prevent hackers or unauthorized persons from accessing the internal network
- Voice and video over IP are not NAT & Firewall friendly
- Provide a secure two-way communication connection across the NAT & Firewall
  - Firewall Problem
  - NAT Problem

NAT19 Firewall Problem for VoIP
[Figure: User A behind the firewall, User B on the Internet; flows 1. INVITE, 2. OK, 3. Media, 4. INVITE, 5. Media (A), 5. Media (B)]
1. User A is able to call User B since the firewall allows inside-to-outside sessions
2. User B is able to respond back to User A at the VoIP signaling layer
3. PROBLEM: Media traffic sent by User B from outside will be blocked since it uses a different socket than the VoIP signaling
4. PROBLEM: If User B tries to initiate a call to User A, it will be blocked by the firewall
5. PROBLEM: If symmetric RTP is not used, the RTP fails to get back inside from B (symmetric RTP = the UA uses the same socket/port for sending and receiving the RTP)

NAT20 NAT Problem for VoIP
[Figure: User A behind the NAT, User B on the Internet; flows 1. INVITE, 2. OK, 3. Media ?]
1. User A sends an INVITE to User B; the NAT translates the layer 3 address, but not the layer 5 (SIP, SDP) addresses
2. User B receives the INVITE and responds back to the NAT address
3. PROBLEM: User B tries to send RTP to User A using the IP:Port from the SDP (the c= line address and m= port 8000), but this fails since it cannot route to User A
Notes: VoIP devices on the Internet
- cannot make calls to a private address (where to send them?)
- do not know the type of NAT being used (cone, symmetric and so on), so they do not know what kinds of bindings to use
- do not know if the bindings are still open

NAT21 SIP trace
SIP signaling:
  INVITE SIP/2.0
  Via: SIP/2.0/UDP :5060;branch=a71b6d57-507c77f2            [internal IP address]
  Via: SIP/2.0/UDP :5060;received= ;rport=                   [external IP address seen by the SIP proxy from outside]
  From: ;tag=108bcd
  To: sip:
  Contact: sip:
  Call-ID:
  CSeq: INVITE
  Content-Length:
  Content-Type: application/sdp
  User-Agent: HearMe SoftPHONE
SDP signaling:
  v=0
  o=deltathree 0 0 IN IP
  s=deltathree
  c=IN IP                                                    [internal IP address for the RTP stream]
  t=
  m=audio 8000 RTP/AVP
  a=ptime:
  a=x-ssrc:00aea3c0

NAT22 Symmetric RTP
- Classical RTP is unidirectional (i.e. two RTP sessions, one in each direction)
- Endpoints use UDP port symmetry to establish bi-directional traffic
  - Sending and receiving ports for the RTP and RTCP traffic should be the same on the endpoint behind the NAT/Firewall
- Connection oriented
- Usage
  - require that endpoints use UDP port symmetry to establish bi-directional traffic

NAT23 Solution to NAT Traversal
Let clients be aware of their external IP:PORT
- Ask the NAT
  - Universal Plug and Play (UPnP)
- Ask someone outside the NAT
  - Simple Traversal of UDP Through NATs (STUN)
  - Traversal Using Relay NAT (TURN)
  - Interactive Connectivity Establishment (ICE)
- Make NAT & Firewall SIP friendly
  - Application Layer Gateway

NAT24 Universal Plug and Play (UPnP)
- Proposed by Microsoft
- The client talks with the NAT gateway and asks about its IP and ports
- Will NOT work with cascading NAT

NAT25 Universal Plug and Play (UPnP)
[Figure: client asks the NAT gateway "1. What is my IP:Port assigned?"; the NAT reports the source mapping with port 9001]
Will NOT work with cascading NAT (a security issue)

NAT26 Solution to NAT/Firewall Traversal
Let clients be aware of their external IP:PORT
- Ask the NAT
  - Universal Plug and Play (UPnP)
- Ask someone outside the NAT
  - Simple Traversal of UDP Through NATs (STUN)
  - Traversal Using Relay NAT (TURN)
  - Interactive Connectivity Establishment (ICE)
- Make NAT & Firewall SIP friendly
  - Application Layer Gateway

NAT27 STUN
- Simple Traversal of UDP Through NATs
- Types of NATs (listed in order of increasing security)
  - Full Cone
  - (Address) Restricted Cone
  - Port Restricted Cone
  - Symmetric
- Not suitable for Symmetric NAT

NAT28 Types of NATs: Full Cone
All incoming traffic can get through the pinhole to client A if the sender knows the IP:Port mapping.
[Figure: client A behind the NAT; clients B, C and D outside, all reaching A; NAT translation table with columns "LAN side addr" and "WAN side addr", one entry for A mapped to WAN port 9000]

NAT29 Types of NATs: (Address) Restricted Cone
Filters traffic only by IP address: incoming traffic from other IP addresses (clients C and D) is blocked. Incoming traffic from the same authorized IP but different ports will be accepted: traffic from B with different source ports can get through.
[Figure: client A behind the NAT; client B (port 2134 and another port) gets through, clients C and D are blocked; NAT translation table with columns "LAN side addr" and "WAN side addr", one entry for A mapped to WAN port 9000]

NAT30 Types of NATs: Port Restricted Cone
Filters by both IP address and port: sets up a one-to-many mapping.
[Figure: client A behind the NAT; clients B, C and D outside, one of them on port 7868; NAT translation table with columns "LAN side addr" and "WAN side addr", one entry for A mapped to WAN port 9000]

NAT31 Types of NATs: Port Restricted Cone (cont'd)
Filters by both IP address and port: sets up only one entry for multiple remote clients. Only one entry is set up in the table for the client's port 8000 towards the different clients outside.
[Figure: client A behind the NAT; clients B, C and D outside, one of them on port 7868; NAT translation table with columns "LAN side addr" and "WAN side addr", one entry for A mapped to WAN port 9000]

NAT32 Types of NATs: Symmetric
Filters by both IP address and port; the NAT assigns a separate mapping for each source-destination pair.
[Figure: client A behind the NAT; clients B, C and D outside; NAT translation table with columns "LAN side addr" and "WAN side addr", one entry per remote client]

NAT33 STUN
- External Query
  - Ask a server on the Internet what I "look" like
  - Compare the returned answer (external address) with my own address (local internal address)
  - Put my "real address" in the signaling to allow media traffic in
- This works IF:
  - The client sends and receives RTP on the same port (why?)
  - The SIP request is sent immediately; after a while the mapping might change
  - In the case of Address Restricted Cone or Port Restricted Cone, the client must send out data to the other end first

NAT34 STUN Solution
1. Send a query to the STUN server to ask for the IP:Port assigned by the NAT
2. Put the assigned IP:Port in the SDP
3. Incoming media gets through with the informed IP:Port
Useless for symmetric NAT since the holes punctured by STUN cannot be used by others.
[Figure: NAT translation table with columns "LAN side addr" and "WAN side addr"; WAN port 9000 assigned for STUN by the NAT, WAN port 9001 assigned for RTP by the NAT in the symmetric NAT case]
In the symmetric NAT case, RTP is only authorized to get through using 9001 but not 9000, due to the NAT/Firewall combination.
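As an added example (not from the lecture slides), a simulator for the NAT translation table of the NAT13/NAT14 slides and the four NAT behaviours of the Types of NATs slides; it reproduces the STUN Solution result that a STUN-discovered mapping lets media in through cone NATs but not through a symmetric NAT. All addresses, the port numbering and the class names are constructed assumptions.

```python
# Added example, not from the lecture: NAT behaviours modelled in Python.
# Bindings are created only by outgoing traffic (NAT14); the filtering of
# inbound packets depends on the NAT type (NAT28 to NAT32).
from itertools import count

FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC = range(4)


class Nat:
    def __init__(self, kind, wan_ip, first_port=9000):
        self.kind = kind
        self.wan_ip = wan_ip
        self.ports = count(first_port)  # WAN-side ports handed out in order
        self.table = {}                 # binding key -> WAN port
        self.reverse = {}               # WAN port -> internal (ip, port)
        self.peers = {}                 # WAN port -> set of (ip, port) sent to

    def _key(self, src, dst):
        # a symmetric NAT binds per (source, destination) pair; cone NATs per source
        return (src, dst) if self.kind == SYMMETRIC else src

    def outbound(self, src, dst):
        """Internal src=(ip, port) sends to dst; returns the WAN-side (ip, port) used."""
        key = self._key(src, dst)
        if key not in self.table:            # bindings come from outgoing traffic only
            wan_port = next(self.ports)
            self.table[key] = wan_port
            self.reverse[wan_port] = src
            self.peers[wan_port] = set()
        wan_port = self.table[key]
        self.peers[wan_port].add(dst)
        return (self.wan_ip, wan_port)

    def inbound(self, src, wan_port):
        """Outside src=(ip, port) sends to wan_port; returns the internal destination or None."""
        if wan_port not in self.reverse:
            return None                      # no pinhole at all
        sent_to = self.peers[wan_port]
        if self.kind == FULL_CONE:
            ok = True                        # anyone who knows the mapping gets in
        elif self.kind == ADDR_RESTRICTED:
            ok = any(ip == src[0] for ip, _ in sent_to)   # same IP, any port
        else:                                # port restricted and symmetric: exact peer
            ok = src in sent_to
        return self.reverse[wan_port] if ok else None


def stun_then_peer(kind, punch_first):
    """Client A learns its mapping from a STUN server and puts it in the SDP; peer B
    then sends media to it. punch_first=True models A sending to B first from the
    same socket (symmetric RTP). Returns True if B's media reaches A."""
    nat = Nat(kind, "192.0.2.1")                  # constructed addresses (RFC 5737)
    client_a = ("10.0.0.5", 8000)
    stun_srv = ("203.0.113.1", 3478)
    peer_b = ("198.51.100.7", 6988)
    reflexive = nat.outbound(client_a, stun_srv)  # what the STUN server reports back
    if punch_first:
        nat.outbound(client_a, peer_b)            # on a symmetric NAT this is a new binding
    return nat.inbound(peer_b, reflexive[1]) == client_a
```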

NAT35 STUN (cont'd)
- With the information sent by STUN, the client can determine
  - if it is on the open Internet
  - if it is behind a firewall that blocks UDP
  - if it is behind a NAT, and what type of NAT it is behind
- Will NOT work for symmetric NAT
  - Typical in large enterprises

NAT36 TURN
- Solves the 'symmetric' NAT case by letting media flow through the TURN server directly
  - Not the case with STUN servers
  - Increases voice latency
  - Increases the probability of packet loss
- Few SIP clients support TURN today (complex and not yet a standard)
- No free TURN server available (only commercial)
- Skype seems to support TURN

NAT37 TURN Solution
Media makes use of the hole punctured by TURN directly.
[Figure: NAT translation table with columns "LAN side addr" and "WAN side addr"; one entry with WAN port 9000, assigned for both TURN and SIP by the NAT]

NAT38 Interactive Connectivity Establishment
- Learns about the network topology in which the clients exist and the various sets of network addresses by which these devices can communicate
- Framework to unify the various NAT traversal techniques
  - STUN, TURN and Realm Specific IP (RSIP)
- Benefits from the collective functionality of each while avoiding any one protocol's drawbacks

NAT39 ICE message flow
[Figure: Initiator (Client A) and Responder (Client B), both with access to TURN and STUN servers]
1. Gather addresses (A, using the TURN/STUN servers)
2. Initiate messages (INVITE)
3. Gather addresses (B)
4. Accept messages (200 OK)
5. Address-fixing (A)
6. Address-fixing (B)
7. Media
8. Media
The highest-preference address is used. The more, the happier.

NAT40 ICE
- ICE Properties
  - Always finds a means of communicating if one physically exists
  - Always finds the communication path with the fewest relays
  - Always finds the communication path that is cheapest for the service provider
  - Does not require any knowledge of topology, NAT types, or anything else
  - Can guarantee that the phone won't ring unless audio works when you pick up

NAT41 Solution to NAT Traversal
Let clients be aware of their external IP:PORT
- Ask the NAT
  - Universal Plug and Play (UPnP)
- Ask someone outside the NAT
  - Simple Traversal of UDP Through NATs (STUN)
  - Traversal Using Relay NAT (TURN)
  - Interactive Connectivity Establishment (ICE)
- Make NAT & Firewall SIP aware
  - Application Layer Gateway

NAT42 Application Layer Gateway
- Makes the Firewall/NAT SIP aware
- Analyzes the address information inside the packet payload and dynamically opens or closes holes for media communications
- Needs to be updated for each new application, which restricts it for large corporate networks
- No commercial SIP ALGs today

NAT43 Application Layer Gateway Solution
Understanding the signaling messages and their relationship with the resulting media flows: media friendly.
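As an added example (not from the lecture slides), the check a SIP-aware ALG or proxy performs on an INVITE like the one in the NAT21 trace: it reads the address the UA advertises in the Via header and the SDP c=/m= lines, flags a NAT when that address is private or differs from where the packet really came from, and rewrites the message accordingly. The INVITE, its addresses and the function names are constructed assumptions, not the slide's trace.

```python
# Added example, not from the lecture: SIP/SDP inspection as an ALG would do it.
from ipaddress import ip_address, ip_network
import re

# Constructed sample INVITE (not the slide's trace): the UA behind a NAT puts its
# private address in both the Via header (signaling) and the SDP c= line (media).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-1;rport\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 0 0 IN IP4 10.0.0.5\r\n"
    "s=call\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 8000 RTP/AVP 0\r\n"
)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for the private address ranges a VoIP peer on the Internet cannot route to."""
    return any(ip_address(ip) in net for net in RFC1918)


def split_sip(msg):
    """Split a SIP message into header lines and SDP body lines."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body.split("\r\n")


def advertised_addresses(msg):
    """Addresses the UA itself put in the message: signaling (Via) and media (c=/m=)."""
    head, body = split_sip(msg)
    via = next(h for h in head if h.startswith("Via:"))
    m = re.search(r"UDP ([\d.]+):(\d+)", via)
    conn = next(l for l in body if l.startswith("c="))
    audio = next(l for l in body if l.startswith("m=audio"))
    return {"via": (m.group(1), int(m.group(2))),
            "media": (conn.split()[2], int(audio.split()[1]))}


def nat_detected(msg, received_from):
    """NAT suspected when the Via address differs from the packet's real source, or
    when the advertised media address is private (unroutable from outside)."""
    adv = advertised_addresses(msg)
    return adv["via"] != received_from or is_rfc1918(adv["media"][0])


def alg_rewrite(msg, received_from):
    """ALG behaviour: record the real source in received=/rport on the Via and point
    the SDP c= line at the public address the proxy saw. The media port is left
    alone: the NAT's RTP mapping does not exist until the first RTP packet leaves."""
    ip, port = received_from
    head, body = split_sip(msg)
    head = [h.replace(";rport", "") + f";received={ip};rport={port}"
            if h.startswith("Via:") else h for h in head]
    body = [f"c=IN IP4 {ip}" if l.startswith("c=") else l for l in body]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(body)
```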

NAT44 Solution to NAT Traversal
Let clients be aware of their external IP:PORT
- Ask the NAT
  - Universal Plug and Play (UPnP)
- Ask someone outside the NAT
  - Simple Traversal of UDP Through NATs (STUN)
  - Traversal Using Relay NAT (TURN)
  - Interactive Connectivity Establishment (ICE)
- Make NAT & Firewall SIP aware
  - Application Layer Gateway

NAT45 Summary
- Problem addressed
  - Provide a "secure" "two-way" communication connection across the NAT & Firewall
- Traversal techniques mainly used
  - Universal Plug and Play (UPnP)
  - Simple Traversal of UDP Through NATs (STUN)
  - Traversal Using Relay NAT (TURN)
  - Interactive Connectivity Establishment (ICE)
  - Application Layer Gateway