Application Level Control of Ports in a Service Provider NAT environment Dave Thaler Dan Wing Alain Durand 1.

Slides:

Advertisements

Similar presentations

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Advertisements

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.

©2012 ClearOne Communications. Confidential and proprietary. COLLABORATE ® Video Conferencing Networking Basics.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.

STUN Tutorial Jonathan Rosenberg Chief Technology Officer.

Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed.

IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.

IP Address 1. 2 Network layer r Network layer protocols in every host, router r Router examines IP address field in all IP datagrams passing through it.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.

IP Address 1. 2 Network layer r Network layer protocols in every host, router r Router examines IP address field in all IP datagrams passing through it.

Wi-Fi Structures.

CCNA Guide to Cisco Networking Fundamentals Fourth Edition Chapter 9 Network Services.

1 IPv6 in CableLabs DOCSIS 3.0 IETF v6ops wg meeting IETF#65 Ralph Droms Alain Durand

Andrew Smith 1 NAT and DHCP ( Network Address Translation and Dynamic Host Configuration Protocol )

A Model of IPv6 Internet Access Service via L2TPv2 Shin Miyakawa NTT Communications 2006/7/10 IETF66th.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

Day15 IP Space/Setup. IP Suite of protocols –TCP –UDP –ICMP –GRE… Gives us many benefits –Routing of packets over internet –Fragmentation/Reassembly of.

Windows Internet Connection Sharing Dave Eitelbach Program Manager Networking And Communications Microsoft Corporation.

SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.

CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

Damian Leibaschoff Support Escalation Engineer Microsoft Becky Ochs Program Manager Microsoft.

Introduction to Networking Concepts. Introducing TCP/IP Addressing Network address – common portion of the IP address shared by all hosts on a subnet/network.

9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.

1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.

1 NAT Network Address Translation Motivation for NAT To solve the insufficient problem of IP addresses IPv6 –All software and hardware need to be updated.

Microsoft DirectAccess & Work Folders NICHOLAS A. HAY MONROE COUNTY ISD

Module 7: Firewalls and Port Forwarding 1. Overview Firewall configuration for Web Application Hosting Forwarding necessary ports for Web Application.

Network Layer4-1 DHCP: Dynamic Host Configuration Protocol Goal: allow host to dynamically obtain its IP address from network server when it joins network.

Implementing IP Addressing Services Accessing the WAN – Chapter 7.

Transport Layer 3-1 Chapter 4 Network Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012  CPSC.

CIS 3360: Internet: Network Layer Introduction Cliff Zou Spring 2012.

© 2007 Cisco Systems, Inc. All rights reserved. 1 Network Addressing Networking for Home and Small Businesses – Chapter 5 Darren Shaver – Modified Fall.

Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS.

 An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network.

Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.

Sharing a single IPv4 address among many broadband customers

Using DHCPv6 for DNS Configuration in Hosts draft-ietf-droms-dnsconfig-dhcpv6-00.txt Ralph Droms.

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

Lectu re 1 Recap: “Operational” view of Internet r Internet: “network of networks” m Requires sending, receiving of messages r protocols control sending,

Making SIP NAT Friendly Jonathan Rosenberg dynamicsoft.

NAT64-CPE Mode Operation for Opening Residential Service Gang Chen Hui

Public 4over6: WGLC feedback Peng Wu IETF84. Feedback from WGLC Relationship with stateless 4-over-6 solutions? Different primary targets and application.

Diameter NAT Control Application (draft-brockners-diameter-nat-control-00.txt) IETF 74, March 2009 Presenter: Wojciech Dec

Chapter 5. An IP address is simply a series of binary bits (ones and zeros). How many binary bits are used? 32.

This courseware is copyrighted © 2016 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.

CHAPTER 10: DHCP Routing & Switching. Objectives 10.0 Introduction 10.1 Dynamic Host Configuration Protocol v Dynamic Host Configuration Protocol.

© 2015 Infoblox Inc. All Rights Reserved. Tom Coffeen, IPv6 Evangelist UKNOF January 2015 Tom Coffeen, IPv6 Evangelist UKNOF January 2015 DHCPv6 Operational.

CCNA4-1 Chapter 7-1 IP Addressing Services Scaling Networks With Network Address Translation (NAT)

CCNA4-1 Chapter 7-1 NAT Chapter 11 Routing and Switching (CCNA2)

Lightweight 4over6: An Extension to DS-Lite Architecture draft-cui-softwire-b4-translated-ds-lite-09 Y. Cui, Q. Sun, M. Boucadair, T. Tsou, Y. Lee and.

IETF 80 th Lightweight Address Family Transition for IPv6 draft-sunq-v6ops-laft6-01 Chongfeng Xie( China Telecom ) Qiong Sun( China Telecom)

Instructor Materials Chapter 4: Network Addressing

NAT、DHCP、Firewall、FTP、Proxy

NAT (Network Address Translation)

Chapter 4: Network Layer

Affinity Depending on the application and client requirements of your Network Load Balancing cluster, you can be required to select an Affinity setting.

IPv6 Deployment: Business Cases and Development Options

Introducing To Networking

New Solutions For Scaling The Internet Address Space

Implementing IP Addressing Services

CIS 82 Routing Protocols and Concepts Chapter 11 NAT

Implementing IP Addressing Services

DHCP: Dynamic Host Configuration Protocol

Computer Networks Protocols

Presentation transcript:

Application Level Control of Ports in a Service Provider NAT environment Dave Thaler Dan Wing Alain Durand 1

Port Control Protocol Service Provider NATs have problems: – Lack of control of port reservation /port forwarding – Some legacy applications will break A+P was one approach to address those issues PCP is another approach to give back control to the customers via their applications. – Enable applications to dynamically negotiate ports with the service provider NAT – Provide some level of backward compatibility with existing APIs (UPnP/NAT-PMP)

Port-Forwarding APIs Dave Thaler 3

Model No change to IP model: – A full IP address is still assigned to every interface, including on NATs App/framework wants to learn the (full) IP address of another machine’s (the NAT’s) interface, and a port that machine will forward – Can’t be done using normal IP address APIs without changing the IP model – App/framework can then advertise in app-specific manner (SRV record, , DHT, etc.) Hence this is opt-in for an app or framework 4

Two separate app scenarios Manage static port mapping – Management style application wants to configure a given external port to be permanently forwarded to a given port on a given machine Manage dynamic port mapping – Runtime application wants to get an external port allocated and forwarded to its port on its machine for some duration 5

NATUPnP Library (Windows) NATUPNPLib.UPnPNATClass upnpnat = new NATUPNPLib.UPnPNATClass(); NATUPNPLib.IStaticPortMappingCollection mappings = upnpnat.StaticPortMappingCollection; err = mappings.Add(8080, // External port "TCP", // Protocol 80, // Internal port " ",// Internal IP true, // Enabled "Local Web Server"); // Description External port=0 means wildcard, but many NATs don’t support 6

NATUPnP API Observations Either requested port is allocated or call fails Internal IP parameter allows for management applications Only supports static port mapping (no lifetime) – UPnP protocol allows lifetimes, but NATs may not support them Interface can be determined based on internal IP parameter 7

DNSServiceNAT (Apple) DNSServiceRef sdRef; err = DNSServiceNATPortMappingCreate(&sdRef, 0, 0, // ifIndex or 0 kDNSServiceProtocol_TCP,// Protocol htons(80),// Internal port htons(8080),// External port 3600,// Lifetime callBack, NULL); External port=0 means wildcard 8

DNSServiceNAT Observations Lifetime parameter allows for runtime applications External port is just a preference, it may succeed and return something else Lack of internal IP parameter means not designed for arbitrary management app 9

draft-wing-softwire-port-control-protocol10 Port Control Protocol draft-wing-softwire-port-control-protocol-01 IETF77, March 2010 Dan Wing, Reinaldo Penno, Mohamed Boucadair,

draft-wing-softwire-port-control-protocol11 Port Control Protocol Need to offer port forwarding capability when Service Provider NAT are deployed – Ability to offer similar service features as per current CPE model Need to delegate port numbers to requesting applications/hosts to avoid enforcing ALGs at the Provider NAT – Overall performance of the Provider NAT not altered

draft-wing-softwire-port-control-protocol12 PCP Requirements Support Large Scale NATs – Spanning many subscribers Allow subscriber apps to open ports IPv6 Simple, lightweight – Application, proxying in CPE, and server Discover and control LSN – Without interfering with intermediate infrastructure

draft-wing-softwire-port-control-protocol13 Why Not My Favorite Protocol? (MIDCOM, UPnP IGD, NAT-PMP, DHCP …) None meet all requirements

draft-wing-softwire-port-control-protocol14 PCP Applicability IPv4 address sharing – No NAT44 (fixed port range) – Stateful NAT44 (e.g., DS-Lite, LSN) – Stateless NAT64/NAT46 – Stateful NAT64/NAT46 IPv6 Simple CPE Security

draft-wing-softwire-port-control-protocol15 PCP Basics Lightweight – Designed for deployment at large scale – Does not require heavy treatment at the Server side Quick convergent Request/answer model – No permanent sessions are required to be maintained between the Client and the Server A subscriber can only open pinholes for his own devices – PCP isn’t needed in every internal server – E.g., Customer Premise router can open pinhole for webcam or TiVo

draft-wing-softwire-port-control-protocol16 PCP and IPv6 NAT64 – Open ports for incoming IPv4 traffic E.g., IPv6 HTTP server in the home accessed from IPv4 Internet draft-ietf-v6ops-cpe-simple-security-09 – Open pinholes in IPv6 CPE

draft-wing-softwire-port-control-protocol17 Client Models

draft-wing-softwire-port-control-protocol18 PCP Client Model: UPnP IGD Proxy Proxies UPnP IGD to PCP Provides compatibility for UPnP IGD Applications which want specific port will likely get an error – Can’t help that PCP Server Customer Premise Router UPnP IGD proxy UPnP IGD PCP Client

draft-wing-softwire-port-control-protocol19 PCP Client Model: NAT-PMP Proxy Proxies NAT-PMP to PCP Provides compatibility for UPnP IGD No loss of semantics PCP Server Customer Premise Router NAT-PMP proxy NAT-PMP PCP Client

draft-wing-softwire-port-control-protocol20 PCP Client Model: HTTP Subscriber manages their own port forwarding – Similar to login as “admin” – Instructions at Not for “Grandma” PCP Server Customer Premise Router HTTP managed HTTP PCP Client

draft-wing-softwire-port-control-protocol21 PCP Client Model: PCP on host Application (or OS) implements PCP client Customer premise router does nothing – Does not proxy PCP draft-ietf-v6ops-cpe-simple-security PCP Server Customer Premise Router PCP Client

draft-wing-softwire-port-control-protocol22 Server Models

draft-wing-softwire-port-control-protocol23 PCP Server Model: Embedded PCP Client Service Provider NAT PCP Server Internet PCP Server embedded in Service Provider’s NAT Similar to UPnP IGD, NAT-PMP

draft-wing-softwire-port-control-protocol24 PCP Server Model: Separate PCP Server PCP Client Service Provider NAT Internet H.248, MIDCOM, proprietary, etc. PCP Server is outside of the NAT Allows existing NAT control protocol

draft-wing-softwire-port-control-protocol25 Questions draft-wing-softwire-port-control-protocol-01

draft-wing-softwire-port-control-protocol26 PCP Server Models PCP Client PCP Server PCP Client Service Provider NAT PCP Server Internet H.248, MIDCOM, proprietary, etc. IPv6

draft-wing-softwire-port-control-protocol27 PCP Client Models PCP Server Customer Premise Router UPnP IGD proxy UPnP IGD PCP Server Customer Premise Router NAT-PMP proxy NAT-PMP PCP Server Customer Premise Router PCP Client PCP Server Customer Premise Router HTTP managed HTTP PCP Client

Mapping APIs/protocols to PCP Apps shouldn’t have to know which case they’re in DNSServiceNAT API / NAT-PMP protocol maps directly NATUPnP (v1) API / UPnP-IGD protocol more complicated – It can be done successfully, but it’s kludgy 28