Published by Luis Stoakes. Modified over 9 years ago.
1
Leone: From global measurements to local management
UC3M: inHome NAT detection RFC recommender
ICMP, UDP, TCP
Miguel Ángel Díaz, Francisco Valera
2
Overall picture
Diagram labels: METRIC, OBJECTIVE, EXTERNAL NETWORKS
8th October, 2013. Leone - From global measurements to local management
3
Overall picture
Diagram labels: METRIC, OBJECTIVE, EXTERNAL NETWORKS
Each Internet provider may use a different NAT implementation with respect to the mapping, the filtering of packets, and many other parameters.
We want to evaluate the different NAT implementations used by different providers.
Guidelines are given by RFC 5382 for TCP, RFC 5508 for ICMP and RFC 4787 for UDP.
The UDP validator is implemented; the TCP and ICMP validators are under development.
Some tests are defined in RFC 5780 (NAT behavior discovery using STUN).
4
NAT behavioral requirements for unicast UDP
1. Type of mapping and filtering being used on the NAT
2. Use of the ports. Are they being overloaded?
3. IP address pool on the external realm
4. Does the NAT preserve port parity?
5. Persistence of the mapping
6. A NAT must support hairpinning
7. Does the receipt of any ICMP packet terminate the UDP mapping?
8. How does the NAT handle DF=1 packets?
9. Behavior on receipt of out-of-order fragments
June 2014. Leone - From global measurements to local management
5
NAT behavioral requirements for unicast UDP
Example of UDP test: a NAT must handle packets received out of order
Diagram labels: UDP packet, UC3M SERVER, FRAG 1, FRAG 0, Response?
6
NAT behavioral requirements for ICMP
1. The NAT must handle ICMP queries and their associated responses
2. Time for a given session mapping to expire
3. Does the NAT permit ICMP packets without any active mapping?
4. Does the NAT permit ICMP error packets from the private realm without any active mapping?
5. Support of hairpinning ICMP packets
6. Support of different sorts of ICMP packets:
   1. Destination unreachable
   2. Time exceeded
   3. Echo request/reply
   4. Etc.
7
NAT behavioral requirements for ICMP
Example of ICMP test: behavior when there is no mapping on the NAT and an ICMP error packet is generated
Diagram labels: Initial ICMP packet, Error packet, STUN SERVER, Arrives?
Inside the error packet there is another packet, which is the one that has no mapping on the NAT.
8
NAT behavioral requirements for TCP
1. Type of mapping and filtering being used on the NAT
2. Use of the ports. Are they being overloaded?
3. Support of TCP connections initiated both internally and externally
4. Way of handling inbound SYN packets if they are not solicited
5. Persistence of the mapping
6. A NAT must support hairpinning for TCP packets
7. Does the receipt of any ICMP packet terminate the TCP mapping?
9
Initial Results
UDP tests have been executed on different probes
Figure labels: Endpoint independent, Address and port dependent
10
Initial Results
UDP tests have been executed on different computers
Figure labels: Endpoint independent, Address and port dependent, Endpoint independent
11
Initial Results
We have tested the recommendations from the RFC, not only mapping or filtering behavior
12
Future work
1. Finish recommenders for TCP and ICMP
2. Integrate UPnP functionalities into the tests
3. Deploy tests on more computers
4. Migrate tests to the Android platform
Estimated date for TCP and ICMP to be ready for trials: end of this month
13
Leone: From global measurements to local management
Developing the tests & how to test functionalities
Miguel Ángel Díaz, Francisco Valera
June 2014. Maribor Meeting
14
NAT behavioral requirements for unicast UDP
A NAT must have an Endpoint-Independent Mapping behavior
Depending on the use of the NAT, it must have Endpoint-Independent Filtering or Address-Dependent Filtering behavior
Detect mapping and filtering behavior with the STUN protocol
15
NAT behavioral requirements for unicast UDP
A NAT must have an Endpoint-Independent Mapping behavior
Diagram labels: IP:X, IP:Y, X = Y?
For endpoint independent:
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT:64000
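The STUN-based mapping check described here, as an added Python example that is not part of the original presentation: it parses the XOR-MAPPED-ADDRESS attribute of a Binding success response (RFC 5389) and applies the RFC 5780 mapping tests to the three observed mappings. The function names and the constructed sample response are assumptions made for illustration; only IPv4 is handled.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442      # fixed value in every RFC 5389 STUN header
XOR_MAPPED_ADDRESS = 0x0020    # attribute carrying the address the server saw

def parse_xor_mapped_address(msg: bytes):
    """Return (ip, port) from a STUN Binding success response (IPv4 only)."""
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if msg_type != 0x0101 or cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not a well-formed Binding success response")
    pos = 20
    while pos + 4 <= len(msg):
        attr_type, attr_len = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and attr_len == 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return str(ipaddress.IPv4Address(addr)), port
        pos += 4 + attr_len + (-attr_len % 4)   # attributes are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")

def classify_mapping(test1, test2, test3):
    """RFC 5780 mapping tests, all sent from the same local socket:
    test1 = mapping seen by the server's primary IP and primary port,
    test2 = mapping seen by the alternate IP, primary port,
    test3 = mapping seen by the alternate IP, alternate port."""
    if test1 == test2:
        return "endpoint-independent"
    if test2 == test3:
        return "address-dependent"
    return "address-and-port-dependent"

def build_response(ip: str, port: int) -> bytes:
    """Constructed sample: the response a test server would send (zero txid)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", 0x0101, len(attr), MAGIC_COOKIE, b"\x00" * 12) + attr
```

Only "endpoint-independent" satisfies the requirement on this slide; the other two results mean X and Y differed.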
16
NAT behavioral requirements for unicast UDP
A NAT must not have a port assignment behavior of port overloading
If the NAT preserves the port, two applications cannot use the same port to communicate with the same destination
Diagram labels: STUN SERVER, IP:X, IP:Y, X = Y?
17
NAT behavioral requirements for unicast UDP
A NAT must not have a port assignment behavior of port overloading
If the NAT preserves the port, two applications cannot use the same port to communicate with the same destination
Diagram labels: STUN SERVER, IP:X, IP:Y, X = Y?
So that it does not modify the outgoing port:
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT
18
NAT behavioral requirements for unicast UDP
If the NAT has IP address pooling, it is recommended that it have Paired behavior
Detect if the NAT implements IP pooling on the external realm
Diagram labels: STUN SERVER, Always the same mapped IP?
19
NAT behavioral requirements for unicast UDP
If the NAT has IP address pooling, it is recommended that it have Paired behavior
Detect if the NAT implements IP pooling on the external realm
Diagram labels: STUN SERVER, Always the same mapped IP?
1. Assign 4 IP addresses?
2. iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT1-IPpublicaNAT4
20
NAT behavioral requirements for unicast UDP
It is recommended that a NAT have a port parity preservation behavior of “Yes”
Detect if the NAT preserves port parity
Diagram labels: STUN SERVER, Different source ports, Preserve port parity?
21
NAT behavioral requirements for unicast UDP
A NAT UDP mapping timer must not expire in less than two minutes for applications that don't use ports in the 0-1023 range
Diagram labels: Binding request: X, Binding request: Y, STUN SERVER, Response to Y or to X?
1. Bind two sockets to two known ports
iptables -t nat -A POSTROUTING -o eth1 -p udp --dport Y -j DNAT --to IPprivadaNODO:X
22
NAT behavioral requirements for unicast UDP
A NAT must support hairpinning. External IP behavior
Diagram labels: Binding request: X, Binding request to mapped address: Y, STUN SERVER, Response?
23
NAT behavioral requirements for unicast UDP
A NAT must support hairpinning
Diagram labels: Binding request: X, Binding request to mapped address: Y, STUN SERVER, Response?
1. iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 --sport X -j SNAT --to IPpublicaNAT:64000
2. iptables -t nat -A POSTROUTING -o eth0 -p udp -d IPpublicaNAT --dport 64000 -j SNAT --to IPpublicaNAT:64000
3. iptables -t nat -A POSTROUTING -o eth0 -p udp -d IPpublicaNAT --dport 64000 -j DNAT --to IPprivadaNodo:Y
24
NAT behavioral requirements for unicast UDP
Receipt of any sort of ICMP message must not terminate the NAT mapping.
Check where the ICMP messages come from
Diagram labels: Binding request: X, ICMP request, Binding request: X, STUN SERVER, Same mapping?
25
NAT behavioral requirements for unicast UDP
Receipt of any sort of ICMP message must not terminate the NAT mapping
Diagram labels: Binding request: X, ICMP request, Binding request: X, STUN SERVER, Same mapping?
So that it is always the same:
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT:64000
26
NAT behavioral requirements for unicast UDP
If the packet received on an internal IP address has DF=1, the NAT must send back an ICMP message “Fragmentation needed and DF set” to the host
Diagram labels: UDP packet with DF = 1, Response?, Wireshark
27
NAT behavioral requirements for unicast UDP
A NAT must support receiving in-order and out-of-order fragments, so it must have “received out of order” behavior
Diagram labels: UDP packet, UC3M SERVER, FRAG 1, FRAG 0, Response?, Wireshark
28
NAT behavioral requirements for ICMP
Same process as for the UDP RFC
A NAT device must permit ICMP queries and their associated responses
Diagram labels: ICMP request, ICMP response, Internet
Does the ping get the response?
29
NAT behavioral requirements for ICMP
An ICMP session timer must not expire in less than 60 seconds
Diagram labels: UC3M LEONE SERVER, ICMP packet, Sleep 60, ICMP packet
30
NAT behavioral requirements for ICMP
If the NAT has an active mapping for the embedded payload of an incoming error packet, it must change the transport headers, leaving the error code unchanged
Diagram labels: UC3M LEONE SERVER, UDP packet, ICMP error packet
Do we get the error packet? Code and type == 3?
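One way to check this requirement on the inside host, as an added Python example (not the project's own test code): compare the ICMP error the server emitted with the one that arrives behind the NAT. The function names, addresses and constructed packets are assumptions; only IPv4 with an embedded UDP header is handled.

```python
import socket
import struct

def parse_icmp_error(icmp: bytes):
    """Parse an ICMPv4 error (starting at the ICMP header) and the UDP
    datagram embedded in it; return the fields the check needs."""
    inner = icmp[8:]                          # embedded original IP packet
    if len(inner) < 20 or inner[0] >> 4 != 4 or inner[9] != 17:
        raise ValueError("embedded packet is not IPv4/UDP")
    ihl = (inner[0] & 0x0F) * 4               # embedded IP header length, bytes
    if len(inner) < ihl + 8:
        raise ValueError("embedded UDP header is truncated")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"type": icmp[0], "code": icmp[1],
            "src": (socket.inet_ntoa(inner[12:16]), sport),
            "dst": (socket.inet_ntoa(inner[16:20]), dport)}

def check_inbound_error(sent, received, private_src):
    """sent: fields of the error as the server emitted it (embedded source is
    the NAT's external mapping). received: fields seen by the inside host.
    Returns a list of problems; an empty list means the requirement is met."""
    problems = []
    if (received["type"], received["code"]) != (sent["type"], sent["code"]):
        problems.append("type/code altered")
    if received["src"] != private_src:
        problems.append("embedded source not translated to private endpoint")
    if received["dst"] != sent["dst"]:
        problems.append("embedded destination altered")
    return problems

def build_icmp_error(icmp_type, code, src, dst):
    """Constructed sample: ICMP error embedding an IPv4 header and UDP header.
    Checksums are left at zero because the checks above do not read them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    udp = struct.pack("!HHHH", src[1], dst[1], 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + udp
```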
31
NAT behavioral requirements for ICMP
If the NAT has an active mapping for the embedded payload of an outgoing error packet, it must change the transport headers, leaving the error code unchanged
Diagram labels: UC3M LEONE SERVER, UDP packet, ICMP error packet, UDP packet with the result
32
NAT behavioral requirements for ICMP
All NAT devices must support the traversal of hairpinned ICMP error messages
Diagram labels: STUN SERVER, UDP packet, ICMP error packet, Mapped IP and port
33
NAT behavioral requirements for ICMP
A NAT must support Destination unreachable, Time exceeded and Echo request/reply packets
Diagram labels: STUN SERVER, UDP packet TTL = 3, Time exceeded error packet, Tested on previous tests, Tested doing ping
34
NAT behavioral requirements for TCP
A NAT must have an “Endpoint-Independent Mapping” behavior
Diagram labels: STUN SERVER, Connect to STUN server from port X, Connect to alternative STUN server address
If the mapping in these two cases is the same, then it has an “Endpoint-Independent Mapping” behavior
35
NAT behavioral requirements for TCP
A NAT must not have a “Port assignment” behavior of “Port overloading”
Diagram labels: STUN SERVER
If any port is being reused, the NAT fails this requirement
36
NAT behavioral requirements for TCP
A NAT must support “hairpinning”
Diagram labels: STUN SERVER, Binding request to mapped address: Y
37
NAT behavioral requirements for TCP
Receipt of any sort of ICMP message must not terminate the NAT mapping
Diagram labels: Binding request: X, ICMP request, Binding request: X, STUN SERVER, Same mapping?
38
NAT behavioral requirements for TCP
A NAT must not respond to an unsolicited inbound SYN packet for at least 6 seconds after the packet is received. If during this interval the NAT receives and translates an outbound SYN for the connection, the NAT must silently drop the original unsolicited SYN
A NAT must handle the TCP simultaneous-open mode of connection initiation
39
NAT behavioral requirements for TCP
If there is no reset or ICMP error, and the SYN packet arrived at the server: OK
Diagram labels: Initial UDP packet, STUN SERVER, SYN packet, RESET?, ICMP unreachable?, UDP packet containing the result