Presentation is loading. Please wait.

Presentation is loading. Please wait.

Application Level Control of Ports in a Service Provider NAT environment Dave Thaler Dan Wing Alain Durand 1.

Published byEdith Tate Modified over 9 years ago

Similar presentations

Presentation on theme: "Application Level Control of Ports in a Service Provider NAT environment Dave Thaler Dan Wing Alain Durand 1."— Presentation transcript:

1 Application Level Control of Ports in a Service Provider NAT environment Dave Thaler Dan Wing Alain Durand 1

2 Port Control Protocol Service Provider NATs have problems: – Lack of control of port reservation /port forwarding – Some legacy applications will break A+P was one approach to address those issues PCP is another approach to give back control to the customers via their applications. – Enable applications to dynamically negotiate ports with the service provider NAT – Provide some level of backward compatibility with existing APIs (UPnP/NAT-PMP)

3 Port-Forwarding APIs Dave Thaler dthaler@microsoft.com 3

4 Model No change to IP model: – A full IP address is still assigned to every interface, including on NATs App/framework wants to learn the (full) IP address of another machine’s (the NAT’s) interface, and a port that machine will forward – Can’t be done using normal IP address APIs without changing the IP model – App/framework can then advertise in app-specific manner (SRV record, email, DHT, etc.) Hence this is opt-in for an app or framework 4

5 Two separate app scenarios Manage static port mapping – Management style application wants to configure a given external port to be permanently forwarded to a given port on a given machine Manage dynamic port mapping – Runtime application wants to get an external port allocated and forwarded to its port on its machine for some duration 5

6 NATUPnP Library (Windows) NATUPNPLib.UPnPNATClass upnpnat = new NATUPNPLib.UPnPNATClass(); NATUPNPLib.IStaticPortMappingCollection mappings = upnpnat.StaticPortMappingCollection; err = mappings.Add(8080, // External port "TCP", // Protocol 80, // Internal port "192.168.1.100",// Internal IP true, // Enabled "Local Web Server"); // Description External port=0 means wildcard, but many NATs don’t support 6

7 NATUPnP API Observations Either requested port is allocated or call fails Internal IP parameter allows for management applications Only supports static port mapping (no lifetime) – UPnP protocol allows lifetimes, but NATs may not support them Interface can be determined based on internal IP parameter 7

8 DNSServiceNAT (Apple) DNSServiceRef sdRef; err = DNSServiceNATPortMappingCreate(&sdRef, 0, 0, // ifIndex or 0 kDNSServiceProtocol_TCP,// Protocol htons(80),// Internal port htons(8080),// External port 3600,// Lifetime callBack, NULL); External port=0 means wildcard 8

9 DNSServiceNAT Observations Lifetime parameter allows for runtime applications External port is just a preference, it may succeed and return something else Lack of internal IP parameter means not designed for arbitrary management app 9

10 draft-wing-softwire-port-control-protocol10 Port Control Protocol draft-wing-softwire-port-control-protocol-01 IETF77, March 2010 Dan Wing, dwing@cisco.com Reinaldo Penno, rpenno@juniper.net Mohamed Boucadair, mohamed.boucadair@orange-ftgroup.com

11 draft-wing-softwire-port-control-protocol11 Port Control Protocol Need to offer port forwarding capability when Service Provider NAT are deployed – Ability to offer similar service features as per current CPE model Need to delegate port numbers to requesting applications/hosts to avoid enforcing ALGs at the Provider NAT – Overall performance of the Provider NAT not altered

12 draft-wing-softwire-port-control-protocol12 PCP Requirements Support Large Scale NATs – Spanning many subscribers Allow subscriber apps to open ports IPv6 Simple, lightweight – Application, proxying in CPE, and server Discover and control LSN – Without interfering with intermediate infrastructure

13 draft-wing-softwire-port-control-protocol13 Why Not My Favorite Protocol? (MIDCOM, UPnP IGD, NAT-PMP, DHCP …) None meet all requirements

14 draft-wing-softwire-port-control-protocol14 PCP Applicability IPv4 address sharing – No NAT44 (fixed port range) – Stateful NAT44 (e.g., DS-Lite, LSN) – Stateless NAT64/NAT46 – Stateful NAT64/NAT46 IPv6 Simple CPE Security

15 draft-wing-softwire-port-control-protocol15 PCP Basics Lightweight – Designed for deployment at large scale – Does not require heavy treatment at the Server side Quick convergent Request/answer model – No permanent sessions are required to be maintained between the Client and the Server A subscriber can only open pinholes for his own devices – PCP isn’t needed in every internal server – E.g., Customer Premise router can open pinhole for webcam or TiVo

16 draft-wing-softwire-port-control-protocol16 PCP and IPv6 NAT64 – Open ports for incoming IPv4 traffic E.g., IPv6 HTTP server in the home accessed from IPv4 Internet draft-ietf-v6ops-cpe-simple-security-09 – Open pinholes in IPv6 CPE

17 draft-wing-softwire-port-control-protocol17 Client Models

18 draft-wing-softwire-port-control-protocol18 PCP Client Model: UPnP IGD Proxy Proxies UPnP IGD to PCP Provides compatibility for UPnP IGD Applications which want specific port will likely get an error – Can’t help that PCP Server Customer Premise Router UPnP IGD proxy UPnP IGD PCP Client

19 draft-wing-softwire-port-control-protocol19 PCP Client Model: NAT-PMP Proxy Proxies NAT-PMP to PCP Provides compatibility for UPnP IGD No loss of semantics PCP Server Customer Premise Router NAT-PMP proxy NAT-PMP PCP Client

20 draft-wing-softwire-port-control-protocol20 PCP Client Model: HTTP Subscriber manages their own port forwarding – Similar to http://192.168.1.1, login as “admin” – Instructions at http://www.portforward.com Not for “Grandma” PCP Server Customer Premise Router HTTP managed HTTP PCP Client

21 draft-wing-softwire-port-control-protocol21 PCP Client Model: PCP on host Application (or OS) implements PCP client Customer premise router does nothing – Does not proxy PCP draft-ietf-v6ops-cpe-simple-security PCP Server Customer Premise Router PCP Client

22 draft-wing-softwire-port-control-protocol22 Server Models

23 draft-wing-softwire-port-control-protocol23 PCP Server Model: Embedded PCP Client Service Provider NAT PCP Server Internet PCP Server embedded in Service Provider’s NAT Similar to UPnP IGD, NAT-PMP

24 draft-wing-softwire-port-control-protocol24 PCP Server Model: Separate PCP Server PCP Client Service Provider NAT Internet H.248, MIDCOM, proprietary, etc. PCP Server is outside of the NAT Allows existing NAT control protocol

25 draft-wing-softwire-port-control-protocol25 Questions draft-wing-softwire-port-control-protocol-01

26 draft-wing-softwire-port-control-protocol26 PCP Server Models PCP Client PCP Server PCP Client Service Provider NAT PCP Server Internet H.248, MIDCOM, proprietary, etc. IPv6

27 draft-wing-softwire-port-control-protocol27 PCP Client Models PCP Server Customer Premise Router UPnP IGD proxy UPnP IGD PCP Server Customer Premise Router NAT-PMP proxy NAT-PMP PCP Server Customer Premise Router PCP Client PCP Server Customer Premise Router HTTP managed HTTP PCP Client

28 Mapping APIs/protocols to PCP Apps shouldn’t have to know which case they’re in DNSServiceNAT API / NAT-PMP protocol maps directly NATUPnP (v1) API / UPnP-IGD protocol more complicated – It can be done successfully, but it’s kludgy 28

Download ppt "Application Level Control of Ports in a Service Provider NAT environment Dave Thaler Dan Wing Alain Durand 1."

Similar presentations

www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.

Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.
©2012 ClearOne Communications. Confidential and proprietary. COLLABORATE ® Video Conferencing Networking Basics.

©2012 ClearOne Communications. Confidential and proprietary. COLLABORATE ® Video Conferencing Networking Basics.
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.
STUN Tutorial Jonathan Rosenberg Chief Technology Officer.

STUN Tutorial Jonathan Rosenberg Chief Technology Officer.
Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed.

Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed.
IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.

IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.
IP Address 1. 2 Network layer r Network layer protocols in every host, router r Router examines IP address field in all IP datagrams passing through it.

IP Address 1. 2 Network layer r Network layer protocols in every host, router r Router examines IP address field in all IP datagrams passing through it.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.

What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.
IP Address 1. 2 Network layer r Network layer protocols in every host, router r Router examines IP address field in all IP datagrams passing through it.

IP Address 1. 2 Network layer r Network layer protocols in every host, router r Router examines IP address field in all IP datagrams passing through it.
Wi-Fi Structures.

Wi-Fi Structures.
CCNA Guide to Cisco Networking Fundamentals Fourth Edition Chapter 9 Network Services.

CCNA Guide to Cisco Networking Fundamentals Fourth Edition Chapter 9 Network Services.
1 IPv6 in CableLabs DOCSIS 3.0 IETF v6ops wg meeting IETF#65 Ralph Droms Alain Durand

1 IPv6 in CableLabs DOCSIS 3.0 IETF v6ops wg meeting IETF#65 Ralph Droms Alain Durand
Andrew Smith 1 NAT and DHCP ( Network Address Translation and Dynamic Host Configuration Protocol )

Andrew Smith 1 NAT and DHCP ( Network Address Translation and Dynamic Host Configuration Protocol )
A Model of IPv6 Internet Access Service via L2TPv2 Shin Miyakawa NTT Communications 2006/7/10 IETF66th.

A Model of IPv6 Internet Access Service via L2TPv2 Shin Miyakawa NTT Communications 2006/7/10 IETF66th.

Similar presentations

Ads by Google