NAT Traversal

P2P and NAT. How to traverse NAT. Davide Carboni © 2005-2006

Description: Overview of NAT traversal techniques

Transcript of NAT Traversal

Page 1: NAT Traversal

P2P and NAT

How to traverse NAT

Davide Carboni © 2005-2006

Page 2: NAT Traversal

License

Attribution-ShareAlike 2.5

You are free:
to copy, distribute, display, and perform the work
to make derivative works
to make commercial use of the work

Under the following conditions:
Attribution. You must give the original author credit.
Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a licence identical to this one.

For any reuse or distribution, you must make clear to others the licence terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above.

This is a human-readable summary of the Legal Code (the full licence). Disclaimer

Page 3: NAT Traversal

The problem

The large deployment of NAT builds a barrier to the development of peer-to-peer networks.

Hosts behind a NAT/Firewall are only authorized to initiate outgoing traffic through a limited set of ports (UDP/TCP)

Hosts behind a NAT/Firewall are never authorized to receive incoming TCP or UDP traffic initiated by a foreign host

Page 4: NAT Traversal

Firewall

A Firewall is a system that filters TCP/IP and UDP/IP packets according to rules

It can be software running on the user's machine or on a network router

Page 5: NAT Traversal

Firewall

[Figure: a firewall applying its rules at a router, between the local hosts and the global IP addresses of the Internet]

Page 6: NAT Traversal

NAT

The process of network address translation (NAT, also known as network masquerading or IP-masquerading) involves re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall.

Page 7: NAT Traversal

Why NAT is so popular

IPv4 address shortage

Standard feature in routers for home and small-office Internet connections

Can enhance the reliability of local systems by stopping worms and enhance privacy by discouraging scans

Page 8: NAT Traversal

Simple NAT

[Figure: Simple NAT: a local network with private IP addresses behind a NAT, connected to the main Internet with public IP addresses]

Page 9: NAT Traversal

Multiple NAT

[Figure: Multiple NAT: a home network (192.168.2.12, 192.168.2.99; private IP addresses) behind a HomeNAT, inside an ISP network (10.0.0.12) behind an ISPNAT, reaching the main Internet (156.148.70.32; public IP addresses)]

Page 10: NAT Traversal

NAT Mappings

[Figure: a host (192.168.2.2) behind a NAT with public address 1.1.1.5 sends datagram A to a host at 1.1.1.4]

Mapping: 192.168.2.2:4445 <-> 1.1.1.5:10100

Datagram A leaves the host as S=192.168.2.2:4445 D=1.1.1.4:7777 and, after translation by the NAT, crosses the Internet as S=1.1.1.5:10100 D=1.1.1.4:7777

Page 11: NAT Traversal

Traversing a NAT that does not collaborate

Page 12: NAT Traversal

Relaying

[Figure: Relaying: host A (10.0.0.12) and host B (192.168.2.99), each on a local network behind its own NAT, exchange all traffic through relay S on the main Internet]

Page 13: NAT Traversal

Connection reversal

[Figure: Connection reversal: host A (1.1.1.4) on the main Internet, host B (192.168.2.99) on a local network behind a NAT, and a rendezvous server S; steps 1, 2, 3]

Since A cannot open a connection to B, A asks the rendezvous S (1) to pass a request on to B (2), and B, which is allowed to initiate outgoing traffic, connects to A's public address (3).

Page 14: NAT Traversal

TURN protocol

TURN is a protocol for UDP/TCP relaying on behalf of hosts behind a NAT

Unlike STUN there is no hole punching: data are bounced through a public server called the TURN server.

TURN is the last resort, for instance behind a symmetric NAT

Page 15: NAT Traversal

Role in TURN

A TURN client is an entity that generates TURN requests

A TURN Server is an entity that receives TURN requests, and sends TURN responses.

The server is a data relay, receiving data on the address it provides to clients, and forwarding them to the clients

Page 16: NAT Traversal

NAT policies

Full cone NAT

Restricted cone NAT

Port restricted cone NAT

Symmetric NAT

Page 17: NAT Traversal

UDP Hole Punching

Hole punching is a technique to allow traffic from/to a host behind a firewall/NAT without the collaboration of the NAT itself

The simplest way is to use UDP packets

Page 18: NAT Traversal

Full cone

[Figure: Host A (192.168.2.2, gateway 192.168.2.1) behind a full cone NAT whose public address is 1.1.1.4; Host B (1.1.1.5) and Host C (1.1.1.6) on the public Internet]

A -> B: Packet(S=192.168.2.2:4445,D=1.1.1.5:7777) leaves the NAT as Packet(S=1.1.1.4:10100,D=1.1.1.5:7777)

B -> A: Packet(S=1.1.1.5:4321,D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.5:4321,D=192.168.2.2:4445)

C -> A: Packet(S=1.1.1.6:1234,D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.6:1234,D=192.168.2.2:4445)

Page 19: NAT Traversal

Full cone mapping and policy

Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100

Policy: ALLOW ALL TO 1.1.1.4:10100

Page 20: NAT Traversal

Holes in Full Cone

[Figure: Holes in Full Cone: host A and host B, each behind a NAT, and a rendezvous server; five numbered steps]

Page 21: NAT Traversal

Restricted cone

[Figure: Host A (192.168.2.2, gateway 192.168.2.1) behind a restricted cone NAT whose public address is 1.1.1.4; Host B (1.1.1.5) and Host C (1.1.1.6) on the public Internet]

A -> B: Packet(S=192.168.2.2:4445,D=1.1.1.5:7777) leaves the NAT as Packet(S=1.1.1.4:10100,D=1.1.1.5:7777)

B -> A: Packet(S=1.1.1.5:4321,D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.5:4321,D=192.168.2.2:4445)

C -> A: Packet(S=1.1.1.6:1234,D=1.1.1.4:10100) X (dropped: A has not yet sent anything to 1.1.1.6)

A -> C: Packet(S=192.168.2.2:4445,D=1.1.1.6:7777) leaves the NAT as Packet(S=1.1.1.4:10100,D=1.1.1.6:7777)

C -> A: Packet(S=1.1.1.6:4321,D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.6:4321,D=192.168.2.2:4445)

Page 22: NAT Traversal

Restricted cone mapping and policy

Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100

Policy: ALLOW 1.1.1.5 TO 1.1.1.4:10100
        ALLOW 1.1.1.6 TO 1.1.1.4:10100

Page 23: NAT Traversal

Holes in Restricted Cone

[Figure: Holes in Restricted Cone: host A and host B, each behind a NAT, and a rendezvous server; six numbered steps]

Page 24: NAT Traversal

Port restricted cone

[Figure: Host A (192.168.2.2, gateway 192.168.2.1) behind a port restricted cone NAT whose public address is 1.1.1.4; Host B (1.1.1.5) and Host C (1.1.1.6) on the public Internet]

A -> B: Packet(S=192.168.2.2:4445,D=1.1.1.5:7777) leaves the NAT as Packet(S=1.1.1.4:10100,D=1.1.1.5:7777)

B -> A: Packet(S=1.1.1.5:4321,D=1.1.1.4:10100) X (dropped: source port 4321 is not the port 7777 that A sent to)

B -> A: Packet(S=1.1.1.5:7777,D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.5:7777,D=192.168.2.2:4445)

Page 25: NAT Traversal

Port restricted cone mapping and policy

Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100

Policy: ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
        ALLOW 1.1.1.6:7777 TO 1.1.1.4:10100

Page 26: NAT Traversal

Holes in Port restricted Cone

[Figure: Holes in Port restricted Cone: host A and host B, each behind a NAT, and a rendezvous server; six numbered steps]

Page 27: NAT Traversal

Symmetric NAT

[Figure: Host A (192.168.2.2, gateway 192.168.2.1) behind a symmetric NAT whose public address is 1.1.1.4; Host B (1.1.1.5) and Host C (1.1.1.6) on the public Internet]

A -> B: Packet(S=192.168.2.2:4445,D=1.1.1.5:7777) leaves the NAT as Packet(S=1.1.1.4:10100,D=1.1.1.5:7777)

B -> A: Packet(S=1.1.1.5:7777,D=1.1.1.4:10100) is delivered as Packet(S=1.1.1.5:7777,D=192.168.2.2:4445)

A -> C: Packet(S=192.168.2.2:4445,D=1.1.1.6:7777) leaves the NAT as Packet(S=1.1.1.4:10179,D=1.1.1.6:7777) (a new mapping for the new destination)

C -> A: Packet(S=1.1.1.6:7777,D=1.1.1.4:10179) is delivered as Packet(S=1.1.1.6:7777,D=192.168.2.2:4445)

C -> A: Packet(S=1.1.1.6:7777,D=1.1.1.4:10100) X (dropped: port 10100 is mapped only for traffic from 1.1.1.5:7777)

Page 28: NAT Traversal

Symmetric mapping and policy

Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100 (for traffic to 1.1.1.5:7777)
         192.168.2.2:4445 <-> 1.1.1.4:10179 (for traffic to 1.1.1.6:7777)

Policy: ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
        ALLOW 1.1.1.6:7777 TO 1.1.1.4:10179

Page 29: NAT Traversal

Holes in Symmetric
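The four policies of pages 16 to 29 and the hole-punching steps of the "Holes in ..." diagrams, modelled as a small Python simulator. This is an added example, not code from the slides: it replays the packet sequences of the diagrams on the deck's own addresses (host A 192.168.2.2 behind NAT 1.1.1.4, hosts B 1.1.1.5 and C 1.1.1.6), and the rendezvous address 1.1.1.5:3478 and B's private address 10.0.0.12:5555 used by hole_punch() are constructed.

```python
# Added example, not from the slides: a model of the four NAT policies on the
# deck's own addresses (host A 192.168.2.2 behind NAT 1.1.1.4, hosts B 1.1.1.5 and
# C 1.1.1.6). The rendezvous address 1.1.1.5:3478 and B's private address
# 10.0.0.12:5555 used by hole_punch() are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


class NatType(Enum):
    FULL_CONE = "full cone"
    RESTRICTED_CONE = "restricted cone"
    PORT_RESTRICTED_CONE = "port restricted cone"
    SYMMETRIC = "symmetric"


@dataclass
class Nat:
    kind: NatType
    public_ip: str
    next_port: int = 10100                                        # first public port handed out, as on the slides
    mappings: Dict[tuple, int] = field(default_factory=dict)      # private side -> public port
    allowed: Dict[int, Set[object]] = field(default_factory=dict)  # public port -> permitted sources

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing datagram; return the public endpoint the remote host sees.
        A symmetric NAT keys the mapping on (src, dst), so each new destination gets a new
        port; the cone types key it on src alone and reuse the port for every destination."""
        key = (src, dst) if self.kind is NatType.SYMMETRIC else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        perms = self.allowed.setdefault(port, set())
        if self.kind is NatType.FULL_CONE:
            perms.add("*")            # ALLOW ALL TO public_ip:port
        elif self.kind is NatType.RESTRICTED_CONE:
            perms.add(dst[0])         # ALLOW dst_ip TO public_ip:port
        else:
            perms.add(dst)            # ALLOW dst_ip:dst_port TO public_ip:port
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Deliver a datagram addressed to public_ip:dst_port; return the private endpoint
        it reaches, or None when the policy drops it."""
        perms = self.allowed.get(dst_port, set())
        if "*" not in perms and src[0] not in perms and src not in perms:
            return None
        for key, port in self.mappings.items():
            if port == dst_port:
                return key[0] if self.kind is NatType.SYMMETRIC else key
        return None


A = ("192.168.2.2", 4445)
B_IP, C_IP = "1.1.1.5", "1.1.1.6"


def slide_probes(kind: NatType) -> Dict[str, object]:
    """Replay the packet sequence of the slides against one NAT type."""
    nat = Nat(kind, "1.1.1.4")
    a_pub = nat.outbound(A, (B_IP, 7777))                   # A -> B:7777 creates the mapping
    result: Dict[str, object] = {
        "public port for B": a_pub[1],
        "B:4321 -> A": nat.inbound((B_IP, 4321), a_pub[1]) == A,
        "C:1234 -> A": nat.inbound((C_IP, 1234), a_pub[1]) == A,
        "B:7777 -> A": nat.inbound((B_IP, 7777), a_pub[1]) == A,
    }
    a_pub_c = nat.outbound(A, (C_IP, 7777))                 # A -> C:7777, a second destination
    result["public port for C"] = a_pub_c[1]
    result["C:7777 -> A on B's port"] = nat.inbound((C_IP, 7777), a_pub[1]) == A
    result["C:7777 -> A on C's port"] = nat.inbound((C_IP, 7777), a_pub_c[1]) == A
    return result


def hole_punch(kind_a: NatType, kind_b: NatType) -> bool:
    """UDP hole punching between two NATed hosts through a rendezvous server S, following
    the numbered steps of the 'Holes in ...' slides: both hosts talk to S, S hands each the
    other's public endpoint, and each sends to that endpoint. Succeeds only when both
    directions are delivered through the endpoints S advertised."""
    s = ("1.1.1.5", 3478)                                   # constructed rendezvous address
    nat_a, nat_b = Nat(kind_a, "1.1.1.4"), Nat(kind_b, "1.1.1.6")
    a_priv, b_priv = A, ("10.0.0.12", 5555)
    a_pub = nat_a.outbound(a_priv, s)        # 1. A registers with S
    b_pub = nat_b.outbound(b_priv, s)        # 2. B registers with S; S now knows both public endpoints
    a_out = nat_a.outbound(a_priv, b_pub)    # 3. A sends to B's advertised endpoint (opens a hole for B)
    b_out = nat_b.outbound(b_priv, a_pub)    # 4. B sends to A's advertised endpoint (opens a hole for A)
    a_reaches_b = nat_b.inbound(a_out, b_pub[1]) == b_priv
    b_reaches_a = nat_a.inbound(b_out, a_pub[1]) == a_priv
    return a_reaches_b and b_reaches_a


if __name__ == "__main__":
    for kind in NatType:
        print(kind.value, slide_probes(kind))
    for pair in [(NatType.FULL_CONE, NatType.FULL_CONE),
                 (NatType.RESTRICTED_CONE, NatType.PORT_RESTRICTED_CONE),
                 (NatType.PORT_RESTRICTED_CONE, NatType.SYMMETRIC)]:
        print(pair[0].value, "<->", pair[1].value, "punch ok" if hole_punch(*pair) else "needs TURN")
```

The probes reproduce the X marks of the diagrams: the restricted cone drops C:1234 until A has sent to 1.1.1.6, the port restricted cone also drops B:4321, and the symmetric NAT hands A a second public port for C so that C's reply to the first port is dropped. The punch fails whenever one side is symmetric, which is the case the deck hands over to TURN; the model deliberately only tries the endpoints the rendezvous advertised and does not let a peer reply to the source it actually observes, so it is slightly pessimistic for a symmetric NAT facing a full cone one.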

Page 30: NAT Traversal

STUN protocol

STUN is a protocol that lets applications discover the presence and type of NATs and firewalls between them and the public Internet

STUN allows applications to determine the public IP addresses allocated to them by the NAT

Page 31: NAT Traversal

STUN protocol

STUN is specified in RFC 3489 and defines the operations and the message format needed to understand the type of NAT
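The message format and the NAT-type decision tree that RFC 3489 defines, as an added Python example (not code from the slides or from any STUN implementation). It encodes a Binding Request with the optional CHANGE-REQUEST attribute, decodes MAPPED-ADDRESS from a Binding Response while checking the transaction ID, and expresses the classification of RFC 3489 section 10.1 over the outcomes of the three tests so it can be exercised without a server; the build_binding_response() helper only exists to construct test input, and the addresses used are the deck's own.

```python
# Added example, not from the slides: RFC 3489 Binding Request/Response encoding and the
# NAT-type decision tree of RFC 3489 section 10.1, expressed over test outcomes so it can be
# exercised without a STUN server. Addresses in the tests are the deck's own.
import os
import socket
import struct
from typing import Optional, Tuple

Endpoint = Tuple[str, int]

BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_CHANGE_REQUEST = 0x0001, 0x0003
CHANGE_IP, CHANGE_PORT = 0x04, 0x02          # CHANGE-REQUEST flag bits
HEADER_LEN = 20                               # type(2) + length(2) + 128-bit transaction ID


def build_binding_request(change_ip: bool = False, change_port: bool = False,
                          txid: Optional[bytes] = None) -> bytes:
    """Binding Request, optionally carrying CHANGE-REQUEST (tests II and III of the RFC)."""
    txid = os.urandom(16) if txid is None else txid
    attrs = b""
    if change_ip or change_port:
        flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
        attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags)
    return struct.pack("!HH", BINDING_REQUEST, len(attrs)) + txid + attrs


def build_binding_response(txid: bytes, mapped: Endpoint) -> bytes:
    """Server side: Binding Response carrying MAPPED-ADDRESS (used here to construct test input)."""
    # MAPPED-ADDRESS value: one pad byte, family (0x01 = IPv4), port, address
    value = struct.pack("!BBH4s", 0, 0x01, mapped[1], socket.inet_aton(mapped[0]))
    attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + txid + attr


def parse_mapped_address(msg: bytes, txid: bytes) -> Optional[Endpoint]:
    """MAPPED-ADDRESS from a Binding Response, or None if the datagram is not a well-formed
    response to our transaction (the ID check is what ties a reply to the request we sent)."""
    if len(msg) < HEADER_LEN:
        return None
    mtype, length = struct.unpack("!HH", msg[:4])
    if mtype != BINDING_RESPONSE or msg[4:HEADER_LEN] != txid or len(msg) < HEADER_LEN + length:
        return None
    off, end = HEADER_LEN, HEADER_LEN + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        if off + 4 + alen > end:
            return None                          # attribute runs past the declared length
        value = msg[off + 4:off + 4 + alen]
        if atype == ATTR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            return socket.inet_ntoa(value[4:8]), struct.unpack("!H", value[2:4])[0]
        off += 4 + alen
    return None


def classify_nat(local: Endpoint, test1: Optional[Endpoint], test2_answered: bool,
                 test1_changed: Optional[Endpoint], test3_answered: bool) -> str:
    """Decision tree of RFC 3489 section 10.1.
    test1: MAPPED-ADDRESS returned by a plain request to the server (None = no reply).
    test2_answered: did a request asking the server to reply from another IP and port get a reply?
    test1_changed: MAPPED-ADDRESS returned by a plain request sent to the server's alternate address.
    test3_answered: did a request asking the server to reply from another port only get a reply?"""
    if test1 is None:
        return "UDP blocked"
    if test1 == local:                           # no translation: we are not behind a NAT
        return "open Internet" if test2_answered else "symmetric UDP firewall"
    if test2_answered:
        return "full cone"
    if test1_changed != test1:                   # a different destination got a different mapping
        return "symmetric NAT"
    return "restricted cone" if test3_answered else "port restricted cone"
```

A real client sends build_binding_request() over UDP to the server, matches each reply with parse_mapped_address() using the transaction ID it generated (so a stray or spoofed datagram cannot be mistaken for the answer), and feeds the outcomes to classify_nat(); the slides' example of a host at 192.168.2.2:4445 mapped to 1.1.1.4:10100 classifies as a restricted cone when test II fails and test III succeeds.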

Page 32: NAT Traversal

TCP Hole Punching

Establishing TCP connections between hosts behind NATs is slightly more complex than for UDP

Berkeley sockets allow a TCP socket to initiate an outgoing connection or to listen for incoming connections, but not both.

Page 33: NAT Traversal

TCP Hole punching

We need to use a single local TCP port both to listen for incoming TCP connections and to initiate multiple outgoing TCP connections concurrently

To allow multiple sockets to be bound to the same local endpoint, BSD systems introduced the SO_REUSEADDR and SO_REUSEPORT socket options

Page 34: NAT Traversal

TCP Hole punching

[Figure: TCP hole punching: host A (10.0.0.12, behind a NAT with public address 1.1.1.4) and host B (192.168.2.99, behind a NAT with public address 1.1.1.5), each on its own local network, and rendezvous S (1.1.1.6) on the main Internet]

Page 35: NAT Traversal

TCP Hole punching

[Figure: TCP hole punching: host A appears on the Internet as 1.1.1.4:1234 and host B as 1.1.1.5:4444; rendezvous S at 1.1.1.6]

Page 36: NAT Traversal

STUNT

Simple Traversal of UDP Through NATs and TCP too (STUNT) extends STUN to include TCP functionality

A Java implementation of STUNT is available

See http://nutss.gforge.cis.cornell.edu/stunt.php

Page 37: NAT Traversal

Traversing a NAT that collaborates

Page 38: NAT Traversal

Socks

SOCKS is a client-server protocol that allows a client behind a firewall to use a server on the public Internet to relay traffic

Two operations: CONNECT and BIND

It is widely adopted; for instance, Mozilla can be configured to use SOCKS

Two versions: SOCKS4 and SOCKS5

Page 39: NAT Traversal

SOCKS CONNECT

[Figure: SOCKS CONNECT: host A behind a NAT sends 1. CONNECT to the Socks proxy, which performs 2. connect() to server S]

Page 40: NAT Traversal

SOCKS BIND

[Figure: SOCKS BIND: host A, listening on 4445, sends 1. BIND (localport=4445, S) to the Socks proxy; the proxy answers 2. Ok. Port=33102; server S then performs 3. connect(33102) to the proxy]

Page 41: NAT Traversal

SOCKS and Java

import java.net.*;

// Route a URL connection through a SOCKS proxy with the java.net.Proxy API
SocketAddress addr = new InetSocketAddress("socks.mydomain.com", 1080);
Proxy proxy = new Proxy(Proxy.Type.SOCKS, addr);
URL url = new URL("ftp://ftp.gnu.org/README");
URLConnection conn = url.openConnection(proxy);

Page 42: NAT Traversal

SOCKS4 and SOCKS5

SOCKS4 doesn't support authentication, while SOCKS5 has a built-in mechanism to support a variety of authentication methods.

SOCKS4 doesn't support UDP proxying, while SOCKS5 does.

SOCKS4 clients require full DNS support, while SOCKS5 clients can rely on the SOCKS5 server to perform the DNS lookup.
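The SOCKS5 messages behind the CONNECT and BIND diagrams and behind the SOCKS4/SOCKS5 comparison above, as an added Python example that follows RFC 1928 (this is not code from the slides, and it is a message codec rather than a proxy client: no socket is opened). It shows the method negotiation that SOCKS4 lacks, the domain-name address type that lets the proxy do the DNS lookup, and the reply that carries the port the proxy bound for a BIND; the reply bytes in the tests are constructed, with 1.1.1.7 as an assumed proxy address and 33102 taken from the BIND diagram.

```python
# Added example, not from the slides: the SOCKS5 (RFC 1928) client-side messages for the
# CONNECT and BIND operations. The bytes parsed in the tests are constructed; the proxy
# address 1.1.1.7 is assumed and the bound port 33102 comes from the BIND diagram.
import socket
import struct
from typing import Sequence, Tuple

SOCKS_VERSION = 0x05
CMD_CONNECT, CMD_BIND = 0x01, 0x02
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
REPLY_TEXT = {0x01: "general SOCKS server failure", 0x02: "connection not allowed by ruleset",
              0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
              0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}


def greeting(methods: Sequence[int] = (METHOD_NO_AUTH, METHOD_USERPASS)) -> bytes:
    """Version identifier / method selection message: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(data: bytes) -> int:
    """The server's choice of authentication method (SOCKS4 has no such negotiation)."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed method selection")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy accepts none of the offered methods")
    return data[1]


def request(cmd: int, host: str, port: int) -> bytes:
    """CONNECT or BIND request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT.
    An IPv4 literal is sent as ATYP 1; any other name is sent as ATYP 3 so the proxy resolves
    it, which is how a SOCKS5 client behind a NAT avoids doing its own DNS lookup."""
    if cmd not in (CMD_CONNECT, CMD_BIND):
        raise ValueError("unsupported command")
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, cmd, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> Tuple[str, int]:
    """Decode a reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT. For BIND the first reply carries
    the port the proxy is listening on for the remote server (33102 on the BIND diagram); a
    second reply in the same format arrives once that server has connected."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed reply")
    rep, atyp = data[1], data[3]
    if rep != 0x00:
        raise ConnectionError(REPLY_TEXT.get(rep, f"unknown reply code {rep:#x}"))
    if atyp == ATYP_IPV4:
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unsupported address type")
    if len(data) < off + 2:
        raise ValueError("truncated reply")
    return addr, struct.unpack("!H", data[off:off + 2])[0]
```

A CONNECT session is greeting(), parse_method_selection() on the two-byte answer, any sub-negotiation the chosen method requires, request(CMD_CONNECT, ...), and parse_reply(); after a successful reply the same TCP connection carries the application data, which is what the Java URLConnection on the previous page relies on.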

Page 43: NAT Traversal

UPnP NAT Traversal

The Internet Gateway Device (IGD) protocol[1] is defined by UPnP

It is implemented in some Internet routers. It allows applications to automatically configure NAT routing. IGD makes it easy to do the following:

Learn the public (external) IP address
Enumerate existing port mappings
Add and remove port mappings
Assign lease times to mappings

Page 44: NAT Traversal

UPnP API provided by COM

IStaticPortMapping::get_ExternalIPAddress()
IStaticPortMapping::get_ExternalPort()
IStaticPortMapping::get_InternalPort()
IStaticPortMapping::get_Protocol()
IStaticPortMapping::get_InternalClient()
IStaticPortMapping::get_Enabled()
IStaticPortMapping::get_Description()

Page 45: NAT Traversal

UPnP Port Forward

Page 46: NAT Traversal

Issues with UPnP

Opponents of IGD see a significant security risk

UPnP allows any program, even a malicious program, to create a port mapping through the router.

With UPnP, the port mapping can be created even without any knowledge of the administrative password of the router
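The IGD operations listed on the UPnP pages (add a mapping with a lease, enumerate existing mappings) and the check that the issue above calls for, as an added Python example. This is not code from the slides or the COM API they list: it produces and parses the SOAP messages of the IGD WANIPConnection:1 service (AddPortMapping, GetGenericPortMappingEntry), refuses to request a permanent lease, and audits the mappings a gateway reports against a list of hosts the administrator expects. No gateway is contacted; the responses in SAMPLE_RESPONSES are constructed, and 192.168.2.77 and the description strings are invented.

```python
# Added example, not from the slides or the COM API they list: the SOAP messages of the IGD
# WANIPConnection service (AddPortMapping, GetGenericPortMappingEntry) and an audit of the
# mappings a gateway reports. The responses below are constructed; no gateway is contacted.
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List
from xml.sax.saxutils import escape

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"


def soap_envelope(element: str, args: Dict[str, object]) -> str:
    """Wrap an action (or its response) and its arguments in the SOAP envelope IGD expects."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args.items())
    return (f'<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_ENV}" s:encodingStyle="{SOAP_ENC}"><s:Body>'
            f'<u:{element} xmlns:u="{WANIP}">{body}</u:{element}></s:Body></s:Envelope>')


def soap_headers(action: str) -> Dict[str, str]:
    """HTTP headers for the POST to the service's control URL."""
    return {"Content-Type": 'text/xml; charset="utf-8"', "SOAPACTION": f'"{WANIP}#{action}"'}


def add_port_mapping_request(external_port: int, protocol: str, internal_port: int,
                             internal_client: str, description: str, lease_seconds: int) -> str:
    """AddPortMapping with a finite lease. A NewLeaseDuration of 0 means permanent; a gateway
    accepts it, but this helper refuses so a mapping cannot outlive the program that needed it."""
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    if lease_seconds <= 0:
        raise ValueError("use a finite NewLeaseDuration; 0 creates a permanent mapping")
    return soap_envelope("AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": external_port, "NewProtocol": protocol,
        "NewInternalPort": internal_port, "NewInternalClient": internal_client, "NewEnabled": 1,
        "NewPortMappingDescription": description, "NewLeaseDuration": lease_seconds})


def parse_soap_args(xml_text: str, element: str) -> Dict[str, str]:
    """Flatten the arguments of one action or response element into a dict of strings."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{SOAP_ENV}}}Body/{{{WANIP}}}{element}")
    if node is None:
        raise ValueError(f"no {element} in SOAP body")
    return {child.tag: (child.text or "").strip() for child in node}


def parse_port_mapping_entry(xml_text: str) -> Dict[str, str]:
    """One answer to GetGenericPortMappingEntry (gateways are polled with index 0, 1, ...)."""
    return parse_soap_args(xml_text, "GetGenericPortMappingEntryResponse")


def audit_mappings(entries: Iterable[Dict[str, str]], trusted_clients: Iterable[str]) -> List[str]:
    """Flag mappings an administrator did not expect: permanent leases, and mappings that point
    at internal hosts outside the trusted set. Since any program on the LAN can add a mapping
    without the router password, the mapping table itself is what has to be reviewed."""
    trusted = set(trusted_clients)
    findings: List[str] = []
    for e in entries:
        label = (f"{e['NewProtocol']} {e['NewExternalPort']} -> "
                 f"{e['NewInternalClient']}:{e['NewInternalPort']} ({e['NewPortMappingDescription']!r})")
        if e["NewLeaseDuration"] == "0":
            findings.append("permanent lease: " + label)
        if e["NewInternalClient"] not in trusted:
            findings.append("unexpected internal client: " + label)
    return findings


# Constructed sample responses, shaped like a gateway's answers to GetGenericPortMappingEntry
SAMPLE_RESPONSES = [
    soap_envelope("GetGenericPortMappingEntryResponse", {
        "NewRemoteHost": "", "NewExternalPort": 4445, "NewProtocol": "UDP", "NewInternalPort": 4445,
        "NewInternalClient": "192.168.2.2", "NewEnabled": 1,
        "NewPortMappingDescription": "p2p app", "NewLeaseDuration": 3600}),
    soap_envelope("GetGenericPortMappingEntryResponse", {
        "NewRemoteHost": "", "NewExternalPort": 8080, "NewProtocol": "TCP", "NewInternalPort": 8080,
        "NewInternalClient": "192.168.2.77", "NewEnabled": 1,
        "NewPortMappingDescription": "", "NewLeaseDuration": 0}),
]
```

In use, add_port_mapping_request() and soap_headers() are POSTed to the control URL found through SSDP discovery and the device description (not shown), and the audit is run periodically over the entries returned for index 0, 1, ... until the gateway reports no more; a permanent mapping or one pointing at a host nobody configured is the trace an unwanted program leaves in the router.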

Page 47: NAT Traversal

References

Peer-to-Peer Communication Across NAT. http://www.brynosaurus.com/pub/net/p2pnat/

STUN Protocol, IETF RFC 3489. http://www.ietf.org/rfc/rfc3489.txt

TCP NAT traversal (STUNT). http://nutss.gforge.cis.cornell.edu//stunt.php

Traversal Using Relay NAT (TURN), IETF RFC

Page 48: NAT Traversal

References (2)

SOCKS5, IETF RFC 1928. http://www.ietf.org/rfc/rfc1928.txt

SOCKS4 protocol. http://archive.socks.permeo.com/protocol/socks4.protocol

Java Networking and Proxies. http://java.sun.com/j2se/1.5.0/docs/guide/net/proxies.html

Using UPnP for Programmatic Port Forwardings and NAT Traversal. http://www.codeproject.com/internet/PortForward.asp
