SIP-assisted NAT Traversal
Source: webhome.cs.uvic.ca/~pan/seng490/seng490-nat.pdf
Jianping Pan, web.uvic.ca/~pan
October 25, 2005
Slide 2: Internet was ...
(diagram: client, router, server)
• infrastructures
  – routers, end-hosts
• applications
  – 1-way data transfer
• requirements
  – data integrity
• global addressable and end-to-end reachable
Slide 3: "Internet" now ...
(diagram: SIP UA, proxy, IP phone, firewall/NAT, with separate signaling and media paths)
• many mid-boxes
  – firewalls, NATs
• many applications
  – 2 or more-way
• many requirements
  – security!
• SIP
  – ~SS7?
• IPsec
  – IPv4/6
• SSL/TLS
  – over TCP
Slide 4: Firewalls and NATs
• NATs: initially a quick fix for the IPv4 address shortage
  – now pervasive in every networking scenario
  – translate source/destination address/port
  – update other related information (checksum etc.)
• firewalls and NATs usually work hand in hand
  – firewalls: packet filtering with (known) rules
(diagram: A behind NAT N talking to B)
  – translate outgoing Aa:Ap=>Ba:Bp to Na:Np=>Ba:Bp
  – allow incoming Ba:Bp=>Na:Np, forwarded as Ba:Bp=>Aa:Ap
Slide 5: IPsec and NAT
(diagram: packet layouts)
  plain:            IP header | payload
  AH transport:     IP header | AH header | payload                                  (authenticated)
  AH tunnel:        IP header | AH header | IP header | payload
  ESP transport:    IP header | ESP header | payload | ESP trailer | ESP auth          (encrypted+authed)
  ESP tunnel:       IP header | ESP header | IP header | payload | ESP trailer | ESP auth
  UDP-encapsulated: IP header | UDP header | IPsec header+payload
• upper-layer header inaccessible
• IP header cannot be modified
• UDP-encapsulated IPsec NAT traversal
  – MTU discovery?
Slide 6: SIP and NAT
(diagram: UAs A and B behind NATs, proxy with AAA/RADIUS; register/auth/invite signaling carries local vs. global addr/port; the media path is marked ?)
• session establishment for UAs behind NATs
• information embedded in SDP (local vs. global view)
• NAT traversal is still an open problem!
Slide 7: Roadmap
• Introduction
  – why IPsec, SIP, and NAT cannot work together
• Why is NAT traversal so difficult?
• NAT traversal approaches
• SIP-assisted NAT traversal
  – with ordinary applications and NATs and IPsec
• Network reliability & security in a big picture
Slide 8: Types of NATs: full cone
(diagram: A behind a NAT, peers B and C; A sends Aa:Ap=>Ba:Bp, seen outside as Na:Np=>Ba:Bp; any *:*=>Na:Np, including Ba:*=>Na:Np, is forwarded as *:*=>Aa:Ap)
• outgoing mapping: Aa:Ap=>*:* to Na:Np=>*:*
• incoming filtering: *:*=>Na:Np to *:*=>Aa:Ap
• NAT behaviors were never regulated!
Slide 9: (IP) restricted cone
(diagram: A sends Aa:Ap=>Ba:Bp, seen outside as Na:Np=>Ba:Bp; Ba:*=>Na:Np is forwarded as Ba:*=>Aa:Ap, while Ca:Cp=>Na:Np from C is dropped)
• outgoing mapping: Aa:Ap=>*:* to Na:Np=>x:* (remember x)
• incoming filtering: x:*=>Na:Np to x:*=>Aa:Ap
Slide 10: (IP and) port restricted cone
(diagram: A sends Aa:Ap=>Ba:Bp, seen outside as Na:Np=>Ba:Bp; Ba:Bp=>Na:Np is forwarded as Ba:Bp=>Aa:Ap, while Ba:!Bp=>Na:Np from another port of B is dropped)
• outgoing mapping: Aa:Ap=>*:* to Na:Np=>x:y (remember x and y)
• incoming filtering: x:y=>Na:Np to x:y=>Aa:Ap
Slide 11: Symmetric NAT
(diagram: A sends Aa:Ap=>Ba:Bp, seen outside as Na:Np=>Ba:Bp, and Ba:Bp=>Na:Np is forwarded as Ba:Bp=>Aa:Ap; A's Aa:Ap=>Ca:Cp to another peer C gets a different mapping Na:N'p=>Ca:Cp, and Ca:Cp=>Na:N'p is forwarded as Ca:Cp=>Aa:Ap)
• outgoing mapping: Aa:Ap=>Ba:Bp to Na:Np=>Ba:Bp
• incoming filtering: Ba:Bp=>Na:Np to Ba:Bp=>Aa:Ap
Slide 12: Why does NAT break things?
(diagram: initiator and responder on either side of a NAT, in both directions; the direction in which the host behind the NAT must respond is marked ?)
Slide 13: NAT traversal approaches
• Manual configuration
  – static port forwarding at NATs (always open)
• Application layer gateway (ALG)
  – proxy or snoop at NATs
  – application-specific
(diagram: ALG at the NAT)
Slide 14: With NAT cooperation
• Universal Plug 'N Play (UPnP)
  – UPnP-aware NATs and clients
  – security, cascaded NAT, etc.
(diagram: A asks its NAT to "open a hole for B to me")
Slide 15: Without NAT cooperation
• Simple Traversal of UDP thru NATs (STUN)
  – probe and learn the allocated address/port at NATs
  – works with many but not all NATs
(diagram: A sends Aa:Ap=>Sa:Sp to the STUN server, which sees Na:Np=>Sa:Sp; "tell me my NATed addr/port" is answered with Na:Np)
Slide 16: How about one more NAT?
• Traversal Using Relay NATs (TURN)
  – request to allocate address/port at this NAT
  – act as a masquerade relay
(diagram: A asks the TURN server "give me an addr/port that B can use"; the server answers "use mine" and relays between A and B)
Slide 17: Trial and error ...
(diagram: STUN and TURN servers)
• peer-to-peer STUN
• Interactive Connectivity Establishment (ICE)
• still not bullet-proof!
Slide 18: SIP-assisted NAT traversal
• Why SIP
  – SIP is otherwise NAT-challenged
  – SIP is flexible and extensible
  – SIP may become pervasive
• How NAT traversal works with SIP
  – be aware of the existence of NATs
  – determine the type of the NATs of most interest
  – establish sessions between UAs with the help of the proxy
Slide 19: UA-Proxy NAT traversal
• Symmetric Response Routing (SRR)
  – UA (x.x.x.x:x)
  – Proxy: returns received=y.y.y.y;rport=y in SIP attributes
  – UA: if x != y, there is at least one NAT in the path!
(diagram: register/auth/invite from the UA through the NAT, x=>y, to the proxy; keep-alive; UDP tunnel for IPsec)
Slide 20: UA-Proxy STUN: cone
(diagram: UA, NAT, proxy with addresses IP1 and IP2; the proxy switches addr and port for its reply, and the reply still arrives)
• cone!
Slide 21: UA-Proxy STUN: symmetric
(diagram: UA, NAT, proxy; the proxy switches addr and port, the UA waits out a short timeout and probes again)
• different received:rport
• symmetric!
Slide 22: UA-Proxy STUN: restricted
(diagram: UA, NAT, proxy; the proxy switches addr and port, short timeout, then the proxy switches port only)
• same received:rport
• switch port: port restricted!
• otherwise, (IP) restricted!
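The SRR check of slide 19 and the probe order of slides 20-22, as an added example (not code from the slides): the UA parses the `received`/`rport` parameters the proxy echoes in the top Via header and compares them with what it sent, then classifies the NAT from the outcome of the three probes. The mapping of probe outcomes to NAT types, and the sample responses, are my reading of the slides and constructed values, not the author's code.

```python
import re

# topmost Via of a SIP message: "Via: SIP/2.0/UDP host[:port];param[=value];..."
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/UDP\s+(?P<host>[^;:\s]+)(?::(?P<port>\d+))?(?P<params>(?:;[^;\s]+)*)", re.I)
CONE, IP_RESTRICTED, PORT_RESTRICTED, SYMMETRIC = "cone", "ip-restricted", "port-restricted", "symmetric"

def parse_top_via(message):
    """Return (sent-by host, port, params) from the topmost Via header."""
    for line in message.split("\r\n"):
        m = VIA_RE.match(line)
        if m:
            params = dict(p.split("=", 1) if "=" in p else (p, None)
                          for p in m["params"].split(";") if p)
            return m["host"], int(m["port"] or 5060), params
    raise ValueError("no Via header")

def srr_check(response):
    """SRR: the UA wrote x.x.x.x:x into Via; the proxy echoed received=y.y.y.y;rport=y.
    Returns (behind_nat, (y.y.y.y, y)); x != y means there is at least one NAT in the path."""
    host, port, params = parse_top_via(response)
    received = params.get("received") or host
    rport = int(params.get("rport") or port)
    return (host, port) != (received, rport), (received, rport)

def classify_nat(reply_after_addr_port_switch, mappings_agree, reply_after_port_switch):
    """Probe order of slides 20-22 (my reading): the proxy answers from a different addr
    and port; if that reply arrives the NAT is a cone. Otherwise the UA re-probes after a
    short timeout: a different received:rport means symmetric; with the same mapping, a
    reply from a switched port only tells IP restricted from port restricted."""
    if reply_after_addr_port_switch:
        return CONE
    if not mappings_agree:
        return SYMMETRIC
    return IP_RESTRICTED if reply_after_port_switch else PORT_RESTRICTED

# constructed responses: the first came back through a NAT, the second did not
NATED = ("SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776;"
         "received=203.0.113.7;rport=40123\r\nContent-Length: 0\r\n\r\n")
DIRECT = ("SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK777;"
          "received=203.0.113.7;rport=5060\r\nContent-Length: 0\r\n\r\n")
```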
Slide 23: UA-UA: 4x4
(table: rows and columns are the NAT types of A and B, cone, IP restricted, port restricted and symmetric; most cells are marked √, some cells involving symmetric NATs are marked ?)
Slide 24: UA-UA: cone-cone
(diagram: UA A behind NAT N, UA B behind NAT M, proxy P; A and B register via Aa:Ap=>Pa:Pp and Ba:Bp=>Pa:Pp, the proxy sees Na:Np and Ma:Mp and tells A "B at Ma:Mp"; media from A, Aa:Ap=>Ma:Mp, arrives at B as Na:Np=>Ba:Bp; media from B, Ba:Bp=>Na:Np, arrives at A as Ma:Mp=>Aa:Ap; keepalive)
Slide 25: UA-UA: cone/restricted-restricted
(diagram: A and B register via Aa:Ap=>Pa:Pp and Ba:Bp=>Pa:Pp; the proxy tells A "B at Ma:Mp" and B "A at Na:Np"; A sends Aa:Ap=>Ma:Mp, a timeout passes, B sends Ba:Bp=>Na:Np, then A's Aa:Ap=>Ma:Mp arrives as Na:Np=>Ba:Bp; keepalive, media)
• ICMP messages?
Slide 26: UA-UA: cone/restricted-symmetric
(diagram: A at Na:Np and B at Ma:Mp as seen by the proxy; A sends Aa:Ap=>Ma:Mp; B's Ba:Bp=>Na:Np leaves its symmetric NAT from a new mapping Ma:M'p and arrives at A as Ma:M'p=>Aa:Ap; A then sends Aa:Ap=>Ma:M'p, which arrives as Na:Np=>Ba:Bp; keepalive, media)
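A toy model of the four NAT types of slides 8-11 and of the proxy-assisted UA-UA rendezvous of slides 24-26, added here as an example and not code from the slides. Each NAT keeps the outgoing mapping and incoming filtering rule of its type; `rendezvous` lets both UAs learn the peer's mapped address through the proxy and then send to it, re-learning the peer from the source of whatever gets through. Port prediction (slides 27-28) is not modeled, so symmetric-symmetric and port-restricted-symmetric pairs fail; addresses and ports are constructed sample values.

```python
PROXY = ("proxy", 5060)                      # constructed proxy address Pa:Pp
CONE, IP_RESTRICTED, PORT_RESTRICTED, SYMMETRIC = "cone", "ip-restricted", "port-restricted", "symmetric"

class Nat:
    """Toy NAT: maps an internal (addr, port) to an external port and filters inbound packets."""
    def __init__(self, kind, ext_addr):
        self.kind, self.ext_addr, self.next_port = kind, ext_addr, 40000
        self.maps = {}                       # key -> [external port, set of destinations sent to]

    def _key(self, src, dst):
        # a symmetric NAT allocates a fresh mapping per destination; the cone types reuse one
        return (src, dst) if self.kind == SYMMETRIC else src

    def outbound(self, src, dst):
        """Translate an outgoing packet; returns the (Na, Np) the outside world sees."""
        key = self._key(src, dst)
        if key not in self.maps:
            self.maps[key] = [self.next_port, set()]
            self.next_port += 1
        self.maps[key][1].add(dst)
        return (self.ext_addr, self.maps[key][0])

    def inbound(self, src, ext_port):
        """Return the internal endpoint an inbound packet reaches, or None if filtered."""
        for key, (port, seen) in self.maps.items():
            if port != ext_port:
                continue
            allowed = (self.kind == CONE                                                  # *:*=>Na:Np
                       or (self.kind == IP_RESTRICTED and src[0] in {d[0] for d in seen})  # x:*=>Na:Np
                       or (self.kind in (PORT_RESTRICTED, SYMMETRIC) and src in seen))     # x:y=>Na:Np
            if allowed:
                return key[0] if self.kind == SYMMETRIC else key
        return None

def rendezvous(kind_a, kind_b, rounds=3):
    """Proxy-assisted UA-UA session: each UA learns the peer's Na:Np from the proxy, sends to it,
    and re-learns the peer from the source of any packet that gets through."""
    nat = {"A": Nat(kind_a, "Na"), "B": Nat(kind_b, "Ma")}
    ua = {"A": ("a", 1000), "B": ("b", 2000)}                 # constructed private endpoints
    mapped = {n: nat[n].outbound(ua[n], PROXY) for n in ua}   # register/invite through the proxy
    peer = {"A": mapped["B"], "B": mapped["A"]}               # "B at Ma:Mp" / "A at Na:Np"
    got = {"A": False, "B": False}
    for _ in range(rounds):                                   # keepalive/media attempts
        for s, r in (("A", "B"), ("B", "A")):
            src = nat[s].outbound(ua[s], peer[s])             # s's NAT translates the packet
            if nat[r].inbound(src, peer[s][1]) == ua[r]:      # r's NAT filters it
                got[r], peer[r] = True, src                   # r learns s's real mapping
    return got["A"] and got["B"]
```

Calling `rendezvous` for every pair of the four types yields the 4x4 reachability table of slide 23 for the no-prediction case.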
Slide 27: A close look at symmetric NATs
(diagram: UA A probes through its NAT to a STUN server, predicts its next mapping and tells UA B)
• many symmetric NATs have predictable port allocation
Slide 28: UA-UA: symmetric-symmetric
(diagram: A and B each probe their NAT and predict the next mapping via the proxy; A uses B's predicted Ma:M'p and B uses A's predicted Na:N'p; keepalive, media)
Slide 29: How about TCP
(diagram: three-way handshake between a listen() side and a connect() side: SYNa carries ISNa, ACKa/SYNb carries ISNb, then ACKb)
• passive listen()
• active connect()
• sequence number matters!
Slide 30: UA-UA: TCP/NUTSS
(diagram: A and B probe and predict as for symmetric NATs; A sends SYNa with a low TTL using B's prediction, B sends SYNb using A's prediction; SYNa, SYNb and ACKb/SYNa are also exchanged encapsulated via the proxy, and the handshake completes with ACKa/SYNb and ACKb)
Slide 31: TCP: more issues
• UDP-encapsulated TCP/IPsec NAT traversal
  – port uniqueness
• Port allocation at UA
  – TCP-based
• Port allocation at NAT
  – UDP-based
• mix and match
  – multi-UA behind the same NAT
Slide 32: SIP-assisted NAT traversal
• SIP becomes versatile
  – such as XML/HTTP for data transfer
• SIP protocol can be extended to support NAT traversal
  – more signaling attributes
• SIP proxy can play an important role in assisting NAT traversal
  – already exists; may become ubiquitous; why not use it for an extra purpose?
Slide 33: Thanks!
• Q&A?