NAT Traversal

Information about NAT Traversal

Published on September 7, 2007

Author: dadaista

Source: slideshare.net

Description

Overview of NAT traversal techniques

P2P and NAT: How to traverse NAT

Davide Carboni © 2005-2006

License: Attribution-ShareAlike 2.5

You are free: to copy, distribute, display, and perform the work; to make derivative works; to make commercial use of the work.

Under the following conditions: Attribution. You must give the original author credit. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a licence identical to this one.

For any reuse or distribution, you must make clear to others the licence terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. This is a human-readable summary of the Legal Code (the full licence).

The problem

The large deployment of NAT builds a barrier to the development of peer-to-peer networks.

Hosts behind a NAT/firewall are only authorized to initiate outgoing traffic, through a limited set of ports (UDP/TCP).

Hosts behind a NAT/firewall are never authorized to receive incoming TCP or UDP traffic initiated by a foreign host, unless the NAT/firewall has been explicitly configured to forward it. Two peers that are both behind NATs therefore cannot open a connection to each other directly; the rest of the slides is about working around that.

Firewall

A firewall is a system that filters TCP/IP and UDP/IP packets according to rules.

It can be software running on the user's machine or on a network router.

Diagram: a router holding the global (public) IP addresses applies the firewall rules to traffic between the local network and the Internet.

NAT

The process of network address translation (NAT, also known as network masquerading or IP masquerading) involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall. In the common home-router form the TCP/UDP port numbers are rewritten as well, so many private hosts can share one public address; the mapping slides below show this.

Why NAT is so popular

IPv4 address shortage.

Standard feature in routers for home and small-office Internet connections.

It can enhance the reliability of local systems by stopping worms, and enhance privacy by discouraging scans: unsolicited inbound packets have no mapping and are dropped. This is a side effect of address sharing, not a substitute for a firewall policy.

Simple NAT

Diagram: a NAT sits between a local network (private IP addresses) and the main Internet (public IP addresses).

Multiple NAT

Diagram: two levels of NAT. Hosts 192.168.2.12 and 192.168.2.99 on the home network sit behind a home NAT; that NAT is itself on the ISP's private network (10.0.0.12), behind the ISP NAT whose public address 156.148.70.32 is what the main Internet sees.

NAT Mappings

Diagram: host A (192.168.2.2) behind a NAT whose public address is 1.1.1.5 sends a datagram to 1.1.1.4:7777.

Inside the local network:  S=192.168.2.2:4445  D=1.1.1.4:7777
On the Internet:           S=1.1.1.5:10100     D=1.1.1.4:7777

The NAT records the mapping 192.168.2.2:4445 <-> 1.1.1.5:10100 and uses it to rewrite anything addressed to 1.1.1.5:10100 back to 192.168.2.2:4445. (The following slides use 1.1.1.4 as the NAT's public address instead.)

Traversing a NAT that does not collaborate

Relaying

Diagram: host A (10.0.0.12) and host B (192.168.2.99) are each behind their own NAT. (1) Both open outgoing connections to a relay server S on the main Internet, which their NATs allow; (2) S forwards every packet from one connection to the other. Relaying always works, whatever the NATs do, at the cost of the server's bandwidth and an extra hop of latency.

Connection reversal

Diagram: host A (192.168.2.99) is behind a NAT, host B (1.1.1.4) has a public address, and both keep a connection to a rendezvous server S. (1) B wants to reach A, but A's NAT drops B's unsolicited packets; (2) B asks S to relay a connection request to A over A's existing connection; (3) A opens the connection to B in the other direction, which its NAT allows. This only works when at least one of the two peers is publicly reachable.

TURN protocol

TURN is a protocol for UDP/TCP relaying behind a NAT.

Unlike STUN-assisted hole punching, TURN does not open a direct path: data are bounced through a public server called the TURN server, which costs the server's bandwidth and adds a hop of latency.

TURN is the last resort, for instance when a peer sits behind a symmetric NAT and no hole can be punched.

Roles in TURN

A TURN client is an entity that generates TURN requests.

A TURN server is an entity that receives TURN requests and sends TURN responses.

The server is a data relay: it receives data on the address it provides to clients and forwards them to the clients.

NAT policies

Full cone NAT

Restricted cone NAT

Port restricted cone NAT

Symmetric NAT

These are the four types defined by RFC 3489. They differ in two things: whether the NAT reuses one public port for all of an inside endpoint's destinations (the three cone types) or allocates a new one per destination (symmetric), and which source addresses it lets back in through that port. RFC 4787 later replaced the four names with separate mapping and filtering behaviours, because real devices mix them.

UDP Hole Punching

Hole punching is a technique to allow traffic from/to a host behind a firewall/NAT without the collaboration of the NAT itself.

The simplest way is to use UDP packets: one outgoing datagram is enough to create a mapping, and there is no connection state for the NAT to track.

Full cone

Diagram: host A (192.168.2.2) behind a full cone NAT (inside 192.168.2.1, outside 1.1.1.4); host B (1.1.1.5) and host C (1.1.1.6) on the public Internet.

A -> B:        Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
after NAT:     Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A:        Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)
after NAT:     Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)
C -> A:        Packet(S=1.1.1.6:1234, D=1.1.1.4:10100)
after NAT:     Packet(S=1.1.1.6:1234, D=192.168.2.2:4445)   (passes although A never sent to C)

Full cone mapping and policy

Mapping
192.168.2.2:4445 <-> 1.1.1.4:10100

Policy
ALLOW ALL TO 1.1.1.4:10100

Once A has sent one packet out, anybody on the Internet can reach 192.168.2.2:4445 through 1.1.1.4:10100, from any source address and port. This is the easiest case for hole punching and the least protective for the host.

Holes in Full Cone NAT

Diagram: five steps through a rendezvous server. (1), (2) hosts A and B each send a datagram to the rendezvous server, which records the public endpoint each one arrives from; (3) the server tells each host the other's public endpoint; (4), (5) A and B send directly to those endpoints. Both packets pass, because a full cone NAT forwards anything addressed to an existing mapping.

Restricted cone

Diagram: host A (192.168.2.2) behind a restricted cone NAT (inside 192.168.2.1, outside 1.1.1.4); host B (1.1.1.5) and host C (1.1.1.6) on the public Internet.

A -> B:        Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
after NAT:     Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A:        Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)
after NAT:     Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)   (passes: A has sent to 1.1.1.5; the port does not matter)
C -> A:        Packet(S=1.1.1.6:1234, D=1.1.1.4:10100)   X dropped: A has never sent to 1.1.1.6
A -> C:        Packet(S=192.168.2.2:4445, D=1.1.1.6:7777)
after NAT:     Packet(S=1.1.1.4:10100, D=1.1.1.6:7777)
C -> A:        Packet(S=1.1.1.6:4321, D=1.1.1.4:10100)
after NAT:     Packet(S=1.1.1.6:4321, D=192.168.2.2:4445)   (passes now)

Restricted cone mapping and policy

Mapping
192.168.2.2:4445 <-> 1.1.1.4:10100

Policy
ALLOW 1.1.1.5 TO 1.1.1.4:10100
ALLOW 1.1.1.6 TO 1.1.1.4:10100

The policy grows by one line each time A sends to a new address; only the address is checked, not the remote port.

Holes in Restricted Cone NAT

Diagram: six steps. (1), (2) A and B register with the rendezvous server; (3) the server tells each the other's public endpoint; (4), (5) A and B each send a datagram to the other's endpoint. Whichever datagram arrives first at the other NAT may be dropped, since that NAT has not yet seen an outgoing packet to that address, but the same datagram has opened the hole on its own NAT; (6) the next datagrams pass in both directions. Each side should therefore keep sending until it receives.

Port restricted cone

Diagram: host A (192.168.2.2) behind a port restricted cone NAT (inside 192.168.2.1, outside 1.1.1.4); host B (1.1.1.5) and host C (1.1.1.6) on the public Internet.

A -> B:        Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
after NAT:     Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A:        Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)   X dropped: A sent to port 7777, not 4321
B -> A:        Packet(S=1.1.1.5:7777, D=1.1.1.4:10100)
after NAT:     Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)   (passes: address and port both match)

Port restricted cone mapping and policy

Mapping
192.168.2.2:4445 <-> 1.1.1.4:10100

Policy
ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
ALLOW 1.1.1.6:7777 TO 1.1.1.4:10100

The second policy line appears once A has also sent a packet to 1.1.1.6:7777. The mapping is still one public port for every destination; only the filter is stricter.

Holes in Port restricted Cone NAT

Diagram: the same six steps as for the restricted cone. Because the filter now checks the remote port too, each host must send from the very socket whose mapping the rendezvous server reported, and to the exact public endpoint reported for the peer; any other port pair is dropped.

Symmetric NAT

Diagram: host A (192.168.2.2) behind a symmetric NAT (inside 192.168.2.1, outside 1.1.1.4); host B (1.1.1.5) and host C (1.1.1.6) on the public Internet.

A -> B:        Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
after NAT:     Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A:        Packet(S=1.1.1.5:7777, D=1.1.1.4:10100)
after NAT:     Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)
A -> C:        Packet(S=192.168.2.2:4445, D=1.1.1.6:7777)
after NAT:     Packet(S=1.1.1.4:10179, D=1.1.1.6:7777)   (a new public port for the new destination)
C -> A:        Packet(S=1.1.1.6:7777, D=1.1.1.4:10179)
after NAT:     Packet(S=1.1.1.6:7777, D=192.168.2.2:4445)
C -> A:        Packet(S=1.1.1.6:7777, D=1.1.1.4:10100)   X dropped: that mapping belongs to the conversation with B

Symmetric mapping and policy

Mapping
192.168.2.2:4445 <-> 1.1.1.4:10100
192.168.2.2:4445 <-> 1.1.1.4:10179

Policy
ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
ALLOW 1.1.1.6:7777 TO 1.1.1.4:10179

The same inside socket gets a different public port for each destination, so the endpoint one party observes says nothing about the port the NAT will use towards anyone else.

Holes in Symmetric NAT

Diagram: the rendezvous server reports the public port it saw A on, but A's datagram to B leaves through a different mapping with a different public port, so B's datagram to the reported endpoint is dropped. Hole punching fails unless the NAT allocates ports predictably; otherwise the only option left is relaying (TURN).
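Worked example, added here and not part of the original slides: a small Python model of the four NAT types that replays the packet sequences of the full cone, restricted cone, port restricted cone and symmetric slides above (and the NAT Mappings slide), then runs one round of rendezvous-based UDP hole punching through two such NATs. Addresses are the ones from the slides; the model allocates public ports sequentially from 10100 (the slides show 10100 and 10179, a real NAT chooses freely), and the port-restricted and symmetric filters both check address and port.

```python
from dataclasses import dataclass, field

# NAT behaviours as named on the slides (RFC 3489 terminology)
FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = "full", "restricted", "port-restricted", "symmetric"


@dataclass
class Nat:
    """Toy NAT: a mapping table plus the filtering policy of one of the four types."""
    policy: str
    public_ip: str
    next_port: int = 10100                                  # first public port handed out
    mappings: dict = field(default_factory=dict)            # key -> public port
    sent_to: dict = field(default_factory=dict)             # public port -> {(dst_ip, dst_port)}

    def _key(self, src, dst):
        # Symmetric: one mapping per (inside endpoint, destination); cone types: one per inside endpoint.
        return (src, dst) if self.policy == SYMMETRIC else (src, None)

    def outbound(self, src, dst):
        """Translate an outgoing datagram from inside endpoint src; returns its public (ip, port)."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.sent_to.setdefault(port, set()).add(dst)       # remember whom this port has talked to
        return (self.public_ip, port)

    def inbound(self, src, public_port):
        """Apply the filtering policy to a datagram from src aimed at public_port.
        Returns the inside endpoint it is delivered to, or None if the NAT drops it."""
        peers = self.sent_to.get(public_port)
        if peers is None:
            return None                                     # no mapping: always dropped
        if self.policy == FULL_CONE:
            allowed = True                                  # ALLOW ALL TO public_port
        elif self.policy == RESTRICTED:
            allowed = any(ip == src[0] for ip, _ in peers)  # address must match
        else:                                               # port-restricted and symmetric
            allowed = src in peers                          # address and port must match
        if not allowed:
            return None
        return next(k[0] for k, p in self.mappings.items() if p == public_port)


def replay(policy):
    """Replay the packet exchanges of the slides against one NAT type.
    Returns (event, outcome) pairs: the public endpoint for outgoing packets,
    the inside endpoint delivered to (or None = dropped) for incoming ones."""
    nat = Nat(policy, "1.1.1.4")
    a, b, c = ("192.168.2.2", 4445), ("1.1.1.5", 7777), ("1.1.1.6", 7777)
    pub_b = nat.outbound(a, b)
    log = [("A -> B, seen on the Internet as", pub_b),
           ("B:7777 -> A", nat.inbound(b, pub_b[1])),
           ("B:4321 -> A", nat.inbound(("1.1.1.5", 4321), pub_b[1])),
           ("C:1234 -> A before A talks to C", nat.inbound(("1.1.1.6", 1234), pub_b[1]))]
    pub_c = nat.outbound(a, c)
    log += [("A -> C, seen on the Internet as", pub_c),
            ("C:7777 -> A via the first mapping", nat.inbound(c, pub_b[1]))]
    return log


def hole_punch(policy_a, policy_b):
    """One round of UDP hole punching through two NATs with rendezvous server S.
    Returns True when A and B can each deliver a datagram to the other."""
    s = ("1.1.1.6", 7777)
    nat_a, nat_b = Nat(policy_a, "1.1.1.4"), Nat(policy_b, "1.1.1.5")
    a, b = ("192.168.2.2", 4445), ("10.0.0.12", 4445)
    pub_a = nat_a.outbound(a, s)            # steps 1, 2: both register with S, which records
    pub_b = nat_b.outbound(b, s)            #             the public endpoints it sees
    a_src = nat_a.outbound(a, pub_b)        # step 3: S tells each the other's endpoint;
    b_src = nat_b.outbound(b, pub_a)        # steps 4, 5: both send to it, opening holes
    return nat_b.inbound(a_src, pub_b[1]) == b and nat_a.inbound(b_src, pub_a[1]) == a


if __name__ == "__main__":
    for policy in (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(policy)
        for event, outcome in replay(policy):
            print(f"  {event}: {outcome if outcome else 'DROPPED'}")
    for pa, pb in ((FULL_CONE, FULL_CONE), (PORT_RESTRICTED, PORT_RESTRICTED), (SYMMETRIC, PORT_RESTRICTED)):
        print(f"hole punching {pa} <-> {pb}: {'works' if hole_punch(pa, pb) else 'fails'}")
```

The single round is deliberately pessimistic: symmetric-to-full-cone would succeed on a second round, once the full cone side has seen A's real source port, and symmetric-to-symmetric only with port prediction, which the model does not attempt.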

STUN protocol

STUN is a protocol that lets applications discover the presence and type of NATs and firewalls between them and the public Internet.

STUN allows applications to determine the public IP address and port allocated to them by the NAT: the client sends a Binding Request over UDP and the server answers with the source address it saw the request come from (the MAPPED-ADDRESS attribute).

STUN is specified in RFC 3489, which defines the operations and the message format needed to classify the NAT. RFC 3489 has since been obsoleted by RFC 5389 and then RFC 8489: the newer versions keep the message layout, add the XOR-MAPPED-ADDRESS attribute so that NATs rewriting payloads cannot corrupt the answer, and drop the NAT-type classification in favour of using STUN as a building block of ICE, because many real NATs do not fit the four types above.
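The Binding exchange described above, as an added example that is not part of the original slides: it builds a Binding Request, parses the server's Binding Response and checks the transaction id, so a forged or stale reply is rejected rather than trusted as our public endpoint. The server reply used for the offline run is constructed here; query_stun_server sends a real request to a STUN server you name (no default server is assumed).

```python
import os
import socket
import struct

BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
MAPPED_ADDRESS = 0x0001           # RFC 3489 attribute
XOR_MAPPED_ADDRESS = 0x0020       # RFC 5389 replacement (value XORed so NATs cannot rewrite it)
MAGIC_COOKIE = 0x2112A442         # RFC 5389 constant used for the XOR


def build_binding_request(txid=None):
    """20-byte header: type, attribute length, 16-byte transaction id; no attributes."""
    txid = txid or os.urandom(16)
    return struct.pack("!HH16s", BINDING_REQUEST, 0, txid), txid


def parse_binding_response(data, txid):
    """Return the (ip, port) the server saw us as, after checking the reply is the one we asked for."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, rtxid = struct.unpack("!HH16s", data[:20])
    if mtype != BINDING_RESPONSE:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    if rtxid != txid:
        raise ValueError("transaction id mismatch: stale or forged reply")
    if length != len(data) - 20:
        raise ValueError("length field disagrees with datagram size")
    mapped, off = None, 20
    while off + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and alen == 8:
            family, port = struct.unpack("!xBH", value[:4])    # pad, family, port
            addr = value[4:8]
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            if atype == XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr = bytes(x ^ y for x, y in zip(addr, struct.pack("!I", MAGIC_COOKIE)))
            mapped = (socket.inet_ntoa(addr), port)
        off += 4 + alen + (-alen % 4)         # attributes are 32-bit aligned
    if mapped is None:
        raise ValueError("no (XOR-)MAPPED-ADDRESS in response")
    return mapped


def make_constructed_response(txid, ip, port, xor=False):
    """What a STUN server would answer; constructed here so the example runs offline."""
    if xor:
        port ^= MAGIC_COOKIE >> 16
        addr = bytes(x ^ y for x, y in zip(socket.inet_aton(ip), struct.pack("!I", MAGIC_COOKIE)))
        attr = struct.pack("!HHxBH4s", XOR_MAPPED_ADDRESS, 8, 0x01, port, addr)
    else:
        attr = struct.pack("!HHxBH4s", MAPPED_ADDRESS, 8, 0x01, port, socket.inet_aton(ip))
    return struct.pack("!HH16s", BINDING_RESPONSE, len(attr), txid) + attr


def query_stun_server(host, port=3478, timeout=2.0):
    """Send a real Binding Request over UDP (needs network access and a STUN server of your choice)."""
    req, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        data, _ = sock.recvfrom(1500)
        local = sock.getsockname()
    mapped = parse_binding_response(data, txid)
    return mapped, local          # a mapped port different from the local one means a NAT is in the path
```

Comparing the mapped endpoint with the local one tells you whether a NAT is present; telling the four types apart needs the additional Binding Requests with the CHANGE-REQUEST attribute that RFC 3489 describes, which this example leaves out.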

TCP Hole Punching

TCP connections between hosts behind NATs are slightly more complex than for UDP.

Berkeley sockets allow a TCP socket either to initiate an outgoing connection or to listen for incoming connections, but not both.

TCP hole punching therefore needs a single local TCP port both to listen for incoming TCP connections and to initiate multiple outgoing TCP connections concurrently.

To bind multiple sockets to the same local endpoint, BSD systems have introduced the SO_REUSEADDR and SO_REUSEPORT socket options. On Linux, binding a second socket to a port on which another socket is already listening requires SO_REUSEPORT (kernel 3.9 and later) on both sockets; Windows has no SO_REUSEPORT, and there SO_REUSEADDR alone permits the second bind.

TCP Hole punching

Diagram: host A (10.0.0.12) behind a NAT with public address 1.1.1.4 and host B (192.168.2.99) behind a NAT with public address 1.1.1.5; rendezvous server S at 1.1.1.6. Each host opens a TCP connection to S from the local port it also listens on; S sees A as 1.1.1.4:1234 and B as 1.1.1.5:4444 and tells each host the other's public endpoint. Each host then connects from that same local port to the other's public endpoint while still listening on it: if the two SYNs cross, both NATs have seen an outgoing connection and the TCP simultaneous open completes; otherwise the SYN that arrives after the other side's outgoing SYN has opened the hole is accepted by that side's listener.
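An added example (not from the slides) of the socket setup the two slides above describe: in Python, a listening socket and an outgoing socket share one local port by setting SO_REUSEADDR and, where the platform has it, SO_REUSEPORT, and the function then proves both roles work at once. The remote peer is stood in for by a plain listener on the loopback interface, so no NAT and no rendezvous server are involved, and the simultaneous open itself is not attempted.

```python
import socket


def reusable_tcp_socket():
    """A TCP socket that may share its local port with other sockets of this process."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if hasattr(socket, "SO_REUSEPORT"):          # Linux >= 3.9, BSD, macOS; not on Windows
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    return sock


def listen_and_connect_from_same_port():
    """Listen on local port P and, from a second socket also bound to P, open an
    outgoing connection. Returns (P, port the remote saw, port an inbound client reached)."""
    # Stand-in for the remote peer: an ordinary listener on an ephemeral loopback port.
    remote = reusable_tcp_socket()
    remote.bind(("127.0.0.1", 0))
    remote.listen(1)

    # Socket 1: our listener on P (P chosen by the kernel).
    listener = reusable_tcp_socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    local_port = listener.getsockname()[1]

    # Socket 2: bound to the same P, used for the outgoing connection.
    outgoing = reusable_tcp_socket()
    outgoing.bind(("127.0.0.1", local_port))     # EADDRINUSE without the options above
    outgoing.connect(remote.getsockname())
    accepted_by_remote, seen_by_remote = remote.accept()

    # Meanwhile P still accepts inbound connections through socket 1.
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", local_port))
    accepted_by_listener, _ = listener.accept()
    reached = accepted_by_listener.getsockname()[1]

    for s in (client, accepted_by_listener, accepted_by_remote, outgoing, listener, remote):
        s.close()
    return local_port, seen_by_remote[1], reached


if __name__ == "__main__":
    p, seen, reached = listen_and_connect_from_same_port()
    print(f"listening on {p}; outgoing connection left from port {seen}; inbound accepted on {reached}")
```

In a real hole punch both peers run this setup, register with the rendezvous server from the shared port, and then call connect() towards each other's public endpoint from a fresh socket bound to that same port while the listener stays open; whichever of the two outcomes the diagram describes occurs, one socket ends up connected.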

STUNT

Simple Traversal of UDP Through NATs and TCP too (STUNT) extends STUN to include TCP functionality.

A Java implementation of STUNT is available; see http://nutss.gforge.cis.cornell.edu/stunt.php

Traversing a NAT that collaborates

SOCKS

SOCKS is a client-server protocol that allows a client behind a firewall to use a server on the public Internet to relay its traffic.

Two operations: CONNECT (an outgoing connection made by the proxy on the client's behalf) and BIND (the proxy accepts an incoming connection on the client's behalf).

It is widely adopted; for instance, Mozilla browsers can be configured to use SOCKS.

Two versions: SOCKS4 and SOCKS5.

SOCKS CONNECT

Diagram: host A behind a NAT, a SOCKS proxy on the public Internet, and a server S. (1) A sends CONNECT naming S to the proxy; (2) the proxy calls connect() towards S and from then on relays bytes in both directions. A's NAT only ever sees the outgoing connection to the proxy.

SOCKS BIND

Diagram: host A behind a NAT, listening locally on port 4445, a SOCKS proxy, and a server S that must connect back to A. (1) A sends BIND to the proxy over its existing control connection, naming the expected peer S (and its local port 4445); (2) the proxy answers OK with the public port it has opened for this purpose, 33102; (3) S connects to the proxy on port 33102 and the proxy relays that connection to A. The proxy, not A's NAT, is what makes A reachable.

SOCKS and Java

import java.net.*;

// Route one URL connection through a SOCKS proxy (java.net.Proxy, Java 5 and later).
SocketAddress addr = new InetSocketAddress("socks.mydomain.com", 1080);
Proxy proxy = new Proxy(Proxy.Type.SOCKS, addr);
URL url = new URL("ftp://ftp.gnu.org/README");
URLConnection conn = url.openConnection(proxy); // the proxy, not this host, connects to ftp.gnu.org

SOCKS4 and SOCKS5

SOCKS4 doesn't support authentication (its USERID field is sent in clear and not verified), while SOCKS5 has a built-in mechanism to negotiate a variety of authentication methods.

SOCKS4 doesn't support UDP relaying while SOCKS5 does (UDP ASSOCIATE).

SOCKS4 clients must resolve names themselves, while SOCKS5 clients can rely on the SOCKS5 server to perform the DNS lookup by sending the hostname in the request. This matters for privacy: with local resolution the DNS query reveals the destination to the client's own network even though the connection itself goes through the proxy. (The SOCKS4a extension adds server-side resolution to SOCKS4.)
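The SOCKS5 messages from the last three slides, as an added example in Python that is not the slides' own code: greeting, method selection, CONNECT/BIND request and reply, with the hostname form of the request so that the proxy performs the DNS lookup. Only the no-authentication method is implemented; the replies used when running offline are constructed byte strings, and socks5_connect performs the real handshake against a proxy address you supply.

```python
import socket
import struct

SOCKS5 = 0x05
CONNECT, BIND, UDP_ASSOCIATE = 0x01, 0x02, 0x03
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def greeting(methods=(NO_AUTH,)):
    """Client hello: version, number of auth methods offered, the methods (RFC 1928 section 3)."""
    return bytes([SOCKS5, len(methods), *methods])


def parse_method_selection(data):
    """The server picks one of our methods, or 0xFF if none is acceptable."""
    if len(data) != 2 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == NO_ACCEPTABLE:
        raise ConnectionError("proxy rejected all offered authentication methods")
    return data[1]


def request(cmd, host, port):
    """CONNECT / BIND / UDP ASSOCIATE request. A hostname is sent as ATYP 0x03 so the
    proxy resolves it; the client never issues a DNS query of its own."""
    try:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                                   # not a dotted quad: send the name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, cmd, 0x00]) + dst + struct.pack("!H", port)


def parse_reply(data):
    """Server reply -> (code, text, (bound address, bound port)). For BIND the bound
    address is the public endpoint the proxy is now listening on for the remote peer."""
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return code, REPLY_TEXT.get(code, "unassigned"), (addr, port)


def socks5_connect(proxy, host, port, timeout=5.0):
    """Full CONNECT handshake against a real proxy (network access required); returns the tunnel socket."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(greeting())
    if parse_method_selection(sock.recv(2)) != NO_AUTH:
        sock.close()
        raise ConnectionError("this example only implements the no-authentication method")
    sock.sendall(request(CONNECT, host, port))
    code, text, bound = parse_reply(sock.recv(262))     # longest reply: domain-name form
    if code != 0:
        sock.close()
        raise ConnectionError(f"SOCKS5 CONNECT to {host}:{port} failed: {text}")
    return sock
```

A BIND is the same request with cmd=BIND and the expected peer's address; the proxy then sends two replies, the first carrying the public endpoint to hand to the peer, the second once the peer has connected.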

UPnP NAT Traversal

The Internet Gateway Device (IGD) protocol [1] is defined by UPnP.

It is implemented in some Internet routers.

It allows applications to automatically configure NAT routing: this is the "collaborating NAT" case, where the application asks the NAT for a mapping instead of punching a hole.

IGD makes it easy to do the following:

Learn the public (external) IP address

Enumerate existing port mappings

Add and remove port mappings

Assign lease times to mappings
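An added example (not from the slides) of the messages behind those operations, as a control point on the LAN sends them: an SSDP M-SEARCH to find the gateway, then the SOAP actions GetExternalIPAddress and AddPortMapping on the WANIPConnection service. The gateway replies are constructed here so the parsers run offline; the control URL path /ctl/IPConn and the addresses are assumptions (a real control point reads the path from the description XML named in the LOCATION header).

```python
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_DEVICE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def msearch(st=IGD_DEVICE, mx=2):
    """SSDP discovery datagram, sent to the multicast group to find gateways on the LAN."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_response(data):
    """Headers of a unicast SSDP reply; LOCATION points at the gateway's description XML."""
    status, *lines = data.decode("latin-1").split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    headers = {}
    for line in lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def soap_request(host, control_path, action, args):
    """HTTP POST carrying one WANIPConnection action. Note what is absent: any credential."""
    body_args = "".join(f"<New{k}>{escape(str(v))}</New{k}>" for k, v in args)
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{WANIP_SERVICE}">{body_args}</u:{action}>'
            '</s:Body></s:Envelope>')
    headers = (f"POST {control_path} HTTP/1.1\r\nHOST: {host}\r\n"
               'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
               f"CONTENT-LENGTH: {len(body.encode())}\r\n"
               f'SOAPACTION: "{WANIP_SERVICE}#{action}"\r\n\r\n')
    return (headers + body).encode()


def add_port_mapping(host, control_path, external_port, protocol, internal_port,
                     internal_client, description, lease_seconds=0):
    """AddPortMapping: forward <public address>:external_port to internal_client:internal_port.
    lease_seconds=0 means a permanent mapping; prefer a finite lease for anything temporary."""
    return soap_request(host, control_path, "AddPortMapping", [
        ("RemoteHost", ""), ("ExternalPort", external_port), ("Protocol", protocol),
        ("InternalPort", internal_port), ("InternalClient", internal_client),
        ("Enabled", 1), ("PortMappingDescription", description), ("LeaseDuration", lease_seconds)])


def get_external_ip(host, control_path):
    return soap_request(host, control_path, "GetExternalIPAddress", [])


def parse_soap_response(xml_bytes, action):
    """Return the out-arguments of <action>Response as a dict (namespace prefixes stripped)."""
    root = ET.fromstring(xml_bytes)
    for element in root.iter():
        if element.tag.split("}")[-1] == f"{action}Response":
            return {child.tag.split("}")[-1]: (child.text or "") for child in element}
    raise ValueError(f"no {action}Response in document")


# Constructed replies, in the shape a gateway produces, so the parsers can be exercised offline.
CONSTRUCTED_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: " + IGD_DEVICE.encode() +
                          b"\r\nLOCATION: http://192.168.2.1:1900/igd.xml\r\nUSN: uuid:example::" +
                          IGD_DEVICE.encode() + b"\r\n\r\n")
CONSTRUCTED_EXTERNAL_IP_REPLY = (b'<?xml version="1.0"?>'
                                 b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
                                 b'<u:GetExternalIPAddressResponse xmlns:u="' + WANIP_SERVICE.encode() + b'">'
                                 b'<NewExternalIPAddress>156.148.70.32</NewExternalIPAddress>'
                                 b'</u:GetExternalIPAddressResponse></s:Body></s:Envelope>')
```

Read the AddPortMapping request once with the "Issues with UPnP" slide in mind: the only thing it proves to the gateway is that the sender is on the LAN, which is exactly what malware on a LAN host also is.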

UPnP API provided by COM

On Windows the same operations are exposed through the NATUPnP COM library (natupnp.h); each existing mapping is an IStaticPortMapping object with these accessors:

IStaticPortMapping::get_ExternalIPAddress()
IStaticPortMapping::get_ExternalPort()
IStaticPortMapping::get_InternalPort()
IStaticPortMapping::get_Protocol()
IStaticPortMapping::get_InternalClient()
IStaticPortMapping::get_Enabled()
IStaticPortMapping::get_Description()

UPnP Port Forward

Issues with UPnP

Opponents of IGD see a significant security risk.

UPnP allows any program, even a malicious one, to create a port mapping through the router.

With UPnP, the port mapping can be created without any knowledge of the administrative password to the router: the protocol has no authentication at all, so any host on the LAN, including malware running on it, can expose any internal service to the Internet. The usual mitigations are to disable UPnP IGD on the gateway, or restrict it to specific hosts, and to audit the mapping table for entries nobody asked for.

References

Peer-to-Peer Communication Across NAT. http://www.brynosaurus.com/pub/net/p2pnat/

STUN Protocol, RFC 3489. http://www.ietf.org/rfc/rfc3489.txt

TCP NAT traversal (STUNT). http://nutss.gforge.cis.cornell.edu//stunt.php

Traversal Using Relay NAT (TURN), IETF. An Internet-Draft at the time of the slides; later published as RFC 5766 (Traversal Using Relays around NAT).

References (2)

SOCKS5, IETF RFC 1928. http://www.ietf.org/rfc/rfc1928.txt

SOCKS4 protocol. http://archive.socks.permeo.com/protocol/socks4.protocol

Java Networking and Proxies. http://java.sun.com/j2se/1.5.0/docs/guide/net/proxies.html

Using UPnP for Programmatic Port Forwardings and NAT Traversal. http://www.codeproject.com/internet/PortForward.asp

