Extended UDP Multiple Hole Punching Method to Traverse Large Scale NATs

Similar documents
Peer-to-Peer Systems and Security

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Technical White Paper

Chapter 3 Security and Firewall Protection

Multimedia Communication in the Internet. SIP: Advanced Topics. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS

Peer-to-Peer Communication Across Network Address Translators

Firewalls P+S Linux Router & Firewall 2013

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Microsoft Present and Future

A Measurement of NAT & Firewall Characteristics in Peer to Peer Systems

NAT and Firewall Traversal with STUN / TURN / ICE

NAT Traversal for VoIP. Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

NAT/Firewall traversal:issues and solutions

Carrier Grade NAT. Requirements and Challenges in the Real World. Amir Tabdili Cypress Consulting

Peer-to-Peer Networks Hole Punching 7th Week

Компјутерски Мрежи NAT & ICMP

NetScaler carriergrade network

IP addressing and forwarding Network layer

21.4 Network Address Translation (NAT) NAT concept

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Developing P2P Protocols across NAT

The H.323 NAT/FW Traversal Solution

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4)

RARP: Reverse Address Resolution Protocol

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Network Address Translation (NAT) Adapted from Tannenbaum s Computer Network Ch.5.6; computer.howstuffworks.com/nat1.htm; Comer s TCP/IP vol.1 Ch.

IPv6 Fundamentals Ch t ap 1 er I : ntroducti ti t on I o P IPv6 Copyright Cisco Academy Yannis Xydas

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

Administrative Distance

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Introduction to IP v6

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Networking Test 4 Study Guide

Network: several computers who can communicate. bus. Main example: Ethernet (1980 today: coaxial cable, twisted pair, 10Mb 1000Gb).

Application Delivery Networking

THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering

8.2 The Internet Protocol

Network Address Translation (NAT)

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Sage ERP Accpac Online

Sage 300 ERP Online. Mac Resource Guide. (Formerly Sage ERP Accpac Online) Updated June 1, Page 1

Firewall Defaults and Some Basic Rules

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

ProCurve Networking IPv6 The Next Generation of Networking

Internet Infrastructure Measurement: Challenges and Tools

Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

Network layer" 1DT066! Distributed Information Systems!! Chapter 4" Network Layer!! goals: "

IP addressing. Interface: Connection between host, router and physical link. IP address: 32-bit identifier for host, router interface

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

NAT and Firewall Traversal with STUN / TURN / ICE

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

Virtual Private Network Using Peer-to-Peer Techniques

Tunnels and Redirectors

Transport and Network Layer

CSCE 465 Computer & Network Security

Guidance Regarding Skype and Other P2P VoIP Solutions

IP Addressing. -Internetworking (with TCP/IP) -Classful addressing -Subnetting and Supernetting -Classless addressing

Computer Networks I Laboratory Exercise 1

NAT Traversal for VoIP

How To Configure A Vyatta As A Ds Internet Connection Router/Gateway With A Web Server On A Dspv.Net (Dspv) On A Network With A D

FIREWALL AND NAT Lecture 7a

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

ASA/PIX: Load balancing between two ISP - options

Network layer: Overview. Network layer functions IP Routing and forwarding

Network Layer: Network Layer and IP Protocol

WiFi Cable Modem Router C3700

Tech-Note Bridges Vs Routers Version /06/2009. Bridges Vs Routers

2. IP Networks, IP Hosts and IP Ports

Application Note. Cell Janus Load Balancing Algorithms Technical Overview

Network performance in virtual infrastructures

Packet filtering and other firewall functions

- Introduction to Firewalls -

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

EITF25 Internet Techniques and Applications L5: Wide Area Networks (WAN) Stefan Höst

- IPv4 Addressing and Subnetting -

SIP Trunking Configuration with

IP Addressing A Simplified Tutorial

NAT (Network Address Translation)

CCNA Discovery Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

VegaStream Information Note Considerations for a VoIP installation

Wireless Cable Voice Gateway CG3700EMR-1CMNDS

Customer Guide. BT Business - BT SIP Trunks. BT SIP Trunks: Firewall and LAN Guide. Issued by: BT Business Date Issue: v1.

RWC4YD3S723QRVHHHIZWJXPTQMO6GKEQR

Address Resolution Protocol (ARP)

Communications and Networking

Iperf Tutorial. Jon Dugan Summer JointTechs 2010, Columbus, OH

Additional Information: A link to the conference website is available at:

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Transcription:

APAN Network Research Workshop 2010 at the 30th APAN Meeting August 9, 2010 Hanoi, Vietnam i-path Project Extended UDP Multiple Hole Punching Method to Traverse Large Scale NATs Kazuhiro Tobe, Akihiro Shimoda, and Shigeki Goto Waseda University {tobe, shimo, goto}@goto.info.waseda.ac.jp August 9, 2010 1

Outline Background & Purpose Proposed Method Evaluation Discussion Conclusion August 9, 2010 2

The Problem in NATs A network behind a NAT cannot be accessed from external hosts Peer-to-Peer (P2P) apps does not work on a host behind a NAT e.g. VoIP apps, Online games private address network Background (1) Problem in Network Address Translator (NAT) global address network the Internet discards an in-bound initiation packet NAT Traversal UDP Hole Punching End hosts can directly communicate each other beyond NATs by using the UDP Hole Punching. However, they can traverse the only Cone NAT [RFC3489] i.e., cannot traverse a Symmetric NAT. Ford, B.; Srisuresh, P.; Kegel, D. Peer-to-Peer Communication Across Network Address Translators. USENIX Annual Technical Conference, pp.179-192, 2005. August 9, 2010 3

Our Previous Method UDP Multiple Hole Punching Extends the concept of the UDP Hole Punching host-a NAT-A (Cone NAT) server-a server-b NAT-B (Symmetric NAT) host-b (7) Conducts Port Prediction helped by two servers Sends numerous UDP packets with low TTL values (9) Time Exceeded (8) Can traverse a Symmetric NAT without relay servers Low loads and low-delay cf. TURN, ICE, Teredo (11) (10) August 9, 2010 4 Wei, Y.; Yamada, D.; Yoshida, S.; Goto, S. A New Method for Symmetric NAT Traversal in UDP and TCP. APAN Network Research Workshop 2008, pp.11-18, August 2008.

IPv4 address exhaustion will occur (IANA:2011, RIR:2012) [Huston] => LSNs or CGNs will be deployed in ISPs Port number limitation Blocks such apps that Listen at a specific port Establish multiple sessions Multiple levels of NATs NAT Traversal will be difficult e.g. UPnP will not work needs August improving 9, 2010 Background (2) Large Scale NAT/Carrier Grade NAT UDP Multiple Hole Punching private address realm home network ISP network home NAT home network [Huston] G. Huston, IPv4 Address Report, http://www.potaroo.net/tools/ipv4/index.html Large Scale NAT ISP shared address realm home NAT the Internet home network ISP network global address realm home network 5

Summary of Background & Purpose NATs in ISPs (and NATs in buildings) decrease the possibility of traversing Symmetric NATs by the existing NAT Traversal methods Port number limitation Multiple levels of NATs Extends the concept of UDP Multiple Hole Punching method to traverse Large Scale NATs effectively Extended Port Prediction New algorithm for Low TTL Value Determination i-path Network Transparency August 9, 2010 6

Proposed Method Extended Port Prediction Capturing Method Scanning Method New Algorithm for Low TTL Value Determination i-path Network Transparency August 9, 2010 7

A Part of Our Previous Method (1) Port Prediction A technique to examine ports assigned by a NAT and to predict the next assigned port Success => A host can traverse a Symmetric NAT by using Hole Punching +1 +1 +1 Can find regularity (Predictable) Case: Random A UDP Multiple Punching host send numerous packets (the last resort) - 4-4 - 61!? Cannot find regularity (Random)

Problem (1) in the Previous Method Problem (1) in Port Prediction Problem (1) A possibility that a UDP Multiple Hole Punching host fails in Port Prediction Symmetric NATs may assign new port numbers for other hosts during Port Prediction => Estimated to be random, while it is really a predictable algorithm A host may open more ports than necessary wastes port numbers of Large Scale NATs 9

Proposed Method (1) Extended Port Prediction Capturing Method captures packets in the network behind NATs counts the number of initiation packets of UDP sessions during Port Prediction Scanning Method counts the number of running hosts (N) in the network before Port Prediction estimates the potential error ([0, E]) E = w * N, where w refers to a weight August 9, 2010 10

Proposed Method Extended Port Prediction Capturing Method Scanning Method New Algorithm for Low TTL Value Determination i-path Network Transparency August 9, 2010 11

A Part of Our Previous Method (2) Low TTL Value Determination End hosts send UDP packets whose TTL is set so low that the packets are dropped between the NAT on the sender side and the NAT on the destination side Existing algorithms for Low TTL Value Determination UDP Multiple Hole Punching: manual (by the experimenter) NATBLASTER: Traceroute (only proposed, not implemented) case initialttl == 2 TTL -> 1 NAT router (1st hop) Time Exceeded TTL -> 0 router (2nd hop) router (3rd hop) InitialTTL must be 1 < initialttl < 5 router (4th hop) NAT router (5th hop) August 9, 2010 12

Problem (2) in the Existing Method Problem (2) in Port Prediction NATs are cascaded => The packets must be discarded between the NAT on the sender side and the NAT on the destination side 2 < initialttl < 4 Problem (2) impossible to know how many NATs are cascaded Traceroute/Tracert provides end hosts with routers IP addresses It can be a hint but some routers do not return ICMP messages NAT router (1st hop) NAT router (2nd hop) router (3rd hop) NAT router (4th hop) NAT router (5th hop) August 9, 2010 13

Proposed Method (2) Low TTL Value Determination Solution (2) sets the initial TTL value to half of the end-to-end hop count [assumption] NATs are concentrated close to end hosts and do not exist in the center part of a network Requires only the hop count to the destination $ tracert 208.77.188.166 Tracing route to www.example.com [208.77.188.166] over a maximum of 30 hops: 1 * * * Request timed out. 2 * * * Request timed out. 11 * * * Request timed out. 12 144 ms 147 ms 146 ms www.example.com [208.77.188.166] Trace complete. e.g. hop count=12 -> initialttl := 12/2 = 6 August 9, 2010 14

Proposed Method Extended Port Prediction Capturing Method Scanning Method New Algorithm for Low TTL Value Determination i-path Network Transparency August 9, 2010 15

Our Previous Method i-path Routers Provide end hosts with the network status info along a path In addition to info traceroute/tracert provides, e.g., geographical location, traffic volume, etc Observe the info disclosure policy of routers Disclose only the info all of the stakeholders* allow to disclose *stakeholders = e.g. the sender/receiver and ISPs Kobayashi, K.; Goto, S.; Murase, I.; Mochinaga, D. Design for an End-to-end Cross-layer Measurement Protocol and its API toward Network Visibility Respecting Disclosure Policies. IEICE Technical Report Internet Architecture 108(409), pp.11-16, January 2009. August 9, 2010 16

Proposed Method (3) NAT Traversal by i-path Network Transparency i-path routers disclose NAT information NAT on/off: helps Low TTL Value Determination NAT property: improves the Port Prediction accuracy End Hosts can obtain all the routers along a path Can Work in networks behind Multiple levels of NATs cf. UPnP (Universal Plug and Play) NAT : on Type : Symmetric NAT Port : Incremental (1) Timer : 60 [s] i-path router (NAT : on) i-path router (NAT : on) NAT : off NAT : on Type : Cone NAT Timer : 60 [s] i-path router (NAT : off) NAT : off i-path router (NAT : off) NAT : on Type : Cone NAT Timer : 30 [s] i-path router (NAT : on) August 9, 2010 17

Evaluation Several Java programs Invoke a Ruby program Testbed by VMware ESXi home NAT-1 LSN-1 LSN-2 home NAT-2 private (flexnes) (flexnes) global realm (flexnes) (flexnes) private realm-1 Linux.1.2.1.1.1 realm-2.2.66.2 vs router vs Sym.1.65 (10.0.0.0/24) (10.0.1.0/24) virtual switch vs vs (promiscuous mode) virtual switch ISP-1 (192.0.2.0.129 (192.0.2.64/26) ISP-2.2.3 shared /26) shared virtual switch (vs).2 address address realm.130.131 realm internal host-1,2 (192.168.0.0/24) external server-1, 2 (192.0.2.128/26) internall host-3 (192.168.1.0/24) August 9, 2010 18

Discussion Capturing Method vs. Scanning Method Universal Plug and Play (UPnP) vs. i-path Multiple levels of NAT Authentication mechanism Capturing Method UPnP X X Scanning Method Accuracy O+ O Required privilege Root/Administrator User mode i-path August 9, 2010 19 O O

Conclusion Extends UDP Multiple Hole Punching method Improves the accuracy of Port Prediction Proposes a practical Low TTL Value Determination Discloses the info of NATs by the i-path framework Future Work Verifies the assumption that our LTVD is based on NAT router (1st hop) NAT router (2nd hop) router (3rd hop) router (4th hop) NAT router (5th hop) August 9, 2010 20

Acknowledgement This research is supported by the National Institute of Information and Communications Technology, Japan. i-path Project http://i-path.goto.info.waseda.ac.jp/trac/i-path/ August 9, 2010 21

Thank You August 9, 2010 22

Q & A August 9, 2010 23