Slide 1 - Network Address Translation (NAT)
Slide 2 - NAT: network address translation
[Figure: local network 10.0.0/24 (e.g., home network, hosts 10.0.0.1 to 10.0.0.4) behind a NAT router whose WAN-side address is 138.76.29.7, connected to the rest of the Internet. Datagrams with source or destination in this network carry 10.0.0/24 addresses. All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, but different source port numbers.]
Slide 3 - Motivation: local network uses just one IP address as far as outside world is concerned:
range of addresses not needed from ISP: just one IP address for all devices
can change addresses of devices in local network without notifying outside world
can change ISP without changing addresses of devices in local network
Slide 4 - implementation: NAT router must:
outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #); remote clients/servers will respond using (NAT IP address, new port #) as destination address
remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
incoming datagrams: replace (NAT IP address, new port #) in the destination fields of every incoming datagram with the corresponding (source IP address, port #) stored in the NAT table
Slide 5 - NAT: network address translation
[Figure: hosts 10.0.0.1 to 10.0.0.4 on the LAN, NAT router with WAN address 138.76.29.7, server 128.119.40.186 on the Internet]
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80 (S: 10.0.0.1, 3345  D: 128.119.40.186, 80)
2: NAT router rewrites the source to 138.76.29.7, 5001 (S: 138.76.29.7, 5001  D: 128.119.40.186, 80) and records the translation
NAT translation table:
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……
3: reply arrives, dest address: 138.76.29.7, 5001 (S: 128.119.40.186, 80  D: 138.76.29.7, 5001)
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 (S: 128.119.40.186, 80  D: 10.0.0.1, 3345)
Slide 6 - NAT: network address translation
16-bit port-number field: 65,000+ simultaneous connections with a single LAN-side address!
NAT is controversial:
routers should only process up to layer 3
violates end-to-end argument
NAT possibility must be taken into account by app designers, e.g., P2P applications
address shortage should instead be solved by IPv6
Slide 7 - NAT traversal problem
client wants to connect to server with address 10.0.0.1
server address 10.0.0.1 is local to the LAN (client can't use it as destination addr)
only one externally visible NATed address: 138.76.29.7
solution 1: statically configure NAT to forward incoming connection requests at a given port to the server
e.g., (138.76.29.7, port 2500) always forwarded to 10.0.0.1 port 25000
[Figure: external client, NAT router 138.76.29.7, hosts 10.0.0.1 and 10.0.0.4 on the LAN; the client's path to 10.0.0.1 is marked "?"]
Slide 8 - NAT traversal problem
solution 2: Universal Plug and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows NATed host
Slide 9 - NAT traversal problem
solution 3: relaying (used in Skype)
NATed client establishes connection to relay
external client connects to relay
relay bridges packets between connections
[Figure: NATed host 10.0.0.1 behind NAT router 138.76.29.7 and the external client both connected to a relay; step 1: connection to relay initiated by the NATed host]
Slide 10 - Drawbacks of NAT
Privately addressed systems are not reachable from outside
Runs counter to the fundamental tenet of the Internet protocols: the "smart edge" and "dumb middle"
Modifying the transport header requires recomputing the transport layer checksum
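The last point is where many home-grown NAT or packet-rewriting tools go wrong: the TCP checksum covers a pseudo-header that includes the source IP address, so rewriting either the address or the port silently invalidates it. The following added example (not from the slides) builds a TCP SYN from 10.0.0.1:3345 to 128.119.40.186:80, rewrites it the way the NAT on slide 5 would (138.76.29.7:5001), shows that the old checksum no longer verifies, and then repairs it two ways: a full recompute and the incremental update from RFC 1624, which touches only the changed 16-bit words. The window size, sequence number and the absence of options are arbitrary choices for the example.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum of a TCP segment; the checksum field (offset 16) is zeroed first."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF

def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment verifies when the sum including its checksum field is all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """20-byte TCP SYN header (no options, no payload) with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def incremental_checksum(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied to every changed 16-bit word."""
    acc = (~old_csum) & 0xFFFF
    for m in old_words:
        acc += (~m) & 0xFFFF
    for m_new in new_words:
        acc += m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF

def nat_rewrite_demo():
    """10.0.0.1:3345 -> 128.119.40.186:80, rewritten by the NAT to 138.76.29.7:5001."""
    lan_ip, wan_ip, server = "10.0.0.1", "138.76.29.7", "128.119.40.186"
    seg = tcp_syn(lan_ip, server, 3345, 80, seq=0x1000)
    # careless NAT: rewrite the source port, leave the checksum untouched
    rewritten = struct.pack("!H", 5001) + seg[2:]
    stale_ok = tcp_checksum_ok(wan_ip, server, rewritten)
    # option 1: recompute the whole checksum over the new pseudo-header and segment
    full = tcp_checksum(wan_ip, server, rewritten)
    # option 2: incremental update over only the words that changed
    old_csum = struct.unpack("!H", seg[16:18])[0]
    old_words = list(struct.unpack("!2H", ip_bytes(lan_ip))) + [3345]
    new_words = list(struct.unpack("!2H", ip_bytes(wan_ip))) + [5001]
    incr = incremental_checksum(old_csum, old_words, new_words)
    fixed = rewritten[:16] + struct.pack("!H", incr) + rewritten[18:]
    return stale_ok, full, incr, tcp_checksum_ok(wan_ip, server, fixed)
```

The incremental form is what real NAT implementations use: it costs a handful of additions per packet regardless of payload size, and because the source address lives in the pseudo-header rather than in the TCP bytes, a NAT that only rewrites the IP header and forgets the transport checksum will produce segments the receiver discards.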
Slide 11 - An Example
A NAT isolates private addresses, and the systems using them, from the Internet. Packets with private addresses are not routed by the Internet directly but instead must be translated as they enter and leave the private network through the NAT router. Internet hosts see the traffic as coming from a public IP address of the NAT.
Slide 12 - Traditional NAT (just referred to as NAT in the text):
Basic NAT: rewrite IP address only (not popular)
NAPT: Network Address Port Translation
Slide 13 - Basic NAT and NAPT
A basic IPv4 NAT (left) rewrites IP addresses from a pool of addresses and leaves port numbers unchanged. NAPT (right), also known as IP masquerading, usually rewrites the address to a single address. NAPT must sometimes rewrite port numbers in order to avoid collisions: in this case, the second instance of port number 23479 was rewritten to use port number 3000 so that returning traffic for 192.168.1.2 could be distinguished from the traffic returning to 192.168.1.35.
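The translation table of slide 4, the four-step walkthrough of slide 5 and the port collision on this slide are all the same mechanism, so one added example (not from the slides) covers them: a small NAPT that rewrites (source IP, port) to (NAT IP, port) on the way out, restores it on the way in, and drops inbound datagrams that match no table entry. It replays slide 5's numbers (10.0.0.1:3345 becoming 138.76.29.7:5001) and slide 13's collision (two hosts using source port 23479, the second remapped to 3000). Packets are plain dicts; the WAN address 198.51.100.1 used for the slide 13 scenario and the port pool start values are assumptions, since the slide does not give them.

```python
from itertools import count

class NAPT:
    """Minimal NAPT: many LAN (ip, port) pairs share one WAN address."""

    def __init__(self, wan_addr, first_port, preserve_ports=False):
        self.wan_addr = wan_addr
        self.preserve_ports = preserve_ports   # keep the LAN port unless it collides
        self._next = count(first_port)
        self.lan_to_wan = {}   # (lan_ip, lan_port) -> wan_port
        self.wan_to_lan = {}   # wan_port -> (lan_ip, lan_port)

    def _allocate(self, lan_ip, lan_port):
        if self.preserve_ports and lan_port not in self.wan_to_lan:
            wan_port = lan_port                 # no collision: keep the port
        else:
            wan_port = next(self._next)         # collision (or policy): pick a new one
            while wan_port in self.wan_to_lan:
                wan_port = next(self._next)
        self.lan_to_wan[(lan_ip, lan_port)] = wan_port
        self.wan_to_lan[wan_port] = (lan_ip, lan_port)
        return wan_port

    def outbound(self, pkt):
        """LAN -> WAN: rewrite (src, sport) to (wan_addr, wan_port), recording the pair."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.lan_to_wan:
            self._allocate(*key)
        return {**pkt, "src": self.wan_addr, "sport": self.lan_to_wan[key]}

    def inbound(self, pkt):
        """WAN -> LAN: restore (dst, dport) from the table; None means 'drop'."""
        if pkt["dst"] != self.wan_addr or pkt["dport"] not in self.wan_to_lan:
            return None   # no binding: unsolicited datagram, dropped
        lan_ip, lan_port = self.wan_to_lan[pkt["dport"]]
        return {**pkt, "dst": lan_ip, "dport": lan_port}


def slide5_walkthrough():
    """Steps 1-4 of slide 5, plus an unsolicited inbound datagram that is dropped."""
    nat = NAPT("138.76.29.7", first_port=5001)
    out = nat.outbound({"src": "10.0.0.1", "sport": 3345,
                        "dst": "128.119.40.186", "dport": 80})          # steps 1-2
    reply = {"src": "128.119.40.186", "sport": 80,
             "dst": out["src"], "dport": out["sport"]}                  # step 3
    back = nat.inbound(reply)                                           # step 4
    stray = nat.inbound({"src": "203.0.113.9", "sport": 4444,           # constructed probe
                         "dst": "138.76.29.7", "dport": 6000})
    return out, back, stray


def collision_walkthrough():
    """Slide 13: both hosts use source port 23479; the second one is remapped to 3000."""
    nat = NAPT("198.51.100.1", first_port=3000, preserve_ports=True)   # WAN address assumed
    first = nat.outbound({"src": "192.168.1.35", "sport": 23479,
                          "dst": "203.0.113.5", "dport": 23})
    second = nat.outbound({"src": "192.168.1.2", "sport": 23479,
                           "dst": "203.0.113.5", "dport": 23})
    returning = nat.inbound({"src": "203.0.113.5", "sport": 23,
                             "dst": "198.51.100.1", "dport": 3000})
    return first["sport"], second["sport"], returning["dst"]
```

Note what the table does not contain: no timers, no per-protocol state, and no notion of who is allowed to send to a mapped port. The later slides on TCP/UDP timers, filtering behaviour and application-layer editors each add one of those missing pieces.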
Slide 14 - Security via NAT
blocks almost all incoming new connection requests: an incoming datagram whose (NAT IP address, port #) has no entry in the translation table cannot be translated, so it is dropped
inhibits "probing" attacks that attempt to ascertain which IP addresses have active hosts available to exploit
NAT (especially NAPT) "hides" the number and configuration of internal addresses from the outside.
This is a side effect of the translation table, not an access-control policy: the static port forwarding of slide 7 and the UPnP mappings of slide 8 reopen exactly those inbound paths.
Slide 15 - NAT and TCP
Observe the packet flow (RST, SYN, FIN, ACK, etc.)
Use the TCP state diagram and run appropriate timers to estimate whether the connection state needs to be maintained or not
Need to account for:
Keepalive timers: 2 hours
Max idle time during setup/teardown: 4 mins
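As an added example (not from the slides), here is a binding tracker that does what the slide describes: it watches the flags of each segment, keeps a coarse TCP state, and applies the two timers quoted above (4 minutes while a connection is opening or closing, 2 hours once established). The `binding_scenarios` function runs it over constructed segment sequences: a normal handshake, a half-open SYN that never completes, a FIN/FIN/ACK teardown, and a reset. The state names and the simplification to one tracker per binding (rather than per direction) are choices made for this example.

```python
class TcpBindingTracker:
    """Decides whether a NAT should keep a TCP binding, from observed flags and time."""

    SETUP_TEARDOWN_TIMEOUT = 4 * 60     # seconds allowed while opening or closing
    ESTABLISHED_TIMEOUT = 2 * 3600      # seconds of silence tolerated once established

    def __init__(self):
        self.state = "none"             # none | opening | established | closing | closed
        self.fins_seen = 0
        self.last_seen = None

    def observe(self, t, flags):
        """Feed one segment (time in seconds, flags as an iterable of SYN/ACK/FIN/RST)."""
        flags = set(flags)
        self.last_seen = t
        if "RST" in flags:
            self.state = "closed"                     # abort: drop the binding now
        elif "FIN" in flags:
            self.fins_seen += 1
            self.state = "closing"
        elif "SYN" in flags:
            self.state = "opening"                    # covers SYN and SYN+ACK
        elif "ACK" in flags:
            if self.state == "opening":
                self.state = "established"            # third handshake segment
            elif self.state == "closing" and self.fins_seen >= 2:
                self.state = "closed"                 # final ACK after both FINs

    def keep_binding(self, now):
        if self.state in ("none", "closed"):
            return False
        limit = (self.ESTABLISHED_TIMEOUT if self.state == "established"
                 else self.SETUP_TEARDOWN_TIMEOUT)
        return now - self.last_seen < limit


def _handshake(tracker):
    tracker.observe(0.00, {"SYN"})
    tracker.observe(0.05, {"SYN", "ACK"})
    tracker.observe(0.10, {"ACK"})
    return tracker


def binding_scenarios():
    """Constructed segment sequences; returns which bindings survive at which instants."""
    results = {}

    est = _handshake(TcpBindingTracker())
    results["established_after_1h"] = est.keep_binding(3600)
    results["established_after_3h"] = est.keep_binding(3 * 3600)

    close = _handshake(TcpBindingTracker())
    close.observe(10.0, {"FIN", "ACK"})          # one side closes
    close.observe(10.5, {"FIN", "ACK"})          # the other side closes
    results["closing_before_final_ack"] = close.keep_binding(11.0)
    close.observe(11.0, {"ACK"})                 # last ACK completes teardown
    results["after_final_ack"] = close.keep_binding(11.5)

    half = TcpBindingTracker()
    half.observe(0.0, {"SYN"})                   # SYN with no reply
    results["half_open_after_1min"] = half.keep_binding(60)
    results["half_open_after_5min"] = half.keep_binding(300)

    rst = TcpBindingTracker()
    rst.observe(0.00, {"SYN"})
    rst.observe(0.01, {"RST", "ACK"})            # server refuses the connection
    results["after_rst"] = rst.keep_binding(0.02)
    return results
```

The interesting rows are the half-open and reset cases: without the short setup timer, an attacker (or a buggy client) could pin table entries indefinitely with bare SYNs, and without honouring RST a NAT keeps forwarding traffic for a connection the endpoints already consider dead.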
Slide 16 - NAT and UDP
No special packets (SYN, FIN, RST, etc.) mark the start or end of a flow, so bindings can only be expired by idle timers
Fragmentation into multiple IP packets: the port number is absent in fragments after the first one, so those fragments cannot be translated by port alone
Slide 17 - NAT and ICMP
Error messages usually contain a copy of the offending packet, whose embedded IP header carries IP addresses that may need to be translated as well
Informational messages are usually of query/response type; the query ID can be used like the port number
Slide 18 - NAT and tunneled packets
Need to rewrite the header of tunneled packets
Slide 19 - NAT and Multicast
Slide 20 - Address & Port Translation Behavior
Slide 21 - Translation and Filtering
(Notation: X:x is the internal endpoint; X1′:x1′ and X2′:x2′ are the external address/port the NAT assigns to it when it sends to Y1:y1 and Y2:y2 respectively.)
Behavior name: Endpoint-independent
  Translation behavior: X1′:x1′ = X2′:x2′ for all Y2:y2 (required)
  Filtering behavior: allows any packets for X:x as long as any X1′:x1′ exists (recommended for greatest transparency)
Behavior name: Address-dependent
  Translation behavior: X1′:x1′ = X2′:x2′ iff Y1 = Y2
  Filtering behavior: allows packets for X:x from Y1:y1 as long as X has previously contacted Y1 (recommended for more stringent filtering)
Behavior name: Address- and port-dependent
  Translation behavior: X1′:x1′ = X2′:x2′ iff Y1:y1 = Y2:y2
Slide 22 - Hairpinning and NAT Loopback
A NAT that implements hairpinning or NAT loopback allows a client to reach a server on the
[Figure: internal host X1 is connecting to the external address of internal host X2. What is the source address of the packet sent to X2?]
Slide 23 - NAT Editors
What if the application layer payload contains IP addresses and port numbers? (FTP)
What if the application payload length changes? TCP numbers every byte
NAT editors need to understand a lot of protocols and their interactions and must have the ability to change the corresponding bits in the packets
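FTP's PORT command is the textbook case for both questions on this slide: the client announces its own private address and a port inside the payload, and rewriting it usually changes the payload length, which shifts every later TCP sequence number in that direction and every acknowledgement number coming back. The following added example (not from the slides, and not any particular NAT's code) shows an editor that rewrites the command, pre-opens the data-connection binding it implies, and tracks the byte delta needed to fix sequence and ACK numbers. The command `PORT 10,0,0,1,12,185` (10.0.0.1 port 3257), the WAN address 138.76.29.7 and data port 5001 are constructed for the example.

```python
import re

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")

def parse_port_command(payload: bytes):
    """Return (ip, port) announced by an FTP PORT command, or None if not one."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    f = [int(g) for g in m.groups()]
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def build_port_command(ip: str, port: int) -> bytes:
    return b"PORT %s,%d,%d\r\n" % (ip.replace(".", ",").encode(), port >> 8, port & 0xFF)


class FtpNatEditor:
    """Rewrites PORT commands in the client->server control stream and keeps the
    cumulative byte delta needed to fix later TCP sequence/ack numbers."""

    def __init__(self, wan_ip: str, first_data_port: int):
        self.wan_ip = wan_ip
        self.next_port = first_data_port
        self.delta = 0            # bytes added (or removed) so far, client->server
        self.data_bindings = {}   # (wan_ip, wan_port) -> (lan_ip, lan_port)

    def edit_client_segment(self, seq: int, payload: bytes):
        """Translate one client->server segment; returns (seq', payload')."""
        fixed_seq = (seq + self.delta) & 0xFFFFFFFF   # shift caused by earlier edits
        parsed = parse_port_command(payload)
        if parsed is None:
            return fixed_seq, payload
        lan_ip, lan_port = parsed
        wan_port = self.next_port
        self.next_port += 1
        # the server will connect to this (wan_ip, wan_port); bind it now
        self.data_bindings[(self.wan_ip, wan_port)] = (lan_ip, lan_port)
        new_payload = build_port_command(self.wan_ip, wan_port)
        self.delta += len(new_payload) - len(payload)   # this edit affects later segments only
        return fixed_seq, new_payload

    def fix_server_ack(self, ack: int) -> int:
        """Server ACKs count the edited bytes; remove the delta before the client sees them."""
        return (ack - self.delta) & 0xFFFFFFFF


def ftp_demo():
    nat = FtpNatEditor("138.76.29.7", first_data_port=5001)
    seq1, cmd1 = nat.edit_client_segment(1000, b"PORT 10,0,0,1,12,185\r\n")   # 22 bytes in
    seq2, cmd2 = nat.edit_client_segment(1000 + 22, b"LIST\r\n")             # next segment
    # server has received 25 + 6 bytes starting at 1000, so it ACKs 1031;
    # the client only sent 22 + 6 and must see 1028
    client_ack = nat.fix_server_ack(1031)
    return seq1, cmd1, seq2, client_ack, nat.data_bindings
```

Two things to notice for anyone building or reviewing such an editor: the strict anchored regular expression matters, because the binding it opens is driven entirely by payload content; and the delta is per direction and per connection, so a multi-connection implementation needs one such counter per control session rather than a global one.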
Slide 24 - Service Provider NAT (SPNAT), Carrier-Grade NAT (CGN) or Large Scale NAT (LSN)
Move NATing to the ISPs
Functionally similar to NAT
Slide 25 - Hole Punching
A method that allows multiple devices, each behind a NAT, to communicate directly using pinholes
Clients first connect to a server
Server provides the external addresses to the clients so that they can directly connect
Slide 26 - Does Hole Punching Work?
Suppose A and B both connect with server S1 and exchange their external IP addresses (192.168.0.254 and 203.0.113.100)
S1 sends the other client's information to each client
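Whether hole punching works depends on the mapping and filtering behaviours tabulated on slide 21, so one added example (not from the slides) serves both: a toy NAT parameterised by those behaviours, a STUN-style probe that classifies the mapping behaviour by sending from one internal socket to Y1:y1, Y1:y2 and Y2:y2, and a simulated rendezvous through a server S followed by simultaneous sends. The internal endpoints, the server 203.0.113.10:3478 and the sequential port pool starting at 40000 are constructed for the example; the single-round simulation does not model retries, which is what a real implementation would add before falling back to a relay.

```python
class SimNat:
    """Toy NAT with the RFC 4787 behaviours named on slide 21.
    mapping:   eim / adm / apdm  (endpoint-independent / address-dependent /
               address- and port-dependent translation)
    filtering: eif / adf / apdf  (the same three choices for filtering)
    Endpoints are (ip, port) tuples."""

    def __init__(self, ext_ip, mapping="eim", filtering="eif", first_port=40000):
        self.ext_ip, self.mapping, self.filtering = ext_ip, mapping, filtering
        self.next_port = first_port
        self.bindings = {}   # mapping key -> external port
        self.sessions = {}   # external port -> (internal endpoint, set of contacted Y:y)

    def _key(self, x, y):
        # what X':x' depends on, per the translation column of slide 21
        return {"eim": (x,), "adm": (x, y[0]), "apdm": (x, y)}[self.mapping]

    def outbound(self, x, y):
        """Internal X:x sends to Y:y; returns the external X':x' used."""
        key = self._key(x, y)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.sessions[self.next_port] = (x, set())
            self.next_port += 1
        port = self.bindings[key]
        self.sessions[port][1].add(y)
        return (self.ext_ip, port)

    def inbound(self, y, ext_port):
        """Y:y sends to X':ext_port; returns the internal endpoint, or None if filtered."""
        if ext_port not in self.sessions:
            return None
        x, contacted = self.sessions[ext_port]
        allowed = {"eif": True,
                   "adf": any(c[0] == y[0] for c in contacted),
                   "apdf": y in contacted}[self.filtering]
        return x if allowed else None


def classify_mapping(nat):
    """STUN-style probe: compare the external ports handed out for three destinations."""
    x = ("10.0.0.1", 4000)
    p1 = nat.outbound(x, ("203.0.113.10", 3478))
    p2 = nat.outbound(x, ("203.0.113.10", 3479))   # same address Y1, different port
    p3 = nat.outbound(x, ("203.0.113.11", 3478))   # different address Y2
    if p1 == p2 == p3:
        return "endpoint-independent"
    if p1 == p2:
        return "address-dependent"
    return "address- and port-dependent"


def hole_punch(nat_a, nat_b):
    """Slides 25/26: A and B register with S, learn each other's external endpoint
    from S, then send to it at the same time. True if both NATs deliver the peer's packet."""
    a, b, s = ("10.0.0.1", 4000), ("192.168.1.2", 4000), ("203.0.113.10", 3478)
    a_pub = nat_a.outbound(a, s)          # 1. both contact S, which records a_pub / b_pub
    b_pub = nat_b.outbound(b, s)
    a_punch = nat_a.outbound(a, b_pub)    # 2. each sends to the other's public endpoint;
    b_punch = nat_b.outbound(b, a_pub)    #    a dependent mapping allocates a new port here
    a_gets_b = nat_a.inbound(b_punch, a_pub[1]) == a   # 3. is the peer's packet let in?
    b_gets_a = nat_b.inbound(a_punch, b_pub[1]) == b
    return a_gets_b and b_gets_a
```

With endpoint-independent mapping on both sides the punch succeeds, because the port S observed is the same one used toward the peer. With address- or port-dependent mapping, the send to the peer silently allocates a different external port, the peer's packet arrives at the port S reported, and the filter rejects it: this is the situation in which TURN (slide 29) is needed as the last resort.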
Slide 27 - Unilateral Self-Address Fixing (UNSAF)
Client/server based: query a server to find my external address
But the answer depends on who you ask: B gets different answers from S1 and S2
Maintaining consistency between the NAT topology and the server data is difficult
Slide 28 - Session Traversal Utilities for NAT (STUN)
A standardized mechanism for realizing the UNSAF concept
A set of methods and a network protocol to allow an end host to discover its public IP address if it is located behind a NAT
STUN servers have globally reachable IP addresses
Server echoes back requests sent to it in a way that allows
Slide 29 - TURN (Traversal Using Relays around NAT)
Used as a last resort if two systems are unable to communicate directly, e.g., due to address- or port-dependent NAT bindings
Plumbing is done by the TURN server
The TURN server provides an address that is used by the clients to communicate
It is an extension of STUN
Slide 30 - TURN (Traversal Using Relays around NAT)
Slide 31 - ICE (Interactive Connectivity Establishment)
Generic technique to help applications behind NAT establish connectivity
Uses STUN and TURN to obtain candidate transport addresses that each agent may use
ICE orders the list of pairs of addresses and sends it to the peer agent
Peer agent performs a similar task
A set of checks is performed to determine the best pair to use (all pairs may be checked)