Network Address

2,492 views

Published on

Published in: Technology
1 Comment
6 Likes
Statistics
Notes
No Downloads
Views
Total views
2,492
On SlideShare
0
From Embeds
0
Number of Embeds
154
Actions
Shares
0
Downloads
316
Comments
1
Likes
6
Embeds 0
No embeds

No notes for slide

Network Address

  1. 1. Network Address Translation (NAT)
  2. 2. Overview <ul><li>Motivation </li></ul><ul><li>End-to-end principle </li></ul><ul><li>Role of IP addresses </li></ul><ul><li>Basic NAT types and their behaviors </li></ul><ul><li>NAT traversal: STUN </li></ul>
  3. 3. History <ul><li>Early 1990s </li></ul><ul><ul><li>IPv4 Address consumption concern </li></ul></ul><ul><ul><li>Two approaches </li></ul></ul><ul><ul><ul><li>IPv6 and NAT </li></ul></ul></ul><ul><li>NATs were initially intended to allow devices to share an address pool dynamically </li></ul><ul><ul><li>First RFC about NAT in 1994 </li></ul></ul><ul><ul><li>NAT vs. DHCP? </li></ul></ul><ul><li>NAT goes against Internet end-to-end principle </li></ul><ul><ul><li>IETF hates NATs </li></ul></ul><ul><ul><li>No standardization -> backfire </li></ul></ul>
  4. 4. Motivation <ul><li>DSL and cable modem business model </li></ul><ul><ul><li>Not simultaneous access, no servers </li></ul></ul><ul><li>ISP wants to save money </li></ul><ul><ul><li>In PSTNs, there is extension </li></ul></ul><ul><li>Changing next higher ISP becomes easier </li></ul><ul><ul><li>Even multi-homing </li></ul></ul><ul><li>Security: Inbound traffic filtering </li></ul><ul><ul><li>stateful firewall </li></ul></ul>
  5. 5. End-to-end principle <ul><li>RFC 1958: “An end-to-end protocol design should not rely on the maintenance of state (i.e., information about the state of the end-to-end communication) inside the network. Such state should be maintained only in the endpoints, in such a way that the state can only be destroyed when the endpoint itself breaks (known as fate-sharing ). An immediate consequence of this is that datagrams are better than classical virtual circuits. The network's job is to transmit datagrams as efficiently and flexibly as possible. Everything else should be done at the fringes.” </li></ul>
  6. 6. Middle boxes <ul><li>Middle box = “any intermediary device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and destination host” </li></ul><ul><li>L2, L3, L4, L7, … </li></ul><ul><li>explicit vs. implicit </li></ul><ul><li>functional vs. optimizing </li></ul><ul><li>routing vs. processing </li></ul><ul><li>soft vs. hard state </li></ul><ul><li>fail-over vs. restart </li></ul><ul><li>Examples: </li></ul><ul><ul><li>NATs </li></ul></ul><ul><ul><li>SOCKS gateway </li></ul></ul><ul><ul><li>IP tunnel endpoint </li></ul></ul><ul><ul><li>Transport relay </li></ul></ul><ul><ul><li>Load balancers </li></ul></ul><ul><ul><li>Application firewalls </li></ul></ul><ul><ul><li>Transcoders (RFC 3234) </li></ul></ul><ul><ul><li>Proxies </li></ul></ul><ul><ul><li>Caches </li></ul></ul><ul><ul><li>Modified DNS servers </li></ul></ul><ul><ul><li>Anonymizers </li></ul></ul>
  7. 7. Private Network <ul><li>Private IP network is an IP network that is not directly connected to the Internet </li></ul><ul><li>IP addresses in a private network can be assigned arbitrarily. </li></ul><ul><ul><li>Not registered and not guaranteed to be globally unique </li></ul></ul><ul><li>Generally, private networks use addresses from the following experimental address ranges ( non-routable addresses ): </li></ul><ul><ul><li>10.0.0.0 – 10.255.255.255 </li></ul></ul><ul><ul><li>172.16.0.0 – 172.31.255.255 </li></ul></ul><ul><ul><li>192.168.0.0 – 192.168.255.255 </li></ul></ul>
  8. 8. Private Addresses
  9. 9. Network Address Translation (NAT) <ul><li>NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network </li></ul><ul><li>NAT is a method that enables hosts on private networks to communicate with hosts on the Internet </li></ul><ul><li>NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair. </li></ul><ul><ul><li>Topology sensitive </li></ul></ul><ul><ul><ul><li>inside (private) vs. outside (public) </li></ul></ul></ul>
  10. 10. Basic operation of NAT <ul><li>NAT device has address translation table </li></ul>
  11. 11. Main uses of NAT <ul><li>Pooling of IP addresses </li></ul><ul><li>Supporting migration between network service providers </li></ul><ul><li>IP masquerading </li></ul><ul><li>Load balancing of servers </li></ul>
  12. 12. Pooling of IP addresses <ul><li>Scenario: Corporate network has many hosts but only a small number of public IP addresses </li></ul><ul><li>NAT solution: </li></ul><ul><ul><li>Corporate network is managed with a private address space </li></ul></ul><ul><ul><li>NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses </li></ul></ul><ul><ul><li>When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host </li></ul></ul>
  13. 13. Pooling of IP addresses
  14. 14. Supporting migration between network service providers <ul><li>Scenario: In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network. </li></ul><ul><li>NAT solution: </li></ul><ul><ul><li>Assign private addresses to the hosts of the corporate network </li></ul></ul><ul><ul><li>NAT device has static address translation entries which bind the private address of a host to the public address. </li></ul></ul><ul><ul><li>Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network. </li></ul></ul><ul><ul><li>Note: </li></ul></ul><ul><ul><li>The difference to the use of NAT with IP address pooling is that the mapping of public and private IP addresses is static. </li></ul></ul>
  15. 15. Supporting migration between network service providers
  16. 16. IP masquerading <ul><li>Also called: Network address and port translation (NAPT) </li></ul><ul><li>Scenario: Single public IP address is mapped to multiple hosts in a private network. </li></ul><ul><li>NAT solution: </li></ul><ul><ul><li>Assign private addresses to the hosts of the corporate network </li></ul></ul><ul><ul><li>NAT device modifies the port numbers for outgoing traffic </li></ul></ul>
  17. 17. IP masquerading
  18. 18. Load balancing of servers <ul><li>Scenario: Balance the load on a set of identical servers, which are accessible from a single IP address </li></ul><ul><li>NAT solution: </li></ul><ul><ul><li>Here, the servers are assigned private addresses </li></ul></ul><ul><ul><li>NAT device acts as a proxy for requests to the server from the public network </li></ul></ul><ul><ul><li>The NAT device changes the destination IP address of arriving packets to one of the private addresses for a server </li></ul></ul><ul><ul><li>A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion. </li></ul></ul>
  19. 19. Load balancing of servers
  20. 20. Concerns about NAT <ul><li>Performance: </li></ul><ul><ul><li>Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum </li></ul></ul><ul><ul><li>Modifying port number requires that NAT boxes recalculate TCP checksum </li></ul></ul><ul><li>Fragmentation </li></ul><ul><ul><li>Care must be taken that a datagram that is fragmented before it reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments. </li></ul></ul>
  21. 21. Concerns about NAT <ul><li>End-to-end connectivity: </li></ul><ul><ul><li>NAT destroys universal end-to-end reachability of hosts on the Internet. </li></ul></ul><ul><ul><li>A host in the public Internet often cannot initiate communication to a host in a private network </li></ul></ul><ul><ul><ul><li>Hamper peer-to-peer applications </li></ul></ul></ul><ul><ul><li>The problem is worse, when two hosts that are in a private network need to communicate with each other </li></ul></ul><ul><ul><li>Typically, the address-port mapping is maintained soft-state (in minutes) </li></ul></ul>
  22. 22. Concerns about NAT <ul><li>IP address in application data: </li></ul><ul><ul><li>Applications that carry IP addresses in the payload of the application data generally do not work across a private-public network boundary. </li></ul></ul><ul><ul><li>Some NAT devices inspect the payload of widely used application layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table. </li></ul></ul>
  23. 23. NAT and FTP <ul><li>Normal FTP operation </li></ul>
  24. 24. NAT and FTP <ul><li>NAT device with FTP support </li></ul>
  25. 25. NAT and FTP <ul><li>FTP in passive mode and NAT. </li></ul>
  26. 26. NAT Traversal
  27. 27. NAPT Traversal
  28. 28. NAT types <ul><li>Symmetric </li></ul><ul><li>Port restricted cone </li></ul><ul><li>Address restricted cone </li></ul><ul><li>Full cone </li></ul><ul><li>Hairpin </li></ul>Different not only on a vendor-by-vendor basis but also on a model-by-model basis
  29. 29. Symmetric NAT <ul><li>NAT mapping btw src_addr/src_port and dest_addr/dest_port is fixed </li></ul><ul><li>The most restrictive form </li></ul><ul><li>It has been observed to be rare </li></ul>
  30. 30. Full-cone NAT <ul><li>The least restrictive form </li></ul><ul><li>Binding of a local address/port can be used by any remote host </li></ul>
  31. 31. (Address) Restricted-cone NAT <ul><li>NAT binding is accessible only by the destination host </li></ul><ul><ul><li>different port can be used </li></ul></ul>
  32. 32. Port-restricted-cone NAT <ul><li>NAT binding is accessible by any remote host </li></ul><ul><ul><li>But only same port should be used </li></ul></ul><ul><li>Typically, the internal host had previously sent a packet the remote host </li></ul>
  33. 33. Hairpin NAT <ul><li>A local host can direct a packet to the public address/port of an already mapped local host </li></ul>D
  34. 34. Nondeterministic NATs <ul><li>NATs change their types of behavior when a binding conflict occurs </li></ul><ul><li>Example </li></ul><ul><ul><li>Some NATs attempt to preserve the port number in the binding </li></ul></ul><ul><ul><li>If the port number is available, the NAT behaves like a full-cone NAT </li></ul></ul><ul><ul><li>If that port is already occupied by other host, the NAT may change the type, e.g. a symmetric NAT </li></ul></ul>
  35. 35. What is STUN? Who uses it? <ul><li>STUN – Simple Traversal of User Datagram Protocol through Network Address Translators. </li></ul><ul><li>The protocol is defined in RFC 3489. </li></ul><ul><li>Protocols like SIP and applications like Google Talk use STUN to gather important information about the network configuration. </li></ul>
  36. 36. What does it do? <ul><li>STUN is a client-server protocol that “allows entities behind a NAT to first discover the presence of a NAT and the type of NAT, and then to learn the addresses bindings allocated by the NAT.” </li></ul><ul><li>In other words, it’s a means of discovering the public IP and port numbers that a NAT assigns to a node on a private LAN. </li></ul><ul><li>In addition, STUN does not require any special network configuration and works with a variety of existing networks, but not all. </li></ul>*http://tools.ietf.org/html/rfc3489
  37. 37. STUN and NAT terminology <ul><li>A STUN Client is a node that generates the STUN requests. </li></ul><ul><li>A STUN Server is a node that receives the STUN requests and generates the STUN responses. </li></ul><ul><li>NAT </li></ul><ul><ul><li>usually part of a firewall or router </li></ul></ul>
  38. 38. A picture i worth 1000 words
  39. 39. How STUN generally works <ul><li>A STUN Client sends a STUN request to a STUN Server. The Client then waits for the Server to send a STUN response </li></ul><ul><ul><li>STUN client is typically embedded in application </li></ul></ul><ul><ul><li>STUN server has two IP addresses </li></ul></ul><ul><li>The trick is to analyze the response from the server to determine the type of NAT router and the associated bindings the router has given to internal nodes. </li></ul>
  40. 40. The STUN Message <ul><li>The following STUN attributes in the payload are especially important: </li></ul><ul><ul><li>MAPPED-ADDRESS : Found in STUN responses. It contains the IP address and port number of the STUN request. I.e., the public IP and port of the STUN client. </li></ul></ul><ul><ul><li>CHANGE-REQUEST : Found in STUN requests. It contains flags for the IP address and port number of the server. If set, the client is asking the server to send the response from a different IP and port. (We will see why later) </li></ul></ul><ul><ul><li>CHANGED-ADDRESS – Found in STUN responses. It contains the alternate IP address and port number of the server due to CHANGE-REQUEST </li></ul></ul>
  41. 41. NAT discovery (test 1) <ul><li>To determine if a NAT router/firewall is present, send a STUN request to the server. Wait for a response and analyze it. </li></ul><ul><li>If the IP address and port number in the MAPPED-ADDRESS attribute of the payload in the STUN response equal the local IP address and port number that it bound to when sending the request, then the client is NOT behind a NAT router. Otherwise, it is behind a NAT router. </li></ul>
  42. 42. NAT discovery – Full Cone (test 2) <ul><li>Full Cone NAT router – The client sets the IP address and port number flags in the CHANGE-REQUEST of the STUN request. This causes the server to send the response from the alternate IP and port number. </li></ul><ul><ul><li>If the client receives the STUN response, then the client is behind a full cone router. </li></ul></ul><ul><ul><li>Otherwise, it is behind one of the other three NAT routers. </li></ul></ul>
  43. 43. NAT discovery – Symmetric (test 3) <ul><li>Symmetric NAT – The client sends two STUN requests. One request is sent to a server at IP address X and port P, and another to a server at IP address Y and port P. </li></ul><ul><ul><li>If the IP addresses and ports from the MAPPED-ADDRESS attributes in the two responses do not match, then it is behind a Symmetric NAT router. </li></ul></ul><ul><ul><li>If they do match, then it is behind one of the remaining two NAT routers. </li></ul></ul>
  44. 44. NAT discovery – Restricted (test 4) <ul><li>Restricted NAT – The port flag in the CHANGE-REQUEST attribute of the request is set. This instructs the server to send a response from a different port. </li></ul><ul><ul><li>If the response is received, it is behind a restricted NAT router. If no response is received, it is behind a port restricted NAT router. </li></ul></ul>
  45. 46. Limitations of STUN <ul><li>Does not address incoming TCP connections. </li></ul><ul><ul><li>STUNT and other proposals </li></ul></ul><ul><li>Does not allow incoming UDP connections through a symmetric NAT </li></ul><ul><li>STUN “is not a cure-all for the problems associated with NAT.” </li></ul><ul><li>“ The problems in STUN have to do with the lack of standardized behaviors and controls in NATs, which results in a proliferation of devices whose behavior is highly unpredictable, extremely variable, and uncontrollable. Ultimately, the solution is to make the environment less hostile, and to introduce controls and standardized behaviors into NAT. However, until such time as that happens, STUN provides a good short term solution given the terrible conditions under which it is forced to operate.” </li></ul>
  46. 47. NAT traversal
  47. 60. Other issues <ul><li>Symmetric NATs </li></ul><ul><ul><li>The first packet for hole punching will be dropped </li></ul></ul><ul><ul><li>And the port number (for the other peer) is changed from the one for the server </li></ul></ul><ul><ul><li>Port prediction technique </li></ul></ul><ul><ul><ul><li>May not work </li></ul></ul></ul><ul><li>Nested NATs </li></ul>

×