
Of Knights and Drawbridges: NAT Behaviour


Understanding NAT with a simple analogy.

Published in: Engineering


  1. Of Knights and Drawbridges
     Auro Tripathy, auro@shatterline.com
     A halt-who-goes-there medieval story about the modern mystery of NAT traversal
  2. Using an Analogy to Explain NATs

              NAT   NAT                        NAT   NAT
              +-+   +-+                        +-+   +-+
     +----+   | |   | |                        | |   | |   +----+
     |EP-a|---+ +...+ +---((Public Network))---+ +...+ +---|EP-b|
     +----+   | |   | |                        | |   | |   +----+
              +-+   +-+                        +-+   +-+

     EP = End Point
     NAT = Network Address Translation
     Source: https://tools.ietf.org/html/draft-takeda-symmetric-nat-traversal-00
  3. Imagine…
     - The fortress (your home) is a private network.
     - The tenant is an end-point device (e.g. PC, network-attached storage, wireless thermostat, wireless smoke alarm, IoT device).
     - The NAT is the "moat" that defends the fort.
     - A tenant can send out a packet by lowering the drawbridge.
     - Until a tenant sends a packet out of the fort, the fort is locked down; there are no drawbridges.
  4. Fortifying Your Defenses with a Moat
     - Lowering the drawbridge is an opportunity for an unintended "knight" to come in.
     - The bridge must be defended against uninvited knights.
     - The rules of the drawbridge define the moat:
       - Full-Cone NAT (least restrictive crossing)
       - Restricted-Cone NAT
       - Port-Restricted-Cone NAT
       - Symmetric NAT (most restrictive crossing)
  5. Full-Cone NAT
     - When the tenant (end-point) in the fort sends a knight (packet) out, a drawbridge is lowered, with a guard who determines who may come in using that drawbridge.
     - For an incoming knight (packet), the guard checks: "Are you, Sire, visiting the tenant who created this drawbridge?" If yes, go on in.
     - The guard does not check:
       - where the knight (packet) came from (it could be any end-point);
       - whether the knight has an invitation.
  6. The Invitation Letter
     - The trick to traversing a NAT with UDP is to use the "invitation letter" (packet).
     - The invitation packet is not necessarily a 'special' packet. The first outgoing data transmission works as an invitation because it lowers a drawbridge and assigns a guard for incoming knights.
  7. Restricted-Cone NAT
     - A drawbridge is lowered when a tenant (end-point) in the fort sends an invitation letter (a packet) for the first time to another fort.
     - The guard on the drawbridge checks whether the incoming knight (packet) is visiting the tenant who lowered this drawbridge.
     - The guard also checks whether the knight came from the fort that received the invitation letter from the tenant.
     - The guard does not check the invitation letter itself, just the name of the fort to which the invitation was sent.
  8. Port-Restricted-Cone NAT
     - A drawbridge is lowered when a tenant (end-point) in a fort sends an invitation letter (a packet) for the first time to a tenant in another fort.
     - The guard checks whether each knight (packet) trying to enter via the drawbridge is visiting the tenant who lowered it.
     - The guard checks whether the knight came from the fort that received the invitation letter from the tenant.
     - The guard also checks whether the knight itself received the invitation letter from the tenant: "You came from the correct fort; do you have the invitation?"
  9. Symmetric-Cone NAT
     - With non-symmetric NATs, the same drawbridge is reused whenever the same tenant in a fort sends an invitation packet to a different destination.
     - In a symmetric NAT, a new drawbridge is lowered every time the tenant in the fort sends an "invitation" packet.
     [Figure: fort, moat, drawbridge, tenant]
     - Each invitation has its own drawbridge.
     - The drawbridge by which a knight from one fort enters is not the same one used by knights from other forts.
  10. Summary
     The guard's checks, from left to right:
       Check 1: Is the knight intended for the tenant who lowered the drawbridge?
       Check 2: Was the invitation sent to fort F2, and is the knight coming from fort F2?
       Check 3: Does the knight have the invitation letter?
       Check 4: Is the knight coming in on the same drawbridge that the invitation went out on?

     NAT type              Check 1         Check 2         Check 3         Check 4
     Full Cone             Yes, go on in   Not checked     Not checked     Not checked
     Restricted Cone       Yes, and…       Yes, go on in   Not checked     Not checked
     Port-Restricted Cone  Yes, and…       Yes, and…       Yes, go on in   Not checked
     Symmetric Cone*       Yes, and…       Yes, and…       Yes, and…       Yes, go on in
  11. Applying the Analogy
     - In this analogy, a 'tenant' represents a local UDP port.
     - Several tenants make up a device; each device has an IP address.
     - A fort protects multiple devices with a NAT (the moat).
     - A drawbridge is a mapping plus a rule for incoming packets.
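The four guard rules from slides 5 to 10, written out as a small Python model. This is an example added here, not code from the slides or from the cited draft; the `Nat` class, the `demo` function and every address and port in it are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    kind: str              # "full", "restricted", "port_restricted" or "symmetric"
    next_port: int = 40000 # next public port (drawbridge) to hand out
    bridges: dict = field(default_factory=dict)  # public port -> (tenant, destinations)
    keys: dict = field(default_factory=dict)     # mapping key -> public port

    def send(self, tenant, dst):
        # Cone NATs reuse one drawbridge per tenant; a symmetric NAT lowers a new
        # one per (tenant, destination) pair, as slide 9 describes.
        key = (tenant, dst) if self.kind == "symmetric" else tenant
        if key not in self.keys:
            self.keys[key] = self.next_port
            self.bridges[self.next_port] = (tenant, set())
            self.next_port += 1
        pub = self.keys[key]
        self.bridges[pub][1].add(dst)  # remember which fort got the invitation
        return pub

    def receive(self, src, pub_port):
        # The guard's checks for an inbound packet from src (ip, port).
        if pub_port not in self.bridges:
            return None            # no drawbridge: the fort is locked down
        tenant, dests = self.bridges[pub_port]
        if self.kind == "full":
            return tenant          # only the drawbridge itself is checked
        if self.kind == "restricted":
            ok = any(ip == src[0] for ip, _ in dests)  # right fort, any port
        else:                      # port_restricted / symmetric: right fort and port
            ok = src in dests      # symmetric: dests holds exactly one invitation
        return tenant if ok else None

def demo(kind):
    nat = Nat(kind)
    tenant = ("10.0.0.5", 5000)                     # constructed private endpoint
    p1 = nat.send(tenant, ("203.0.113.10", 3478))   # invitation to fort F1
    p2 = nat.send(tenant, ("198.51.100.7", 3478))   # invitation to fort F2
    return {
        "same_bridge": p1 == p2,
        "invited_peer": nat.receive(("203.0.113.10", 3478), p1) is not None,
        "invited_fort_other_port": nat.receive(("203.0.113.10", 9999), p1) is not None,
        "stranger": nat.receive(("192.0.2.99", 1234), p1) is not None,
        "f2_on_f1_bridge": nat.receive(("198.51.100.7", 3478), p1) is not None,
    }

if __name__ == "__main__":
    for kind in ("full", "restricted", "port_restricted", "symmetric"):
        print(kind, demo(kind))
```

Running it reproduces the summary table row by row: only the full cone lets the stranger in, only the symmetric NAT refuses fort F2 on the drawbridge lowered for F1, and only the symmetric NAT hands out a different public port for each destination.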
  12. References
     https://tools.ietf.org/html/draft-takeda-symmetric-nat-traversal-00
