Date posted: 08-Apr-2018
8/7/2019 072 The Reality of Network Address Translators
1/21
The reality of Network Address Translators
by
Harald Welte
Reality of NAT
Contents
- RFC3489: STUN
- RFC3714: IAB problem statement / congestion control
- RFC3448: TFRC, TFRC-PS
- DCCP
- NSIS: GIMPS / NAT NSLP
- BEHAVE
NAT Basics
- Network Address Translation is an old technique
- Widely used throughout the net as a way to cope with address shortage
- More and more popular with DSL and cable modem routers
- Unfortunately not standardized at all
- NAT itself is not a security technology!!
NAT Basics
What does NAT do?
- Rewrite addresses of packets as they pass a particular forwarding machine
What can be translated?
- Layer 3 (IP) addresses
- Layer 4 (TCP/UDP/SCTP/...) specific addresses
- Layer 5+ (e.g. FTP PORT statements)
Where can it be translated?
- Traditionally, at a router
- But also possible on a bridge
Why is NAT a nightmare
- NAT might have been a solution 8 years ago
- However,
  - it is very much designed for the traditional client/server paradigm
  - the Internet sees more advanced applications such as
    - peer-to-peer networks
    - Voice over IP
    - Multimedia streams
  - protocols are getting increasingly complex
    - multiple layer 4 connections comprising one logical connection
    - embedding layer 3/4 addresses in payload leads to ALG requirement
    - direct client-to-client transmission of media streams not possible due to deployment of NAT.
NAT Basics
- But well, even eight years ago.... NATing an FTP connection is a real PITA. Why?
  - First you change the source IP/port of the control connection
  - Then your FTP client sends a PORT command (in ASCII!!!)
    PORT 123,123,123,123,1,0
  - Then your FTP NAT ALG needs to change that to
    PORT 1,1,1,1,10,10
  - Thus, the resulting string is shorter!
  - therefore you need to mangle every sequence number of each successive packet
  - now think of multiple PORT commands being issued within a single TCP window, and of retransmissions
  - if that is not enough, think of SACK
- Summary
  - It is ugly as hell
  - Difficult to impossible to get right in all cases
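An added illustration (my own code, not from the slides) of the bookkeeping the slide describes: the ALG rewrites the PORT line, remembers how many bytes each rewrite added or removed, shifts later client sequence numbers by the running total, shifts the server's acknowledgements back, and treats a retransmitted segment as the same edit rather than a new one. The addresses and ports are the slide's example values; the segment numbering is constructed.

```python
import re
from dataclasses import dataclass, field

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(line: bytes):
    """Return (ip, port) from a PORT command line, or None if it is not one."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    f = [int(x) for x in m.groups()]
    if max(f) > 255:
        return None
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def build_port(ip: str, port: int) -> bytes:
    """Encode (ip, port) as a PORT command line."""
    return b"PORT %s,%d,%d\r\n" % (ip.replace(".", ",").encode(), port >> 8, port & 0xFF)

@dataclass
class FtpAlg:
    """Control-connection half of an FTP ALG: rewrite PORT, then repair TCP seq/ack."""
    ext_ip: str
    edits: list = field(default_factory=list)   # (client seq of edited segment, size delta)

    def rewrite(self, seq: int, payload: bytes, ext_port: int) -> bytes:
        """Translate one client->server segment; the size change is recorded once per seq."""
        if parse_port(payload) is None:
            return payload                          # not a PORT line: pass through
        new = build_port(self.ext_ip, ext_port)
        if all(s != seq for s, _ in self.edits):    # retransmission repeats the same edit
            self.edits.append((seq, len(new) - len(payload)))
        return new

    def out_seq(self, seq: int) -> int:
        """Sequence number the server must see for a client segment starting at seq."""
        return seq + sum(d for s, d in self.edits if s < seq)

    def in_ack(self, ack: int) -> int:
        """Ack number the client must see for an ack the server sent (server numbering)."""
        return ack - sum(d for s, d in self.edits if self.out_seq(s) < ack)
```

SACK blocks in the server's segments would need the same shift as the ack number and are not modelled here.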
Why is NAT a nightmare
- Today's NATs horribly violate the network layering model
  - a NAT (although it operates on a router or bridge) requires knowledge of the application protocols
  - support for every new protocol needs to be added to all NATs
- Also, you lose the ability to encrypt the payload
  - SIP can PGP-encrypt SDP.
  - However, port numbers are inside SDP
  - Therefore, if you use crypto, it just can't work
Types of NAT (STUN RFC3489)
Full Cone
- all requests from the same internal IP and port are mapped to the same external IP address and port
- any external host can send a packet to the internal host by sending a packet to the mapped address
Restricted Cone
- all requests from the same internal IP and port are mapped to the same external IP address and port.
- an external host can send a packet to the internal host only if the internal host had previously sent a packet to that particular external host
Port Restricted Cone
- like restricted cone, but includes port numbers
- an external host can send a packet with source IP X and port P to the internal host only if the internal host had previously sent a packet to IP address X and port P
Symmetric
- all requests from the same internal IP address and port to a specific destination IP and port are mapped to the same external IP and port.
- if the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Only the external host that receives a packet can send a packet back to the internal host
Types of NAT: draft-audet-nat-behave
Address and port binding
- External NAT binding is endpoint independent
- External NAT binding is endpoint address dependent
- External NAT binding is endpoint address and port dependent
Port Assignment
- Port Preservation
- Port Overloading
Bind Refresh Scope
- Per binding
- Per session
- Only outgoing or also incoming?
Filtering of unsolicited packets
- External filtering is endpoint independent
- External filtering is endpoint address dependent
- External filtering is endpoint address and port dependent
Hairpinning Behaviour
- What happens if two endpoints are behind the same NAT
Deterministic Properties
- Changing over time:
  - Port preservation
  - Port allocation algorithm
  - Address and port binding
  - Filtering
Multicast Behaviour
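An added model (my own code, not from the slides, RFC 3489 or draft-audet-nat-behave) that ties the two classification slides together: each RFC 3489 NAT type is written as a pair of the endpoint-dependency classes above, one for address and port binding and one for filtering of unsolicited packets, and a NAT is then classified by probing it the way a STUN client does. All addresses and the port allocator are constructed; it also shows that a NAT with address-dependent binding, a case the BEHAVE decomposition names but STUN cannot, simply appears as "symmetric" to STUN.

```python
from dataclasses import dataclass, field
from itertools import count
# Endpoint-dependency classes from draft-audet-nat-behave, used here for mapping and filtering
INDEP, ADDR, ADDR_PORT = "independent", "address dependent", "address and port dependent"
@dataclass
class Nat:
    ext_ip: str
    mapping: str      # how the external port is chosen ("address and port binding")
    filtering: str    # which unsolicited inbound packets pass
    ports: count = field(default_factory=lambda: count(40000))
    bindings: dict = field(default_factory=dict)   # mapping key -> external port
    sent_to: set = field(default_factory=set)      # (external port, remote endpoint)

    def outbound(self, src, dst):
        """Internal endpoint src sends to dst; return the external (ip, port) used."""
        key = {INDEP: (src,), ADDR: (src, dst[0]), ADDR_PORT: (src, dst)}[self.mapping]
        if key not in self.bindings:
            self.bindings[key] = next(self.ports)
        self.sent_to.add((self.bindings[key], dst))
        return (self.ext_ip, self.bindings[key])

    def inbound(self, ext, remote):
        """Does an unsolicited packet from remote to external endpoint ext get through?"""
        if ext[1] not in self.bindings.values():
            return False
        if self.filtering == INDEP:
            return True
        if self.filtering == ADDR:
            return any(p == ext[1] and d[0] == remote[0] for p, d in self.sent_to)
        return (ext[1], remote) in self.sent_to

STUN_TYPES = {  # RFC 3489 names expressed as (mapping, filtering) pairs
    "full cone": (INDEP, INDEP),
    "restricted cone": (INDEP, ADDR),
    "port restricted cone": (INDEP, ADDR_PORT),
    "symmetric": (ADDR_PORT, ADDR_PORT),
}

def classify(nat):
    """Infer the RFC 3489 type by probing two servers, as a STUN client does (constructed addresses)."""
    client, srv_a, srv_b = ("10.0.0.2", 5060), ("192.0.2.1", 3478), ("192.0.2.2", 3478)
    map_a, map_b = nat.outbound(client, srv_a), nat.outbound(client, srv_b)
    if map_a != map_b:                              # mapping depends on destination
        return "symmetric"
    if nat.inbound(map_a, ("198.51.100.9", 3478)):  # never-contacted host gets in
        return "full cone"
    if nat.inbound(map_a, (srv_a[0], 3479)):        # known host, different port
        return "restricted cone"
    return "port restricted cone"
```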
The IETF and NAT
- The IETF has long ignored the fact that NATs are commonplace
- Therefore, there's a lack of standardization in NAT behaviour
- Furthermore, it is impossible to make a protocol work with all existing NATs
- Protocol designers normally don't consider NAT when developing new protocols
- SIP was the first IETF protocol that had _serious_ NAT issues
- Therefore, the SIP working group came up with FCP (Firewall Control Protocol)
- Later, a new working group MIDCOM was founded
- MIDCOM took several years but didn't really come up with a solution
- Now there are dozens of groups publishing papers, drafts and RFCs.
  - Most of them are targeted at UDP-only operation
  - Most of them target consumer side NAT devices
How to solve the NAT problem?
At a protocol level
- designing protocols in a way to operate on most/all NATs
  - SIP has some extensions for this
  - IPsec also introduced NAT-T to tackle the problem
- Very difficult because of the number of different implementations and lack of standardization
At a NAT level
- Making NATs interoperate with all different kinds of protocols
- Support operations like hole-punching for UDP and TCP
- Problematic because of large existing deployment
With a specific NAT configuration protocol
- FCP
- MIDCOM
- GIMPS NSIS NAT NSLP
- uPnP
There is no good solution without standardization
RFC3489: STUN
- RFC3489: STUN (Simple Traversal of UDP Through NAT)
- Helps endpoints to find out whether they are behind some form of NAT by communicating with a host known to have an official IP
- Tries to create NAT binding(s) on NAT devices
  - allows applications to open ports on the NAT
- implemented with lots of apps, including gnomemeeting
RFC3714
- IAB problem statement about media traffic without congestion control
  - danger of congestion collapse with VoIP / streaming media
- IETF actions to counter this problem
  - upgrade RTP to make packet loss monitoring a MUST
  - TFRC (TCP Friendly Rate Control)
  - TFRC-PS (TCP Friendly Rate Control - Packet Size)
  - DCCP (Datagram Congestion Control Protocol)
  - Adaptive Audio Codecs
  - specified drop rate for minimum sending rate (tables)
- Result: We'll see new layer four protocols that need NAT, too
NSIS WG
- NSIS (Next Step In Signalling) WG: Signalling Transport protocol for Signalling QoS, NAT, Firewalls
- GIMPS (Generic Internet Messaging Protocol for Signalling)
  - Builds on top of TCP/UDP/SCTP/DCCP
  - can be combined with TLS and IPsec
  - Has Messages with Router Alert that are to be processed by Routers/Firewalls/NATs
- NAT NSIS Signalling Layer Protocol
  - wants to establish a connection between two ends, any number of Firewalls / NATs in between
  - draft-aoun-nsis-nslp-natfw-migration-02
  - draft-tschofenig-nsis-natfw-security-problems-00
  - draft-aoun-nsis-nslp-natfw-intrarealm-00.txt
  - draft-martin-nsis-nslp-natfw-sip-00.txt
  - draft-fessi-nsis-natfw-threats-01.txt
BEHAVE
- Behave working group
  - Parts of IETF acknowledge NAT is reality
  - Acknowledges lack of standardization
  - wants to provide vendor guidelines for NAT implementation
  - focus on UDP and TCP unicast
  - will address multicast NAT, too
  - goal: NAT-BEHAVE BCP RFC
  - second document describing protocol design for BEHAVE-compliant NATs
  - current draft:
    - require outbound-only UDP timer refresh
    - strongly discourages port persistency
    - requires no NAT for IPv6
Thanks
Thanks to
- Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
  - for implementing (one of?) the world's best TCP/IP stacks
- Paul 'Rusty' Russell
  - for starting the netfilter/iptables project
  - for trusting me to maintain it today
- Astaro AG
  - for sponsoring parts of my netfilter work
- Free Software Foundation
  - for the GNU Project
  - for the GNU General Public License
The slides of this presentation are available at http://www.gnumonks.org/
Further Reading
- The netfilter homepage http://www.netfilter.org/