CS 5565 Network Architecture and Protocols Godmar Back

Date post: 26-Dec-2015
Page 1

CS 5565 Network Architecture and Protocols

Godmar Back

Page 2

Announcements

• Required Reading:
  – DCCP by Kohler et al., SIGCOMM 2006

CS 5565 Spring 2012

Page 3

Network Address Translation

TCP Hole Punching & Simultaneous Open

Page 4

NAT: Network Address Translation

[Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4 behind a NAT router whose public address is 138.76.29.7, connected to the rest of the Internet.]

Datagrams with source or destination in this network have 10.0.0/24 addresses for source and destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

Page 5

NAT: Network Address Translation

• Motivation: local network uses just one IP address as far as the outside world is concerned:
  – no need to be allocated a range of addresses from the ISP: just one IP address is used for all devices
  – can change addresses of devices in the local network without notifying the outside world
  – can change ISP without changing addresses of devices in the local network
  – devices inside the local net are not explicitly addressable or visible to the outside world (a huge security plus).

Page 6

NAT: Network Address Translation

Implementation: NAT router must:

  – outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #)
    . . . remote clients/servers will respond using (NAT IP address, new port #) as destination addr.
  – remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
  – incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with the corresponding (source IP address, port #) stored in the NAT table

Page 7

NAT: Network Address Translation

[Figure: hosts 192.168.5.62, 192.168.5.63, 192.168.5.64 behind a NAT router with LAN address 192.168.5.1 and WAN address 128.173.41.81, communicating with 128.119.40.186, port 80.]

NAT translation table
  WAN side addr          LAN side addr
  128.173.41.81, 5001    192.168.5.62, 3345
  ……                     ……

1: host 192.168.5.62 sends datagram to 128.119.40.186, 80
   S: 192.168.5.62, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 192.168.5.62, 3345 to 128.173.41.81, 5001, updates table
   S: 128.173.41.81, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest. address: 128.173.41.81, 5001
   S: 128.119.40.186, 80   D: 128.173.41.81, 5001
4: NAT router changes datagram dest addr from 128.173.41.81, 5001 to 192.168.5.62, 3345
   S: 128.119.40.186, 80   D: 192.168.5.62, 3345

Page 8

Managing NAT table

• NAT Gateway (usually) adds entries for datagrams traveling private to public automatically
  – Allows UDP/TCP clients to transparently sendto/connect to outside servers
• Removal of entries
  – UDP: timeout due to inactivity
  – TCP: timeout + TCP connection teardown
• Other direction requires configuration so NAT Gateway knows where to forward incoming datagram even if no private host previously punched a hole by initiating UDP traffic/TCP connection
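The translation-table mechanics of slides 6 to 8 (rewrite on the way out, remember the pair, rewrite back on the way in, drop what has no entry, age entries out) as a small Python model. This is an added example, not code from the lecture: the addresses and ports follow the slide 7 walk-through, while the idle-timeout values and the forwarding rule are constructed for illustration.

```python
"""Toy model of the NAT router on slides 6-8. Added example, not from the lecture;
addresses/ports follow slide 7, the timeouts and the forwarding rule are assumptions."""
from dataclasses import dataclass

UDP, TCP = "udp", "tcp"


@dataclass
class Datagram:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fin: bool = False  # simplified TCP teardown marker


@dataclass
class Entry:
    proto: str
    lan_ip: str
    lan_port: int
    last_seen: float


class NatRouter:
    UDP_IDLE_TIMEOUT = 30.0    # assumed value, not from the slides
    TCP_IDLE_TIMEOUT = 3600.0  # assumed value, not from the slides

    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}     # (proto, WAN port) -> Entry(LAN ip, LAN port)
        self.reverse = {}   # (proto, LAN ip, LAN port) -> WAN port
        self.forwards = {}  # configured rules: (proto, WAN port) -> (LAN ip, LAN port)

    def outgoing(self, d, now):
        """LAN -> WAN: replace (source IP, port) with (NAT IP, new port); remember the pair."""
        key = (d.proto, d.src_ip, d.src_port)
        wan_port = self.reverse.get(key)
        if wan_port is None:                     # first datagram of this flow: add an entry
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.reverse[key] = wan_port
            self.table[(d.proto, wan_port)] = Entry(d.proto, d.src_ip, d.src_port, now)
        self.table[(d.proto, wan_port)].last_seen = now
        if d.fin:                                # TCP connection teardown removes the entry
            self._remove(d.proto, wan_port)
        return Datagram(d.proto, self.wan_ip, wan_port, d.dst_ip, d.dst_port, d.fin)

    def incoming(self, d, now):
        """WAN -> LAN: put the stored (LAN ip, port) back into the destination fields.
        Returns None (dropped) when neither an entry nor a configured rule matches,
        which is why inside hosts are not addressable from outside."""
        e = self.table.get((d.proto, d.dst_port))
        if e is not None:
            e.last_seen = now
            lan_ip, lan_port = e.lan_ip, e.lan_port
        elif (d.proto, d.dst_port) in self.forwards:
            lan_ip, lan_port = self.forwards[(d.proto, d.dst_port)]
        else:
            return None
        return Datagram(d.proto, d.src_ip, d.src_port, lan_ip, lan_port, d.fin)

    def expire(self, now):
        """Remove entries idle longer than their protocol's timeout; return how many."""
        stale = [k for k, e in self.table.items()
                 if now - e.last_seen > (self.UDP_IDLE_TIMEOUT if e.proto == UDP
                                         else self.TCP_IDLE_TIMEOUT)]
        for k in stale:
            self._remove(*k)
        return len(stale)

    def _remove(self, proto, wan_port):
        e = self.table.pop((proto, wan_port))
        self.reverse.pop((proto, e.lan_ip, e.lan_port), None)


def slide7_walkthrough():
    """Steps 1-4 of slide 7; returns the NAT and the translated datagrams of steps 2 and 4."""
    nat = NatRouter("128.173.41.81")
    step1 = Datagram(TCP, "192.168.5.62", 3345, "128.119.40.186", 80)
    step2 = nat.outgoing(step1, now=0.0)   # S: 128.173.41.81, 5001  D: 128.119.40.186, 80
    step3 = Datagram(TCP, "128.119.40.186", 80, "128.173.41.81", step2.src_port)
    step4 = nat.incoming(step3, now=1.0)   # S: 128.119.40.186, 80  D: 192.168.5.62, 3345
    return nat, step2, step4


def table_management_demo():
    """Slide 8: unsolicited inbound is dropped, a configured rule forwards it,
    TCP teardown and UDP inactivity remove entries."""
    nat = NatRouter("128.173.41.81")
    probe = Datagram(TCP, "128.119.40.186", 40000, "128.173.41.81", 22)   # constructed
    dropped = nat.incoming(probe, now=0.0) is None
    nat.forwards[(TCP, 22)] = ("192.168.5.63", 22)  # constructed forwarding rule
    forwarded = nat.incoming(probe, now=0.0)
    nat.outgoing(Datagram(TCP, "192.168.5.62", 3345, "128.119.40.186", 80, fin=True), now=0.0)
    entries_after_teardown = len(nat.table)
    nat.outgoing(Datagram(UDP, "192.168.5.64", 4000, "128.119.40.186", 53), now=0.0)
    expired_early = nat.expire(now=10.0)   # still within the UDP idle timeout
    expired_late = nat.expire(now=100.0)   # idle too long: entry removed
    return dropped, forwarded, entries_after_teardown, expired_early, expired_late


if __name__ == "__main__":
    print(slide7_walkthrough()[1:])
    print(table_management_demo())
```

The table is keyed by (protocol, WAN port) in both directions so that TCP and UDP flows can share a port number; the reverse map is what lets repeated datagrams of one flow reuse their entry instead of consuming a new port each time.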

Page 9

NAT Disadvantages

• 16-bit port-number field:
  – Only 60,000 simultaneous connections with a single LAN-side address!
• NAT is controversial:
  – routers should only process up to layer 3
  – violates end-to-end argument
    • NAT possibility must be taken into account by app designers, e.g., P2P applications
  – address shortage should instead be solved by IPv6
  – really annoying if you time out on rlogin.cs.vt.edu

Page 10

NAT Challenges

• Considering that most Internet hosts are behind NAT these days: how should applications be written to deal with that?
• No problem as long as server has public IP and client knows where to connect (HTTP, XMPP, SMTP, POP)
• What about P2P applications?
  – Could relay through server, but that would defeat purpose of P2P
  – Instead, a technique called “hole punching” is widely used (e.g., in Skype)
  – Discussed in [Ford/Srisuresh/Kegel 2005]
• UDP hole punching is widely used, but TCP hole punching is possible as well

Page 11

NAT Relaying

• All traffic goes through S
• Source: [Ford/Srisuresh/Kegel 2005]

Page 12

UDP Hole Punching

• Rendezvous server only directs punches, traffic goes P2P
• Details in [Ford/Srisuresh/Kegel 2005]

Page 13

Aside: TCP Hole Punching

• External server S records & provides private & public IP
• Both behind-NAT hosts must punch holes with an outgoing SYN – allows TCP connection

Page 14

Simultaneous Open (cont’d)

• Vint Cerf, 1987:

  Distributed systems with symmetric processes that automatically seek to link to each other (no master/slave relationship) would use the simul-OPEN style. It was designed into TCP for that purpose; I do not know, however, whether any actual applications have made use of this feature.

• Not invented for hole punching in NAT – coincidental use

Page 15

Simultaneous Open

(a) TCP connection establishment in the normal case.
(b) Call collision – one connection is established (“client-client” connection)

Page 16

TCP Connection FSM

The heavy solid line is the normal path for a client.
The heavy dashed line is the normal path for a server.
The light lines are unusual events.
Each transition is labeled by the event causing it and the action resulting from it, separated by a slash.
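The two paths through the FSM that slides 13 to 16 discuss, the normal client/server handshake and the call collision (simultaneous open), traced with a small event/action table. This is an added example, not code from the lecture or from RFC 793: the state and event names follow the usual TCP FSM, but the table is a deliberate subset (connection establishment only), and the "recv SYN+ACK" transition out of SYN_RCVD stands for "the ACK bit acknowledges our SYN".

```python
"""Connection-establishment subset of the TCP FSM (slides 15-16), including the
simultaneous-open path used by TCP hole punching (slide 13). Added example, not from
the lecture; the transition table is a simplification of RFC 793."""

# (state, event) -> (next state, segment to send or None); the slash in the slide's
# labels separates event and action in the same way
TRANSITIONS = {
    ("CLOSED", "passive_open"):   ("LISTEN", None),
    ("CLOSED", "active_open"):    ("SYN_SENT", "SYN"),
    ("LISTEN", "recv SYN"):       ("SYN_RCVD", "SYN+ACK"),   # server's normal path
    ("SYN_SENT", "recv SYN+ACK"): ("ESTABLISHED", "ACK"),    # client's normal path
    ("SYN_SENT", "recv SYN"):     ("SYN_RCVD", "SYN+ACK"),   # simultaneous open: SYNs crossed
    ("SYN_RCVD", "recv ACK"):     ("ESTABLISHED", None),
    ("SYN_RCVD", "recv SYN+ACK"): ("ESTABLISHED", None),     # its ACK bit acknowledges our SYN
}


class TcpEndpoint:
    def __init__(self, name):
        self.name, self.state, self.trace = name, "CLOSED", []

    def event(self, ev):
        """Apply an event; return the segment this side sends in response (or None).
        Raise ValueError for an event the table has no transition for in this state."""
        try:
            new_state, action = TRANSITIONS[(self.state, ev)]
        except KeyError:
            raise ValueError(f"{self.name}: no transition for {ev!r} in {self.state}") from None
        self.trace.append(f"{self.state} --{ev}/{action or '-'}--> {new_state}")
        self.state = new_state
        return action


def normal_handshake():
    """Slide 15(a): three-way handshake between a client and a listening server."""
    client, server = TcpEndpoint("client"), TcpEndpoint("server")
    server.event("passive_open")
    syn = client.event("active_open")          # client -> SYN_SENT, sends SYN
    syn_ack = server.event("recv " + syn)      # server -> SYN_RCVD, sends SYN+ACK
    ack = client.event("recv " + syn_ack)      # client -> ESTABLISHED, sends ACK
    server.event("recv " + ack)                # server -> ESTABLISHED
    return client, server


def simultaneous_open():
    """Slide 15(b): both sides actively open and the two SYNs cross in the network.
    Two behind-NAT hosts doing TCP hole punching (slide 13) take exactly this path:
    each sends an outgoing SYN, so each NAT has a mapping when the peer's SYN arrives."""
    a, b = TcpEndpoint("A"), TcpEndpoint("B")
    syn_a, syn_b = a.event("active_open"), b.event("active_open")
    reply_a = a.event("recv " + syn_b)         # A: SYN_SENT -> SYN_RCVD, sends SYN+ACK
    reply_b = b.event("recv " + syn_a)         # B: likewise
    a.event("recv " + reply_b)                 # the ACK in B's SYN+ACK completes A's open
    b.event("recv " + reply_a)
    return a, b


if __name__ == "__main__":
    for side in (*normal_handshake(), *simultaneous_open()):
        print(side.name, side.state, "\n  " + "\n  ".join(side.trace))
```

Running it prints each endpoint's trace in the slide's event/action notation; the simultaneous-open trace is the one in which neither side ever enters LISTEN, which is what makes it usable between two hosts that are both clients.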

Page 17

TCP Hole Punching

• Must bind multiple sockets to same port (SO_REUSEADDR)
• Manage to identify which scenario has occurred
• Must handle case where both clients are behind the same NAT!
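The rendezvous-and-punch exchange of slide 12, run on a toy network so that the two cases slide 17 warns about (which scenario occurred, and both clients behind the same NAT) can be observed. This is an added example, not code from the lecture or from the Ford/Srisuresh/Kegel paper: the NAT behaviour it assumes (one mapping per private endpoint, inbound allowed only from addresses the private host has already sent to, no hairpin translation of LAN traffic addressed to the NAT's own public address), the server port 3478 and all addresses are constructed for the example.

```python
"""UDP hole punching from slide 12 (after [Ford/Srisuresh/Kegel 2005]) on a toy network,
including the slide 17 case where both clients sit behind the same NAT.
Added example, not from the lecture or the paper. The NAT behaviour (endpoint-independent
mapping, address-restricted filtering, no hairpin translation) and all addresses are assumed."""


class Nat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.mapping = {}     # private (ip, port) -> public port
        self.allowed = {}     # public port -> external IPs the private host has sent to
        self.next_port = 5001

    def outbound(self, src, dst_ip):
        """Create or refresh the mapping for src; remember dst_ip as an allowed sender."""
        if src not in self.mapping:
            self.mapping[src], self.next_port = self.next_port, self.next_port + 1
        port = self.mapping[src]
        self.allowed.setdefault(port, set()).add(dst_ip)
        return (self.public_ip, port)

    def inbound(self, port, from_ip):
        """Private endpoint for a packet to (public_ip, port), or None: drop it."""
        for priv, p in self.mapping.items():
            if p == port and from_ip in self.allowed[p]:
                return priv
        return None


class Host:
    def __init__(self, name, ip, port, nat=None):
        self.name, self.endpoint, self.nat, self.inbox = name, (ip, port), nat, []


class Network:
    def __init__(self, hosts, nats):
        self.hosts = {h.endpoint: h for h in hosts}
        self.nats = {n.public_ip: n for n in nats}

    def send(self, src, dst, payload):
        """Deliver one UDP datagram; True if some host received it, False if dropped."""
        target = self.hosts.get(dst)
        if target is not None and target.nat is not None:   # dst is a private endpoint
            if src.nat is not target.nat:
                return False                 # private addresses do not route across the Internet
            target.inbox.append((src.endpoint, payload))    # same LAN: delivered untranslated
            return True
        if src.nat is None:
            seen_src = src.endpoint
        else:
            seen_src = src.nat.outbound(src.endpoint, dst[0])
            if dst[0] == src.nat.public_ip:
                return False                 # hairpin to own public address: assumed unsupported
        nat = self.nats.get(dst[0])
        if nat is not None:                  # dst is a NAT's public endpoint: filter + translate
            target = self.hosts.get(nat.inbound(dst[1], seen_src[0]))
        if target is None:
            return False
        target.inbox.append((seen_src, payload))
        return True


def hole_punch(net, server, a, b):
    """Peers register with S, learn each other's public and private endpoints from S's
    records, then send to both; returns the source endpoints each peer heard punches from."""
    for h in (a, b):
        net.send(h, server.endpoint, ("register", h.name, h.endpoint))
    records = {name: (seen, priv) for seen, (_, name, priv) in server.inbox}
    for _ in range(2):                       # the first punch may be dropped; clients retry
        for me, peer in ((a, b), (b, a)):
            public, private = records[peer.name]
            net.send(me, public, ("punch", me.name))
            net.send(me, private, ("punch", me.name))
    heard = lambda h: sorted({src for src, p in h.inbox if p[0] == "punch"})
    return heard(a), heard(b)


def scenario(same_nat):
    """Two peers behind different NATs, or (same_nat=True) behind the same one."""
    s = Host("S", "128.119.40.186", 3478)              # public rendezvous server (constructed)
    nat_a = Nat("128.173.41.81")
    nat_b = nat_a if same_nat else Nat("138.76.29.7")
    a = Host("A", "192.168.5.62", 4000, nat_a)
    b = Host("B", "192.168.5.63" if same_nat else "10.0.0.2", 4000, nat_b)
    return hole_punch(Network([s, a, b], [nat_a, nat_b]), s, a, b)


if __name__ == "__main__":
    print("different NATs:", scenario(False))   # punches arrive from the public endpoints
    print("same NAT:     ", scenario(True))     # punches arrive from the private endpoints
```

The returned source endpoints are how a client can tell which scenario occurred: across two NATs the punches that get through arrive from the peer's public endpoint and only after both sides have sent, while behind one NAT the public-endpoint attempts die at the hairpin and only the private-endpoint attempts arrive. Sending to both candidates and keeping whichever one answers is exactly why the paper's clients try every endpoint the server reports rather than guessing the topology.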