Date post: | 26-Dec-2015 |
Category: |
Documents |
Upload: | imogen-hensley |
View: | 220 times |
Download: | 0 times |
CS 5565Network Architecture and
Protocols
Godmar Back
Announcements
• Required Reading: – DCCP by Koehler et al, SIGCOMM 2006
CS 5565 Spring 2012
Network Address Translation
TCP Hole Punching & Simultaneous Open
CS 5565 Spring 2012
NAT: Network Address Translation
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
138.76.29.7
local network(e.g., home network)
10.0.0/24
rest ofInternet
Datagrams with source or destination in this networkhave 10.0.0/24 address for
source, destination (as usual)
All datagrams leaving localnetwork have same single source
NAT IP address: 138.76.29.7,different source port numbers
CS 5565 Spring 2012
NAT: Network Address Translation
• Motivation: local network uses just one IP address as far as outside word is concerned:– no need to be allocated range of addresses from ISP:
- just one IP address is used for all devices– can change addresses of devices in local network
without notifying outside world– can change ISP without changing addresses of
devices in local network– devices inside local net not explicitly addressable,
visible by outside world (a huge security plus).
CS 5565 Spring 2012
NAT: Network Address TranslationImplementation: NAT router must:
– outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #)
. . . remote clients/servers will respond using (NAT IP address, new port #) as destination addr.
– remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
– incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table
CS 5565 Spring 2012
NAT: Network Address Translation
192.168.5.62
192.168.5.63
192.168.5.64
S: 192.168.5.62, 3345D: 128.119.40.186, 80 1
192.168.5.1
128.173.41.81
1: host 192.168.5.62sends datagram to 128.119.40.186, 80
NAT translation tableWAN side addr LAN side addr
128.173.41.81, 5001 192.168.5.62, 3345…… ……
S: 128.119.40.186, 80 D: 192.168.5.62, 3345
4
S: 128.173.41.81, 5001D: 128.119.40.186, 80
2
2: NAT routerchanges datagramsource addr from192.168.5.62, 3345 to128.173.41.81, 5001,updates table
S: 128.119.40.186, 80 D: 128.173.41.81, 5001
3
3: Reply arrives dest. address: 128.173.41.81, 5001
4: NAT routerchanges datagramdest addr from 128.173.41.81, 5001 to 192.168.5.62, 3345
Managing NAT table
• NAT Gateway (usually) adds entries for datagrams traveling private to public automatically– Allows UDP/TCP clients to transparently sendto/connect
to outside servers• Removal of entries
– UDP: timeout due to inactivity– TCP: timeout + TCP connection teardown
• Other direction requires configuration so NAT Gateway knows where to forward incoming datagram even if no private host previously punched a hole by initiating UDP traffic/TCP connection
CS 5565 Spring 2012
CS 5565 Spring 2012
NAT Disadvantages
• 16-bit port-number field: – Only 60,000 simultaneous connections with a single
LAN-side address!
• NAT is controversial:– routers should only process up to layer 3– violates end-to-end argument
• NAT possibility must be taken into account by app designers, eg, P2P applications
– address shortage should instead be solved by IPv6– really annoying if you time out on rlogin.cs.vt.edu
NAT Challenges
• Considering that most Internet hosts are behind NAT these days – how should applications be written to deal with that?
• No problem as long as server has public IP and client knows where to connect (HTTP, XMPP, SMTP, POP)
• What about P2P applications?– Could relay through server, but that would defeat purpose of P2P– Instead, a technique called “hole punching” is widely used (e.g.,
in Skype)– Discussed in [Ford/Srisuresh/Kegel 2005]
• UDP hole punching is widely used, but TCP hole punching is possible as well
CS 5565 Spring 2012
NAT Relaying• All traffic goes
through S• Source: [
Ford/Srisuresh/Kegel 2005]
CS 5565 Spring 2012
UDP Hole Punching
• Rendezvous server only directs punches, traffic goes P2P
• Details in [Ford/Srisuresh/Kegel 2005]CS 5565 Spring 2012
CS 5565 Spring 2012
Aside: TCP Hole Punching
• External server S records & provides private & public IP• both behind-NAT hosts must punch holes with outgoing
SYN – allows TCP connection
CS 5565 Spring 2012
Simultaneous Open (cont’d)
• Vint Cerf, 1987:
• Not invented for hole punching in NAT – coincidental use
Distributed systems with symmetric processes that automatically seek to link to each other (no master/slave relationship) would use the simul-OPEN style. It was designed into TCP for that purpose; I do not know, however, whether any actual applications have made use of this feature.
CS 5565 Spring 2012
Simultaneous Open
(a) TCP connection establishment in the normal case.(b) Call collision – one connection is established (“client-client” connection)
CS 5565 Spring 2012
TCP ConnectionFSM
The heavy solid line is the normal path for a client.
The heavy dashed line is the normal path for a server.
The light lines are unusual events.
Each transition is labeled by the event causing it and the action resulting from it, separated by a slash.
CS 5565 Spring 2012
TCP HolePunching
• Must bind multiple sockets to same port (SO_REUSEADDR)
• Manage to identify which scenario has occurred
• Must handle case where both clients are behind the same NAT!