Date post: 14-Dec-2015
IPv4+4: Address extension with NATs

Zoltán Turányi
András Valkó
Andrew Campbell (Rita)

Problem: IPv4 address shortage

IPv6
• There for 6+ years
• No deployment
• Complicated transition
• Little incentives

NAT
• Deployed
• Breaks end-to-end
• Breaks apps
• Single point of failure
• Not scalable
• Even more deployed

Why are NATs so popular?

• Very easy
  – No need to replace routers
  – No need to get more addresses

• Provide address isolation
  – Easy address planning independent of outside
  – Provider change does not result in renumbering
  – Some even think it is security

IPv4+4

• Use existing multiple address realms

[Figure: two private realms, each behind a NAT whose public address is A (resp. B); the host inside each realm has the private address X. The resulting 4+4 addresses are A.X and B.X: the level 1 part is the public NAT address, the level 2 part is the private address.]

IPv4+4

• Use existing multiple address realms

[Figure: the same topology with numbers. NAT public addresses 9.8.7.6 and 5.4.3.2; the host behind each NAT is 10.0.0.1; their 4+4 addresses are 9.8.7.6.10.0.0.1 and 5.4.3.2.10.0.0.1.]

IPv4+4 packet

[Figure: packet layout, one 32-bit word per row]
  version | hdrlen | DS byte | total length
  identification | flags | fragment offset
  TTL | protocol | header checksum
  source address
  destination address
  source address 2
  destination address 2
  protocol 2 | spos | dpos | header checksum 2
  transport header + payload
(the figure annotates the protocol field with the value 233)

header checksum 2:
• covers addresses, len & protocol
• end-to-end

IPv4+4 routing

[Figure: host A.X in private realm X, behind RGW (realm gateway) A, sends to host B.Y in private realm Y, behind RGW B. Each packet is shown as (IP header source, destination / source address 2, destination address 2):]

  private realm X:   src X  dst B  /  src2 A  dst2 Y
  public realm:      src A  dst B  /  src2 X  dst2 Y   (RGW A swapped the source)
  private realm Y:   src A  dst Y  /  src2 X  dst2 B   (RGW B swapped the destination)

• packet routable based on IP header
• private addresses not visible in public realm
• private realm's addresses not visible in another private realm

IPv4+4 routing

[Figure: host A.X in private realm X sends to public host C, whose 4+4 address is C.0 (example: 4.3.2.1.0.0.0.0):]

  private realm X:   src X  dst C  /  src2 A  dst2 0
  public realm:      src A  dst C  /  src2 X  dst2 0   (RGW A swapped the source)

IPv4+4 routing

[Figure: public host C.0 sends to host B.Y in private realm Y, behind RGW B:]

  public realm:      src C  dst B  /  src2 0  dst2 Y
  private realm Y:   src C  dst Y  /  src2 0  dst2 B   (RGW B swapped the destination)

ICMP translation

[Figure: router R in the public realm between RGW A and RGW B; host A.X in realm X, host B.Y in realm Y. The data packet from A.X to B.Y is (src X, dst B / src2 A, dst2 Y) in realm X and (src A, dst B / src2 X, dst2 Y) in the public realm; R generates an ICMP error shown as R.0 → A.X.]

ICMP translation

[Figure, continued: labels shown on the ICMP error's path back through RGW A: IP header R → A; address pair A Y / X B; delivered to the host as B.R → A.X.]

ICMP – a problem

[Figure: the packet quoted inside an ICMP error, first for a legacy IPv4 packet, then for an IPv4+4 packet]

Legacy IPv4 packet:
  version | hdrlen | DS byte | total length
  identification | flags | fragment offset
  TTL | protocol | header checksum
  source address
  destination address
  source port | destination port
  sequence number (TCP) / length + checksum (UDP)

IPv4+4 packet:
  version | hdrlen | DS byte | total length
  identification | flags | fragment offset
  TTL | protocol | header checksum
  source address
  destination address
  source address 2
  destination address 2
  protocol 2 | spos | dpos | header checksum 2
  source port | destination port
  sequence number (TCP) / length + checksum (UDP)

An ICMP error quotes the offending packet's IP header plus the first 8 bytes that follow it (RFC 792). For a legacy packet those 8 bytes are the ports and the sequence number (or the UDP length and checksum); for an IPv4+4 packet they are source address 2 and destination address 2, so the transport fields a host needs to match the error to a connection fall outside the quoted part.

Summary - RGWs

Legacy NAT
• Packet out: swap source
• Packet in: swap destination
• Add 4+4 header to ICMP messages

Stateless, cheap processing
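The RGW translation from the routing slides and the summary above, as an added example (not the authors' kernel module): it builds the IPv4+4 packet from the packet-format slide, applies the egress swap-source and ingress swap-destination steps, and refreshes the IP header checksum. Assumptions, not from the slides: protocol number 233 (the value annotated on the packet slide), protocol 2 / spos / dpos carried as one opaque 16-bit field, and header checksum 2 modelled as a ones-complement sum over the four addresses, the total length and that field; such a sum is order-invariant, which is why the swaps leave it valid end-to-end.

```python
import struct

PROTO_4P4 = 233  # ASSUMED IP protocol number (value annotated on the packet slide)

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: complement of the ones-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ip(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))

def build(src, dst, src2, dst2, opaque2=0x0600, payload=b"") -> bytes:
    """Host side: src/dst go in the IP header, src2/dst2 in the 12-byte second header."""
    total = 32 + len(payload)
    h1 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, PROTO_4P4, 0, ip(src), ip(dst))
    h1 = h1[:10] + struct.pack("!H", ones_complement_sum(h1)) + h1[12:]
    # ASSUMED coverage of checksum 2: the four addresses, total length, opaque field
    c2 = ones_complement_sum(ip(src) + ip(dst) + ip(src2) + ip(dst2) + struct.pack("!HH", total, opaque2))
    return h1 + struct.pack("!4s4sHH", ip(src2), ip(dst2), opaque2, c2) + payload

def parse(pkt: bytes) -> dict:
    """Return the four addresses and whether the IP checksum and checksum 2 verify."""
    f = struct.unpack("!BBHHHBBH4s4s4s4sHH", pkt[:32])
    a = [".".join(map(str, x)) for x in f[8:12]]
    c2 = ones_complement_sum(b"".join(f[8:12]) + struct.pack("!HH", f[2], f[12]))
    return dict(src=a[0], dst=a[1], src2=a[2], dst2=a[3],
                ip_ok=ones_complement_sum(pkt[:20]) == 0, csum2_ok=c2 == f[13])

def _swap(pkt: bytes, i: int, j: int) -> bytes:
    """Exchange the 4-byte address fields at offsets i and j; refresh the IP header checksum."""
    b = bytearray(pkt)
    b[i:i + 4], b[j:j + 4] = pkt[j:j + 4], pkt[i:i + 4]
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ones_complement_sum(bytes(b[:20])))
    return bytes(b)

def rgw_out(pkt: bytes) -> bytes:
    """FORWARD hook, packet leaving the realm: swap source address with source address 2."""
    return _swap(pkt, 12, 20)

def rgw_in(pkt: bytes) -> bytes:
    """PRE_ROUTING hook, packet entering the realm: swap destination with destination 2."""
    return _swap(pkt, 16, 24)

def trace(src, dst, src2, dst2):
    """Headers as seen in the sender's realm, the public realm and the receiver's realm."""
    p0 = build(src, dst, src2, dst2)
    p1 = rgw_out(p0)
    return [parse(p) for p in (p0, p1, rgw_in(p1))]
```

Both RGW steps are stateless: each needs only the packet in hand, and neither touches checksum 2, so corruption anywhere on the path is still caught by the receiving host.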

Summary – End hosts

• Generate & understand 4+4 header
• Decide if peer is in the same realm or not
• Obtain 4+4 addresses of peers
  – DNS
  – Configuration
• Application support needed

Implementation

• Linux kernel module
• Translates IPv4+4 packets and addresses
  – 128.59.67.131.192.168.0.2 ↔ 1.0.0.2
• Mappings are dynamically created
  – Incoming packet
  – DNS request
• Packet headers inside ICMP errors
• DNS messages also affected

Implementation

• Linux kernel module – no kernel patch
• Load/unload any time

[Figure: the kernel module sits in kernel space, below the applications in userland]

Implementation

• Linux kernel module – no kernel patch
• Uses netfilter hooks
  – Can examine and modify packet
  – Say a verdict: accept, drop, steal, queue

[Figure: netfilter hook points. Input device → PRE_ROUTING → LOCAL_IN → Applications → LOCAL_OUT → POST_ROUTING → Output device; forwarded packets take PRE_ROUTING → FORWARD → POST_ROUTING.]

End-host rules:

LOCAL_OUT
• If an ICMP error that carries a peer id inside => translate
• If destination is a peer id => translate

LOCAL_IN
• If an ICMP error that carries a 4+4 packet => translate
• If v4+4 and addressed to us => translate
• If a DNS packet => QUEUE (to the userland daemon, which returns the ACCEPT verdict)

[Figure: the same netfilter hook diagram, with the RGW rules attached to FORWARD and PRE_ROUTING]

RGW rules:

FORWARD
• ICMP error carrying 4+4 packet => add IPv4+4 header
• 4+4 packet => swap source address

PRE_ROUTING
• ICMP error carrying 4+4 packet => add IPv4+4 header
• 4+4 packet => swap destination address

DNS

• Each 4+4 address is stored as two "A" RR
• Name prepending is used as with SRV RRs

Hostname: pleione.comet.columbia.edu.
Records:
  l1.pleione.comet.columbia.edu  128.59.67.131
  l2.pleione.comet.columbia.edu  192.168.0.2
IPv4+4 address: 128.59.67.131.192.168.0.2

DNS

[Figure: message sequence between App, Kernel, Module and Daemon]

• App asks: Who is a.b.com?
• Answer: a.b.com doesn't exist. The daemon asks: Who is l1.a.b.com? Who is l2.a.b.com?
• Answers: l1.a.b.com is 2.3.4.5; l2.a.b.com is 6.7.8.9
• Mapping created: 2.3.4.5.6.7.8.9 ↔ 1.0.0.2
• App receives: a.b.com is 1.0.0.2
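The daemon's name resolution and the module's peer-id mapping from the DNS slides, together with the LOCAL_OUT rule "destination is a peer id => translate", as an added example (not the project's code). The zone contents are constructed, and holding back 1.0.0.1 so that the first peer gets 1.0.0.2 is a constructed choice that matches the slide values.

```python
import ipaddress

# Constructed sample zone standing in for DNS: pleione has only l1/l2 records,
# as on the DNS slide; public.example is a plain public host with an A record.
ZONE = {
    "l1.pleione.comet.columbia.edu": "128.59.67.131",
    "l2.pleione.comet.columbia.edu": "192.168.0.2",
    "public.example": "4.3.2.1",
}

def split44(addr44: str):
    """'128.59.67.131.192.168.0.2' -> ('128.59.67.131', '192.168.0.2')."""
    o = addr44.split(".")
    if len(o) != 8 or not all(x.isdigit() and 0 <= int(x) <= 255 for x in o):
        raise ValueError("not a 4+4 address: %r" % addr44)
    return ".".join(o[:4]), ".".join(o[4:])

class Mapper:
    """The module's dynamic table: 4+4 address <-> peer id from the 1.0.0.0/8 pool."""
    def __init__(self, pool: str = "1.0.0.0/8"):
        self._free = ipaddress.ip_network(pool).hosts()
        next(self._free)  # constructed choice: keep 1.0.0.1 back, first peer is 1.0.0.2
        self.by_addr, self.by_peer = {}, {}

    def peer_id(self, addr44: str) -> str:
        """Allocate (once) and return the peer id for a 4+4 address."""
        split44(addr44)  # validate before storing
        if addr44 not in self.by_addr:
            pid = str(next(self._free))
            self.by_addr[addr44], self.by_peer[pid] = pid, addr44
        return self.by_addr[addr44]

    def translate_out(self, dst: str):
        """LOCAL_OUT: if dst is a peer id, return (dst, dst2) for the 4+4 header, else None."""
        addr44 = self.by_peer.get(dst)
        return None if addr44 is None else split44(addr44)

def resolve(name: str, mapper: Mapper, zone=ZONE):
    """Daemon logic from the DNS slide: plain A record, else compose l1.<name> and l2.<name>."""
    if name in zone:
        return zone[name]
    l1, l2 = zone.get("l1." + name), zone.get("l2." + name)
    if l1 is None or l2 is None:
        return None
    return mapper.peer_id(l1 + "." + l2)
```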

Testbed

[Figure: Comet Lab, New York: aphrodite (128.59.67.141) and taygeta (128.59.67.131) on the public side; pleione (192.168.0.2) in a private realm behind 192.168.0.1. DNS server and WEB server for ipv44.comet.columbia.edu; WEB server pleione.ipv44.comet.columbia.edu. Remote host pc11 (195.228.209.132) in Budapest, Hungary.]


Experiments

• Applications/protocols
  – icmp, ssh, scp, telnet, ping, http
  – arp, snmp, dhcp, routing protocols
  – ftp, irc
• Network management/configuration
  – dns, firewall, routing

Performance

• Pentium III, 1 GHz machine
• Unloaded
• Measured the forwarding time

[Figure: netfilter hook diagram (PRE_ROUTING, LOCAL_IN, LOCAL_OUT, FORWARD, POST_ROUTING) marking where the forwarding time was measured]

[Figure: bar chart of time [microsec], y-axis 0 to 10; categories: IP/4+4 forwarding, NAT-in, NAT-out, ICMP-in, ICMP-out; series: big pkt, NAT, NAT overhead, 4+4, 4+4 overhead, forwarding]
