+ All Categories
Home > Engineering > Of knights-and-drawbridges-nat-behaviour

Of knights-and-drawbridges-nat-behaviour

Date post: 23-Jul-2015
Category:

Engineering
Upload: auro-tripathy
View: 140 times
Download: 0 times
Download Report this document
Share this document with a friend
Popular Tags:
invitation letter packet
knight packet
special invitation packet
nats nat nat nat nat
tenant end
new drawbridge
correct fort
guard checks
12
Of Knights and Drawbridges Auro Tripathy [email protected] A halt-who-goes-there medieval story about the modern mystery of NAT Traversal
Transcript
Page 1: Of knights-and-drawbridges-nat-behaviour

Of Knights and Drawbridges

Auro Tripathy

[email protected]

A halt-who-goes-there medieval story about the modern mystery of NAT Traversal

Page 2: Of knights-and-drawbridges-nat-behaviour

2

Using an Analogy to explain NATs

NAT NAT NAT NAT +-+ +-+ +-+ +-+ +----+ | | | | | | | | +----+ |EP-a|---+ +...+ +---((Public Network))---+ +...+ +---|EP-b| +----+ | | | | | | | | +----+ +-+ +-+ +-+ +-+

EP = End Point NAT = Network Address Translation

Source : https://tools.ietf.org/html/draft-takeda-symmetric-nat-traversal-00

Page 3: Of knights-and-drawbridges-nat-behaviour

3

Imagine…

The fortress (your home) is a private network

The tenant is an end-point device (e.g. PC, network attached storage, wireless thermostat, wireless smoke-alarm, IoT device)

The NAT is the “moat”, to defend the fort.

A tenant can send out a packet by lowering the drawbridge

Until a tenant sends a packet out of the fort, the fort is locked-down; there are no drawbridges

Page 4: Of knights-and-drawbridges-nat-behaviour

4

Fortifying your defenses with a Moat

Lowering the drawbridge is an opportunity for unintended “knight” to come in The bridge must be defended against uninvited knights.

The rules of the drawbridge define the Moat Full-Cone NAT (least restrictive crossing) Restricted-Cone NAT Port-restricted cone NAT Symmetric NAT (most restrictive crossing)

Page 5: Of knights-and-drawbridges-nat-behaviour

5

Full-Cone NAT

When the tenant (end-point) in the fort sends a knight (packet) out, a drawbridge will be lowered with a guard to determine who can come-in using that drawbridge.

For an in-coming knight (packet), the guard checks: Are you, Sire, visiting the tenant who

created this drawbridge? If yes, go on in.

The guard does not check where the knight (packet) came from(could be any end-point). Whether the knight had an invitation

Page 6: Of knights-and-drawbridges-nat-behaviour

6

The Invitation Letter

The trick to traverse a NAT with UDP is to utilize the 'invitation letter” (packet).

The invitation packet is not necessarily a 'special' invitation packet. The first part of outgoing data transmission works as an invitation because it lowers a drawbridge assigns a guard for incoming knights.

Page 7: Of knights-and-drawbridges-nat-behaviour

7

Restricted-Cone NAT

A drawbridge will be lowered when a tenant(endpoint) in the fort sends an invitation letter (a packet) for the first time to another fort.

The guard on the drawbridge will check if the in-coming knight (packet) is visiting the tenant who lowered this drawbridge.

The guard also checks if the knight came from the fort that received the invitation letter from the tenant.

The guard does not check the invitation letter, just the fort name to which the invitation was sent.

Page 8: Of knights-and-drawbridges-nat-behaviour

8

Port-restricted-Cone NAT

A drawbridge will be lowered when a tenant(endpoint) in a fort sends an invitation letter (a packet) for the first time to a tenant in another fort.

The guard will check if each knight (packet) trying to enter (via the drawbridge) is visiting the tenant who lowered the drawbridge.

The guard checks if the knight came from the fort that received the invitation letter from the tenant.

The guard also checks if the knight has received the invitation letter from the tenant.

You came from the correct fort, do you have the

invitation?

Page 9: Of knights-and-drawbridges-nat-behaviour

9

Symmetric-Cone NAT

In the case of non-symmetric NATS, the same drawbridge will be used whenever the same tenant in a fort sends an invitation packet to a different destination.

In a symmetric NAT, a new drawbridge will be always lowered every time the tenant in the fort sends an “invitation” packet.

Fort

Moat

Drawbridge

Tenant

Each invitation has it own drawbridge

The drawbridge for a knight to enter from one fort is not the same for other knights to enter from other forts

Page 10: Of knights-and-drawbridges-nat-behaviour

10

Summary

NAT-Type Intended for Tenant who lowered the Drawbridge?

Invitation to Fort F2 and coming from Fort F2?

Has the Invitation Letter?

Coming-in on the same drawbridge that the invitation went out on?

FullCone

Yes,Go-on in

Not Checked Not Checked Not-Checked

Restricted Cone Yes and… Yes, go-on in Not Checked Not Checked

Port-Restricted Cone Yes and … Yes, and … Yes, go-on in Not Checked

SymmetricCone*

Yes Yes, and… Yes, and Yes, go-on in

F2

Page 11: Of knights-and-drawbridges-nat-behaviour

11

Applying the Analogy

In this analogy, a 'tenant' represents local UDP port.

Several tenants comprise a device. Each device has an IP address.

A fort protects multiple devices with a NAT (the moat)

A drawbridge is a mapping and a rule for incoming packets.

Page 12: Of knights-and-drawbridges-nat-behaviour

12

References

https://tools.ietf.org/html/draft-takeda-symmetric-nat-traversal-00


Recommended
Nat Doc 008, Ed1 - Nat Asm (Nov2010)

Nat Doc 008, Ed1 - Nat Asm (Nov2010)

Documents

Nat Data Link Performance Update and NAT Documents... · 1 NAT DATA LINK PERFORMANCE REPORT FOR 2018 – AS ENDORSED AT NAT IMG/54 1 NAT PBCS Monitoring Rpt 2018_part1.docx NAT DATA

Nat Data Link Performance Update and NAT Documents... · 1 NAT DATA LINK PERFORMANCE REPORT FOR 2018 – AS ENDORSED AT NAT IMG/54 1 NAT PBCS Monitoring Rpt 2018_part1.docx NAT DATA

Documents

Relic Knights

Relic Knights

Documents

2010.pdfNIWFA 2010 Christmas Cobra Fencing Open women rs saber Unrated Sunday, December 05, cl ub Hunter college Hunter College 2010 - 9:00 AM Div NAT NAT NAT NAT NAT NAT NAT NAT NAT

2010.pdfNIWFA 2010 Christmas Cobra Fencing Open women rs saber Unrated Sunday, December 05, cl ub Hunter college Hunter College 2010 - 9:00 AM Div NAT NAT NAT NAT NAT NAT NAT NAT NAT

Documents

Middle ages. Knights Knights were used to protect the castle and the village. Squires are people training to be knights. The knights are what we would.

Middle ages. Knights Knights were used to protect the castle and the village. Squires are people training to be knights. The knights are what we would.

Documents

NAT SPG Handbook and NAT Documents/NAT... · 2019-07-31 · NAT IMG text (NAT IMG47 Summary of Discussions, paragraphs 3.7 and 3.8), (approved by NAT SPG by correspondence, silence

NAT SPG Handbook and NAT Documents/NAT... · 2019-07-31 · NAT IMG text (NAT IMG47 Summary of Discussions, paragraphs 3.7 and 3.8), (approved by NAT SPG by correspondence, silence

Documents

Network Address Translation (NAT) - Cisco · NetworkAddressTranslation(NAT) ThefollowingtopicsexplainNetworkAddressTranslation(NAT)andhowtoconfigureit. •WhyUseNAT?,onpage1 •NATBasics,onpage2

Network Address Translation (NAT) - Cisco · NetworkAddressTranslation(NAT) ThefollowingtopicsexplainNetworkAddressTranslation(NAT)andhowtoconfigureit. •WhyUseNAT?,onpage1 •NATBasics,onpage2

Documents

1 Chapter 7: NAT in Internet and Intranet Designs Designs That Include NAT Essential NAT Design Concepts Data Protection in NAT Designs NAT Design Optimization.

1 Chapter 7: NAT in Internet and Intranet Designs Designs That Include NAT Essential NAT Design Concepts Data Protection in NAT Designs NAT Design Optimization.

Documents

Moats and Drawbridges: An Isolation Primitive for Recon gurable

Moats and Drawbridges: An Isolation Primitive for Recon gurable

Documents

Knights Tale

Knights Tale

Entertainment & Humor

Aramco ExPats€¦ · Kennecott Copper Lee Rubber Liggett & Wrers Montgomery Ward Motorola Nash Kelvinator Nat. Biscuit Nat. Cash Register Nat. Dai Nat. Stei{ Nat Sugar NY tentral

Aramco ExPats€¦ · Kennecott Copper Lee Rubber Liggett & Wrers Montgomery Ward Motorola Nash Kelvinator Nat. Biscuit Nat. Cash Register Nat. Dai Nat. Stei{ Nat Sugar NY tentral

Documents

Knights Navigator Knights of Columbus Council 12942 St ...uknight.org/Councils/KoC-Newsletter - August 2019.pdf · Knights Navigator Knights of Columbus Council 12942 St. Brendan

Knights Navigator Knights of Columbus Council 12942 St ...uknight.org/Councils/KoC-Newsletter - August 2019.pdf · Knights Navigator Knights of Columbus Council 12942 St. Brendan

Documents

Welcome Knights

Welcome Knights

Documents

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

Documents

The Knights Templar VThe Knights Templar Vthechristianmysteries.com/wp-content/uploads/2015/03/Talk-5.pdf · The Knights Templar VThe Knights Templar V ... Mystics’ Conception of

The Knights Templar VThe Knights Templar Vthechristianmysteries.com/wp-content/uploads/2015/03/Talk-5.pdf · The Knights Templar VThe Knights Templar V ... Mystics’ Conception of

Documents

BAUGI SUNSTONE - EnergieKer · 30,2x30,2 . 12”x12” Decori - decors - decors - Dekore BAUGI NAT. 12,04 FREYA NAT. 12,04 ALOF NAT. 12,04 LOKI NAT. 12,04 GROA NAT. 12,04 NORNE NAT.

BAUGI SUNSTONE - EnergieKer · 30,2x30,2 . 12”x12” Decori - decors - decors - Dekore BAUGI NAT. 12,04 FREYA NAT. 12,04 ALOF NAT. 12,04 LOKI NAT. 12,04 GROA NAT. 12,04 NORNE NAT.

Documents

Whispering Knights

Whispering Knights

Documents

THE KNIGHTS

THE KNIGHTS

Documents