The Dynamic Port Reservation Protocol
Andrew Reitz ([email protected])
Advisor: Robin Kravets ([email protected])
May 9, 2002
The Internet Today
• Much to the chagrin of the technical community, the Internet is still based on IPv4.
• Technologies like Network Address Translation have gained prominence, lengthening the life of IPv4.
• Rate of adoption for IPv6 is slow.
Network Address Translation
• Allows one valid public IP address to be shared by many machines, via a gateway that rewrites the source (outbound) or destination (inbound) IP address and port number of packets that traverse it.
– Breaks the one-to-one IP address to Internet host model.
– Establishes the notion of public versus private hosts.
The Benefits of NAT
• In general, NAT works well for the most prevalent Internet applications:
– Web, e-mail, FTP (passive mode), streaming audio/video, etc.
• Security is increased, because unsolicited in-bound connections to private hosts are dropped (the gateway has no mapping for them), and because the presence and addressing of private hosts is hidden from the outside.
The “Problem” With NAT
• In the last several years, there has been a large growth in applications that demand unsolicited in-bound connectivity:
– All peer-to-peer applications (file sharing, instant messaging, personal video conferencing, multiplayer games, etc.).
– Security protocols, like IPsec, which break when addresses and ports are rewritten in transit.
• Prominence from the “Napster Bubble”.
Potential Solutions
• This problem has been “solved”, in various ways, by several other people/groups:
– Dan Kegel published a “UDP Hack”.
– The IETF is working on “Realm-Specific IP” (RSIP).
– Eugene Ng (CMU) created the “Address Virtualization Enabling Service” (AVES).
Dan Kegel’s UDP Hack
• Relies upon UDP’s connectionless nature, and on the NAT gateway preserving the private host’s source port number when it translates.
• Private hosts learn each other’s public IP address and port via a 3rd party.
• Each host begins sending UDP datagrams to the other’s public IP address and port, creating enough mapping state in each NAT gateway that the other’s datagrams are forwarded inward.
Pros and Cons of UDP Hack
• Pros:
– Minimal set of changes to existing Internet infrastructure.
– Can be added by application developers on an as-needed basis.
• Cons:
– Fails when the NAT gateway must translate ports: the port the 3rd party observed is then not the port the gateway uses toward the peer.
– Only works with UDP.
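The two slides above describe the hack in prose; the following added example (not code from the slides or from Dan Kegel) models it so the failure case in the last bullet can be seen. Two NAT gateways are simulated with the state table a real gateway keeps: an outbound datagram creates a mapping, and an inbound datagram is only forwarded to a private host that has already sent to that remote endpoint through that external port. The `mapping` policy is a modelling assumption that goes slightly beyond the slide: besides port preservation and per-destination translation it also models a gateway that translates the port but reuses it for every destination, which shows that what actually matters is whether the port the 3rd party observed is the one used toward the peer. All addresses are constructed sample values.

```python
"""Model of the UDP hole-punching hack: two NAT gateways and a rendezvous."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    public_ip: str
    # Assumed gateway behaviours (modelling assumption, not from the slides):
    #   "preserve"  - external port == private source port (what the hack relies on)
    #   "cone"      - one translated port per private socket, reused for all peers
    #   "symmetric" - a fresh translated port per (socket, destination) pair
    mapping: str
    next_port: int = 40000
    # (private endpoint, remote endpoint) -> external port
    table: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)

    def _allocate(self, src: Endpoint) -> int:
        if self.mapping == "preserve":
            return src[1]
        if self.mapping == "cone":
            for (priv, _remote), ext in self.table.items():
                if priv == src:
                    return ext  # reuse this socket's existing external port
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Private host `src` sends to `dst`; returns the public endpoint used."""
        key = (src, dst)
        if key not in self.table:
            self.table[key] = self._allocate(src)
        return (self.public_ip, self.table[key])

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """A datagram from `src` on the Internet arrives at `dst` (our public
        ip, port). It is forwarded only if a private host already sent to
        exactly `src` through that external port; otherwise it is dropped."""
        for (priv, remote), ext in self.table.items():
            if ext == dst[1] and remote == src:
                return priv
        return None


def hole_punch(nat_a: Nat, nat_b: Nat, host_a: Endpoint, host_b: Endpoint,
               rendezvous: Endpoint = ("203.0.113.1", 9000)) -> bool:
    """Run the hack. Both hosts contact the 3rd party, learn the public
    endpoint it saw for the peer, then send datagrams to it. Returns True if
    a datagram gets through in both directions. Hosts retransmit in practice,
    so the order of the first sends does not matter in this model."""
    pub_a = nat_a.outbound(host_a, rendezvous)  # what the 3rd party sees for A
    pub_b = nat_b.outbound(host_b, rendezvous)  # ... and for B
    out_a = nat_a.outbound(host_a, pub_b)       # A sends toward B's public endpoint
    out_b = nat_b.outbound(host_b, pub_a)       # B sends toward A's public endpoint
    a_reaches_b = nat_b.inbound(out_a, pub_b) == host_b
    b_reaches_a = nat_a.inbound(out_b, pub_a) == host_a
    return a_reaches_b and b_reaches_a


def run(mapping_a: str, mapping_b: str) -> bool:
    """Constructed scenario: two private hosts, one behind each gateway."""
    nat_a = Nat("198.51.100.10", mapping_a)
    nat_b = Nat("198.51.100.20", mapping_b)
    return hole_punch(nat_a, nat_b, ("10.0.0.5", 5000), ("192.168.1.7", 5000))


if __name__ == "__main__":
    for a, b in [("preserve", "preserve"), ("cone", "preserve"),
                 ("symmetric", "preserve"), ("symmetric", "symmetric")]:
        print(f"{a:9s} <-> {b:9s}: {'connected' if run(a, b) else 'blocked'}")
```

The "symmetric" case is the slide's failure mode: the gateway hands out a new external port for the peer's address, so the peer is sending to a port whose state belongs to the rendezvous server and the datagram is dropped.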
Realm-Specific IP
• A new IETF draft, which aims to restore complete connectivity to private hosts.
• An RSIP-enabled host can obtain a lease on a public IP address from an RSIP-enabled gateway.
• The host builds “public” packets and passes them to the gateway via a tunnel; the gateway injects the packets into the network.
Pros and Cons of RSIP
• Pros:
– Restores complete connectivity for private hosts: even IPsec works.
• Cons:
– Requires extensive infrastructure modifications: private host IP stack, NAT gateway, application modification.
– The public IP address pool weakens NAT’s address conservation gains.
AVES
• Connectivity for NAT-friendly applications.
• Private hosts are enumerated in DNS.
• The DNS server works in conjunction with a waypoint server to establish a private-to-public address mapping.
• The waypoint server tunnels traffic bound for the private host to its NAT gateway.
Pros and Cons of AVES
• Pros:
– Transparent to existing hosts.
– Supports public servers behind NAT.
• Cons:
– DNS maintenance adds complexity.
– Exhausting the waypoint’s public IP pool is a denial-of-service vector.
– Ingress filtering at the edge router requires all traffic to be forwarded through the waypoint.
Room For A Better Method
• The ideal solution makes it easy to support the widest range of applications (P2P in particular).
• Must support TCP and UDP.
• In order to be deployable, cannot modify the host IP stack or Internet routers.
• Shouldn’t require extra infrastructure, such as proxies that don’t scale or can fail.
Enter DPRP
• Aim is to make the port forwarding functionality of most NAT gateways more accessible.
• Develop a protocol so that applications can signal the NAT gateway to reserve a port.
• Apply DHCP techniques (time-limited leases that are renewed or expire) for managing reserved ports.
More Explanation
• DPRP allows end-users to reserve specific TCP or UDP ports on the NAT gateway.
• Unsolicited in-bound packets to a reserved port are redirected to the private host holding the reservation.
• A port reservation takes the form of a lease.
• The public address/port can be advertised through “normal” channels (URL, P2P registry, etc).
Sample Implementation
• Client and server were written in Java.
• A GUI client allows end-users to reserve ports for legacy applications (web servers, etc).
• The Java Napster client XNap was modified to include DPRP client functionality.
• The Java DPRP server interacted with the NAT gateway via iptables commands.
Security Implications
• DPRP doesn’t poke any new holes in the NAT gateway; it simply moves port forwarding from administrator to user control.
• A forwarded port is reachable from the whole Internet, so the private host is only as secure as the application listening on it.
• The administrator retains controls over DPRP use.
• DPRP-enabled worms could pose problems: malware on a private host could reserve a port and make itself reachable from outside.
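The Enter DPRP, More Explanation, Sample Implementation and Security Implications slides together describe what the gateway side has to do. The following added example (in Python, not the Java server from the slides) models that server: an application asks for a TCP or UDP port, the reservation is a DHCP-like lease that is renewed or expires, the gateway realises it as iptables port forwarding, and the administrator's policy (port range, ports never handed out, lease cap, per-host quota) bounds what a user or a worm on a private host can open. The policy knobs, the interface name and the per-host quota are assumptions; the iptables commands are only generated as strings, never executed, and the wire format of DPRP messages is not modelled since the slides do not give it.

```python
"""DPRP-style port lease server: lease bookkeeping plus iptables rule text."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Lease:
    proto: str      # "tcp" or "udp"
    port: int       # public port on the gateway
    host: str       # private host that receives the forwarded traffic
    expires: float  # absolute time in seconds


class PortLeaseServer:
    def __init__(self, wan_if: str = "eth0", port_range=(1024, 65535),
                 max_lease: int = 3600, max_per_host: int = 4,
                 reserved=(3389, 445)):
        # Administrator controls (assumed policy knobs; the slides only say
        # the administrator has controls over DPRP use).
        self.wan_if = wan_if
        self.port_range = port_range
        self.max_lease = max_lease        # cap on client-requested lease length
        self.max_per_host = max_per_host  # bounds what one infected host can open
        self.reserved = set(reserved)     # ports never handed to users
        self.leases: Dict[Tuple[str, int], Lease] = {}
        self.log: List[str] = []          # iptables commands issued, in order

    def _rules(self, action: str, lease: Lease) -> List[str]:
        # "A" appends the rules, "D" deletes the identical rules again.
        # DNAT redirects the unsolicited inbound packet to the private host;
        # the FORWARD rule lets the redirected packet through.
        return [
            f"iptables -t nat -{action} PREROUTING -i {self.wan_if} -p {lease.proto} "
            f"--dport {lease.port} -j DNAT --to-destination {lease.host}:{lease.port}",
            f"iptables -{action} FORWARD -i {self.wan_if} -p {lease.proto} "
            f"-d {lease.host} --dport {lease.port} -j ACCEPT",
        ]

    def expire(self, now: float) -> int:
        """Tear down every lease past its expiry; returns how many were removed."""
        dead = [key for key, lease in self.leases.items() if lease.expires <= now]
        for key in dead:
            self.log += self._rules("D", self.leases.pop(key))
        return len(dead)

    def reserve(self, host: str, proto: str, port: int, seconds: int,
                now: Optional[float] = None) -> Lease:
        """Reserve (or renew) proto/port for `host`; raises if policy forbids it."""
        now = time.time() if now is None else now
        self.expire(now)
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        lo, hi = self.port_range
        if not lo <= port <= hi or port in self.reserved:
            raise PermissionError(f"port {port}/{proto} is not available to users")
        key = (proto, port)
        existing = self.leases.get(key)
        if existing is not None and existing.host != host:
            raise PermissionError(f"port {port}/{proto} is held by another host")
        held = sum(1 for lease in self.leases.values() if lease.host == host)
        if existing is None and held >= self.max_per_host:
            raise PermissionError(f"{host} already holds {held} leases")
        lease = Lease(proto, port, host, now + min(seconds, self.max_lease))
        if existing is None:
            self.log += self._rules("A", lease)  # a renewal keeps the existing rules
        self.leases[key] = lease
        return lease

    def release(self, host: str, proto: str, port: int) -> bool:
        """Explicit release; only the holder may release its own lease."""
        key = (proto.lower(), port)
        lease = self.leases.get(key)
        if lease is None or lease.host != host:
            return False
        self.log += self._rules("D", self.leases.pop(key))
        return True


if __name__ == "__main__":
    server = PortLeaseServer()
    lease = server.reserve("192.168.1.10", "tcp", 8080, 600)  # e.g. a web server
    print("\n".join(server.log))
    server.expire(lease.expires + 1)
    print("\n".join(server.log[2:]))
```

Running `expire` from a timer is what makes this DHCP-like: a client that crashes or never renews loses its forwarding rule automatically instead of leaving the port open forever.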
Microsoft Stole My Idea
• It appears as if a new technology called Universal Plug and Play (UPnP) incorporates all of these ideas.
• UPnP is a network service discovery platform.
• Network elements can query each other in order to disseminate their capabilities.
“UPnP NAT Traversal Solution”
• A subset of UPnP, that purports to provide the following services:
– Discovery of public IP address.
– Enumeration of existing port mappings.
– Addition and removal of port mappings.
– Assignment of lease times to port mappings.
• Goes the “last mile”, and takes care of the transparency problems that DPRP had.
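The four services on the slide map onto actions of the UPnP Internet Gateway Device profile's WANIPConnection:1 service (GetExternalIPAddress, GetGenericPortMappingEntry, AddPortMapping, DeletePortMapping). The following added example, not part of the slides, builds the SOAP envelopes a control point POSTs to the gateway's control URL for each one and parses the replies; it does no network I/O (device discovery and the control URL are out of scope and assumed), and the gateway replies it parses are constructed sample data. Because a LAN client is not authenticated when it calls these actions, the example ends with an audit over enumerated mappings that flags the kind of entry the previous slide's worm remark is about: a permanent mapping to an internal host the administrator did not expect.

```python
"""UPnP IGD WANIPConnection:1 request building, reply parsing, mapping audit."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def soap_request(action: str, args: Dict[str, object]) -> Dict[str, str]:
    """HTTP headers and body for one IGD action; argument order is preserved."""
    env = ET.Element("s:Envelope", {
        "xmlns:s": SOAP_NS,
        "s:encodingStyle": "http://schemas.xmlsoap.org/soap/encoding/"})
    body = ET.SubElement(env, "s:Body")
    call = ET.SubElement(body, f"u:{action}", {"xmlns:u": SERVICE})
    for name, value in args.items():
        ET.SubElement(call, name).text = str(value)
    xml = '<?xml version="1.0"?>' + ET.tostring(
        env, encoding="unicode", short_empty_elements=False)
    return {"SOAPAction": f'"{SERVICE}#{action}"',
            "Content-Type": 'text/xml; charset="utf-8"',
            "body": xml}


def get_external_ip() -> Dict[str, str]:                  # discovery of public IP
    return soap_request("GetExternalIPAddress", {})


def get_mapping_entry(index: int) -> Dict[str, str]:      # enumeration, one per index
    return soap_request("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})


def add_port_mapping(ext_port: int, proto: str, client: str, int_port: int,
                     lease_seconds: int, desc: str = "dprp") -> Dict[str, str]:
    """Addition with a lease time; NewLeaseDuration 0 means permanent."""
    return soap_request("AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": int_port, "NewInternalClient": client,
        "NewEnabled": "1", "NewPortMappingDescription": desc,
        "NewLeaseDuration": lease_seconds})


def delete_port_mapping(ext_port: int, proto: str) -> Dict[str, str]:  # removal
    return soap_request("DeletePortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto})


def parse_response(xml: str, action: str) -> Dict[str, str]:
    """Return the out-arguments of <ActionResponse>; raise on a SOAP fault."""
    root = ET.fromstring(xml)
    for el in root.iter():
        if el.tag.split("}")[-1] == f"{action}Response":
            return {child.tag.split("}")[-1]: (child.text or "") for child in el}
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        raise RuntimeError("gateway returned a SOAP fault")
    raise RuntimeError(f"no {action}Response element in reply")


def audit_mappings(entries: Iterable[Dict[str, str]],
                   allowed_clients: Iterable[str]) -> List[str]:
    """Flag permanent leases and mappings to hosts outside the allow-list."""
    allowed = set(allowed_clients)
    findings = []
    for e in entries:
        target = (f"{e['NewProtocol']}/{e['NewExternalPort']} -> "
                  f"{e['NewInternalClient']}:{e['NewInternalPort']}")
        if e.get("NewLeaseDuration", "0") == "0":
            findings.append(f"permanent lease: {target}")
        if e["NewInternalClient"] not in allowed:
            findings.append(f"unexpected internal client: {target}")
    return findings


# Constructed sample replies (not captured from a real gateway).
SAMPLE_EXTERNAL_IP_REPLY = (
    f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
    f'<u:GetExternalIPAddressResponse xmlns:u="{SERVICE}">'
    '<NewExternalIPAddress>203.0.113.7</NewExternalIPAddress>'
    '</u:GetExternalIPAddressResponse></s:Body></s:Envelope>')


def _entry_reply(**out_args: str) -> str:
    fields = "".join(f"<{k}>{v}</{k}>" for k, v in out_args.items())
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">{fields}'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


SAMPLE_ENTRY_REPLIES = [
    _entry_reply(NewRemoteHost="", NewExternalPort="8080", NewProtocol="TCP",
                 NewInternalPort="8080", NewInternalClient="192.168.1.10",
                 NewEnabled="1", NewPortMappingDescription="dprp",
                 NewLeaseDuration="3600"),
    _entry_reply(NewRemoteHost="", NewExternalPort="4444", NewProtocol="TCP",
                 NewInternalPort="4444", NewInternalClient="192.168.1.66",
                 NewEnabled="1", NewPortMappingDescription="",
                 NewLeaseDuration="0"),
]

if __name__ == "__main__":
    print(add_port_mapping(8080, "TCP", "192.168.1.10", 8080, 3600)["body"])
    print(parse_response(SAMPLE_EXTERNAL_IP_REPLY, "GetExternalIPAddress"))
    entries = [parse_response(r, "GetGenericPortMappingEntry") for r in SAMPLE_ENTRY_REPLIES]
    print("\n".join(audit_mappings(entries, {"192.168.1.10"})))
```

In practice a control point walks NewPortMappingIndex from 0 upward until the gateway returns a fault, which is how the enumeration service on the slide is used to get the complete list that the audit runs over.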
Conclusion
• DPRP accomplished its initial goals, in terms of application support (TCP & UDP) and deployability.
• Further technical analysis of UPnP is needed.
• Will IPv6 ever see mass acceptance?