Transcript nat
NAT (NAPT/PAT), STUN, and ICE
`Structure of ice II, viewed along the hexagonal c-axis.
Hydrogen bonds between the water molecules are shown as
dashed lines. Lengths are in angstroms.'' (Hobbs, 1970, p. 69,
reproduced from Hamilton et al., 1969). Ice II exists only at
pressures greater than 2000 atmospheres.
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
NAT and NAPT/PAT
• NAT = Network Address Translation
• NAPT = Network Address and Port Translation, PAT=Port
Address Translation
• Reserved & Publicly non-routable address space
– Class A: 10.x.x.x
– Class C: 192.168.x.x
– Even smaller: 172.16.x.x to 172.31.x.x
• NAT – 1:1 mapping between private & public ip addresses
private
10.1.13.1
public
132.197.8.27
`
10.1.13.2
132.197.8.28
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
NAPT/PAT
•
N:1 (private to public). Uses ports to provide further granularity for routing
on the private side.
•
Helps with the problem of ip address exhaust (IPV4).
•
Many different flavors: Full Cone, Half Cone or Strict, Symmetric, etc.
•
NAPT BREAKS PROTOCOLS THAT BURY THE IP ADDRESS INSIDE OF
THE APPLICATION LAYER (e.g., all the VoIP Signaling Protocols: SIP,
H323, MGCP as well as RTP).
•
STUN (and other) client protocols (TURN, etc.) used to discover the private
to public mappings, and to overcome the problem created by NAPT. Take a
look at new STUN (RFC 5389)
– Note: traditional STUN doesn’t work with symmetrical (or bi-directional) NAT,
which is what most high class firewalls use. (I’m not sure what’s implemented in
your voip clients – would be interesting to know). I’m told that TURN solves this,
and perhaps has been incorporated into 5389.
•
Session Border Controllers (server side) also can be used to fix the
problems created by NAPT.
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
Full Cone: Very Popular on Broadband routers
• Each private IP:Port is mapped to a single public IP:Port on the public side
of the router, regardless of destination IP address.
Source: private
Source: public
Destination: public
sip.google.com
10.1.13.1:5060
132.197.8.28:10668
`
sip.microsoft.com
• For TCP connections, the mapping is typically session state-full (stays up
until timeout or ended)
• For UDP connections, the “pinhole” is opened for a short time (seconds).
Typically, the response from the destination must go BACK to the same
ip:port as the source to get through.
• In the SIP world, registration by the client to the server is often used to
keep the pinhole open to the destination sip server.
• What’s a potential problem with this.
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
Problem with full cone NAPT?
• The foreign ip address is never checked by the NAT
router (since the same public IP:port is used to map to a
given host - private IP:port – for all foreign ip addresses).
• “Bad guys” can send scan the ports of a given public ip
address and send malicious packets to hosts behind the
NAPT.
• This problem is corrected using “strict” NAPT – in which
the router checks the foreign ip address before
forwarding the packet to a host behind the NAPT.
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
Strict NAPT: Corrects Full Cone vulnerability
• For each private IP:Port and destination IP:Port there
is a separate public IP:port on the public side of the
NAPT router
Source: private
Source: public
132.197.8.28:10668
10.1.13.1:5060
Destination: public
sip.google.com
132.197.8.28:10670
`
10.1.13.1:5060
132.197.8.28:10678
sip.microsoft.com
132.197.8.28:10680
`
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
Routing Tables
• Full Cone: For each host ip:port there is one public
ip:port regardless of destination ip:port.
Source private
10.1.1.1:5060
Source public
132.197.8.27:10566
Destination public
64.233.167.99:5060
207.46.197.32:5060
• Strict (partial cone): For each host ip:port &
destination ip address:port, there is one public ip:port.
Source private
Source public
Destination public
10.1.1.1:5060
132.197.8.27:10566
64.233.167.99:5060
10.1.1.1:5060
132.197.8.27:12268
207.46.197.32:5060
10.1.1.1:5062
132.197.8.27:12372
64.233.167.99:5062
10.1.1.2:5060
132.197.8.27:12384
64.233.167.99:5060
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
STUN: Simple Traversal of UDP Networks
• USED to “discover” the public address:port
mapping from the private side of the network.
• STUN client STUN server in the network,
which echo’s information back.
• Asks different questions (scans ip address and
ports) to answer the question – what type of NAT
is running on your broadband router, and how to
modify the private ip address’ and ports to make
the protocol(s) work!
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
Example of a STUN Session
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
STUN Debug (continued)
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.
STUN Decision Tree (see Wikipedia)
http://en.wikipedia.org/wiki/File:STUN_Algorithm3.svg
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved.