Symmetric NAT


A New Method for Symmetric NAT
Traversal in UDP and TCP
Speaker :Kai-Sheng Yang
Advisor :Dr. Kai-Wei Ke
2016/10/5
Outline

Network Address Translator (NAT)

Existing traversal methods

New method

Experiment

Conclusion

Reference
1
Network Address Translator (NAT)

Translate private IP addresses to a global IP address.

Enable multiple hosts on a private network to access the Internet using a single public IP address.
2
Network Address Translator (NAT)

Full Cone NAT (1 to 1)

Restricted Cone NAT

Port Restricted Cone NAT

Symmetric NAT
3
Network Address Translator (NAT) Cont.

Full Cone NAT (1 to 1)
4
Network Address Translator (NAT) Cont.

Restricted Cone NAT
5
Network Address Translator (NAT) Cont.

Port Restricted Cone NAT
6
Network Address Translator (NAT) Cont.

Symmetric NAT
Unique mapping
7
P2P and NAT (Problem)

P2P networks are based on global IP addresses.

Users behind NAT devices cannot connect to the P2P network.
8
Existing Traversal Methods

UPnP (Universal Plug and Play), ICE (Interactive Connectivity Establishment), ALG (Application Layer Gateway), TURN (Traversal Using Relay NAT) …

STUN (Simple Traversal of UDP through NAT)
9
Simple Traversal of UDP through NAT (STUN)

No existing NAT traversal technique can be successfully applied to symmetric NATs.
10
New Method
UDP NAT traversal:
- Applicable to symmetric NATs.
- Based on “Port Prediction”.
11
How to Traverse Symmetric NAT

Simulate normal UDP communications
- The IP address and port number used must correspond to the NAT's mapping.
1. Establish direct communication between two end points.
2. Predict the port numbers of the NATs.
12
Phase 1
F1: S1 gets the information of a port# translated by NAT a.
F2: Send it back to the echo client.
F3: S2 analyzes the port# of NAT a and records it.
13
Phase 2
F4: S1 gets the information of a port# translated by NAT b.
F5: Send it back to the echo client.
F6: S2 analyzes the port# of NAT b and records it.
14
Phase 3
Port Prediction

If NAT a uses port #700 in F1 and port #701 in F3, we can predict that the punching mode of NAT a is incremental and that the next port number will be 702.

If NAT b uses port #5000 in F4 and port #5001 in F6, we can predict that the punching mode of NAT b is incremental and that the next port number will be 5002.
15
Phase 3 (cont’)
[Figure: host 192.168.0.2 behind NAT a (public address 133.9.81.186) and host 192.168.0.1 behind NAT b (public address 133.9.81.62)]
F7: Predict NAT a's port# for hole punching (i.e. #702).
F8: Send a large number of packets with a low TTL value.
Mapping Table of NAT b:
192.168.0.1:xx uses port 5002 for 133.9.81.186:702
…
16
Phase 3 (cont’)
[Figure: same topology as above]
F9: Predict NAT b's port# for hole punching (i.e. #5002).
F10: The echo client sends a large number of packets to the echo server. If one of the echo client's source port#s matches the destination port# mapped by NAT b --> traverse successfully.
Mapping Table of NAT a:
192.168.0.2:yy uses port 702 for 133.9.81.62:5002
…
F11: P2P connection established.
17
Phase 3 (cont’)
18
New Method: UDP Multi Hole Punching Features

Normal UDP communications
- The existing method uses another extra IP address.

Precise port number prediction
- Observe the port translation algorithm: increment, decrement, leap
19
New Method: UDP Multi Hole Punching – Features (Cont.)

Control port numbers
- Control random port algorithm.
- Binding port numbers.

Utilize many port numbers
- High success rate of hole punching.
20
Experiment

Use WinStun to determine the type of NATs.

Use Wireshark to capture packets.

Test the performance of the new method for UDP NAT traversal.
21
[Figure: experiment topology with addresses 133.9.81.66 and 133.9.81.63]
22
Results

9 routers tested (3 routers were symmetric NATs).

The success ratio of P2P communication with our new method was 97%.

Succeeded in port prediction and control of port numbers.
23
24
Results (Cont.)

[Figure: control of port numbers, random vs. increment]
25
Conclusion

Succeeded in port prediction.

Succeeded in control of port numbers.

The new method achieves a success rate of 97%.

The high success rate can justify the overhead cost of the proposed method.
26
References

Wei, Y., Yamada, D., Yoshida, S., Goto, S.: A New Method for Symmetric NAT Traversal in UDP and TCP. Network 4, 8 (2008)

http://www.cs.nccu.edu.tw/~lien/Writing/NGN/firewall.htm

https://tools.ietf.org/html/rfc4787
27
Thanks.
28