1 / 46

Network Address Translation

Network Address Translation. Dr. Danny Tsang Department of Electronic & Computer Engineering Hong Kong University of Science and Technology. Outline. What are Firewall and NAT? Problems created by Firewall and NAT? Solutions Traversal of NAT/Firewall. Goal

lali
Download Presentation

Network Address Translation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Address Translation Dr. Danny TsangDepartment of Electronic & Computer EngineeringHong Kong University of Science and Technology NAT

  2. Outline • What are Firewall and NAT? • Problems created by Firewall and NAT? • Solutions • Traversal of NAT/Firewall • Goal • Understand how firewall and NAT function • Be aware of problems created by Firewall and NAT • Master the NAT traversal techniques NAT

  3. public Internet administered network firewall firewall Firewalls isolates organization’s internal net from open Internet, protect the local network from being accessed by unauthorized sources NAT

  4. Firewalls: Why prevent denial of service attacks: • SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections. prevent illegal modification/access of internal data. • e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network (set of authenticated users/hosts) two types of firewalls: • application-level • packet-filtering NAT

  5. internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits Packet Filtering Should arriving packet be allowed in? Departing packet let out? NAT

  6. Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked. Example 2: Block inbound TCP segments with ACK=0. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Packet Filtering NAT

  7. ALG filters packets on application messages while firewall filters packets on IP/TCP/UDP fields. Example: allow select internal users to telnet outside. Application gateways gateway-to-remote host telnet session host-to-gateway telnet session application gateway router and filter 1. Require all telnet users to telnet through ALG. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router blocks all telnet connections not originating from ALG. NAT

  8. Default Behavior of Firewall • A firewall identifies networks as inside or outside • Packets can get from the inside to the outside • Packets from the outside that are associated with an inside originated connections are allowed back in • Packets originated from the outside are not allowed to the inside NAT

  9. IP spoofing: router can’t know if data “really” comes from claimed source if multiple app’s. need special treatment, each has own app. gateway. client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser filters often use all or nothing policy for UDP. tradeoff: degree of communication with outside world, level of security many highly protected sites still suffer from attacks. Limitations of firewalls and gateways NAT

  10. NAT: Network Address Translation rest of Internet local network (e.g., home network) 10.0.0/24 10.0.0.1 10.0.0.4 10.0.0.2 138.76.29.7 10.0.0.3 Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual) All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers NAT

  11. NAT: Network Address Translation • Motivation: local network uses just one IP address as far as outside word is concerned: • no need to be allocated range of addresses from ISP: - just one IP address is used for all devices • can change addresses of devices in local network without notifying outside world • can change ISP without changing addresses of devices in local network • devices inside local net not explicitly addressable, visible by outside world (a security plus). NAT

  12. NAT Traversal in VoIP • NATs map a private IP address space to externally visible (public) IP addresses • Conserve limited public IP addresses • Shield internal hosts from outside world • Useful for enterprises, cable modem networks, broadband access routers, internet cafes… • NATs interfere with peer-to-peer protocols such as SIP • SIP clients must identify the IP address and ports they will use to receive media streams (in payload of their signaling messages) • But they don’t know their externally visible addresses • “One of the SIP community’s biggest problems” NAT

  13. NAT: Network Address Translation Implementation: NAT router must: • outgoing datagrams:replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #) . . . remote clients/servers will respond using (NAT IP address, new port #) as destination addr. • remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair • incoming datagrams:replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table NAT

  14. 3 1 2 4 S: 10.0.0.1, 3345 D: 128.119.40.186, 80 S: 138.76.29.7, 5001 D: 128.119.40.186, 80 1: host 10.0.0.1 sends datagram to 128.119.40, 80 2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table S: 128.119.40.186, 80 D: 10.0.0.1, 3345 S: 128.119.40.186, 80 D: 138.76.29.7, 5001 NAT: Network Address Translation NAT translation table WAN side addr LAN side addr Bindings can only be initiated by outgoing traffic 138.76.29.7, 5001 10.0.0.1, 3345 …… …… 10.0.0.1 10.0.0.4 10.0.0.2 138.76.29.7 10.0.0.3 4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 3: Reply arrives dest. address: 138.76.29.7, 5001 NAT

  15. NAT: Pros • Use of a single registered IP address for an entire network • Independence of ISP IP addresses • Transparent to end systems in some cases (increased security) • Delays need for IPv4 replacement • 16-bit port-number field: 60,000 simultaneous connections with a single WAN-side address! • Mask the true internal IP addresses of the internal network NAT

  16. NAT: Cons • Violates end-to-end argument • NAT possibility must be taken into account by app designers, e.g, P2P application • Increases local support burden and complexity NAT

  17. Outline • What are Firewall and NAT? • Problems created by Firewall and NAT? • Solutions • Traverse of NAT/Firewall NAT

  18. NAT & Firewall Problem • NAT & Firewall are employed to prevent hackers or unauthorized persons to access to the internal network • Voice and video over IP are not NAT & Firewall friendly • Provide secure two-way communication connection cross the NAT & Firewall • Firewall Problem • NAT Problem NAT

  19. Firewall Problem for VoIP A Internet B 4.INVITE 1. INVITE 3.Media 2.OK 5. Media (A) 5.Media (B) 1. User A is able to call User B since the firewall allows inside to outside sessions 2. User B is able to respond back to User A at the VoIP signaling layer 3. PROBLEM: Media traffic sent by User B from outside will be blocked since it uses a different socket than the VoIP signaling 4. PROBLEM: If User B tries to initiate a call to User A, it will be blocked by firewall 5. PROBLEM: If symmetric RTP is not used, the RTP fails to get back inside from B (S-RTP = the UA uses the same socket/port for sending and receiving the RTP) NAT

  20. NAT Problem for VoIP Internet 202.123.211.25 1. INVITE 2. OK 10.0.0.1 ? 3. Media 1. User A sends an invite to User B, NAT translate the layer 3 address, but not the layer 5 (SIP,SDP) addresses 2. User B receives the invite and responds back to the NAT address 3. PROBLEM: User B tries to send RTP to User A with IP:Port (c= 10.0.0.1 :m= 8000), but this fails since it can not route to User A • Notes: VoIP devices on the Internet • cannot make calls to private address (where to send them?) • do no know the type of NAT being used (cone, symmetric and so on), so they do not • know about what kinds of bindings to use • do not know if the bindings are still open NAT

  21. Sip trace Internal IP address 001INVITE sip:12125551212@211.123.66.222 SIP/2.0 002 Via: SIP/2.0/UDP 211.123.66.223:5060;branch=a71b6d57-507c77f2 003Via: SIP/2.0/UDP 10.0.0.1:5060;received=202.123.211.25;rport=12345 004 From: <sip:2125551000@211.123.66.223>;tag=108bcd14 005To: sip: 12125551212@211.123.66.222 006 Contact: sip: 2125551000@10.0.0.1 007Call-ID: 4c88fd1e-62bb-4abf-b620-a75659435b76@10.3.19.6 008 CSeq: 703141 INVITE 009 Content-Length: 138 010Content-Type: application/sdp 011User-Agent: HearMe SoftPHONE 012 013 v=0 014o=deltathree 0 0 IN IP4 10.0.0.1 015 s=deltathree 016c=IN IP4 10.0.0.1 017t=0 0 018m=audio 8000 RTP/AVP 4 019a=ptime:90 020a=x-ssrc:00aea3c0 SIP Signaling External IP address seen by SIP proxy from outside SDP Signaling Internal IP address for RTP stream NAT

  22. Symmetric RTP • Classical RTP is unidirectional (i.e.two RTP sessions, one in each direction) • Endpoints use UDP port symmetry to establish bi-directional traffic • Sending and receiving ports for the RTPand RTCP traffic should be the same on the endpoint behind the NAT/Firewall • Connection oriented • Usage • require that endpoints use UDP port symmetry to establish bi-directional traffic NAT

  23. Solution to NAT Traversal Let clients be aware of their external IP:PORT • Ask the NAT • Universal Plug and Play (UPnP) • Ask someone outside the NAT • Simple Traversal of UDP Through NATs (STUN) • Traversal Using Relay NAT (TURN) • Interactive Connectivity Establishment (ICE) • Make NAT & Firewall SIP friendly • Application Layer Gateway NAT

  24. Universal Plug and Play (UPnP) • Proposed by Microsoft • Client talks with NAT gateway and askabout IP and ports • Will NOT work with cascading NAT NAT

  25. Universal Plug and Play (UPnP) 1. What is my IP:Port assigned 40.50.60.70 2. 40.50.60.70:9001 Source 10.0.0.1:8000 Will NOT work with cascading NAT for security issue NAT

  26. Solution to NAT/Firewall Traversal Let clients be aware of their external IP:PORT • Ask the NAT • Universal Plug and Play (UPnP) • Ask someone outside the NAT • Simple Traversal of UDP Through NATs (STUN) • Traversal Using Relay NAT (TURN) • Interactive Connectivity Establishment (ICE) • Make NAT & Firewall SIP friendly • Application Layer Gateway NAT

  27. STUN • Simple Traversal of UDP Through NATs • Types of NATs • Full Cone • (Address) Restricted Cone • Port Restricted Cone • Symmetric • Not suitable for Symmetric NAT Increasing security NAT

  28. Types of NATs: Full Cone 143.89.47.012:7868 NAT translation table LAN side addrWAN side addr 10.0.0.1,8000 40.50.60.70,9000 …… …… Client C Client A 40.50.60.70 166.111.25.36:7865 10.0.0.4 10.0.0.1:8000 Client B 45.36.245.57:6988 All the incoming traffic can get through from the pinhole to client A if they know the IP : Port mapping Client D NAT

  29. Types of NATs: (Address) Restricted Cone NAT translation table LAN side addrWAN side addr Traffic from B with different source ports can get through 143.89.47.012:7868 10.0.0.1,8000 40.50.60.70,9000 …… …… Client C 166.111.25.36:7865 Client A 40.50.60.70 166.111.25.36:7865 10.0.0.4 166.111.25.36:2134 10.0.0.1:8000 Client B 45.36.245.57:6988 Filter traffic only by IP : block incoming traffic from other IP (client C and D) address. Incoming traffic from same authorized IP but different ports will be accepted Client D NAT

  30. Types of NATs: Port Restricted Cone NAT translation table LAN side addrWAN side addr 143.89.47.012:7868 10.0.0.1, 8000 40.50.60.70, 9000 …… …… Client C Client A 40.50.60.70 166.111.25.36:7865 166.111.25.36:7865 10.0.0.4 10.0.0.1:8000 Client B 166.111.25.36:2134 45.36.245.57:6988 Filter by both IP and Port: set up one to many mapping Client D NAT

  31. Types of NATs: Port Restricted Cone (con’t) NAT translation table LAN side addrWAN side addr Only one entry is set up in the table for 10.0.0.1:8000 to different clients outside 143.89.47.012:7868 10.0.0.1, 8000 40.50.60.70, 9000 …… …… Client C Client A 40.50.60.70 166.111.25.36:7865 166.111.25.36:7865 10.0.0.4 10.0.0.1:8000 Client B 166.111.25.36:2134 45.36.245.57:6988 Filter by both IP and Port: set up only one entry for multiple remote clients Client D NAT

  32. Types of NATs: Symmetric NAT translation table LAN side addrWAN side addr 143.89.47.012:7868 10.0.0.1, 8000 40.50.60.70, 9000 10.0.0.1, 8000 40.50.60.70, 9001 Client C 40.50.60.70:9000 Client A 40.50.60.70 166.111.25.36:7865 10.0.0.4 40.50.60.70:9001 Client B 10.0.0.1:8000 45.36.245.57:6988 Filter by both IP and Port, NAT assign a mapping for each source-destination pair Client D NAT

  33. STUN • This works IF: • The client send and receive RTP on thesame port (why ?) • SIP request must be sent immediately. Aftera while the mapping might change • In the case of Address Restricted Cone or PortRestricted Cone it must send out data to theother end first • External Query • Ask a server on the Internet what I “look” like • Compared the returned answer (external address) with my own address (local internal address) • Put my “real address” in signaling to allow media traffic in NAT

  34. STUN Solution 3. Incoming media get through with the informed IP:Port 1. Send query to STUN server to ask IP:Port assigned by NAT 2. Put assigned IP:Port in SDP Useless for symmetric NAT since holes punctured by STUN can not be used by others Symmetric NAT case NAT translation table LAN side addrWAN side addr Assigned for STUN by NAT 10.0.0.1, 800040.50.60.70, 9000 10.0.0.1, 800040.50.60.70, 9001 Assigned for RTP by NAT, RTP is only authorized to get through using 9001 but not 9000 due to the NAT/Firewall combination NAT

  35. STUN (Cont’) • With the information sent by STUN, client can determine • If it is on the open Internet • If it is behind a firewall that blocks UDP • If it is behind a NAT and what type of NAT it is behind • Will NOT work for symmetric NAT • Typical in Large Enterprise NAT

  36. TURN • Solve ‘Symmetric’ NAT case by allowing Media Flows Through TURN Server directly • Not the case with STUN servers • Increase voice latency • Increase probability of packet loss • Few SIP clients support TURN today (complex and not-yet a standard) • No free TURN server available (only commercial) • Skype seems to support TURN NAT

  37. TURN Solution Media makes use of the hole punctured by TURN directly NAT translation table LAN side addr WAN side addr 10.0.0.1, 800040.50.60.70, 9000 … … Assigned for both TURN and SIP by NAT NAT

  38. Interactive Connectivity Establishment • Learns about the network topology in which the clients exist and the various sets of network addresses by which these devices can communicate • Framework to unify the various NAT traversal techniques • STUN, TURN and Realm Specific IP (RSIP) • Benefits from the collective functionality of each while avoiding any one protocol's drawback NAT

  39. TURN,STUN Servers Initiator Responder Client A Client B 1. Gather address The more The happier 2. Initiate Messages (INVITE) 3. Gather address (200 OK) 4. Accept Messages Highest Preference Address Is Used 5. Address-fixing 6. Address-fixing 7. Media 8. Media NAT

  40. ICE • ICE Properties • Always will find a means for communicating if one physically exists • Always finds the communications path with fewest relays • Always finds the communication path cheapest for the service provider • Does not require any knowledge of topology, NAT types, or anything • Can guarantee that the phone won’t ring unless audio works when you pickup NAT

  41. Solution to NAT Traversal Let clients be aware of their external IP:PORT • Ask the NAT • Universal Plug and Play (UPnP) • Ask someone outside the NAT • Simple Traversal of UDP Through NATs (STUN) • Traversal Using Relay NAT (TURN) • Interactive Connectivity Establishment (ICE) • Make NAT & Firewall SIP aware • Application Layer Gateway NAT

  42. Application Layer Gateway • Make Firewall/NAT SIP aware • Analyze the address information inside the packet payload and dynamically open or close holes for media communications • Needed to be updated for each new application which restricts it for large corporate networks • No commercial SIP ALGs today NAT

  43. Application Layer Gateway Solution Understanding the signaling messages and their relationship with resulting media flows ---- Media Friendly NAT

  44. Solution to NAT Traversal Let clients be aware of their external IP:PORT • Ask the NAT • Universal Plug and Play (UPnP) • Ask someone outside the NAT • Simple Traversal of UDP Through NATs (STUN) • Traversal Using Relay NAT (TURN) • Interactive Connectivity Establishment (ICE) • Make NAT & Firewall SIP aware • Application Layer Gateway NAT

  45. Summary • Problem address • Provide “secure” “two-way” communication connection cross the NAT & Firewall • Traverse techniques mainly used • Universal Plug and Play (UPnP) • Simple Traversal of UDP Through NATs (STUN) • Traversal Using Relay NAT (TURN) • Interactive Connectivity Establishment (ICE) • Application Layer Gateway NAT

  46. T. Dierks and C. Allen, “The TLS protocol version 1.0,” , United States, 1999. S. Blake-Wilson, M. Nystrom, D. Hopwood, J. Mikkelsen, and T. Wright, “Transport layer security (TLS) extensions,” , United States, 2003. J. Rosenberg, J. Weinberger, C. Huitema, and R. Mahy, “STUN: Simple traversal of user datagram protocol (UDP) through network address translators (NATs),” , United States, 2003. J. Rosenberg, R. Mahy, and C. Huitema, “TURN: traversal using relay NAT,” July 2004, Internet draft, Work in progress, Internet Engineering Task Force. J. Rosenberg, “Interactive connectivity establishment (ICE): A methodology for network address translator (NAT) traversal for multimedia session establishment protocols,” 2005, work in Progress RFC draft. [Online]. Available: http://ietfreport.isoc.org/ids/draft-ietf-mmusic-ice-05.txt Cisco white paper: VoIP Traversal of NAT and Firewall T. Chapuran, “Voice over IP: Architectures, applications and challenges,” 2002, telcordia Technologies. [Online]. Available: http://www.umiacs.umd.edu/docs/voip tc.ppt Reference NAT

More Related