
The Dynamic Port Reservation Protocol


Presentation Transcript


  1. The Dynamic Port Reservation Protocol
     Andrew Reitz (ajr9@po.cwru.edu)
     Advisor: Robin Kravets (rhk@cs.uiuc.edu)

  2. The Internet Today
     • Much to the chagrin of the technical community, the Internet is still based on IPv4.
     • Technologies like Network Address Translation have gained prominence, lengthening the life of IPv4.
     • The rate of IPv6 adoption is slow.

  3. Network Address Translation
     • Allows one valid public IP address to be shared by many machines, via a gateway that dynamically modifies the source and destination IP addresses and port numbers of packets that traverse it.
     • Breaks the one-to-one IP address to Internet host model.
     • Establishes the notion of public versus private hosts.

  4. The Benefits of NAT
     • In general, NAT works well for the most prevalent Internet applications:
       • Web, E-mail, FTP (passive mode), streaming audio/video, etc.
     • Security is increased, because unsolicited in-bound connections are not permitted to private hosts, and because the presence of private hosts is occluded.

  5. The “Problem” With NAT
     • In the last several years, there has been a large growth in applications that demand unsolicited in-bound connectivity:
       • All peer-to-peer applications (file sharing, instant messaging, personal video conferencing, multiplayer games, etc.).
       • Security protocols, like IPsec.
     • Prominence from the “Napster Bubble”.

  6. Potential Solutions
     • This problem has been “solved”, in various ways, by several other people and groups:
       • Dan Kegel published a “UDP Hack”.
       • The IETF is working on “Realm-Specific IP”.
       • Eugene Ng (CMU) created the “Address Virtualization Enabling Service” (AVES).

  7. Dan Kegel’s UDP Hack
     • Relies upon UDP’s connectionless nature and the NAT gateway’s ability to preserve port numbers.
     • Private hosts learn each other’s public IP address and port via a third party.
     • Each host begins sending UDP datagrams to the other’s public IP, forging enough state in each NAT gateway for a connection.

  8. (slide with no transcribed text)

  9. Pros and Cons of UDP Hack
     • Pros:
       • Minimal set of changes to existing Internet infrastructure.
       • Can be added by application developers on an as-needed basis.
     • Cons:
       • Fails when the NAT gateway must translate ports.
       • Only works with UDP.

  10. Realm-Specific IP
     • A new IETF draft, which aims to restore complete connectivity to private hosts.
     • An RSIP-enabled host can obtain a lease on a public IP address from an RSIP-enabled gateway.
     • The host builds “public” packets and passes them to the gateway via a tunnel; the gateway injects the packets into the network.

  11. (slide with no transcribed text)

  12. Pros and Cons of RSIP
     • Pros:
       • Restores complete connectivity for private hosts: even IPsec works.
     • Cons:
       • Requires extensive infrastructure modifications: private host IP stack, NAT gateway, application modification.
       • The public IP address pool weakens NAT’s address-conservation gains.

  13. AVES
     • Connectivity for NAT-friendly applications.
     • Private hosts are enumerated in DNS.
     • The DNS server works in conjunction with a waypoint server to establish a private-to-public address mapping.
     • The waypoint server tunnels traffic bound for the private host to the NAT gateway.

  14. (slide with no transcribed text)

  15. Pros and Cons of AVES
     • Pros:
       • Transparent to existing hosts.
       • Supports public servers behind NAT.
     • Cons:
       • DNS maintenance adds complexity.
       • Exhaustion of the public IP pool amounts to a DoS.
       • Ingress filtering at the edge router requires all traffic to be forwarded through the waypoint.

  16. Room For A Better Method
     • The ideal solution makes it easy to support the widespread class of applications (P2P).
     • Must support TCP and UDP.
     • In order to be deployable, cannot modify the host IP stack or Internet routers.
     • Shouldn’t require extra infrastructure, such as proxies that don’t scale or can fail.

  17. Enter DPRP
     • Aim is to make the port-forwarding functionality of most NAT gateways more accessible.
     • Develop a protocol so that applications can signal the NAT gateway to reserve a port.
     • Apply DHCP techniques for managing reserved ports.

  18. More Explanation
     • DPRP allows end-users to reserve specific TCP or UDP ports on the NAT gateway.
     • Unsolicited in-bound packets to a reserved port are redirected to the private host.
     • A port reservation takes the form of a lease.
     • The address/port pair can be advertised through “normal” channels (URL, P2P registry, etc.).

  19. (slide with no transcribed text)

  20. Sample Implementation
     • Client and server were written in Java.
     • A GUI client allows end-users to reserve ports for legacy applications (web servers, etc.).
     • The Java Napster client, XNap, was modified to include DPRP client functionality.
     • The Java DPRP server interacted with the NAT gateway via iptables commands.

  21. Security Implications
     • DPRP doesn’t poke any new holes in the NAT gateway; it simply moves port forwarding from administrator to user control.
     • Only as secure as the applications exposed on the reserved ports.
     • The administrator has controls over DPRP use.
     • DPRP-enabled worms could pose problems.
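An added illustration of the lease model slides 17, 18 and 21 describe; this is not the presentation's Java implementation. The toy server below enforces administrator policy (a permitted public port range, a per-host cap and a maximum lease duration, all constructed values), expires leases, and renders the iptables DNAT rule the gateway would apply, returned as a string rather than executed:

```python
from dataclasses import dataclass

@dataclass
class Lease:
    proto: str         # "tcp" or "udp"
    public_port: int   # port on the gateway's public address
    private_host: str  # private host the traffic is redirected to
    private_port: int
    expires_at: float  # lease expiry, in seconds on the server's clock

class PortReservationServer:
    def __init__(self, allowed_ports=range(10000, 20000), max_per_host=4, max_lease=3600):
        # Administrator policy (constructed defaults): which public ports users
        # may claim, how many leases one host may hold, and the longest lease.
        self.allowed_ports, self.max_per_host, self.max_lease = allowed_ports, max_per_host, max_lease
        self.leases = {}  # (proto, public_port) -> Lease

    def reserve(self, proto, public_port, private_host, private_port, lease_secs, now):
        if proto not in ("tcp", "udp"):
            raise ValueError("only tcp and udp ports can be reserved")
        if public_port not in self.allowed_ports:
            raise PermissionError(f"port {public_port} is not open to user reservation")
        self.expire(now)  # drop stale leases before looking for conflicts
        if (proto, public_port) in self.leases:
            raise RuntimeError(f"{proto}/{public_port} is already leased")
        held = sum(1 for l in self.leases.values() if l.private_host == private_host)
        if held >= self.max_per_host:
            raise PermissionError(f"{private_host} already holds {held} leases")
        lease = Lease(proto, public_port, private_host, private_port,
                      now + min(lease_secs, self.max_lease))  # clamped to the admin maximum
        self.leases[(proto, public_port)] = lease
        return lease

    def release(self, proto, public_port, private_host):
        lease = self.leases.get((proto, public_port))  # only the holder may release
        if lease is None or lease.private_host != private_host:
            raise PermissionError("no such lease held by this host")
        return self.leases.pop((proto, public_port))

    def expire(self, now):
        # Returns the leases that lapsed so the caller can tear their rules down
        gone = [l for l in self.leases.values() if l.expires_at <= now]
        for l in gone:
            del self.leases[(l.proto, l.public_port)]
        return gone

    def iptables_rule(self, lease, action="-A"):
        # DNAT rule the gateway would apply for a lease; "-D" removes it at expiry
        return (f"iptables -t nat {action} PREROUTING -p {lease.proto} --dport {lease.public_port} "
                f"-j DNAT --to-destination {lease.private_host}:{lease.private_port}")
```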

  22. Microsoft Stole My Idea
     • It appears as if a new technology called Universal Plug ‘n Play incorporates all of these ideas.
     • UPnP is a network service discovery platform.
     • Network elements can query each other in order to disseminate capabilities.

  23. “UPnP NAT Traversal Solution”
     • A subset of UPnP that purports to provide the following services:
       • Discovery of the public IP address.
       • Enumeration of existing port mappings.
       • Addition and removal of port mappings.
       • Assignment of lease times to port mappings.
     • Goes the “last mile”, and takes care of the transparency problems that DPRP had.

  24. Conclusion
     • DPRP accomplished its initial goals, in terms of application support (TCP & UDP) and deployability.
     • Further technical analysis of UPnP is needed.
     • Will IPv6 ever see mass acceptance?
