P2P TCP behavior through NAT’s

This article discusses the challenges of P2P TCP behavior through NAT's and presents three possible solutions, including port prediction, allowing incoming SYN's, and port reservation.


  1. P2P TCP behavior through NAT’s
     Nagendra Modadugu, nagendra@cs.stanford.edu

  2. The Problem
     • Two peers, both behind NAT’s
     • Possibly multiply NAT’ed
     • Server available for assistance
     • E.g. iChat, Yahoo! chat, NetMeeting, BitTorrent, KaZaa
     [Diagram: A behind NAT_A, B behind NAT_B, server S reachable by both]

  3. Solution 1: No changes to NAT
     • A & B send ISN’s to S
     • S “determines” external port numbers
     • A & B send SYN’s towards each other
     • S generates forged SYN/ACK’s
     [Diagram: A (port 3210, ISN 0xAD..) behind NAT_A and B (port 5476, ISN 0xF5..) behind NAT_B, each with a control channel to S; A sends SYN (ISN:0xAD..; Port:3210), B sends SYN (ISN:0xF5..; Port:5476); S sends a forged SYN/ACK towards each side; A and B answer with ACK]

  4. Pros and Cons of Solution 1
     • Pros
       • Works without changing NAT’s
     • Cons
       • Port # prediction may fail
       • Egress/ingress filtering may block forged packets
       • How portable is SO_REUSEPORT?

  5. Solution 2: No forged packets
     • A & B send ISN’s to S
     • S “determines” external port numbers
     • A & B send SYN’s towards each other
     [Diagram: A (port 3211) behind NAT_A and B (port 5477) behind NAT_B, each with a control channel to S; A sends SYN (Port:3211), B sends SYN (Port:5477); the SYN’s cross, followed by SYN/ACK and ACK]

  6. Pros and Cons of Solution 2
     • Pros
       • No changes needed to NAT devices
     • Cons
       • Port # prediction may fail
       • Requires NAT’s to allow incoming SYN’s
       • How portable is SO_REUSEPORT?

  7. Solution 3: Port Reservation
     [Diagram labels, A behind NAT_A, B behind NAT_B, S in the middle: “Reserve request: Port 3733, Auth info: Incoming Seq # 0xD2..”; “Port 3733 rsrvd”; “Auth info: Seq # 0xD2..”; “SYN (Seq:0xD2..; Port 3733)”; “SYN/ACK”; “ACK”]

  8. Pros and Cons of Port Reservation
     • Pros
       • No port number guessing; works reliably
       • Works even if NAT’s on only one side are upgraded
       • Client code simpler
       • Port reservation can be implemented as an ALG
     • Cons
       • Need to define and deploy a new protocol for implementing port reservation
       • ALL the NATs on one side must be upgraded

  9. Summary
     • Evaluated 3 possible solutions
     • Two require no changes to NAT devices
     • Port reservation will take time to adopt
       • Deployment on client through an application proxy
       • No need to change application software
     • Recommendations:
       • Port-restricted cone NAT’s are the way to go
       • Allow (address and port restricted) incoming SYN’s
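The port-prediction step of Solutions 1 and 2 (S “determines” the external port, then each peer sends a SYN towards the other) and the two ways it fails (“Port # prediction may fail”, “Requires NAT’s to allow incoming SYN’s”) can be worked through in a small simulation. The following Python is an added example, not code from the slides or from the author; the NAT model, the `probe`/`predict_external_port`/`hole_punch` helpers and all addresses and port numbers are constructed for illustration. It models a NAT that either reuses one external port for every destination (cone behaviour, as recommended in the summary) or allocates a fresh port per destination, with sequential or random allocation, and admits an inbound SYN only from an endpoint the inside host has already sent to (the address- and port-restricted rule).

```python
"""Toy simulation of TCP hole punching through two NATs (constructed example)."""
import random

SERVER_IP = "198.51.100.1"  # constructed address for the assisting server S


class NAT:
    """Constructed NAT model.

    cone=True   : one external port per internal (ip, port), whatever the destination
    cone=False  : a fresh external port per (internal socket, destination)
    policy      : 'sequential' (external ports increase by one) or 'random'
    allow_inbound_syn : whether a SYN matching an existing mapping is let in at all
    """

    def __init__(self, public_ip, cone=False, policy="sequential",
                 first_port=3210, seed=1, allow_inbound_syn=True):
        self.public_ip = public_ip
        self.cone = cone
        self.policy = policy
        self.next_port = first_port
        self.rng = random.Random(seed)
        self.allow_inbound_syn = allow_inbound_syn
        self.mappings = {}   # mapping key -> external port
        self.permits = set()  # (external port, remote ip, remote port) the inside host sent to

    def _alloc(self):
        if self.policy == "sequential":
            port, self.next_port = self.next_port, self.next_port + 1
            return port
        return self.rng.randrange(1024, 65536)

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Inside host sends a SYN; returns the (public ip, external port) the NAT used."""
        key = (int_ip, int_port) if self.cone else (int_ip, int_port, dst_ip, dst_port)
        if key not in self.mappings:
            self.mappings[key] = self._alloc()
        ext = self.mappings[key]
        self.permits.add((ext, dst_ip, dst_port))
        return self.public_ip, ext

    def inbound_allowed(self, ext_port, src_ip, src_port):
        """Address- and port-restricted rule: admit only from an endpoint already sent to."""
        return self.allow_inbound_syn and (ext_port, src_ip, src_port) in self.permits


def probe(nat, int_ip, int_port):
    """Peer opens two connections to S from one local port; S records both external ports."""
    _, p1 = nat.outbound(int_ip, int_port, SERVER_IP, 5000)
    _, p2 = nat.outbound(int_ip, int_port, SERVER_IP, 5001)
    return p1, p2


def predict_external_port(p1, p2):
    """S's guess for the port the NAT will use for the peer-to-peer SYN."""
    if p1 == p2:
        return p1       # cone behaviour: the same mapping serves any destination
    if p2 == p1 + 1:
        return p2 + 1   # sequential allocation: next port in the sequence
    return None         # random allocation: no useful prediction


def hole_punch(nat_a, nat_b):
    """Solution 2 flow: predict both external ports, then both peers SYN towards each other."""
    a_int, b_int = ("10.0.0.2", 3210), ("192.168.1.2", 5476)   # constructed inside endpoints
    pa = predict_external_port(*probe(nat_a, *a_int))
    pb = predict_external_port(*probe(nat_b, *b_int))
    if pa is None or pb is None:
        return False, "port prediction failed"
    # Each peer sends a SYN (same local port as the probes) to the other's predicted endpoint
    _, ext_a = nat_a.outbound(*a_int, nat_b.public_ip, pb)
    _, ext_b = nat_b.outbound(*b_int, nat_a.public_ip, pa)
    if (ext_a, ext_b) != (pa, pb):
        return False, "NAT used an unpredicted port"
    # Each SYN now arrives at the far NAT and is admitted only if it matches a permit
    a_ok = nat_b.inbound_allowed(ext_b, nat_a.public_ip, ext_a)
    b_ok = nat_a.inbound_allowed(ext_a, nat_b.public_ip, ext_b)
    return (a_ok and b_ok), ("established" if (a_ok and b_ok) else "inbound SYN dropped")


if __name__ == "__main__":
    print(hole_punch(NAT("203.0.113.1"), NAT("203.0.113.2", first_port=5476)))
    print(hole_punch(NAT("203.0.113.1", policy="random"), NAT("203.0.113.2", policy="random", seed=7)))
    print(hole_punch(NAT("203.0.113.1", allow_inbound_syn=False), NAT("203.0.113.2", first_port=5476)))
```

The model ignores timing: in a real exchange the first SYN to arrive is dropped if the far side's mapping does not exist yet, which is why the two SYN’s on slide 5 are sent at the same time. It also assumes both probes leave from the same local port, which is what SO_REUSEPORT is needed for in the slides.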