This article discusses the challenges of P2P TCP behavior through NAT's and presents three possible solutions, including port prediction, allowing incoming SYN's, and port reservation.
P2P TCP behavior through NAT's
Nagendra Modadugu
nagendra@cs.stanford.edu
The Problem
• Two peers, both behind NAT's
• Possibly multiply NAT'ed
• Server available for assistance
• E.g. iChat, Yahoo! chat, NetMeeting, BitTorrent, KaZaa
[Diagram: server S; peer A behind NAT_A; peer B behind NAT_B]
Solution 1: No changes to NAT
• A & B send ISN's to S
• S "determines" external port numbers
• A & B send SYN's towards each other
• S generates forged SYN/ACK's
[Diagram: control channel from A and B to S through NAT_A and NAT_B; A (Port 3210, ISN 0xAD..) sends SYN (ISN:0xAD..; Port:3210) and B (Port 5476, ISN 0xF5..) sends SYN (ISN:0xF5..; Port:5476) towards each other; S sends a forged SYN/ACK to each side; A and B each answer with an ACK]
Pros and Cons of Solution 1
Pros
• Works without changing NAT's
Cons
• Port # prediction may fail
• Egress/ingress filtering may block forged packets
• How portable is SO_REUSEPORT?
Solution 2: No forged packets
• A & B send ISN's to S
• S "determines" external port numbers
• A & B send SYN's towards each other
[Diagram: control channel from A and B to S through NAT_A and NAT_B; A (Port 3211) sends SYN (Port:3211) and B (Port 5477) sends SYN (Port:5477) towards each other; the crossing SYNs are completed with SYN/ACK and ACK]
Pros and Cons of Solution 2
Pros
• No changes needed to NAT devices
Cons
• Port # prediction may fail
• Requires NAT's to allow incoming SYN's
• How portable is SO_REUSEPORT?
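As an added illustration (not from the slides), a small Python model of the solution 2 exchange: a toy port-restricted cone NAT with sequential port allocation, S guessing the next external port from the control channel, and the two crossing SYNs. It reproduces both listed cons: an unrelated flow behind NAT_A throws the prediction off by one, and a NAT that drops inbound SYNs blocks the open. All addresses, port counters and the helper S are constructed.

```python
class Nat:
    """Toy NAT: sequential external port allocation and port-restricted cone
    filtering (an inbound SYN passes only from an address:port the inside host
    already sent to). allow_syn=False models a NAT that drops inbound SYNs."""
    def __init__(self, ext_ip, first_port, allow_syn=True):
        self.ext_ip, self.next_port, self.allow_syn = ext_ip, first_port, allow_syn
        self.maps = {}       # internal (ip, port) -> external port
        self.contacted = {}  # external port -> set of remote (ip, port)

    def outbound(self, src, dst):
        """Forward an outbound SYN; allocate the next port for a new source."""
        if src not in self.maps:
            self.maps[src] = self.next_port
            self.next_port += 1
        port = self.maps[src]
        self.contacted.setdefault(port, set()).add(dst)
        return (self.ext_ip, port)

    def inbound(self, ext_port, src):
        """Would an inbound SYN from src to ext_port reach the inside host?"""
        return self.allow_syn and src in self.contacted.get(ext_port, set())


SERVER = ("203.0.113.10", 9000)  # constructed address for the helper S

def solution2(nat_a, nat_b, noise_a=0):
    """True if the crossing SYNs of solution 2 reach both peers. noise_a is the
    number of unrelated flows NAT_A forwards between A's control connection
    and A's P2P SYN; each one consumes a port and breaks S's prediction."""
    # 1. A and B open the control channel to S; S observes their external ports
    a_seen = nat_a.outbound(("10.0.0.2", 3210), SERVER)
    b_seen = nat_b.outbound(("192.168.1.5", 5476), SERVER)
    # 2. S "determines" the next external port, assuming sequential allocation
    a_pred = (a_seen[0], a_seen[1] + 1)
    b_pred = (b_seen[0], b_seen[1] + 1)
    for i in range(noise_a):
        nat_a.outbound(("10.0.0.99", 40000 + i), ("198.51.100.1", 80))
    # 3. A and B open fresh sockets and send SYNs toward the predicted ports
    a_ext = nat_a.outbound(("10.0.0.2", 3211), b_pred)
    b_ext = nat_b.outbound(("192.168.1.5", 5477), a_pred)
    # 4. the SYNs cross; each NAT passes the other side's SYN only if the
    #    predicted port is the real mapping and its host contacted that sender
    return nat_b.inbound(b_pred[1], a_ext) and nat_a.inbound(a_pred[1], b_ext)


if __name__ == "__main__":
    print("cone NATs:", solution2(Nat("198.51.100.7", 20000), Nat("192.0.2.33", 30000)))
    print("prediction off:", solution2(Nat("198.51.100.7", 20000), Nat("192.0.2.33", 30000), noise_a=1))
    print("SYNs dropped:", solution2(Nat("198.51.100.7", 20000), Nat("192.0.2.33", 30000, allow_syn=False)))
```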
Solution 3: Port Reservation
[Diagram: A sends NAT_A a reserve request (Port 3733, Auth info: Incoming Seq # 0xD2..); NAT_A replies "Port 3733 rsrvd, Auth info: Seq # 0xD2.."; B sends SYN (Seq:0xD2..; Port 3733) through NAT_B to NAT_A; A answers with SYN/ACK; B completes with ACK; S and the control channel shown alongside]
Pros and Cons of Port Reservation
Pros
• No port number guessing: works reliably
• Works even if NAT's only on one side are upgraded
• Client code simpler
• Port reservation can be implemented as an ALG
Cons
• Need to define and deploy a new protocol for implementing port reservation
• ALL the NATs on one side must be upgraded
Summary
• Evaluated 3 possible solutions
• Two require no changes to NAT devices
• Port reservation will take time to adopt
• Deployment on client through an application proxy
  • No need to change application software
• Recommendations:
  • Port-restricted cone NAT's are the way to go
  • Allow (address and port restricted) incoming SYN's