A New Method for Symmetric NAT Traversal in UDP and TCP Yuan Wei & Daisuke Yamada & Suguru Yoshida & Shigeki Goto Waseda University {wei,daisk,yoshida,goto}@goto.info.waseda.ac.jp Wei Yuan
Agenda
• Network Address Translator (NAT)
• Existing problems in NAT traversal
• New method
• Experiment
• Conclusion

NAT (Network Address Translator)
• Translates private IP addresses to a global IP address
• NAT includes Network Address Port Translation (NAPT), which enables multiple hosts on a private network to access the Internet using a single public IP address
Full Cone NAT (Easy)
• One-to-one
2008/8/4

Restricted Cone NAT
(figure label: Another IP address)

Port Restricted Cone NAT
(figure label: another port number)

Symmetric NAT (Difficult)
(figure labels: Unique mapping, Another client)
P2P and NAT (Problem)
• P2P networks are based on global IP addresses
• Users behind NAT devices cannot connect to a P2P network
• NAT traversal has become an active area of research

Existing Methods
• No NAT traversal technique can be successfully applied to symmetric NATs
• TCP NAT traversal is difficult
• NATs have unique security filtering functions

New Method
• UDP NAT traversal: applicable to symmetric NATs
• TCP NAT traversal: applicable to simple NATs

How to Traverse Symmetric NAT
• Simulate normal UDP communications
  • The IP address and port number must correspond to those of the NAT
  • Do not use a spoofed packet from another IP address
• Establish direct communication between the two end points
• Predict the port numbers of the NATs
Phase I
F1: S1 gets the information of a port number translated by NAT a.
F2: Send it back to the echo client.
F3: S2 analyzes the port number of NAT a and records it.

Phase II
F4: S1 gets the information of a port number translated by NAT b.
F5: Send it back to the echo client.
F6: S2 analyzes the port number of NAT b and records it.

Phase III (figure)

For example
F1: port number = 700
F3: port number = 701
Next port number is 702

Phase III
F7: Predict a port number for hole punching
F8: Send a large number of packets with a small TTL value
F9: Predict a port number for hole punching
F10: Send a large number of packets
F11: P2P connection established
New Method: UDP Multi Hole Punching
• Normal UDP communications
  • The existing method uses an extra IP address
• Precise port number prediction
  • Observe the port translation algorithm: increment, decrement, leap
• Control of port numbers
  • Control the random port algorithm
• Binding of port numbers
  • Utilize many port numbers
• High success rate of hole punching
TCP Hole Punching
• SPI (Stateful Packet Inspection)
  • A function that filters TCP packets
  • A valid sequence of packets should follow the 3-way handshake:
    • [SYN] - out
    • [SYN, ACK] - in
    • [ACK] - out

How to deal with SPI
• Divide the procedure into a 3-way handshake section and a hole punching section
• The hole punching section is similar to "Simple Traversal of UDP Through NATs and TCP too" (STUNT)
• 3-way handshake section
  • Send sequence number info to the server
  • Use a low TTL (= 1) to establish; the packet does not reach the NATs
• Set the SO_REUSEADDR option with setsockopt() to combine (re-bind) the two sections
Experiment
• Use WinStun to determine the type of the NATs
• Use Wireshark to capture packets
• Evaluate Skype for NAT traversal
• Test the performance of the new method for UDP NAT traversal
• Realize TCP NAT traversal

Results
• 9 routers tested (3 routers were symmetric NAT)
• The success ratio of P2P communication with Skype was 46%
  • Skype does not use UDP hole punching when the voice quality is good
• The success ratio of P2P communication with our new method was 97%
  • The combination of Buffalo and NEC had an 80% success rate on average; the other combinations were 100% successful
• Succeeded in port prediction and control of port numbers
• Succeeded in establishing TCP connections for five NAT products out of six
Control of port numbers
(figure labels: Random, Incremental)

Conclusion
• Succeeded in port prediction
• Succeeded in control of port numbers
• Skype's success rate is 46%; our new method outperforms it with a success rate of 97%
• Succeeded in establishing TCP connections for five NAT products out of six

END