Network Address Translation - PowerPoint PPT Presentation

Presentation Transcript
Network Address Translation

Dr. Danny Tsang, Department of Electronic & Computer Engineering, Hong Kong University of Science and Technology

NAT

Outline
  • What are Firewall and NAT?
  • Problems created by Firewall and NAT?
  • Solutions
    • Traversal of NAT/Firewall
  • Goal
    • Understand how firewall and NAT function
    • Be aware of problems created by Firewall and NAT
    • Master the NAT traversal techniques

Firewalls

[Figure: a firewall sits between the public Internet and the administered network]

A firewall isolates an organization’s internal network from the open Internet and protects the local network from being accessed by unauthorized sources.

Firewalls: Why

prevent denial of service attacks:
  • SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections.

prevent illegal modification/access of internal data:
  • e.g., attacker replaces CIA’s homepage with something else

allow only authorized access to inside network (set of authenticated users/hosts)

two types of firewalls:
  • application-level
  • packet-filtering

Packet Filtering

internal network connected to Internet via router firewall

router filters packet-by-packet, decision to forward/drop packet based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.

All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP segments with ACK=0.

Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
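The two filter rules above, as an added example in Python that is not part of the slides: a stateless packet filter that inspects exactly the header fields listed on the previous slide (protocol, ports, TCP ACK bit, direction) and applies Example 1 and Example 2 to a few constructed datagrams. Example 1 is coded the way the slide explains it, as two separate drops (all UDP, all telnet); the addresses and the sample traffic are constructed for the example.

```python
# Added example (not from the slides): a stateless packet filter applying
# the slide's two rules to constructed datagrams.

from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass(frozen=True)
class Datagram:
    """Minimal view of the IP/TCP/UDP header fields a packet filter inspects."""
    direction: str          # "in" (arriving from the Internet) or "out"
    proto: int              # IP protocol field: 6 = TCP, 17 = UDP
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False       # TCP flag bits; ignored for UDP
    ack: bool = False


def rule_no_udp_or_telnet(d: Datagram) -> Optional[str]:
    """Example 1, read as the slide explains it: drop every UDP datagram
    (protocol 17) and every telnet (port 23) segment, in both directions."""
    if d.proto == IPPROTO_UDP:
        return "drop: UDP (protocol 17)"
    if 23 in (d.src_port, d.dst_port):
        return "drop: telnet (port 23)"
    return None


def rule_no_inbound_connection_setup(d: Datagram) -> Optional[str]:
    """Example 2: drop inbound TCP segments with ACK=0. Only the first SYN of
    a connection has ACK clear, so outside hosts cannot open connections to
    inside hosts, while replies to inside-initiated connections pass."""
    if d.direction == "in" and d.proto == IPPROTO_TCP and not d.ack:
        return "drop: inbound TCP with ACK=0 (connection attempt)"
    return None


RULES = [rule_no_udp_or_telnet, rule_no_inbound_connection_setup]


def filter_datagram(d: Datagram) -> str:
    """Return the first matching rule's verdict, or 'forward'."""
    for rule in RULES:
        verdict = rule(d)
        if verdict:
            return verdict
    return "forward"


# Constructed sample traffic (addresses chosen for the example).
SAMPLES = {
    "inside web client opens connection": Datagram("out", IPPROTO_TCP, "10.0.0.1", "128.119.40.186", 3345, 80, syn=True),
    "web server's SYN-ACK reply": Datagram("in", IPPROTO_TCP, "128.119.40.186", "10.0.0.1", 80, 3345, syn=True, ack=True),
    "outside host tries to connect in": Datagram("in", IPPROTO_TCP, "45.36.245.57", "10.0.0.1", 6988, 22, syn=True),
    "inside host telnets out": Datagram("out", IPPROTO_TCP, "10.0.0.1", "45.36.245.57", 4000, 23, syn=True),
    "DNS query (UDP)": Datagram("out", IPPROTO_UDP, "10.0.0.1", "128.119.40.186", 5353, 53),
}


def verdicts() -> dict:
    """Verdict per sample datagram, keyed by the sample's description."""
    return {name: filter_datagram(d) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:36s} -> {v}")
```

Note that the ACK=0 rule blocks only the connection attempt itself: the server's SYN-ACK for an inside-initiated connection carries ACK=1 and is forwarded, which is exactly the asymmetry the slide describes.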

Application gateways

[Figure: host-to-gateway telnet session, application gateway, router and filter, gateway-to-remote-host telnet session]

ALG filters packets on application messages, while a firewall filters packets on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

1. Require all telnet users to telnet through ALG.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between the 2 connections.
3. Router blocks all telnet connections not originating from ALG.

Default Behavior of Firewall
  • A firewall identifies networks as inside or outside
  • Packets can get from the inside to the outside
  • Packets from the outside that are associated with an inside-originated connection are allowed back in
  • Packets originated from the outside are not allowed to the inside

Limitations of firewalls and gateways

IP spoofing: router can’t know if data “really” comes from claimed source

if multiple apps need special treatment, each has its own app. gateway.

client software must know how to contact gateway.
  • e.g., must set IP address of proxy in Web browser

filters often use all-or-nothing policy for UDP.

tradeoff: degree of communication with outside world vs. level of security

many highly protected sites still suffer from attacks.

NAT: Network Address Translation

[Figure: local network (e.g., home network) 10.0.0/24 with addresses 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4; NAT router address 138.76.29.7 toward the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)

All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation
  • Motivation: local network uses just one IP address as far as outside world is concerned:
    • no need to be allocated range of addresses from ISP: just one IP address is used for all devices
    • can change addresses of devices in local network without notifying outside world
    • can change ISP without changing addresses of devices in local network
    • devices inside local net not explicitly addressable or visible to outside world (a security plus).

NAT Traversal in VoIP
  • NATs map a private IP address space to externally visible (public) IP addresses
    • Conserve limited public IP addresses
    • Shield internal hosts from outside world
  • Useful for enterprises, cable modem networks, broadband access routers, internet cafes…
  • NATs interfere with peer-to-peer protocols such as SIP
    • SIP clients must identify the IP address and ports they will use to receive media streams (in payload of their signaling messages)
    • But they don’t know their externally visible addresses
  • “One of the SIP community’s biggest problems”

NAT: Network Address Translation

Implementation: NAT router must:
  • outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #) . . . remote clients/servers will respond using (NAT IP address, new port #) as destination addr.
  • remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
  • incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table

NAT: Network Address Translation

NAT translation table (bindings can only be initiated by outgoing traffic):

  WAN side addr          LAN side addr
  138.76.29.7, 5001      10.0.0.1, 3345
  ……                     ……

[Figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4 behind the NAT router 138.76.29.7]

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80

2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80

3: Reply arrives, dest. address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001

4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT: Pros
  • Use of a single registered IP address for an entire network
  • Independence of ISP IP addresses
  • Transparent to end systems in some cases (increased security)
  • Delays need for IPv4 replacement
    • 16-bit port-number field: 60,000 simultaneous connections with a single WAN-side address!
  • Mask the true internal IP addresses of the internal network

NAT: Cons
  • Violates end-to-end argument
    • NAT possibility must be taken into account by app designers, e.g., P2P application
  • Increases local support burden and complexity

Outline
  • What are Firewall and NAT?
  • Problems created by Firewall and NAT?
  • Solutions
    • Traversal of NAT/Firewall

NAT & Firewall Problem
  • NAT & Firewall are employed to prevent hackers or unauthorized persons from accessing the internal network
  • Voice and video over IP are not NAT & Firewall friendly
  • Provide a secure two-way communication connection across the NAT & Firewall
    • Firewall Problem
    • NAT Problem

Firewall Problem for VoIP

[Figure: User A behind the firewall, User B on the Internet; 1. INVITE (A to B), 2. OK, 3. Media, 4. INVITE (B to A), 5. Media (A), 5. Media (B)]

1. User A is able to call User B since the firewall allows inside-to-outside sessions
2. User B is able to respond back to User A at the VoIP signaling layer
3. PROBLEM: Media traffic sent by User B from outside will be blocked since it uses a different socket than the VoIP signaling
4. PROBLEM: If User B tries to initiate a call to User A, it will be blocked by the firewall
5. PROBLEM: If symmetric RTP is not used, the RTP from B fails to get back inside
   (S-RTP = the UA uses the same socket/port for sending and receiving the RTP)
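The five steps above replayed against a model of the firewall's default behaviour (inside-originated flows are recorded, outside packets get in only when they match one), as an added Python example that is not part of the slides: it shows why the OK gets back in, why B's media and B's own INVITE do not, and why port symmetry on both phones is what lets the media through once A has sent first. The addresses and the RTP port numbers are constructed for the example.

```python
# Added example (not from the slides): a minimal stateful firewall model that
# applies the "Default Behavior of Firewall" rules and replays the VoIP call
# flow from the "Firewall Problem for VoIP" slide.

from typing import Dict, List, Set, Tuple

Socket = Tuple[str, int]          # (IP address, UDP port)
Flow = Tuple[Socket, Socket]      # (inside socket, outside socket)


class StatefulFirewall:
    """Inside-to-outside packets are allowed and recorded; outside-to-inside
    packets are allowed only if they match a recorded inside-originated flow."""

    def __init__(self, inside_prefix: str = "10.0.0.") -> None:
        self.inside_prefix = inside_prefix
        self.flows: Set[Flow] = set()
        self.log: List[Tuple[Socket, Socket, str]] = []

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def packet(self, src: Socket, dst: Socket) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if self.is_inside(src[0]) and not self.is_inside(dst[0]):
            self.flows.add((src, dst))          # remember the outbound flow
            ok = True
        elif not self.is_inside(src[0]) and self.is_inside(dst[0]):
            ok = (dst, src) in self.flows       # reply to a known flow?
        else:
            ok = True                           # same side; not the firewall's concern
        self.log.append((src, dst, "forward" if ok else "drop"))
        return ok


# Constructed addresses: A is inside, B is outside. 5060 is the SIP port;
# the other ports are the RTP sockets each phone chose for media.
A_SIP, A_RTP = ("10.0.0.1", 5060), ("10.0.0.1", 8000)
B_SIP, B_RTP = ("166.111.25.36", 5060), ("166.111.25.36", 7865)


def voip_call(a_symmetric_rtp: bool, b_symmetric_rtp: bool) -> Dict[str, bool]:
    """Replay the slide's call flow; True means the firewall forwarded the packet."""
    fw = StatefulFirewall()
    result = {}
    result["1 INVITE A->B"] = fw.packet(A_SIP, B_SIP)        # inside-originated: allowed, recorded
    result["2 OK B->A"] = fw.packet(B_SIP, A_SIP)            # reply on the recorded flow: allowed
    # 3: B's media uses a different socket pair than the signaling, so no
    #    recorded flow matches it yet
    result["3 media B->A before A sends"] = fw.packet(B_RTP, A_RTP)
    # 4: a call initiated by B is outside-originated; model it on a firewall
    #    with no prior session from A
    result["4 INVITE B->A (no prior session)"] = StatefulFirewall().packet(B_SIP, A_SIP)
    # 5: A sends media out first, opening a pinhole for replies to the exact
    #    socket pair it used; the reply gets in only if both sides send from
    #    the socket they receive on (symmetric RTP)
    a_send = A_RTP if a_symmetric_rtp else ("10.0.0.1", 8002)
    b_send = B_RTP if b_symmetric_rtp else ("166.111.25.36", 7866)
    fw.packet(a_send, B_RTP)
    result["5 media B->A after A sends"] = fw.packet(b_send, A_RTP)
    return result


if __name__ == "__main__":
    for step, ok in voip_call(True, True).items():
        print(f"{step:36s} {'forward' if ok else 'drop'}")
    print("B not symmetric:", voip_call(True, False)["5 media B->A after A sends"])
```

The model deliberately keys the pinhole on the full socket pair, as a stateful UDP filter does, which is what makes step 5 succeed only when both user agents send from the port they listen on.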

NAT Problem for VoIP

[Figure: User A at 10.0.0.1 behind the NAT, whose public address is 202.123.211.25; User B on the Internet; 1. INVITE, 2. OK, 3. Media (destination unknown: "?")]

1. User A sends an INVITE to User B; the NAT translates the layer 3 address, but not the layer 5 (SIP, SDP) addresses
2. User B receives the INVITE and responds back to the NAT address
3. PROBLEM: User B tries to send RTP to User A at the IP:Port from the SDP (c=10.0.0.1, m=8000), but this fails since it cannot route to User A

Notes: VoIP devices on the Internet
  • cannot make calls to private address (where to send them?)
  • do not know the type of NAT being used (cone, symmetric and so on), so they do not know what kinds of bindings to use
  • do not know if the bindings are still open

SIP trace

  INVITE sip:[email protected] SIP/2.0
  Via: SIP/2.0/UDP 211.123.66.223:5060;branch=a71b6d57-507c77f2
  Via: SIP/2.0/UDP 10.0.0.1:5060;received=202.123.211.25;rport=12345
  From: <sip:[email protected]>;tag=108bcd14
  To: sip:[email protected]
  Contact: sip:[email protected]
  Call-ID: [email protected]
  CSeq: 703141 INVITE
  Content-Length: 138
  Content-Type: application/sdp
  User-Agent: HearMe SoftPHONE

  v=0
  o=deltathree 0 0 IN IP4 10.0.0.1
  s=deltathree
  c=IN IP4 10.0.0.1
  t=0 0
  m=audio 8000 RTP/AVP 4
  a=ptime:90
  a=x-ssrc:00aea3c0

Annotations on the slide:
  • SIP signaling (headers): the second Via line carries the internal IP address 10.0.0.1 and, in received=202.123.211.25, the external IP address seen by the SIP proxy from outside
  • SDP signaling (body): c=IN IP4 10.0.0.1 is the internal IP address for the RTP stream

Symmetric RTP
  • Classical RTP is unidirectional (i.e. two RTP sessions, one in each direction)
  • Endpoints use UDP port symmetry to establish bi-directional traffic
    • Sending and receiving ports for the RTP and RTCP traffic should be the same on the endpoint behind the NAT/Firewall
  • Connection oriented
  • Usage
    • require that endpoints use UDP port symmetry to establish bi-directional traffic

Solution to NAT Traversal

Let clients be aware of their external IP:PORT

  • Ask the NAT
    • Universal Plug and Play (UPnP)
  • Ask someone outside the NAT
    • Simple Traversal of UDP Through NATs (STUN)
    • Traversal Using Relay NAT (TURN)
    • Interactive Connectivity Establishment (ICE)
  • Make NAT & Firewall SIP friendly
    • Application Layer Gateway

Universal Plug and Play (UPnP)
  • Proposed by Microsoft
  • Client talks with NAT gateway and asks about IP and ports
  • Will NOT work with cascading NAT

Universal Plug and Play (UPnP)

[Figure: source 10.0.0.1:8000 behind a NAT with public address 40.50.60.70; 1. "What is my IP:Port assigned?" 2. "40.50.60.70:9001"]

Will NOT work with cascading NAT (security issue)

Solution to NAT/Firewall Traversal

Let clients be aware of their external IP:PORT

  • Ask the NAT
    • Universal Plug and Play (UPnP)
  • Ask someone outside the NAT
    • Simple Traversal of UDP Through NATs (STUN)
    • Traversal Using Relay NAT (TURN)
    • Interactive Connectivity Establishment (ICE)
  • Make NAT & Firewall SIP friendly
    • Application Layer Gateway

STUN
  • Simple Traversal of UDP Through NATs
  • Types of NATs (listed in order of increasing security):
    • Full Cone
    • (Address) Restricted Cone
    • Port Restricted Cone
    • Symmetric
  • Not suitable for Symmetric NAT

Types of NATs: Full Cone

NAT translation table
  LAN side addr      WAN side addr
  10.0.0.1, 8000     40.50.60.70, 9000
  ……                 ……

[Figure: Client A 10.0.0.1:8000 behind the NAT router (10.0.0.4 on the LAN side, 40.50.60.70 on the WAN side); outside clients B 166.111.25.36:7865, C 143.89.47.012:7868, D 45.36.245.57:6988]

All the incoming traffic can get through from the pinhole to client A if they know the IP:Port mapping

Types of NATs: (Address) Restricted Cone

NAT translation table
  LAN side addr      WAN side addr
  10.0.0.1, 8000     40.50.60.70, 9000
  ……                 ……

[Figure: Client A 10.0.0.1:8000 behind the NAT router (10.0.0.4 on the LAN side, 40.50.60.70 on the WAN side); Client B 166.111.25.36 sending from ports 7865 and 2134; Client C 143.89.47.012:7868; Client D 45.36.245.57:6988. Traffic from B with different source ports can get through.]

Filter traffic only by IP: block incoming traffic from other IP addresses (clients C and D). Incoming traffic from the same authorized IP but different ports will be accepted.

Types of NATs: Port Restricted Cone

NAT translation table
  LAN side addr      WAN side addr
  10.0.0.1, 8000     40.50.60.70, 9000
  ……                 ……

[Figure: Client A 10.0.0.1:8000 behind the NAT router (10.0.0.4 on the LAN side, 40.50.60.70 on the WAN side); Client B at 166.111.25.36:7865 and 166.111.25.36:2134; Client C 143.89.47.012:7868; Client D 45.36.245.57:6988]

Filter by both IP and Port: set up one-to-many mapping

Types of NATs: Port Restricted Cone (con’t)

NAT translation table
  LAN side addr      WAN side addr
  10.0.0.1, 8000     40.50.60.70, 9000
  ……                 ……

Only one entry is set up in the table for 10.0.0.1:8000 to different clients outside

[Figure: same layout as the previous slide: Client A 10.0.0.1:8000 behind the NAT router (10.0.0.4 on the LAN side, 40.50.60.70 on the WAN side); Client B at 166.111.25.36:7865 and 166.111.25.36:2134; Client C 143.89.47.012:7868; Client D 45.36.245.57:6988]

Filter by both IP and Port: set up only one entry for multiple remote clients

Types of NATs: Symmetric

NAT translation table
  LAN side addr      WAN side addr
  10.0.0.1, 8000     40.50.60.70, 9000
  10.0.0.1, 8000     40.50.60.70, 9001

[Figure: Client A 10.0.0.1:8000 behind the NAT router (10.0.0.4 on the LAN side, 40.50.60.70 on the WAN side); WAN-side mappings 40.50.60.70:9000 and 40.50.60.70:9001; Client B 166.111.25.36:7865; Client C 143.89.47.012:7868; Client D 45.36.245.57:6988]

Filter by both IP and Port; the NAT assigns a mapping for each source-destination pair
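The translation table from the "NAT: Network Address Translation" slides and the four behaviours from the "Types of NATs" slides, as one added Python model that is not code from the slides or from any real NAT implementation. It reuses the slides' addresses (client A 10.0.0.1:8000 behind 40.50.60.70; B at 166.111.25.36 ports 7865 and 2134; C at 143.89.47.12, the slide's address with its leading zero dropped; and the earlier 10.0.0.1:3345 to 128.119.40.186:80 flow through 138.76.29.7). The port numbers the NAT hands out, the order in which clients send, and the class interface are constructed for the example.

```python
# Added example (not from the slides): a NAT model with the translation table
# and the filtering/mapping behaviour of the four NAT types.

from typing import Dict, Optional, Set, Tuple

Socket = Tuple[str, int]   # (IP address, port)
NAT_TYPES = {"full_cone", "address_restricted", "port_restricted", "symmetric"}


class Nat:
    """Translate outbound datagrams and decide whether inbound ones get in.

    The cone types keep one WAN-side mapping per LAN socket; a symmetric NAT
    creates a new mapping per (LAN socket, destination) pair. Bindings are
    only ever created by outgoing traffic.
    """

    def __init__(self, nat_type: str, wan_ip: str, first_port: int = 9000) -> None:
        if nat_type not in NAT_TYPES:
            raise ValueError(nat_type)
        self.nat_type = nat_type
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.lan_to_wan: Dict[Tuple[Socket, Optional[Socket]], Socket] = {}
        self.wan_to_lan: Dict[Socket, Socket] = {}
        self.peers: Dict[Socket, Set[Socket]] = {}   # WAN socket -> destinations sent to

    def _key(self, lan: Socket, dst: Socket) -> Tuple[Socket, Optional[Socket]]:
        return (lan, dst) if self.nat_type == "symmetric" else (lan, None)

    def outbound(self, lan_src: Socket, dst: Socket) -> Tuple[Socket, Socket]:
        """Rewrite (source IP, port) to (NAT IP, new port) and remember the binding."""
        key = self._key(lan_src, dst)
        if key not in self.lan_to_wan:
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.lan_to_wan[key] = wan
            self.wan_to_lan[wan] = lan_src
            self.peers[wan] = set()
        wan = self.lan_to_wan[key]
        self.peers[wan].add(dst)
        return wan, dst

    def inbound(self, ext_src: Socket, wan_dst: Socket) -> Optional[Tuple[Socket, Socket]]:
        """Return the datagram with its destination rewritten to the LAN socket,
        or None if the NAT drops it (no binding, or filtered by NAT type)."""
        lan = self.wan_to_lan.get(wan_dst)
        if lan is None:
            return None                       # no binding: unsolicited traffic is dropped
        sent_to = self.peers[wan_dst]
        if self.nat_type == "full_cone":
            allowed = True                    # anyone who knows the mapping
        elif self.nat_type == "address_restricted":
            allowed = any(p[0] == ext_src[0] for p in sent_to)   # same IP, any port
        else:  # port_restricted and symmetric both require the exact IP:port
            allowed = ext_src in sent_to
        return (ext_src, lan) if allowed else None


# Constructed scenario using the slides' addresses.
A = ("10.0.0.1", 8000)
B, B_OTHER_PORT = ("166.111.25.36", 7865), ("166.111.25.36", 2134)
C = ("143.89.47.12", 7868)


def basic_flow() -> Tuple[Socket, Optional[Socket]]:
    """Steps 1-4 of the NAT slide: 10.0.0.1:3345 -> 128.119.40.186:80 and back."""
    nat = Nat("full_cone", "138.76.29.7", first_port=5001)
    wan, dst = nat.outbound(("10.0.0.1", 3345), ("128.119.40.186", 80))   # step 2
    reply = nat.inbound(dst, wan)                                          # steps 3-4
    return wan, (reply[1] if reply else None)


def who_gets_in(nat_type: str) -> Dict[str, bool]:
    """A sends to B first (opening the pinhole); then B, B from another port
    and C try to reach A through that mapping."""
    nat = Nat(nat_type, "40.50.60.70")
    wan_for_b, _ = nat.outbound(A, B)
    return {
        "B same port": nat.inbound(B, wan_for_b) is not None,
        "B other port": nat.inbound(B_OTHER_PORT, wan_for_b) is not None,
        "C": nat.inbound(C, wan_for_b) is not None,
    }


def symmetric_mappings() -> Tuple[Socket, Socket]:
    """A symmetric NAT gives A a different WAN port for each destination."""
    nat = Nat("symmetric", "40.50.60.70")
    return nat.outbound(A, B)[0], nat.outbound(A, C)[0]


if __name__ == "__main__":
    print("basic flow:", basic_flow())
    for t in sorted(NAT_TYPES):
        print(f"{t:20s}", who_gets_in(t))
    print("symmetric mappings:", symmetric_mappings())
```

The symmetric case is the one that defeats STUN later in the deck: because the mapping is per destination, the WAN port a STUN server reports is not the port the NAT will use toward the call's other party.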

STUN
  • This works IF:
    • The client sends and receives RTP on the same port (why?)
    • SIP request must be sent immediately. After a while the mapping might change
    • In the case of Address Restricted Cone or Port Restricted Cone it must send out data to the other end first
  • External Query
    • Ask a server on the Internet what I “look” like
    • Compare the returned answer (external address) with my own address (local internal address)
    • Put my “real address” in signaling to allow media traffic in

STUN Solution

[Figure: 1. Send query to STUN server to ask IP:Port assigned by NAT; 2. Put assigned IP:Port in SDP; 3. Incoming media gets through with the informed IP:Port]

Symmetric NAT case: useless for symmetric NAT, since holes punctured by STUN cannot be used by others

NAT translation table
  LAN side addr      WAN side addr
  10.0.0.1, 8000     40.50.60.70, 9000   (assigned for STUN by NAT)
  10.0.0.1, 8000     40.50.60.70, 9001   (assigned for RTP by NAT)

RTP is only authorized to get through using 9001 but not 9000 due to the NAT/Firewall combination

STUN (Cont’)
  • With the information sent by STUN, client can determine
    • If it is on the open Internet
    • If it is behind a firewall that blocks UDP
    • If it is behind a NAT and what type of NAT it is behind
  • Will NOT work for symmetric NAT
    • Typical in Large Enterprise
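How a STUN client reaches the conclusions listed above (open Internet, UDP blocked, which NAT type), as an added Python example that is not part of the slides: it is the discovery decision tree of RFC 3489, which also distinguishes a "symmetric UDP firewall" (untranslated address, but responses from unknown sources filtered), a case the slides do not list. The client sends binding requests and asks the server to reply from a changed IP and/or port. Network I/O is replaced by a probe callback so the tree can be exercised offline; the server addresses and the per-environment probe behaviours are constructed for the example.

```python
# Added example (not from the slides): the RFC 3489 NAT-type discovery tree,
# driven by a probe callback so it runs offline against constructed NATs.

from typing import Callable, Dict, Optional, Tuple

Socket = Tuple[str, int]
# probe(server, change_ip, change_port) -> MAPPED-ADDRESS from the response, or
# None if no response arrived. change_ip / change_port ask the server to answer
# from a different IP / port (the CHANGE-REQUEST flags).
Probe = Callable[[Socket, bool, bool], Optional[Socket]]

PRIMARY = ("203.0.113.10", 3478)     # constructed STUN server address
ALTERNATE = ("203.0.113.11", 3478)   # the server's CHANGED-ADDRESS


def classify(probe: Probe, local: Socket) -> str:
    # Test I: plain binding request to the primary address
    mapped = probe(PRIMARY, False, False)
    if mapped is None:
        return "udp blocked"
    if mapped == local:
        # Not translated: open Internet unless a firewall filters unknown sources
        return "open internet" if probe(PRIMARY, True, True) else "symmetric udp firewall"
    # Test II: can a packet from a different IP and port reach the mapping?
    if probe(PRIMARY, True, True) is not None:
        return "full cone"
    # Test I again toward the alternate address: does the mapping change?
    if probe(ALTERNATE, False, False) != mapped:
        return "symmetric"
    # Test III: same IP, different port
    return "restricted cone" if probe(PRIMARY, False, True) else "port restricted cone"


LOCAL = ("10.0.0.1", 8000)        # the client's own socket (from the slides)
MAPPED = ("40.50.60.70", 9000)    # what the NAT maps it to (from the slides)


def make_probe(kind: str) -> Probe:
    """Constructed behaviours for each environment the STUN slides mention."""
    def probe(server: Socket, change_ip: bool, change_port: bool) -> Optional[Socket]:
        if kind == "blocked":
            return None
        if kind == "open":
            return LOCAL
        if kind == "udp_firewall":
            return None if (change_ip or change_port) else LOCAL
        if kind == "full_cone":
            return MAPPED
        if kind == "address_restricted":
            return None if change_ip else MAPPED
        if kind == "port_restricted":
            return None if (change_ip or change_port) else MAPPED
        if kind == "symmetric":   # one mapping per destination, exact-match filtering
            if change_ip or change_port:
                return None
            return MAPPED if server == PRIMARY else (MAPPED[0], MAPPED[1] + 1)
        raise ValueError(kind)
    return probe


def classify_all() -> Dict[str, str]:
    kinds = ("blocked", "open", "udp_firewall", "full_cone",
             "address_restricted", "port_restricted", "symmetric")
    return {k: classify(make_probe(k), LOCAL) for k in kinds}


if __name__ == "__main__":
    for kind, verdict in classify_all().items():
        print(f"{kind:20s} -> {verdict}")
```

The "symmetric" branch is where the slides' warning comes from: the client only learns that the mapping differs per destination, so no address it could put in the SDP is guaranteed to be the one the NAT will use toward the far end.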

TURN
  • Solves the ‘Symmetric’ NAT case by allowing media flows through the TURN server directly
    • Not the case with STUN servers
    • Increases voice latency
    • Increases probability of packet loss
  • Few SIP clients support TURN today (complex and not yet a standard)
  • No free TURN server available (only commercial)
  • Skype seems to support TURN

TURN Solution

[Figure: media makes use of the hole punctured by TURN directly]

NAT translation table
  LAN side addr      WAN side addr
  10.0.0.1, 8000     40.50.60.70, 9000   (assigned for both TURN and SIP by NAT)
  …                  …

Interactive Connectivity Establishment
  • Learns about the network topology in which the clients exist and the various sets of network addresses by which these devices can communicate
  • Framework to unify the various NAT traversal techniques
    • STUN, TURN and Realm Specific IP (RSIP)
  • Benefits from the collective functionality of each while avoiding any one protocol’s drawback

ICE

[Figure: Client A (initiator) and Client B (responder), with TURN/STUN servers; 1. Gather addresses (the more, the happier); 2. Initiate messages (INVITE); 3. Gather addresses; 4. Accept messages (200 OK); 5./6. Address-fixing (highest preference address is used); 7./8. Media]

ICE
  • ICE Properties
    • Always will find a means for communicating if one physically exists
    • Always finds the communications path with fewest relays
    • Always finds the communication path cheapest for the service provider
    • Does not require any knowledge of topology, NAT types, or anything
    • Can guarantee that the phone won’t ring unless audio works when you pick up

Solution to NAT Traversal

Let clients be aware of their external IP:PORT

  • Ask the NAT
    • Universal Plug and Play (UPnP)
  • Ask someone outside the NAT
    • Simple Traversal of UDP Through NATs (STUN)
    • Traversal Using Relay NAT (TURN)
    • Interactive Connectivity Establishment (ICE)
  • Make NAT & Firewall SIP aware
    • Application Layer Gateway

Application Layer Gateway
  • Make Firewall/NAT SIP aware
  • Analyze the address information inside the packet payload and dynamically open or close holes for media communications
  • Needs to be updated for each new application, which restricts its use in large corporate networks
  • No commercial SIP ALGs today

Application Layer Gateway Solution

Understanding the signaling messages and their relationship with resulting media flows ---- Media Friendly
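What "understanding the signaling" means in practice, as an added Python example that is not part of the slides: it parses an INVITE shaped like the one in the SIP trace slide, detects the NAT problem slide's failure mode (a private address in the SDP c= line while the bottom Via's received= parameter shows the public address the proxy actually saw), and then performs the rewrite an SDP-aware ALG would do, replacing the media address and port with the public binding and recomputing Content-Length. The message is constructed with the trace's addresses but placeholder user names, and the external RTP port mapping is a constructed NAT binding handed to the function, not something read from the message.

```python
# Added example (not from the slides): parse a SIP INVITE, flag a private
# media address in its SDP, and apply the ALG rewrite with the public binding.

import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed INVITE modelled on the slide's trace (user names are placeholders).
SDP_BODY = (
    "v=0\r\n"
    "o=alice 0 0 IN IP4 10.0.0.1\r\n"
    "s=call\r\n"
    "c=IN IP4 10.0.0.1\r\n"
    "t=0 0\r\n"
    "m=audio 8000 RTP/AVP 4\r\n"
    "a=ptime:90\r\n"
)
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 211.123.66.223:5060;branch=a71b6d57-507c77f2\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:5060;received=202.123.211.25;rport=12345\r\n"
    "From: <sip:alice@example.com>;tag=108bcd14\r\n"
    "To: sip:bob@example.com\r\n"
    "Contact: sip:alice@10.0.0.1:5060\r\n"
    "Call-ID: 1234@10.0.0.1\r\n"
    "CSeq: 703141 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


def parse_sip(msg: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a SIP message into start line, (name, value) headers and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def via_hops(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(sent-by host, received= value or '') for every Via, top-most first."""
    hops = []
    for name, value in headers:
        if name.lower() == "via":
            host = value.split()[1].split(";")[0].rsplit(":", 1)[0]
            m = re.search(r";received=([^;]+)", value)
            hops.append((host, m.group(1) if m else ""))
    return hops


def sdp_endpoint(body: str) -> Tuple[str, int]:
    """Media address from the c= line and audio port from the m= line."""
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", body, re.M).group(1))
    return ip, port


def detect_nat_problem(msg: str) -> Dict[str, object]:
    """Flag an INVITE whose SDP advertises a private media address while the
    originating Via shows it arrived from a different (public) address."""
    _, headers, body = parse_sip(msg)
    ip, port = sdp_endpoint(body)
    host, received = via_hops(headers)[-1]     # bottom Via = the originating UA
    private = ipaddress.ip_address(ip).is_private
    return {
        "sdp_endpoint": (ip, port),
        "sdp_addr_private": private,
        "via_host": host,
        "seen_from": received,
        "media_unroutable": bool(private and received and received != ip),
    }


def alg_rewrite(msg: str, public_ip: str, port_map: Dict[int, int]) -> Tuple[str, Tuple[str, int]]:
    """Rewrite the SDP c= address and m= port with the public binding and fix
    Content-Length; return the new message and the pinhole the ALG must open."""
    start, headers, body = parse_sip(msg)
    ip, port = sdp_endpoint(body)
    ext_port = port_map[port]
    body = body.replace(f"c=IN IP4 {ip}", f"c=IN IP4 {public_ip}")
    body = body.replace(f"m=audio {port} ", f"m=audio {ext_port} ")
    headers = [(n, str(len(body.encode()))) if n.lower() == "content-length" else (n, v)
               for n, v in headers]
    head = "\r\n".join([start] + [f"{n}: {v}" for n, v in headers])
    return head + "\r\n\r\n" + body, (public_ip, ext_port)


if __name__ == "__main__":
    print(detect_nat_problem(INVITE))
    fixed, pinhole = alg_rewrite(INVITE, "202.123.211.25", {8000: 9001})
    print(fixed, "\npinhole:", pinhole)
```

The o= line is left alone on purpose: it carries the session origin, not the media destination, so the far end never sends RTP to it. A real ALG would also have to rewrite the Contact header and any RTCP port, and keep the pinhole open only for the lifetime of the call.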

Summary
  • Problem addressed
    • Provide “secure” “two-way” communication connection across the NAT & Firewall
  • Traversal techniques mainly used
    • Universal Plug and Play (UPnP)
    • Simple Traversal of UDP Through NATs (STUN)
    • Traversal Using Relay NAT (TURN)
    • Interactive Connectivity Establishment (ICE)
    • Application Layer Gateway
