P2P and NAT
How to traverse NAT
Davide Carboni © 2005-2006
Page 2
License: Attribution-ShareAlike 2.5
You are free:
to copy, distribute, display, and perform the work
to make derivative works
to make commercial use of the work
Under the following conditions:
Attribution. You must give the original author credit.
Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a licence identical to this one.
For any reuse or distribution, you must make clear to others the licence terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above.
This is a human-readable summary of the Legal Code (the full licence).
Page 3
The problem
The widespread deployment of NAT builds a barrier to the development of peer-to-peer networks.
Hosts behind a NAT/firewall are only authorized to initiate outgoing traffic through a limited set of ports (UDP/TCP).
Hosts behind a NAT/firewall are never authorized to receive incoming TCP or UDP traffic initiated by a foreign host.
Page 4
Firewall
A firewall is a system that filters TCP/IP and UDP/IP packets according to rules.
It can be software running on the user's machine or on a network router.
Page 5
Firewall (diagram): a router holding the rules sits between the local hosts and the Internet (global IP addresses).
Page 6
NAT
The process of network address translation (NAT, also known as network masquerading or IP masquerading) involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall.
Page 7
Why NAT is so popular
IPv4 address shortage
Standard feature in routers for home and small-office Internet connections
Can enhance the reliability of local systems by stopping worms and enhance privacy by discouraging scans
Page 8
Simple NAT (diagram): a NAT sits between the local network (private IP addresses) and the main Internet (public IP addresses).
Page 9
Multiple NAT (diagram): a home network behind a HomeNAT, which in turn sits behind an ISPNAT on the ISP network before reaching the main Internet (public IP addresses). Addresses shown: 192.168.2.12 and 192.168.2.99 on the home network, 10.0.0.12 on the ISP's private network, 156.148.70.32 on the public side.
Page 10
NAT Mappings
Internal host 192.168.2.2 behind a NAT whose public address is 1.1.1.5; remote host 1.1.1.4.
Mapping: 192.168.2.2:4445 <-> 1.1.1.5:10100
Datagram A before translation: S=192.168.2.2:4445 D=1.1.1.4:7777
Datagram A after translation:  S=1.1.1.5:10100 D=1.1.1.4:7777
Page 11
Traversing a NAT that does not collaborate
Page 12
Relaying (diagram): hosts A and B (addresses 10.0.0.12 and 192.168.2.99), each on its own local network behind a NAT, exchange traffic through a relay S on the main Internet.
Page 13
Connection reversal (diagram): host A (192.168.2.99) on a local network behind a NAT, host B on the public Internet (1.1.1.4), and a rendezvous server S; three numbered steps.
Page 14
NAT policies
A full cone NAT is a NAT where all requests from the same internal IP address and port are mapped to the same public IP address and port. Once a mapping is created, all incoming traffic to the public address is routed to the internal host without checking the address of the remote host.
A restricted cone NAT: like a full cone NAT, all requests from the same internal IP address and port are mapped to the same public IP address and port. Unlike a full cone NAT, a remote host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
A symmetric NAT is a NAT where all requests from the same internal IP address and port to a specific destination IP address and port are mapped to the same external source IP address and port. If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
Page 15
UDP Hole Punching
Hole punching is a technique that allows traffic to and from a host behind a firewall/NAT without the collaboration of the NAT itself.
The simplest way is to use UDP packets.
Page 16
Full cone
Host A (192.168.2.2) behind a full cone NAT (192.168.2.1 inside, 1.1.1.4 outside); Host B (1.1.1.5); Host C (1.1.1.6)
A -> B, before the NAT: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
A -> B, after the NAT:  Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A from another port: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)
delivered as: Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)
C -> A, unsolicited: Packet(S=1.1.1.6:1234, D=1.1.1.4:10100)
delivered as: Packet(S=1.1.1.6:1234, D=192.168.2.2:4445)
Page 17
Full cone mapping and policy
Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100
Policy: ALLOW ALL TO 1.1.1.4:10100
Page 18
Holes in Full Cone (diagram): host A behind a NAT, host B, and a rendezvous server; five numbered steps.
Page 19
Restricted cone
Host A (192.168.2.2) behind a restricted cone NAT (192.168.2.1 inside, 1.1.1.4 outside); Host B (1.1.1.5); Host C (1.1.1.6)
A -> B, before the NAT: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
A -> B, after the NAT:  Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A from another port: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100)
delivered as: Packet(S=1.1.1.5:4321, D=192.168.2.2:4445)
C -> A, unsolicited: Packet(S=1.1.1.6:1234, D=1.1.1.4:10100) X (dropped)
A -> C, before the NAT: Packet(S=192.168.2.2:4445, D=1.1.1.6:7777)
A -> C, after the NAT:  Packet(S=1.1.1.4:10100, D=1.1.1.6:7777)
C -> A, now permitted: Packet(S=1.1.1.6:4321, D=1.1.1.4:10100)
delivered as: Packet(S=1.1.1.6:4321, D=192.168.2.2:4445)
Page 20
Restricted cone mapping and policy
Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100
Policy: ALLOW 1.1.1.5 TO 1.1.1.4:10100; ALLOW 1.1.1.6 TO 1.1.1.4:10100
Page 21
Holes in Restricted Cone (diagram): host A behind a NAT, host B, and a rendezvous server; six numbered steps (3 and 5 on one path, 4 and 6 on the other).
Page 22
Port restricted cone
Host A (192.168.2.2) behind a port restricted cone NAT (192.168.2.1 inside, 1.1.1.4 outside); Host B (1.1.1.5); Host C (1.1.1.6)
A -> B, before the NAT: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
A -> B, after the NAT:  Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A from another port: Packet(S=1.1.1.5:4321, D=1.1.1.4:10100) X (dropped)
B -> A from port 7777: Packet(S=1.1.1.5:7777, D=1.1.1.4:10100)
delivered as: Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)
Page 23
Port restricted cone mapping and policy
Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100
Policy: ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100; ALLOW 1.1.1.6:7777 TO 1.1.1.4:10100
Page 24
Holes in Restricted Cone (diagram): host A behind a NAT, host B, and a rendezvous server; six numbered steps (3 and 5 on one path, 4 and 6 on the other).
Page 25
Symmetric NAT
Host A (192.168.2.2) behind a symmetric NAT (192.168.2.1 inside, 1.1.1.4 outside); Host B (1.1.1.5); Host C (1.1.1.6)
A -> B, before the NAT: Packet(S=192.168.2.2:4445, D=1.1.1.5:7777)
A -> B, after the NAT:  Packet(S=1.1.1.4:10100, D=1.1.1.5:7777)
B -> A: Packet(S=1.1.1.5:7777, D=1.1.1.4:10100)
delivered as: Packet(S=1.1.1.5:7777, D=192.168.2.2:4445)
A -> C, before the NAT: Packet(S=192.168.2.2:4445, D=1.1.1.6:7777)
A -> C, after the NAT (a new mapping): Packet(S=1.1.1.4:10179, D=1.1.1.6:7777)
C -> A: Packet(S=1.1.1.6:7777, D=1.1.1.4:10179)
delivered as: Packet(S=1.1.1.6:7777, D=192.168.2.2:4445)
C -> A through the first mapping: Packet(S=1.1.1.6:7777, D=1.1.1.4:10100) X (dropped)
Page 26
Symmetric mapping and policy
Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100 (towards 1.1.1.5:7777)
Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10179 (towards 1.1.1.6:7777)
Policy: ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100; ALLOW 1.1.1.6:7777 TO 1.1.1.4:10179
Page 27
Holes in Symmetric NATs
The only way to traverse this NAT is by Connection Reversal or Relaying.
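The four policies of page 14, the packet traces of pages 16, 19, 22 and 25, and the hole-punching sequences of pages 18 and 21 can be checked mechanically. The Python below is an added example, not code from the slides: a NAT model that allocates one public port per mapping (sequentially from 10100, where the slides show 10179 for the second symmetric mapping), a replay of the slides' A/B/C packets, and a hole-punching exchange through a rendezvous server whose step order is my reading of the diagrams. Hosts, addresses and the server endpoint 1.1.1.5:7777 are the slides' constructed values.

```python
"""Simulator of the four NAT policies on page 14 and of UDP hole punching through a
rendezvous server. Added example; addresses and ports are the slides' constructed
values, and public ports are allocated sequentially from 10100."""
from dataclasses import dataclass, field

FULL_CONE = "full cone"
RESTRICTED = "restricted cone"
PORT_RESTRICTED = "port restricted cone"
SYMMETRIC = "symmetric"


@dataclass
class Nat:
    policy: str
    public_ip: str
    next_port: int = 10100
    # Cone NATs key the mapping on the internal (ip, port) alone; a symmetric NAT
    # keys it on (internal endpoint, destination endpoint): one public port per key.
    mappings: dict = field(default_factory=dict)
    # Public port -> set of remote (ip, port) the internal host has already sent to.
    allowed: dict = field(default_factory=dict)

    def _key(self, src, dst):
        return (src, dst) if self.policy == SYMMETRIC else src

    def outbound(self, src, dst):
        """Translate a datagram leaving the private network; returns its public source."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        pub_port = self.mappings[key]
        self.allowed.setdefault(pub_port, set()).add(dst)
        return (self.public_ip, pub_port)

    def inbound(self, src, pub_port):
        """Apply the policy to a datagram from src addressed to public_ip:pub_port.
        Returns the internal (ip, port) it is forwarded to, or None if dropped."""
        peers = self.allowed.get(pub_port)
        if peers is None:          # no mapping exists for this public port
            return None
        if self.policy == FULL_CONE:
            ok = True              # anyone may use the mapping
        elif self.policy == RESTRICTED:
            ok = any(ip == src[0] for ip, _ in peers)   # remote IP must match
        else:                      # port restricted and symmetric: IP and port must match
            ok = src in peers
        if not ok:
            return None
        for key, port in self.mappings.items():
            if port == pub_port:
                return key[0] if self.policy == SYMMETRIC else key
        return None


def slide_trace(policy):
    """Replay the packet sequence of pages 16, 19, 22 and 25: A (192.168.2.2:4445)
    behind a NAT with public address 1.1.1.4 talks to B (1.1.1.5) and C (1.1.1.6)."""
    nat = Nat(policy, "1.1.1.4")
    a = ("192.168.2.2", 4445)
    a_pub = nat.outbound(a, ("1.1.1.5", 7777))                      # A -> B:7777
    out = {"a_pub": a_pub}
    out["b_same_port"] = nat.inbound(("1.1.1.5", 7777), a_pub[1]) is not None
    out["b_other_port"] = nat.inbound(("1.1.1.5", 4321), a_pub[1]) is not None
    out["c_unsolicited"] = nat.inbound(("1.1.1.6", 1234), a_pub[1]) is not None
    a_pub2 = nat.outbound(a, ("1.1.1.6", 7777))                     # A -> C:7777
    out["new_mapping"] = a_pub2 != a_pub
    out["c_after_send"] = nat.inbound(("1.1.1.6", 7777), a_pub2[1]) is not None
    out["c_old_port"] = nat.inbound(("1.1.1.6", 7777), a_pub[1]) is not None
    return out


def hole_punch(nat_a, nat_b, a_priv, b_priv, server=("1.1.1.5", 7777)):
    """UDP hole punching via rendezvous server S, in the order read from pages 18
    and 21: both hosts register with S, S hands each the other's public endpoint,
    then each sends to the other. Returns whether A's first packet, B's packet and
    A's retry were forwarded by the receiving NAT."""
    a_pub = nat_a.outbound(a_priv, server)       # 1. A -> S (S learns a_pub)
    b_pub = nat_b.outbound(b_priv, server)       # 2. B -> S (S learns b_pub)
    # 3/4. S -> A and S -> B carry the public endpoints; replies from S always pass.
    a_src = nat_a.outbound(a_priv, b_pub)        # 5. A -> B opens A's hole towards B
    first = nat_b.inbound(a_src, b_pub[1])
    b_src = nat_b.outbound(b_priv, a_pub)        # 6. B -> A opens B's hole towards A
    second = nat_a.inbound(b_src, a_pub[1])
    third = nat_b.inbound(a_src, b_pub[1])       # A's retry now finds B's hole open
    return (first is not None, second is not None, third is not None)


if __name__ == "__main__":
    for policy in (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(policy, slide_trace(policy))
        print("  hole punch A<->B:", hole_punch(Nat(policy, "1.1.1.4"), Nat(policy, "1.1.1.6"),
                                               ("192.168.2.2", 4445), ("10.0.0.12", 5555)))
```

Running it shows why page 27 falls back to connection reversal or relaying: with a symmetric NAT on either side, the endpoint the rendezvous server reports is bound to the server as destination, so the peer's packets arrive at a public port whose allowed set contains only the server and are dropped, while for the three cone types the first packet towards the peer opens the hole the peer's packet then passes through.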
Page 28
STUN protocol (to simplify hole punching)
A protocol to discover the presence and types of NATs and firewalls between an application and the public Internet.
STUN allows applications to determine the public IP addresses allocated to them by the NAT.
Page 29
STUN protocol
STUN is specified in RFC 3489 and defines the operations and the message format needed to determine the type of NAT.
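The part of RFC 3489 that the hole-punching hosts of pages 18 and 21 actually need is the Binding Request, whose response carries the public mapping the NAT allocated, in a MAPPED-ADDRESS attribute. The Python below is an added example, not the slides' code: it encodes a Binding Request, decodes a Binding Response, and refuses a response whose transaction ID does not match the request (a stray or forged UDP datagram must not be able to plant a false mapping). The offline response is constructed to carry the mapping of page 17; the NAT-type tests of RFC 3489 that use CHANGE-REQUEST are not implemented.

```python
"""RFC 3489 STUN Binding Request / Binding Response, the exchange through which a
host behind a NAT learns its public (mapped) address. Added example, not from the
slides; the server response used offline is constructed to match page 17's mapping."""
import os
import socket
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001      # attribute type
FAMILY_IPV4 = 0x01
HEADER_LEN = 20              # 2 type + 2 length + 16 transaction ID


def build_binding_request(transaction_id=None):
    """Header only: message type, body length (0), 128-bit random transaction ID."""
    tid = os.urandom(16) if transaction_id is None else transaction_id
    if len(tid) != 16:
        raise ValueError("transaction ID must be 16 bytes")
    return struct.pack("!HH", BINDING_REQUEST, 0) + tid


def build_binding_response(transaction_id, mapped_ip, mapped_port):
    """What the server sends back: the source ip:port it saw, i.e. the NAT mapping,
    as a MAPPED-ADDRESS attribute (pad, family, port, address)."""
    value = struct.pack("!BBH4s", 0, FAMILY_IPV4, mapped_port, socket.inet_aton(mapped_ip))
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + transaction_id + attr


def parse_binding_response(data, expected_tid):
    """Return (ip, port) from MAPPED-ADDRESS; reject replies whose transaction ID does
    not match the request we sent."""
    if len(data) < HEADER_LEN:
        raise ValueError("short STUN header")
    msg_type, length = struct.unpack("!HH", data[:4])
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response: 0x%04x" % msg_type)
    if data[4:HEADER_LEN] != expected_tid:
        raise ValueError("transaction ID mismatch")
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated message body")
    mapped, off = None, 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == MAPPED_ADDRESS:
            if alen < 8:
                raise ValueError("short MAPPED-ADDRESS")
            _, family, port, raw_ip = struct.unpack("!BBH4s", value[:8])
            if family != FAMILY_IPV4:
                raise ValueError("unsupported address family")
            mapped = (socket.inet_ntoa(raw_ip), port)
        off += 4 + alen            # other attributes (SOURCE-ADDRESS, ...) are skipped
    if mapped is None:
        raise ValueError("no MAPPED-ADDRESS attribute")
    return mapped


def classify(local_endpoint, mapped):
    """If the server saw the same ip:port we bound locally, there is no NAT on the path."""
    return "no NAT" if mapped == local_endpoint else "behind NAT"


def discover(server, timeout=2.0):
    """Live query against a STUN server (needs network access; not exercised offline)."""
    tid = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(tid), server)
        data, _ = s.recvfrom(2048)
        return parse_binding_response(data, tid)
```

The mapping that comes back is only valid for the socket that sent the request; a restricted or symmetric NAT (pages 20 and 26) ties it to the STUN server's address, which is the reason the rendezvous server and the peer must see the same source port and why a symmetric NAT defeats the scheme.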
Page 30
TURN protocol
TURN is a protocol for UDP/TCP relaying from behind a NAT.
Unlike STUN there is no hole punching: data are bounced off a public server called the TURN server.
TURN is the last resort, for instance behind a symmetric NAT.
Page 31
Roles in TURN
A TURN client is an entity that generates TURN requests.
A TURN server is an entity that receives TURN requests and sends TURN responses.
The server is a data relay: it receives data on the address it provides to clients and forwards them to the clients.
Page 32
TCP Hole Punching
TCP connections between hosts behind NATs are slightly more complex than for UDP.
Berkeley sockets allow a TCP socket either to initiate an outgoing connection or to listen for incoming connections, but not both.
Page 33
TCP Hole punching
We need to use a single local TCP port to listen for incoming TCP connections and to initiate multiple outgoing TCP connections concurrently.
To bind multiple sockets to the same local endpoint, BSD systems have introduced the SO_REUSEADDR and SO_REUSEPORT socket options.
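The socket-option step of pages 32 and 33 in practice: the Python below is an added example, not code from the slides. It binds a listening TCP socket and a second, outgoing socket to the same local port on the loopback interface, which is the precondition for the simultaneous connect/accept of a TCP punch. It assumes a platform with SO_REUSEPORT (BSD, macOS, Linux 3.9 and later); the option name is real, the peer endpoint in the comment is a placeholder, and no connection to a peer is attempted.

```python
"""Bind a listening TCP socket and a second, outgoing TCP socket to the same local
port, which is what TCP hole punching needs (pages 32-33). Added example, not from
the slides; it uses the loopback interface only and never reaches a peer."""
import socket


def reusable_tcp_socket():
    """SO_REUSEADDR alone is not enough once the first socket is listening; SO_REUSEPORT
    (BSD, macOS, Linux 3.9+) must be set on every socket sharing the port, before bind()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if hasattr(socket, "SO_REUSEPORT"):        # absent on Windows
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    return s


def shared_port_pair(host="127.0.0.1"):
    """Return (listener, outgoing, port) with both sockets bound to host:port."""
    listener = reusable_tcp_socket()
    listener.bind((host, 0))                   # let the kernel pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    outgoing = reusable_tcp_socket()
    outgoing.bind((host, port))                # EADDRINUSE without the options above
    # In a real punch: outgoing.connect((PEER_PUBLIC_IP, PEER_PUBLIC_PORT)) is attempted
    # (placeholder endpoint learned from the rendezvous server) while listener.accept()
    # waits; whichever completes first carries the session.
    return listener, outgoing, port


def demo():
    """True when both sockets report the same local endpoint."""
    listener, outgoing, port = shared_port_pair()
    try:
        return listener.getsockname() == outgoing.getsockname() == ("127.0.0.1", port)
    finally:
        outgoing.close()
        listener.close()


if __name__ == "__main__":
    print("same local endpoint on both sockets:", demo())
```

Because any local process can set the same options, a port-sharing listener is only as trustworthy as the peers allowed to reach it; the NAT's own filtering (pages 20 to 26) is what limits which remote endpoints can complete the handshake.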
Page 34
TCP Hole punching (diagram): host A and host B (addresses 10.0.0.12 and 192.168.2.99), each on a local network behind its own NAT, and a rendezvous server S on the main Internet; public addresses shown: 1.1.1.4, 1.1.1.5 and 1.1.1.6.
Page 35
TCP Hole punching (diagram): the same topology with the public endpoints 1.1.1.4:1234 and 1.1.1.5:4444 learned through the rendezvous server S (1.1.1.6).
Page 36
STUNT
Simple Traversal of UDP Through NATs and TCP too (STUNT) extends STUN to include TCP functionality.
A Java implementation of STUNT is available.
See http://nutss.gforge.cis.cornell.edu/stunt.php
Page 37
Traversing a NAT that collaborates
Page 38
SOCKS
SOCKS is a client-server protocol that allows a client behind a firewall to use a server in the public Internet to relay traffic.
Two operations: CONNECT and BIND
It is widely adopted; for instance Mozilla can be configured to use SOCKS.
Two versions: SOCKS4 and SOCKS5
Page 39
SOCKS CONNECT (diagram): host A behind a NAT, a SOCKS proxy, and server S.
1. CONNECT (A asks the proxy to reach S)
2. connect() (the proxy opens the TCP connection to S)
Page 40
SOCKS BIND (diagram): host A, listening on port 4445, behind a NAT; a SOCKS proxy; server S.
1. BIND (localport=4445, S)
2. Ok. Port=33102 (the proxy reports the port on which it will accept S)
3. connect(33102) (S connects to the proxy, which relays to A)
Page 41
SOCKS and Java
import java.net.*;   // InetSocketAddress, Proxy, URL, URLConnection
// Route the FTP request through a SOCKS proxy; the proxy host name is the slide's placeholder
SocketAddress addr = new InetSocketAddress("socks.mydomain.com", 1080);
Proxy proxy = new Proxy(Proxy.Type.SOCKS, addr);
URL url = new URL("ftp://ftp.gnu.org/README");
URLConnection conn = url.openConnection(proxy);   // throws IOException; no traffic until conn.connect() or getInputStream()
Page 42
SOCKS4 and SOCKS5
SOCKS4 doesn't support authentication, while SOCKS5 has a built-in mechanism to support a variety of authentication methods.
SOCKS4 doesn't support UDP proxying, while SOCKS5 does.
SOCKS4 clients require full DNS support, while SOCKS5 clients can rely on the SOCKS5 server to perform the DNS lookup.
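The SOCKS5 messages behind pages 38 to 42, as an added example in Python rather than the slides' Java: the method-negotiation greeting (the authentication menu SOCKS4 lacks), the CONNECT and BIND requests, and the reply that for BIND announces the proxy's accept port as on page 40. Host names are sent with ATYP 0x03 so the proxy resolves them, which is the DNS point of page 42. Message layouts follow RFC 1928; the addresses used in the checks are constructed (1.1.1.6 stands in for the proxy, 1.1.1.5 for S).

```python
"""Encoder/decoder for the SOCKS5 (RFC 1928) handshake, CONNECT/BIND request and
reply messages of pages 38-42. Added example, not the slides' code; proxy and
server addresses are constructed (1.1.1.6 stands in for the proxy, 1.1.1.5 for S)."""
import ipaddress
import struct

VERSION = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
REP_SUCCEEDED = 0x00


def greeting(methods=(METHOD_NOAUTH, METHOD_USERPASS)):
    """Client hello: VER, NMETHODS, METHODS (the authentication menu SOCKS4 lacks)."""
    return bytes([VERSION, len(methods), *methods])


def parse_method_selection(data):
    """Server's answer to the greeting: VER, METHOD."""
    if len(data) != 2 or data[0] != VERSION:
        raise ValueError("malformed method selection")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ValueError("server accepted none of the offered methods")
    return data[1]


def _encode_addr(host):
    """IPv4 literal -> ATYP 0x01; anything else -> ATYP 0x03 so the proxy resolves it
    (the client needs no DNS, the SOCKS5 point on page 42)."""
    try:
        return bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname length must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(name)]) + name


def _decode_addr(data, off):
    """Return (host, port, next_offset) for the ATYP/ADDR/PORT fields at data[off:]."""
    if len(data) < off + 2:
        raise ValueError("truncated address")
    atyp = data[off]
    if atyp == ATYP_IPV4:
        end = off + 5
    elif atyp == ATYP_DOMAIN:
        end = off + 2 + data[off + 1]
    else:
        raise ValueError("unsupported ATYP 0x%02x" % atyp)
    if len(data) < end + 2:
        raise ValueError("truncated address")
    raw = data[off + 1:end] if atyp == ATYP_IPV4 else data[off + 2:end]
    host = str(ipaddress.IPv4Address(raw)) if atyp == ATYP_IPV4 else raw.decode("idna")
    return host, struct.unpack("!H", data[end:end + 2])[0], end + 2


def request(cmd, host, port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT; for BIND, DST is the peer expected to call in."""
    return bytes([VERSION, cmd, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def parse_request(data):
    """Proxy side: returns (cmd, host, port) or raises on a malformed request."""
    if len(data) < 4 or data[0] != VERSION or data[2] != 0x00:
        raise ValueError("malformed request")
    host, port, end = _decode_addr(data, 3)
    if end != len(data):
        raise ValueError("trailing bytes after request")
    return data[1], host, port


def reply(rep, bind_host, bind_port):
    """VER REP RSV ATYP BND.ADDR BND.PORT. For BIND the first reply announces the port
    the proxy listens on for the peer (page 40: Ok. Port=33102)."""
    return bytes([VERSION, rep, 0x00]) + _encode_addr(bind_host) + struct.pack("!H", bind_port)


def parse_reply(data):
    """Client side: returns (rep, host, port)."""
    if len(data) < 4 or data[0] != VERSION:
        raise ValueError("malformed reply")
    host, port, _ = _decode_addr(data, 3)
    return data[1], host, port
```

Over the wire each message is written to the single TCP connection to the proxy in this order: greeting, method selection, (optional authentication sub-negotiation), request, reply; for BIND a second reply follows once the peer has connected, and only then does the connection start carrying relayed data.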
Page 43
UPnP NAT Traversal
The Internet Gateway Device (IGD) protocol [1] is defined by UPnP.
It is implemented in some Internet routers. It allows applications to automatically configure NAT routing. IGD makes it easy to do the following:
Learn the public (external) IP address
Enumerate existing port mappings
Add and remove port mappings
Assign lease times to mappings
Page 44
UPnP API provided by COM
IStaticPortMapping::get_ExternalIPAddress()
IStaticPortMapping::get_ExternalPort()
IStaticPortMapping::get_InternalPort()
IStaticPortMapping::get_Protocol()
IStaticPortMapping::get_InternalClient()
IStaticPortMapping::get_Enabled()
IStaticPortMapping::get_Description()
Page 45
UPnP Port Forward (figure)
Page 46
Issues with UPnP
Opponents of IGD see a significant security risk.
UPnP allows any program, even a malicious one, to create a port mapping through the router.
With UPnP, the port mapping can be created even without any knowledge of the administrative password of the router.
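The "add port mapping" and "assign lease times" operations of page 43 map onto one SOAP action of the WANIPConnection service, AddPortMapping, and the problem of page 46 is that the gateway accepts it from any host on the LAN. The Python below is an added example, not the slides' code or the COM API of page 44: it builds the request as a UPnP client would, parses it back as a gateway or a monitoring proxy would see it, and flags the two properties a stricter gateway would refuse (a permanent mapping, and a mapping pointing at a host other than the requester). The argument and action names are those of the standard service; the addresses, descriptions and requester are constructed.

```python
"""UPnP IGD AddPortMapping (WANIPConnection:1) request builder, parser and a small
audit for the permissions problem on page 46. Added example, not from the slides;
addresses, descriptions and the requesting host are constructed."""
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ENCODING = "http://schemas.xmlsoap.org/soap/encoding/"
# Argument order as fixed by the WANIPConnection service description.
ARGS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
        "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")
ET.register_namespace("s", NS_SOAP)
ET.register_namespace("u", SERVICE)


def soap_headers():
    """HTTP headers sent with the POST to the gateway's control URL."""
    return {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": '"%s#AddPortMapping"' % SERVICE}


def add_port_mapping_request(external_port, protocol, internal_client, internal_port,
                             description, lease_seconds=0, remote_host=""):
    """Build the SOAP envelope. lease_seconds=0 means the mapping never expires;
    an empty remote_host means any Internet host may use it."""
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    env = ET.Element("{%s}Envelope" % NS_SOAP, {"{%s}encodingStyle" % NS_SOAP: ENCODING})
    body = ET.SubElement(env, "{%s}Body" % NS_SOAP)
    action = ET.SubElement(body, "{%s}AddPortMapping" % SERVICE)
    values = (remote_host, external_port, protocol, internal_port,
              internal_client, 1, description, lease_seconds)
    for name, value in zip(ARGS, values):
        ET.SubElement(action, name).text = str(value)
    return ET.tostring(env, encoding="unicode")


def parse_add_port_mapping(xml_text):
    """What the gateway (or a monitoring proxy in front of it) sees: a dict of arguments."""
    root = ET.fromstring(xml_text)
    action = root.find(".//{%s}AddPortMapping" % SERVICE)
    if action is None:
        raise ValueError("not an AddPortMapping request")
    args = {child.tag: (child.text or "") for child in action}
    missing = [a for a in ARGS if a not in args]
    if missing:
        raise ValueError("missing arguments: %s" % ", ".join(missing))
    return args


def audit_mapping(args, requester_ip):
    """Flag what a gateway honouring any LAN request will do without asking: keep the
    hole open forever, or open it towards a host other than the one that asked."""
    findings = []
    if int(args["NewLeaseDuration"]) == 0:
        findings.append("permanent mapping (lease 0)")
    if args["NewInternalClient"] != requester_ip:
        findings.append("maps to a host other than the requester")
    return findings


if __name__ == "__main__":
    xml = add_port_mapping_request(4445, "UDP", "192.168.2.2", 4445, "p2p app", 3600)
    print(xml)
    print(audit_mapping(parse_add_port_mapping(xml), "192.168.2.2"))
```

The request carries no credential at all, which is exactly the page 46 objection: whatever checks the gateway applies (lease limits, requester equals NewInternalClient, or simply disabling IGD on the WAN side and for untrusted LAN segments) are the only controls on who can expose an internal port.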
Page 47
References
Peer-to-Peer Communication Across NAT. http://www.brynosaurus.com/pub/net/p2pnat/
STUN Protocol RFC. http://www.ietf.org/rfc/rfc3489.txt
TCP NAT traversal. http://nutss.gforge.cis.cornell.edu//stunt.php
Traversal Using Relay NAT (TURN) IETF RFC
Page 48
References (2)
SOCKS5 IETF RFC. http://www.ietf.org/rfc/rfc1928.txt
SOCKS4. http://archive.socks.permeo.com/protocol/socks4.protocol
Java Networking and Proxies. http://java.sun.com/j2se/1.5.0/docs/guide/net/proxies.html
Using UPnP for Programmatic Port Forwardings and NAT Traversal. http://www.codeproject.com/internet/PortForward.asp
Page 49
License: Attribution-ShareAlike 2.5 (the same summary as on page 2)