Characterization and Measurement of TCP Traversal Through NATs and Firewalls

Saikat Guha, Paul Francis, Cornell University, IMC 2005 (44 slides)


TRANSCRIPT

Page 1: Characterization and Measurement of TCP Traversal Through NATs

Characterization and Measurement of TCP Traversal Through NATs and Firewalls

Saikat Guha, Paul Francis

Cornell University

IMC 2005

Saikat Guha TCP Traversal Through NATs

Page 2

P2P connectivity through NATs

[Figure: Dan and Bob, private addresses 10.1.1.1 and 10.1.1.2, behind NATs 1.1.1.1 and 2.1.1.1]

New inbound flows cannot be routed

Page 3

P2P connectivity through NATs

[Figure: same topology; an inbound flow arrives at a NAT that has no mapping for it (??)]

New inbound flows cannot be routed

Page 4

P2P connectivity through NATs

[Figure: same topology; Dan and Bob each register with a server: "I am Dan", "I am Bob"]

Basic solution for UDP

Page 5

P2P connectivity through NATs

[Figure: same topology; the server tells each peer the other's public endpoint: "Bob is 2.1.1.1:2", "Dan is 1.1.1.1:1"]

Basic solution for UDP

Page 6

P2P connectivity through NATs

[Figure: same topology; a peer's first packet is stopped at the other peer's NAT (??)]

Basic solution for UDP

Page 7

P2P connectivity through NATs

[Figure: same topology, no further annotation]

Basic solution for UDP


Page 9

P2P connectivity through NATs

[Figure: same topology; a SYN arrives at a NAT with no mapping for it (??)]

TCP establishment more complex

Page 10

P2P connectivity through NATs

[Figure: same topology; the SYNACK]

TCP establishment more complex

Page 11

Context for this work

’92: NAT invented
’93–’96: NAT traversal presumed impossible
’97–’01: UDP traversal solved and standardized [Kegel]
’93–’03: TCP traversal presumed impossible
’04: TCP traversal ’solved’ (2 approaches) [Guha]
’05: 2 more approaches [Ford, Biggadike]
’05: Approaches evaluated [Guha]
’06: TCP traversal standardized

Page 12

Context for this work

(Timeline as on Page 11, highlighting:)

’04: TCP traversal ’solved’ (2 approaches) [Guha]
’05: 2 more approaches [Ford, Biggadike]

4 approaches

Many trade-offs:
- NAT sensitivity
- Ease of Implementation
- Ease of Deployment

Page 13

Context for this work

(Timeline as on Page 11, highlighting:)

’05: Approaches evaluated [Guha]

Contributions:

- Characterization

- Measurements

- Guidelines

- Standardization

Page 14

“Take away” Results

- TCP can be established between NAT’ed peers

- Works an estimated 85%–90% of the time today

- 100% for certain popular, well-behaved NATs

- All NATs could standardize to this

Page 15

P2P TCP Establishment

[Figure: same topology as Page 2; the rendezvous service tells each peer the other's public endpoint: "Bob is 2.1.1.1:2", "Dan is 1.1.1.1:1"]

Use Rendezvous Service

Page 16

P2P TCP Establishment

[Figure: same topology; a SYN arrives at a NAT with no mapping for it (??)]

Use Rendezvous Service

Page 17

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN → ?? (stopped at Bob's NAT)

Punch hole using connect/close/bind/listen

Page 18

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN → ?? (stopped at Bob's NAT)
Dan: close(), bind(), listen()

Punch hole using connect/close/bind/listen

Page 19

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN → ?? (stopped at Bob's NAT)
Dan: close(), bind(), listen()
Bob → SYN → Dan

Accept incoming connection

Page 20

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN → ?? (stopped at Bob's NAT)
Dan: close(), bind(), listen()
Bob → SYN → Dan
Dan → SYNACK → Bob
Bob → ACK → Dan

Accept incoming connection

Page 21

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN → ?? (stopped at Bob's NAT)
RST ← (returned by the NAT; the hole in Dan's NAT closes)
Bob → SYN → ?? (no hole to pass through)

What if: NAT returns RST, closes hole

Page 22

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN → ?? (stopped at Bob's NAT)
Bob → SYN → Dan's NAT
RST ← (Dan's NAT rejects the SYN arriving through the hole)

What if: NAT rejects SYN through hole

Page 23

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN (low TTL) → expires after crossing Dan's NAT
Bob → SYN (low TTL) → expires after crossing Bob's NAT

Variation: low-TTL SYN

Page 24

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN (low TTL)
Bob → SYN (low TTL)
SYNACK (spoofed)
ACK
SYNACK (spoofed)

Variation: low-TTL SYN, spoof SYNACK

Page 25

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN (low TTL)
Bob → SYN (low TTL)
SYNACK (raw, from each side)
ACK

Variation: low-TTL SYN, RAW SYNACK

Page 26

P2P TCP Establishment

[Sequence diagram, time running downward; columns: Dan, NAT, NAT, Bob]
Dan → SYN (low TTL)
Bob → SYN (low TTL)
SYNACK (raw, from each side)
ACK

What if: NAT blocks outgoing SYNACK
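The exchange on Pages 17 to 26, as an added Python example that is not code from the paper or the STUNT library: a toy model of two NATs whose behaviour is varied along the axes the slides ask "what if" about (does a SYN arriving through an existing hole get accepted or answered with RST, does a SYN with no matching hole get dropped or answered with RST, and does a RST coming back through a hole tear it down). Addresses, ports and the hop count between the NATs are constructed sample values; the peers' socket state (the close/bind/listen sequence) is not modelled, only what the NATs do to each packet.

```python
"""Toy simulation of TCP hole punching through two NATs (constructed example)."""
from dataclasses import dataclass, field

INTERNET_HOPS = 3  # constructed: router hops between the two NATs in this toy network


@dataclass
class Packet:
    src: tuple   # (ip, port)
    dst: tuple
    flags: str   # "SYN", "SYNACK", "ACK" or "RST"
    ttl: int = 64


@dataclass
class Nat:
    """Endpoint-independent binding (one public port per private socket, whatever the
    destination) with address-dependent filtering: a remote may send in only after the
    private host has sent to it. The three knobs are the behaviours the slides vary."""
    public_ip: str
    syn_through_hole: str = "accept"      # SYN from a permitted remote: "accept" | "rst" | "drop"
    syn_without_permission: str = "drop"  # SYN from anyone else: "drop" | "rst"
    rst_closes_hole: bool = False         # a RST arriving through a hole tears the binding down
    next_port: int = 6501
    binding: dict = field(default_factory=dict)  # private endpoint -> [public port, permitted remotes]

    def outbound(self, pkt):
        """Private -> public. Creates the binding on first use and records the destination
        as permitted. The binding exists even if the packet later expires (low-TTL trick)."""
        if pkt.src not in self.binding:
            self.binding[pkt.src] = [self.next_port, set()]
            self.next_port += 1
        pub_port, permitted = self.binding[pkt.src]
        permitted.add(pkt.dst)
        return Packet((self.public_ip, pub_port), pkt.dst, pkt.flags, pkt.ttl - 1)

    def inbound(self, pkt):
        """Public -> private. Returns (packet delivered to the private host, packet sent back)."""
        for priv, (pub_port, permitted) in list(self.binding.items()):
            if pub_port != pkt.dst[1] or pkt.src not in permitted:
                continue
            if pkt.flags == "SYN" and self.syn_through_hole == "rst":
                return None, Packet(pkt.dst, pkt.src, "RST")
            if pkt.flags == "SYN" and self.syn_through_hole == "drop":
                return None, None
            if pkt.flags == "RST" and self.rst_closes_hole:
                del self.binding[priv]
            return Packet(pkt.src, priv, pkt.flags, pkt.ttl - 1), None
        if pkt.flags == "SYN" and self.syn_without_permission == "rst":
            return None, Packet(pkt.dst, pkt.src, "RST")
        return None, None


def transit(pkt):
    """The path between the two NATs; a packet whose TTL cannot cover it dies there."""
    if pkt.ttl <= INTERNET_HOPS:
        return None
    return Packet(pkt.src, pkt.dst, pkt.flags, pkt.ttl - INTERNET_HOPS)


def hole_punch(dan_nat, bob_nat, punch_ttl=64):
    """STUNT-style exchange between Dan and Bob. Returns (connected, log of events)."""
    log = []
    dan, bob, rendezvous = ("10.1.1.1", 1037), ("10.1.1.2", 1037), ("3.3.3.3", 3478)
    # Step 1: each peer contacts the rendezvous service, which reports its public endpoint.
    dan_pub = dan_nat.outbound(Packet(dan, rendezvous, "SYN")).src
    bob_pub = bob_nat.outbound(Packet(bob, rendezvous, "SYN")).src
    log.append(f"rendezvous: Dan is {dan_pub}, Bob is {bob_pub}")
    # Step 2: Dan sends a SYN toward Bob, which opens a hole in Dan's NAT. Bob's NAT has not
    # seen traffic toward Dan, so at best it drops the SYN and at worst it answers with RST.
    syn = transit(dan_nat.outbound(Packet(dan, bob_pub, "SYN", ttl=punch_ttl)))
    if syn is None:
        log.append("Dan's SYN expired before reaching Bob's NAT (low TTL)")
    else:
        _, reply = bob_nat.inbound(syn)
        if reply is None:
            log.append("Bob's NAT dropped Dan's SYN")
        else:
            log.append("Bob's NAT answered Dan's SYN with RST")
            dan_nat.inbound(transit(reply))  # may close Dan's hole, depending on his NAT
    # Step 3: Dan does close()/bind()/listen() on the same local port (not modelled here);
    # Bob connects to the public endpoint the rendezvous reported for Dan.
    delivered, reply = dan_nat.inbound(transit(bob_nat.outbound(Packet(bob, dan_pub, "SYN"))))
    if delivered is None:
        log.append("Bob's SYN did not reach Dan: " + ("Dan's NAT replied RST" if reply else "dropped"))
        return False, log
    log.append("Bob's SYN reached Dan's listening socket")
    # Step 4: an ordinary handshake completes through the two holes.
    synack, _ = bob_nat.inbound(transit(dan_nat.outbound(Packet(dan, bob_pub, "SYNACK"))))
    ack, _ = dan_nat.inbound(transit(bob_nat.outbound(Packet(bob, dan_pub, "ACK"))))
    log.append("handshake complete" if synack and ack else "handshake failed")
    return bool(synack and ack), log


if __name__ == "__main__":
    for title, dn, bn, ttl in [
        ("well-behaved NATs", Nat("1.1.1.1"), Nat("2.1.1.1"), 64),
        ("RST closes hole", Nat("1.1.1.1", rst_closes_hole=True), Nat("2.1.1.1", syn_without_permission="rst"), 64),
        ("RST closes hole, low-TTL SYN", Nat("1.1.1.1", rst_closes_hole=True), Nat("2.1.1.1", syn_without_permission="rst"), 2),
        ("NAT rejects SYN through hole", Nat("1.1.1.1", syn_through_hole="rst"), Nat("2.1.1.1"), 64),
    ]:
        ok, events = hole_punch(dn, bn, ttl)
        print(f"{title}: {'connected' if ok else 'failed'}")
        for e in events:
            print("  " + e)
```

The third scenario shows why the low-TTL variation exists: when Bob's NAT answers the punching SYN with a RST and Dan's NAT closes the hole on seeing it, letting the SYN die in transit keeps the hole open. The fourth scenario (a NAT that rejects any inbound SYN through a hole) is the case the spoofed or raw SYNACK variations of Pages 24 and 25 address; those are not modelled here.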

Page 27

Recap

- 4 approaches
- 16 variants (mix and match)

- Many trade-offs
  - Some sensitive to NAT behavior
  - Some hard to implement
  - Some hard to deploy

- Measurement study to determine how well each works in practice

Page 28

Methodology

- Implemented all approaches
  - Lessons learned in the paper

- Cause of failure for 16 brands of NATs
  - Linksys, DLink, Netgear, Belkin, . . .

- 32 axes of classification

- Classified (∼100) NATs in the wild
  - Extrapolated for world-wide behavior

- Brand market share analysis

Page 29: Characterization and Measurement of TCP Traversal Through NATs

NAT Axes of ClassificationNAT Binding:Type Delta HairpinOverloading Max Flows Predictable

Preservation:Port Number Low HighDynamic Parity Sequential

Packet Mangling:TCP Data ICMP Data TCP SequenceIP TTL

Filters:←−−

SYN←−−

SYN (known IP) Estd.←−−

SYN−−→

SYN←−−

SYN−−→

SYN←−−

RST←−−

SYN−−→

SYN←−−−−−

ICMP11←−−

SYN−−→

SYN←−−−−

ICMP2←−−

SYN−−→

SYN←−−−−−−

SYNACK−−→

SYN←−−

RST←−−−−−−

SYNACK−−→

SYN←−−−−−

ICMP11←−−−−−−

SYNACK−−→

SYN←−−−−

ICMP2←−−−−−−

SYNACK−−→

SYN−−−−−−→

SYNACK

Timers:SYN-SENT Established Timed-WaitRST

Saikat Guha TCP Traversal Through NATs


Page 31

Port Prediction

[Figure: same topology as Page 2; Dan's SYN to the rendezvous service ("I am Dan") yields "Dan is 1.1.1.1:1"; will the SYN toward Bob leave from the same port?]

Problem: What port did SYN come from?

Page 32

Port Prediction

[Figure: Dan | NAT]
Internal port: 1037
External port: 6501

Classification

NB: Independent


Page 34

Port Prediction

[Figure: Dan | NAT]
Internal port: 1037
External port: 6501
Predicted: 6501 (to Bob)

Classification

NB: Independent

Page 35

Port Prediction

[Figure: Dan | NAT]
Internal port: 1037
External ports: 6501, 6502, 6503, 6504

Classification

NB: Delta

Page 36

Port Prediction

[Figure: Dan | NAT]
Internal port: 1037
External ports: 6501, 6502, 6503, 6504, 6505
Predicted: 6505 (to Bob)

Classification

NB: Delta

Page 37

Port Prediction

[Figure: Dan | NAT]
Internal port: 1037
External ports: 6501, 6502, 6503, 6504, 6505
Wrongly predicted: 6505 (to Bob); Rob's connection takes 6505, Dan's actual port is 6506

Classification

NB: Delta

Page 38

Port Prediction

[Figure: Dan | NAT]
Internal port: 1024
External ports: 9516, 6364, 5289, 8172

Classification

NB: Random
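The binding types on Pages 32 to 38, as an added Python example that is not code from the paper or its classification software: a toy port allocator for Independent, Delta and Random NATs, the classifier that infers the type from the ports seen on successive probe flows, and the race of Page 37 where another host (Rob) behind the same NAT consumes the predicted port. Hosts and ports are constructed sample values; the classifier generalises the slides' Delta case to any constant step, not just 1.

```python
"""Toy NAT port-binding classifier and predictor (constructed example)."""
import random


class NatAllocator:
    """Model of a NAT's external-port allocation policy; not a real NAT."""

    def __init__(self, kind, first_port=6501, delta=1, seed=1):
        self.kind = kind              # "Independent", "Delta" or "Random"
        self.next_port = first_port
        self.delta = delta
        self.rng = random.Random(seed)
        self.by_internal = {}         # Independent: internal endpoint -> external port

    def _fresh(self):
        port, self.next_port = self.next_port, self.next_port + self.delta
        return port

    def allocate(self, internal):
        """External port for a new flow from `internal`, an (ip, port) tuple."""
        if self.kind == "Independent":
            # one external port per internal socket, reused for every destination
            if internal not in self.by_internal:
                self.by_internal[internal] = self._fresh()
            return self.by_internal[internal]
        if self.kind == "Delta":
            return self._fresh()      # every new flow from any host takes the next port
        return self.rng.randrange(1024, 65536)


def classify_binding(ports):
    """Classify a NAT from the external ports observed for successive probe flows from one
    internal socket, and predict the port the next flow will get (None if unpredictable)."""
    if len(ports) < 3:
        raise ValueError("need at least three probes to tell Delta from Random")
    if len(set(ports)) == 1:
        return "Independent", ports[-1]
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1:
        return "Delta", ports[-1] + deltas.pop()
    return "Random", None


def predict_then_connect(nat, probes=4, foreign_flows=0):
    """Dan probes the rendezvous service `probes` times from one socket, predicts his next
    external port and tells Bob; meanwhile `foreign_flows` connections from another host
    behind the same NAT (Rob) are opened. Returns (kind, predicted, actual, prediction_hit)."""
    dan = ("10.1.1.1", 1037)
    observed = [nat.allocate(dan) for _ in range(probes)]
    kind, predicted = classify_binding(observed)
    for i in range(foreign_flows):
        nat.allocate(("10.1.1.9", 2000 + i))  # Rob's flows, consuming ports in between
    actual = nat.allocate(dan)                 # Dan's real connection toward Bob
    return kind, predicted, actual, predicted == actual


if __name__ == "__main__":
    print(predict_then_connect(NatAllocator("Independent")))
    print(predict_then_connect(NatAllocator("Delta")))
    print(predict_then_connect(NatAllocator("Delta"), foreign_flows=1))  # the Page 37 race
    print(predict_then_connect(NatAllocator("Random")))
```

Independent binding is immune to the race because the external port belongs to Dan's socket rather than to the flow; Delta binding predicts correctly only if nothing else behind the NAT opens a connection between the probe and the real connect; Random binding gives the predictor nothing to work with, which is why it counts as a NAT-sensitivity failure in the projected-success figures.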

Page 39

Projected Success

[Bar chart: Success Rate (%) from 0 to 100 for STUNT Spoof, STUNT Plain, NATBlaster and P2PNAT; bars distinguished by low-TTL vs. not, no port prediction vs. port prediction, no race vs. race condition]

TCP traversal succeeds 85%-90% (estd.)

Page 40

Projected Success

[Bar chart as on Page 39: Success Rate (%) for STUNT Spoof, STUNT Plain, NATBlaster and P2PNAT]

1. STUNT Spoof – Hard to deploy

2. STUNT Plain – Best Option

3. NATBlaster – Fails on WinXP SP2

4. P2PNAT – Fails on WinXP and earlier

Page 41

Software

- NAT Traversal Library
  - JAVA implementation available
  - Encrypted tunnel application

- NAT Classification software
  - Windows, Linux versions available

Page 42

Future Work

- Wide-scale testing
  - Implement in bittorrent, swarmcast, . . .

- Standardize NAT TCP Behavior
  - IETF BEHAVE Working Group
  - I-D: draft-hoffman-behave

Page 43

Related Issues

IPv6 . . .
- Transition will require v4–v6 NATs

Firewalls . . .
- Will persist even with IPv6

Universal Plug-and-Play (UPnP) . . .
- Off by default

Page 44

Summary

- TCP NAT Traversal works!
  - 85%-90% today, 100% soon

- For P2P developers:
  - Application guidelines
  - TCP traversal library

- For NAT vendors:
  - Standards document
  - NAT checking software

http://nutss.net/stunt