Leone - From global measurements to local management: NATalyser in-home NAT detection. Miguel Ángel Díaz, Francisco Valera.

1 Leone - From global measurements to local management. NATalyser: in-home NAT detection. Miguel Ángel Díaz, Francisco Valera

2 METRIC OBJECTIVE: General picture (diagram: home network behind the NAT, EXTERNAL NETWORKS). October 2014, Leone - From global measurements to local management

3 METRIC OBJECTIVE: General picture
- What: evaluate NAT characteristics and whether their behaviour is RFC compliant. The requirements are described in RFC 5382 for TCP, RFC 5508 for ICMP and RFC 4787 for UDP.
- Why: check for possible problems for end-user applications. Are ISPs aware of this?

4 Testbed: NATalyser has been executed in various countries…

5 Testbed: …and also with several router vendors

6 Requirements summary table: how much are the requirements met by the tested NATs? (Matrix of UDP, ICMP and TCP requirements against fulfilment bands; column abbreviations as extracted from the slide.)
UDPICMPTCP FullfilmentMAFILPPHPPADBMSIDFFOOSOOLFTMORRREEIEDUTEPEHEIPOMRIMIH 91-100%X XXXX XX X X X XXX 81-90% X 71-80% XX X X 61-70% X 51-60% < 51% X X XX X

7 Remarkable results: Overall picture, UDP (8th October, 2013, Leone - From global measurements to local management; diagram: EXTERNAL NETWORKS)

8 NAT behavioral requirements for unicast UDP: 11 tests to discover how the NAT behaves with the UDP protocol (RFC 4787)
1. Type of mapping
2. Type of filtering
3. Whether the NAT preserves the port
4. Whether there is port parity
5. Whether the NAT supports hairpinning
6. Whether the NAT has deterministic behavior
7. Whether ICMP errors break the mapping
8. Whether the Don't Fragment flag is supported
9. Whether the NAT supports receiving out of order
10. Whether the mapping has a lifetime over 2 minutes
11. Whether the NAT renews the mapping with outbound packets

9 Remarkable results for UDP: on the mapping test. ENDPOINT INDEPENDENT: 56; ADDRESS DEPENDENT: 0; ADDRESS AND PORT DEPENDENT: 1 (the only Thomson router in the whole testbed)

10 Remarkable results for UDP: if the mapping is not endpoint-independent, there could be problems with UNSAF (Unilateral Self-Address Fixing) methods, as stated in RFC 3424

11 Remarkable results for UDP: on the filtering test. APD: ADDRESS AND PORT DEPENDENT: 43; AD: ADDRESS DEPENDENT: 1; EP: ENDPOINT INDEPENDENT: 13. The 13 Telecom Italia probes from the vendor Technicolor have endpoint-independent filtering behavior. One out of the four NETGEAR routers, the one from Telecom Italia, maybe due to a different model? Known problems with endpoint-independent filtering (RFC 4787); the rest of them are more restrictive.
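The mapping test (slide 9), the filtering test (slide 11) and the port-preservation test all reduce to comparing what a cooperating server observes with what the client sent. The following is an added example, not NATalyser's own code, that classifies those three RFC 4787 behaviours from constructed probe observations (the addresses, ports and the Probe/RESTRICTIVENESS names are assumptions of this example).

```python
# Added example, not code from the Leone/NATalyser project: classify a NAT's UDP
# mapping, filtering and port-preservation behaviour per RFC 4787 from probe
# observations. All addresses and ports below are constructed sample data.
from collections import namedtuple

# internal = (ip, port) the client bound; dest = external (ip, port) it sent to;
# observed = (ip, port) the cooperating server saw the packet arrive from.
Probe = namedtuple("Probe", "internal dest observed")
RESTRICTIVENESS = ["Endpoint-Independent", "Address-Dependent",
                   "Address and Port-Dependent"]

def classify_mapping(probes):
    """RFC 4787 sec. 4.1: same external mapping for every destination (EI),
    per destination IP (AD), or per destination IP and port (APD).
    Returns the most restrictive verdict seen over all internal endpoints."""
    per_internal = {}
    for p in probes:
        per_internal.setdefault(p.internal, {})[p.dest] = p.observed
    worst = 0
    for dest_map in per_internal.values():
        if len(set(dest_map.values())) == 1:
            verdict = 0
        else:
            per_ip = {}
            for (ip, _), obs in dest_map.items():
                per_ip.setdefault(ip, set()).add(obs)
            verdict = 1 if all(len(s) == 1 for s in per_ip.values()) else 2
        worst = max(worst, verdict)
    return RESTRICTIVENESS[worst]

def classify_filtering(contacted, inbound):
    """RFC 4787 sec. 5: after the client sent to the endpoints in `contacted`,
    `inbound` maps (src_ip, src_port) -> True if a packet from that source
    reached the client through the existing mapping."""
    known_ips = {ip for ip, _ in contacted}
    if any(ok for (ip, _), ok in inbound.items() if ip not in known_ips):
        return RESTRICTIVENESS[0]   # any external endpoint gets through
    if any(ok for src, ok in inbound.items()
           if src not in contacted and src[0] in known_ips):
        return RESTRICTIVENESS[1]   # contacted IPs only, any port
    return RESTRICTIVENESS[2]       # contacted (ip, port) pairs only

def preserves_port(probes):
    """UDP test 3: the external port equals the internal port."""
    return all(p.internal[1] == p.observed[1] for p in probes)

# Constructed observations: one internal socket, two servers, two ports.
INT = ("192.168.1.5", 40000)
DESTS = [("203.0.113.10", 3478), ("203.0.113.10", 3479), ("198.51.100.20", 3478)]
EIM_NAT = [Probe(INT, d, ("192.0.2.1", 40000)) for d in DESTS]
APD_NAT = [Probe(INT, d, ("192.0.2.1", 50000 + i)) for i, d in enumerate(DESTS)]
```

EIM_NAT models the 56 endpoint-independent, port-preserving results; APD_NAT models the single Thomson router that allocates a new external port per destination.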

12 Remarkable results for UDP: example of problems with the filtering (RFC 4787). Imagine that this router has an open port X. An unauthorized packet could go through this open port if the NAT has endpoint-independent filtering (with luck).

13 Remarkable results for UDP: on the preserve-port test. Preserves port: 43; does not preserve port: 14. Technicolor does not preserve the port.

14 Remarkable results for UDP: on the Don't Fragment flag test. DONT FRAGMENT FLAG support: 46; not: 11. The Hebrew University of Jerusalem (vendor NEC Access) and Biglobe Inc. have their routers with a "Don't Fragment" flag support behavior of No. Thomson Telecom and Cisco are only on this behavior. No ICMP may mean: 1. No need to fragment 2. A real lack of support for DF=1

15 Remarkable results for UDP: example of problems with Don't Fragment flag support (RFC 4787). An application sends a packet with DF flag = 1 through a NAT whose outgoing MTU is lower than the size of the packet. If the NAT does not send back a packet notifying the application that the sent packet was not delivered, the application could enter a loop, always sending the same packet expecting a reply, or think that the network is unreachable.
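Slide 14 notes that "no ICMP" is ambiguous: the packet may have fit, or the NAT may have dropped it silently. The simulation below is an added example (not from the slides or from NATalyser) of a DF=1 sender that adapts to an ICMP Fragmentation Needed message when the NAT sends one and, when it does not, bounds its retries and steps the size down instead of looping on the same packet forever; SimNat, the MTU values and the step size are constructed assumptions.

```python
# Added example, not from the Leone/NATalyser slides: a simulated NAT that drops
# DF=1 packets larger than its outgoing MTU, with or without returning an ICMP
# "Fragmentation Needed", and a sender that survives the silent case.
# MTU values and packet sizes are constructed sample numbers.

class SimNat:
    """Forwards a DF=1 packet only if it fits the outgoing MTU. With
    icmp_feedback=False oversize packets are dropped silently (the 'No'
    behaviour counted on slide 14)."""
    def __init__(self, out_mtu, icmp_feedback):
        self.out_mtu, self.icmp_feedback = out_mtu, icmp_feedback

    def forward(self, size):
        """Returns ("delivered", None), ("icmp", mtu) or ("silent", None)."""
        if size <= self.out_mtu:
            return "delivered", None
        return ("icmp", self.out_mtu) if self.icmp_feedback else ("silent", None)

def send_with_df(nat, size, min_size=576, max_silent=3, step=200):
    """Send `size` bytes with DF=1. On ICMP feedback, resize to the reported
    MTU at once. After `max_silent` unanswered attempts at one size, assume a
    black hole and step the size down rather than retrying the same packet
    forever. Returns (outcome, final_size, attempts)."""
    attempts, silent = 0, 0
    while size >= min_size:
        attempts += 1
        status, mtu = nat.forward(size)
        if status == "delivered":
            return "delivered", size, attempts
        if status == "icmp":
            size, silent = mtu, 0      # explicit feedback: adapt immediately
            continue
        silent += 1
        if silent >= max_silent:      # no feedback at all: give up on this size
            size, silent = size - step, 0
    return "unreachable", size, attempts
```

With ICMP feedback the 1500-byte send succeeds on the second attempt at the reported MTU; without it the sender needs three silent tries per size before it learns anything, which is the cost of a NAT that drops DF=1 packets without notification.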

16 Remarkable results for UDP: all of them reported that the NAT has an outbound mapping lifetime renewal behavior of true

17 Remarkable results for UDP: all of the probes report that their NATs don't have a mapping lifetime > 2 minutes

18 Remarkable results for UDP: example of problems with the lifetime of the mapping (RFC 4787). Imagine that we have a testbed with a low processing rate, so we send the data to an external server to get it analyzed. If the server takes more time with the processing, it won't be able to send the data back.

19 Remarkable results: Overall picture, ICMP

20 Remarkable results for ICMP: 7 tests to check the behavior of the NAT device using the ICMP protocol
1. Whether the NAT handles ICMP queries and their associated responses
2. Whether the NAT supports error packets from the external realm when there is a mapping
3. Whether the NAT supports error packets from the internal realm when there is a mapping
4. Support of Destination Unreachable error packets
5. Support of Time Exceeded error packets
6. Support for ping
7. Support of hairpinning ICMP error packets

21 Remarkable results for ICMP: on the reply/request test. REQUEST/REPLY: 19; NOT: 38. Telecom Italia has all of its routers with the ICMP request filtered. It is the same for Biglobe and the Hebrew University. The Technicolor, ADB Italia, AVM, Cisco, NEC, Dial and Pirelli vendors also have the request/reply feature filtered. Maybe it's because something in the middle of the communication has filtered the packet?

22 Remarkable results for ICMP: example of problems with the reply/request. Applications like ping may not work properly or may be filtered.

23 Remarkable results for ICMP: example of problems with the error hairpinning. The app sends a packet to the server through the public IP. The server generates an error packet. If the NAT doesn't do the hairpinning, the original app won't have any notification about the error.

24 Remarkable results for ICMP: on the error packet hairpinning test. ERROR HAIRPINNING: 29; not: 28. All Pirelli and ADB routers do error hairpinning. Also Arcadyan, AVM, Cisco, Huawei and NEC do. It seems to be a very specific requirement and seems not to be implemented everywhere.

25 Remarkable results for ICMP: on the Time Exceeded error test. TIME EXCEEDED: 48; not: 9. Arcadyan, Sagem and Huawei (this last one has no representation on the support side)

26 Remarkable results for ICMP: example of problems with the reply/request. Applications like traceroute may not work properly at all.

27 Remarkable results: Overall picture, TCP

28 Remarkable results for TCP: 5 tests to check the behavior of the NAT device using the TCP protocol
1. Whether the mapping has endpoint-independent behavior
2. Whether the NAT is overloading ports
3. Whether the mapping resists ICMP packets
4. Whether the NAT fulfils the requirement on multiple initiation
5. Whether the NAT supports hairpinning

29 Remarkable results for TCP: on the mapping test. ENDPOINT INDEPENDENT: 43; not: 14. The Technicolor vendor is not doing endpoint-independent mapping. Thomson (BT) is not implementing it either.

30 Remarkable results for TCP: problems with the TCP mapping (RFC 5382). Online gaming may not work properly if the NAT is too restrictive.

31 Remarkable results for TCP: on the hairpinning test. From Telecom Italia and the Netgear vendor.

32 Majority by vendor (> 50% fulfilment by vendor): those that best meet the RFCs. (Matrix of UDP, ICMP and TCP requirements per vendor; column abbreviations as extracted from the slide.)
UDPICMPTCP FullfilmentMAFILPPHPPADBMSIDFFOOSOOLFTMORRREEIEDUTEPEHEIPOMRIMIH TechnicolorXXXXXXXX-X-X-X XX---XXX- ADB Broadband ItaliaX--XXXXX-X-X-X XX-XXXXX- Arcadyan Technology Corp.X--XXXXX-X-XXX X-XXXXXX- AVM GmbHX--XXXXX-X-X-X XX-XXXXX- Cisco-Linksys, LLCX--XXXX--X-X-X XX-XXXXX- Huawei Technologies Co., LtdX--XXXXX-X-XXX X-XXXXXX- Industrie Dial Face S.p.A.X--XXXXX-X-X-X XX-=XXXX- NEC AccessTechnica, Ltd.X--XXXX--X-X-X XX-XXXXX- NETGEARX--XXXX=-X-X-X XX--XXXX- Pirelli Tyre S.p.AX--XXXXX-X-X-X XX-XXXXX- SAGEM COMMUNICATIONX--XXXXX-X-XXX XXX-XXXX- Thomson Telecom Belgium--XXXXX--X-XXX XXX--XXX- UnKnownX--XXXX=-X-X=X XX=-XXXX-

33 Majority by vendor (> 50% fulfilment by vendor): those that worst meet the RFCs. (Same matrix as slide 32, with the other vendors highlighted.)
UDPICMPTCP FullfilmentMAFILPPHPPADBMSIDFFOOSOOLFTMORRREEIEDUTEPEHEIPOMRIMIH TechnicolorXXXXXXXX-X-X-X XX---XXX- ADB Broadband ItaliaX--XXXXX-X-X-X XX-XXXXX- Arcadyan Technology Corp.X--XXXXX-X-XXX X-XXXXXX- AVM GmbHX--XXXXX-X-X-X XX-XXXXX- Cisco-Linksys, LLCX--XXXX--X-X-X XX-XXXXX- Huawei Technologies Co., LtdX--XXXXX-X-XXX X-XXXXXX- Industrie Dial Face S.p.A.X--XXXXX-X-X-X XX-=XXXX- NEC AccessTechnica, Ltd.X--XXXX--X-X-X XX-XXXXX- NETGEARX--XXXX=-X-X-X XX--XXXX- Pirelli Tyre S.p.AX--XXXXX-X-X-X XX-XXXXX- SAGEM COMMUNICATIONX--XXXXX-X-XXX XXX-XXXX- Thomson Telecom Belgium--XXXXX--X-XXX XXX--XXX- UnKnownX--XXXX=-X-X=X XX=-XXXX-

34 Majority by ISP (> 50% fulfilment by ISP). (Matrix of UDP, ICMP and TCP requirements per ISP; column abbreviations as extracted from the slide.)
UDPICMPTCP FullfilmentMAFILPPHPPADBMSIDFFOOSOOLFTMORRREEIEDUTEPEHEIPOMRIMIH Bt Public Internet ServiceX-XXXXXX-X-XXX XXX-XXXXX Telecom Italia S.p.a.X-XXXXXX-X-X-X XX-XXXXXX Biglobe Inc.X-XXXXX--X-X-X XX-XXXXXX The Hebrew University Of JerusalemX-XXXXX--X-X-X XX--XXXXX

35 Conclusions
- NATalyser has been executed on Sam's testbed with some interesting results
- In the future NATalyser will be improved:
  - Support for more platforms: Java applet, Windows, Android
  - Use it in different NAT environments: residential environments, public open networks, public registration networks
