Presentation is loading. Please wait.

Presentation is loading. Please wait.

NAT/Firewall Traversal April 2009. NAT revisited – “port-translating NAT”

Published byPaul Chesterman Modified over 9 years ago

Similar presentations

Presentation on theme: "NAT/Firewall Traversal April 2009. NAT revisited – “port-translating NAT”"— Presentation transcript:

1 NAT/Firewall Traversal April 2009

2 NAT revisited – “port-translating NAT”

3 NAT’s effect on applications NAT affects P2P applications where each peer may need to be contacted. VoIP is one such application: each user needs to have an address for other users to “call” him/her. –E.g. in SIP’s case, the addresses in the INVITE message sent by UA are all private addresses! Cannot be used by target UA to reply. The problem is complicated by different types of NAT STUN is a protocol/algorithm to differentiate different NATs or firewalls

4 RFC 3489 STUN = Simple Traversal of UDP datagram protocol through NATs Simple protocol that lets application discover if it is behind firewalls and NAT boxes if so, what kind of firewall/NAT boxes And external port/address assigned by the NAT Useful for interactive multimedia application when each peer needs its contact information known, e.g. Skype

5 NAT and STUN Node with private address X NAT box Stun client Application at address Y port P Stun server request response NAT box has public address Z Maps “X at port R” to “Z at port Q” May do filtering so not all nodes knowing Z/Q can talk to X State: X/R = Z/Q

6 Types of NATs Full cone NAT – no filtering at NAT Restricted cone NAT – NAT with filtering: only previously contacted node can talk to X Port-restricted NAT – NAT with filtering: only previously contacted port number can be used to talk to X Symmetric NAT – most restrictive filtering: when X talks to different external appls Y/P and Z/Q, they result in different external address/port for X

7 Symmetric NAT discovery

8 Full cone NAT discovery

9 Restricted cone NAT discovery

10 Port-restricted cone NAT discovery

11 Firewalls Node with private address X Firewall Stun client Application at address Y port P Stun server request response Some firewall may block all UDP Some firewall may allow UDP response if sent from Y/P where an earlier UDP request was sent to (“symmetric firewall”)

12 Different cases detectable using STUN Node has public address Node behind firewall that blocks UDP Node behind symmetric firewall Full cone NAT Symmetric NAT Restricted NAT or port-restricted NAT

13 STUN Request and Response The STUN response from the server may include: MAPPED-ADDRESS- In Binding Responses. It contains the IP address and port of client. CHANGED-ADDRESS- In Binding Responses. It contains the alternate IP address and port of the server. SOURCE-ADDRESS- In Binding Response. It contains the IP address and port of server. The STUN request can contain a flag to request the STUN server to use alternative address and port to send STUN response CHANGE-REQUEST- In Binding Request. It contains flags for the alternate IP address and port of server.

14 Flow chart for NAT discovering process

15 How to find STUN servers Application specific way –E.g. Skype probably relies on public Super Nodes to serve as STUN servers –Super Nodes are found in Host Cache, initially populated by the well-known login server Using SRV records in DNS –The application/service provider populates SRV record for STUN servers –This is similar to how SIP proxy servers are found

16 “Hole Punching” – RFC5128 Alice (with private address) wants to call Bob Bob is also behind NAT box (with private address) Alice talks to public (STUN) server, so server knows Alice’s external address/port Bob also talks to public server, so server knows about Bob too Public server tells Alice about Bob, and Bob about Alice Bob sends packet to Alice (creating a “hole” in his NAT) AliceBob server1 2 34

17 Direct connection Now when Alice sends a packet back to Bob, Bob’s NAT does not filter it, assuming it is return packet from earlier request Alice’s NAT also allows Bob’s future packets to return This assumes Alice’s NAT will use the same external address/port (for server) to talk to Bob. This does not work if NATs are Symmetric NATs AliceBob server1 2 34

18 Brute force methods If both NATs are symmetric, may still be able to guess the address/port of the hole, by port scanning! –Such techniques are very ad hoc Last resort: use a relay (all stream data go through a third party) –Performance is worse off –Need someone to be relay

19 Reference For more detailed description, read an article about NAT in The Internet Protocol Journal, Vol 7, Num 3, September 2004. http://www.cisco.com/warp/public/759/ipj_7-3.pdf Also at: http://personal.ie.cuhk.edu.hk/~dmchiu/nat_stun_article.pdf Read about UDP hole punching from Wikipedia. IETF RFC 5128

Download ppt "NAT/Firewall Traversal April 2009. NAT revisited – “port-translating NAT”"

Similar presentations

SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
A New Method for Symmetric NAT Traversal in UDP and TCP

A New Method for Symmetric NAT Traversal in UDP and TCP
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
P2P and NAT How to traverse NAT Davide Carboni © 2005-2006.

P2P and NAT How to traverse NAT Davide Carboni ©
Network Address Translation (NAT) 12.10.2009 Prof. Sasu Tarkoma.

Network Address Translation (NAT) Prof. Sasu Tarkoma.
1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings

1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings
STUN Date: 2011-05-25 Speaker: Hui-Hsiung Chung 1.

STUN Date: Speaker: Hui-Hsiung Chung 1.
SIP Traversal over NAT Problems and Solutions Mr. Ting-Yun Chi May 2,2006 (Taiwan,NICI IPv6 R&D Division)

SIP Traversal over NAT Problems and Solutions Mr. Ting-Yun Chi May 2,2006 (Taiwan,NICI IPv6 R&D Division)
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved. NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen.

Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved. NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen.
1 NAT Traversal for VoIP Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University.

1 NAT Traversal for VoIP Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University.
Network Address Translation (NAT) 8.10.2007 Adj. Prof. Sasu Tarkoma.

Network Address Translation (NAT) Adj. Prof. Sasu Tarkoma.
CSE 222a Final Project - UCSD Spring 2007 p2p DNS addressing Presented By- Anup Tapadia Alexander Loukissas Justin Wu.

CSE 222a Final Project - UCSD Spring 2007 p2p DNS addressing Presented By- Anup Tapadia Alexander Loukissas Justin Wu.
NAT1 Network Address Translation Dr. Danny Tsang Department of Electronic & Computer Engineering Hong Kong University of Science and Technology.

NAT1 Network Address Translation Dr. Danny Tsang Department of Electronic & Computer Engineering Hong Kong University of Science and Technology.
January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.

January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.
Skype & Network Management Taken from class reference : An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol Salman A. Baset and Henning Schulzrinne.

Skype & Network Management Taken from class reference : An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol Salman A. Baset and Henning Schulzrinne.
Voice over IP Skype.

Voice over IP Skype.
1 An Analysis of the Skype Peer-to- Peer Internet Telephony Protocol Speaker : zcchen.

1 An Analysis of the Skype Peer-to- Peer Internet Telephony Protocol Speaker : zcchen.
 Motivation: local network uses just one IP address as far as outside world is concerned :  range of addresses not needed from ISP: just one IP address.

 Motivation: local network uses just one IP address as far as outside world is concerned :  range of addresses not needed from ISP: just one IP address.
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.
STUN Tutorial Jonathan Rosenberg Chief Technology Officer.

STUN Tutorial Jonathan Rosenberg Chief Technology Officer.

Similar presentations

Ads by Google