Leone - From global measurements to local management
UC3M: inHome NAT detection, RFC recommender (ICMP, UDP, TCP)
Miguel Ángel Díaz, Francisco Valera


METRIC OBJECTIVE
- Overall picture (diagram: the home network behind its NAT, facing the EXTERNAL NETWORKS)
8th October, 2013 - Leone - From global measurements to local management

METRIC OBJECTIVE
- Overall picture (diagram: the home network behind its NAT, facing the EXTERNAL NETWORKS)
- Each Internet provider may use a different NAT implementation, differing in the mapping, the filtering of packets and many other parameters
- We want to evaluate the NAT implementations of different providers
- The guidelines are set by:
  - RFC 5382 for TCP
  - RFC 5508 for ICMP
  - RFC 4787 for UDP
- The UDP validator is implemented
- The TCP and ICMP validators are under development
- Some of the tests are defined in RFC 5780 (NAT behavior discovery using STUN)

NAT behavioral requirements for unicast UDP
1. Type of mapping and filtering being used on the NAT
2. Use of the ports: are they being overloaded?
3. IP address pool on the external realm
4. Does the NAT preserve port parity?
5. Persistence of the mapping
6. A NAT must support hairpinning
7. Does the receipt of any ICMP packet terminate the UDP mapping?
8. How does the NAT handle DF=1 packets?
9. Behavior on receipt of out-of-order fragments
June 2014 - Leone - From global measurements to local management

NAT behavioral requirements for unicast UDP
- Example of a UDP test: a NAT must accept fragments received out of order
(diagram: the probe sends one UDP packet to the UC3M SERVER as two fragments, FRAG 1 first and FRAG 0 second, and waits: Response?)

NAT behavioral requirements for ICMP
1. The NAT must handle ICMP queries and their associated responses
2. Time after which a session mapping expires
3. Does the NAT permit ICMP packets without any active mapping?
4. Does the NAT permit ICMP error packets from the private realm without any active mapping?
5. Support for hairpinning ICMP packets
6. Support for the different sorts of ICMP packets:
   1. Destination Unreachable
   2. Time Exceeded
   3. Echo request/reply
   4. Etc.

NAT behavioral requirements for ICMP
- Example of an ICMP test: behavior when there is no mapping on the NAT and an ICMP error packet is generated
(diagram: the probe sends an initial ICMP packet towards the STUN SERVER, which answers with an ICMP error packet: does it arrive?)
- Inside this error packet there is another packet, the one that has no mapping on the NAT

NAT behavioral requirements for TCP
1. Type of mapping and filtering being used on the NAT
2. Use of the ports: are they being overloaded?
3. Support for TCP connections initiated both internally and externally
4. How inbound SYN packets are handled when they are unsolicited
5. Persistence of the mapping
6. A NAT must support hairpinning for TCP packets
7. Does the receipt of any ICMP packet terminate the TCP mapping?

Initial Results
- UDP tests have been executed on different probes
(chart: mapping results per probe, labelled "Endpoint independent" and "Address and port dependent")

Initial Results
- UDP tests have been executed on different computers
(chart: mapping results per computer, labelled "Endpoint independent", "Address and port dependent" and "Endpoint independent")

Initial Results
- We have tested the recommendations from the RFC, not only the mapping or filtering behavior

Future work
1. Finish the recommenders for TCP and ICMP
2. Integrate UPnP functionality into the tests
3. Deploy the tests on more computers
4. Migrate the tests to the Android platform
Estimated date for TCP and ICMP to be ready for trials: end of this month

Leone - From global measurements to local management
Developing the tests and how the tests function
Miguel Ángel Díaz, Francisco Valera
June 2014. Maribor Meeting

NAT behavioral requirements for unicast UDP
- A NAT must have an Endpoint-Independent Mapping behavior
- Depending on the use of the NAT, it must have Endpoint-Independent Filtering or Address-Dependent Filtering behavior
- Detect the mapping and filtering behavior with the STUN protocol
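The mapping test that the METRIC OBJECTIVE slide attributes to RFC 5780 and that this slide (and the TCP version on the "Endpoint-Independent Mapping" slide for TCP) describes is: send Binding requests from one local socket to the STUN server's primary address, then to its alternate address, then to its alternate address and port, and compare the mapped addresses. The following is an added example, not code from the Leone project: it builds and parses the STUN Binding messages (RFC 5389 header and XOR-MAPPED-ADDRESS attribute) and applies the RFC 5780 comparison. The STUN server is replaced by a hypothetical `SimulatedNat` that hands out mappings according to a chosen behavior, so it runs offline; all IP addresses and ports are constructed.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """RFC 5389 Binding request: 20-byte header, no attributes."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def build_binding_response(transaction_id, mapped_ip, mapped_port):
    """Binding response carrying the reflexive address as XOR-MAPPED-ADDRESS
    (constructed here to stand in for the STUN server's answer)."""
    xport = mapped_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(mapped_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)  # reserved, family IPv4
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + transaction_id + attr


def parse_xor_mapped_address(message, transaction_id):
    """Return (ip, port) from the XOR-MAPPED-ADDRESS attribute, or None if absent."""
    msg_type, length, cookie = struct.unpack("!HHI", message[:8])
    if msg_type != BINDING_RESPONSE or cookie != MAGIC_COOKIE or message[8:20] != transaction_id:
        raise ValueError("not a STUN Binding response to our transaction")
    offset, end = 20, 20 + length
    while offset + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", message[offset:offset + 4])
        value = message[offset + 4:offset + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        offset += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
    return None


def classify_mapping(local, test1, test2, test3):
    """RFC 5780 mapping test: test1 to the primary address/port, test2 to the
    alternate address with the primary port, test3 to the alternate address and port."""
    if test1 == local:
        return "no NAT"
    if test1 == test2:
        return "Endpoint-Independent"
    if test2 == test3:
        return "Address-Dependent"
    return "Address and Port-Dependent"


class SimulatedNat:
    """Hypothetical NAT used to exercise the classifier offline; the key it uses for
    its mapping table decides which behavior it exhibits."""

    def __init__(self, behaviour, public_ip="198.51.100.1"):
        self.behaviour, self.public_ip, self.table, self.next_port = behaviour, public_ip, {}, 64000

    def map(self, internal, dst_ip, dst_port):
        if self.behaviour == "none":
            return internal  # no translation at all
        key = {"Endpoint-Independent": internal,
               "Address-Dependent": (internal, dst_ip)}.get(self.behaviour, (internal, dst_ip, dst_port))
        if key not in self.table:
            self.table[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def run_mapping_test(nat, local=("192.168.1.10", 5000),
                     primary=("203.0.113.5", 3478), alternate=("203.0.113.6", 3479)):
    """Drive the three Binding requests through the simulated NAT and classify."""
    tid = os.urandom(12)
    results = []
    for dst_ip, dst_port in (primary, (alternate[0], primary[1]), alternate):
        build_binding_request(tid)  # what the probe would send to dst_ip:dst_port
        mapped_ip, mapped_port = nat.map(local, dst_ip, dst_port)
        response = build_binding_response(tid, mapped_ip, mapped_port)
        results.append(parse_xor_mapped_address(response, tid))
    return classify_mapping(local, *results)


if __name__ == "__main__":
    for behaviour in ("none", "Endpoint-Independent", "Address-Dependent", "Address and Port-Dependent"):
        print(behaviour, "->", run_mapping_test(SimulatedNat(behaviour)))
```

Against a real STUN server the same three requests are sent over UDP from one bound socket and the responses fed to `parse_xor_mapped_address`; the alternate address and port come from the OTHER-ADDRESS attribute of the first response, which this offline example takes as parameters instead.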

NAT behavioral requirements for unicast UDP
- A NAT must have an Endpoint-Independent Mapping behavior
(diagram: the probe sends Binding requests to the STUN server and compares the mapped addresses IP:X and IP:Y; X = Y?)
- Rule configured on the test NAT for endpoint-independent mapping (IPpublicaNAT stands for the NAT's public address):
  iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT:64000

NAT behavioral requirements for unicast UDP
- A NAT must not have a port assignment behavior of port overloading
- If the NAT preserves ports, two applications cannot use the same port to communicate with the same destination
(diagram: two sockets send to the STUN SERVER and their mapped addresses IP:X and IP:Y are compared; X = Y?)

NAT behavioral requirements for unicast UDP
- A NAT must not have a port assignment behavior of port overloading
- If the NAT preserves ports, two applications cannot use the same port to communicate with the same destination
(diagram: two sockets send to the STUN SERVER and their mapped addresses IP:X and IP:Y are compared; X = Y?)
- Rule configured on the test NAT so that it does not modify the outgoing port (SNAT to an address without a port range keeps the source port when it can):
  iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT

NAT behavioral requirements for unicast UDP
- If the NAT has an IP address pool, it is recommended that it have Paired behavior
- Detect whether the NAT implements IP pooling on the external realm
(diagram: repeated requests to the STUN SERVER; always the same mapped IP?)

NAT behavioral requirements for unicast UDP
- If the NAT has an IP address pool, it is recommended that it have Paired behavior
- Detect whether the NAT implements IP pooling on the external realm
(diagram: repeated requests to the STUN SERVER; always the same mapped IP?)
- Test NAT set-up:
  1. Assign 4 IP addresses to the NAT?
  2. Map outgoing STUN traffic to that pool (IPpublicaNAT1-IPpublicaNAT4 stands for the range of public addresses):
     iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT1-IPpublicaNAT4

NAT behavioral requirements for unicast UDP
- It is recommended that a NAT have a port parity preservation behavior of "yes"
- Detect whether the NAT preserves port parity
(diagram: requests to the STUN SERVER from different source ports; does the NAT preserve port parity?)
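The port overloading, port preservation, IP pooling and port parity slides above all reduce to comparing the internal (ip, port) of each test socket with the mapped (ip, port) that the STUN server reports. The following is an added example, not part of the presentation or of the Leone code, that performs those four checks over a constructed set of observations (two hosts behind one NAT, addresses and ports invented for the example); the STUN exchange itself is not repeated here, only the evaluation of its results.

```python
from collections import defaultdict

# Constructed observations, one per test socket, as the STUN Binding responses
# would report them: (internal_ip, internal_port, mapped_ip, mapped_port, dst_ip, dst_port).
# Two hosts behind one NAT talk to the STUN server's primary port 3478 and alternate port 3479.
OBSERVATIONS = [
    ("192.168.1.10", 5000, "198.51.100.1", 5000, "203.0.113.5", 3478),
    ("192.168.1.10", 5001, "198.51.100.1", 5001, "203.0.113.5", 3478),
    ("192.168.1.10", 5002, "198.51.100.1", 5002, "203.0.113.5", 3479),
    ("192.168.1.11", 5000, "198.51.100.2", 5000, "203.0.113.5", 3478),
    ("192.168.1.11", 6001, "198.51.100.2", 6001, "203.0.113.5", 3478),
]


def port_overloading(obs):
    """Port overloading: two different internal endpoints share one external
    ip:port towards the same destination, so the NAT cannot tell their replies
    apart. RFC 4787 forbids this behavior."""
    internal_by_external = defaultdict(set)
    for iip, iport, mip, mport, dip, dport in obs:
        internal_by_external[(mip, mport, dip, dport)].add((iip, iport))
    return any(len(v) > 1 for v in internal_by_external.values())


def port_preservation(obs):
    """True when every mapping keeps the internal source port as the external port."""
    return all(iport == mport for _, iport, _, mport, _, _ in obs)


def port_parity_preservation(obs):
    """True when even internal ports map to even external ports and odd to odd,
    the behavior RFC 4787 recommends."""
    return all(iport % 2 == mport % 2 for _, iport, _, mport, _, _ in obs)


def ip_pooling(obs):
    """'none' if a single external IP is ever used; 'Paired' if each internal IP
    always gets the same external IP (the recommended pooling behavior);
    'Arbitrary' if one internal IP is seen behind several external IPs."""
    externals = {mip for _, _, mip, _, _, _ in obs}
    if len(externals) == 1:
        return "none"
    by_internal = defaultdict(set)
    for iip, _, mip, _, _, _ in obs:
        by_internal[iip].add(mip)
    return "Paired" if all(len(v) == 1 for v in by_internal.values()) else "Arbitrary"


def evaluate(obs):
    """Summarise the four checks for one set of observations."""
    return {
        "port_overloading": port_overloading(obs),
        "port_preservation": port_preservation(obs),
        "port_parity_preservation": port_parity_preservation(obs),
        "ip_pooling": ip_pooling(obs),
    }


if __name__ == "__main__":
    for name, value in evaluate(OBSERVATIONS).items():
        print(f"{name}: {value}")
```

The checks only make sense over sockets opened in the same test run, because a NAT that reuses an external port after the earlier mapping has expired is not overloading it; the mapping-timer test on a later slide covers that case separately.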

NAT behavioral requirements for unicast UDP
- A NAT UDP mapping timer must not expire in less than two minutes for applications that don't use the 0-1023 port range
(diagram: Binding request from port X; later, Binding request from port Y; does the STUN SERVER's response arrive at Y or at X?)
- Test set-up:
  1. Bind two sockets to two known ports
  2. On the test NAT, forward inbound traffic for external port Y to the node's port X (IPprivadaNODO stands for the node's private address; DNAT is only accepted in the PREROUTING and OUTPUT chains of the nat table, so it is placed in PREROUTING on the external interface eth0, where the original slide had it in POSTROUTING):
     iptables -t nat -A PREROUTING -i eth0 -p udp --dport Y -j DNAT --to IPprivadaNODO:X

NAT behavioral requirements for unicast UDP
- A NAT must support hairpinning ("External IP" behavior)
(diagram: Binding request from port X to the STUN SERVER to learn the mapped address; then a Binding request to the mapped address from port Y; Response?)

NAT behavioral requirements for unicast UDP
- A NAT must support hairpinning
(diagram: Binding request from port X to the STUN SERVER to learn the mapped address; then a Binding request to the mapped address from port Y; Response?)
- Rules configured on the test NAT (eth0 is the external interface and eth1 the internal one, as on the mapping-timer slide; IPpublicaNAT and IPprivadaNodo stand for the NAT's public address and the node's private address):
  # 1. Endpoint-independent mapping: outbound STUN traffic from port X always gets external port 64000
  iptables -t nat -A POSTROUTING -o eth0 -p udp --sport X --dport 3478 -j SNAT --to IPpublicaNAT:64000
  # 2. Hairpin: a packet from the inside addressed to the mapped address is redirected to the node's port Y
  #    (DNAT is only accepted in PREROUTING and OUTPUT, so this rule cannot live in POSTROUTING as on the original slide)
  iptables -t nat -A PREROUTING -i eth1 -p udp -d IPpublicaNAT --dport 64000 -j DNAT --to IPprivadaNodo:Y
  # 3. The hairpinned packet must appear to come from the external mapped address; after rule 2 its destination is already IPprivadaNodo:Y
  iptables -t nat -A POSTROUTING -o eth1 -p udp -d IPprivadaNodo --dport Y -j SNAT --to IPpublicaNAT:64000

NAT behavioral requirements for unicast UDP
- Receipt of any sort of ICMP message must not terminate the NAT mapping (note: check where the ICMP messages come from)
(diagram: Binding request from port X to the STUN SERVER; an ICMP request; a second Binding request from port X; same mapping?)

NAT behavioral requirements for unicast UDP
- Receipt of any sort of ICMP message must not terminate the NAT mapping
(diagram: Binding request from port X to the STUN SERVER; an ICMP request; a second Binding request from port X; same mapping?)
- Rule configured on the test NAT so that the mapping is always the same:
  iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT:64000

NAT behavioral requirements for unicast UDP
- If a packet received on an internal IP address has DF=1, the NAT must send back an ICMP message "Fragmentation needed and DF set" to the host
(diagram: UDP packet with DF = 1 sent through the NAT; Response? The answer is checked with Wireshark)

NAT behavioral requirements for unicast UDP
- A NAT must support receiving in-order and out-of-order fragments, so it must have "Received Fragment Out of Order" behavior
(diagram: a UDP packet to the UC3M SERVER sent as FRAG 1 first and FRAG 0 second; Response? The exchange is checked with Wireshark)
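The out-of-order fragment test on this slide (and the example UDP test earlier in the deck) turns on the fact that only the first fragment of a UDP datagram carries the UDP header, so a NAT that sees the second fragment first has nothing to match against its mapping table unless it buffers or keeps fragment state. The following is an added example, not code from the presentation or from Leone: it splits a constructed UDP datagram into IPv4 fragments, then reassembles them in whatever order they arrive, which is the behavior the slide expects from the NAT (and what the UC3M server needs to do before answering). Addresses, ports and payload are constructed; IPv4 header checksums are left at zero because nothing here goes on the wire.

```python
import socket
import struct

MORE_FRAGMENTS = 0x2000  # MF bit in the IPv4 flags/fragment-offset field


def fragment_udp(src, dst, ident, sport, dport, data, frag_size=16):
    """Split one UDP datagram into IPv4 fragments carrying frag_size payload bytes
    each (a multiple of 8, since the offset field counts 8-byte units). Only the
    first fragment contains the UDP header."""
    assert frag_size % 8 == 0
    datagram = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    fragments = []
    for off in range(0, len(datagram), frag_size):
        chunk = datagram[off:off + frag_size]
        more = off + frag_size < len(datagram)
        flags_frag = (MORE_FRAGMENTS if more else 0) | (off // 8)
        header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident, flags_frag,
                             64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
        fragments.append(header + chunk)
    return fragments


class Reassembler:
    """Collects fragments keyed by (src, dst, identification) in any arrival order."""

    def __init__(self):
        self.pending = {}  # key -> {"parts": {offset: payload}, "total": int or None}

    def add(self, packet):
        """Feed one fragment; return the complete datagram once every byte is present."""
        ihl = (packet[0] & 0x0F) * 4
        total_len, ident, flags_frag = struct.unpack("!HHH", packet[2:8])
        key = (packet[12:16], packet[16:20], ident)
        offset = (flags_frag & 0x1FFF) * 8
        payload = packet[ihl:total_len]
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][offset] = payload
        if not flags_frag & MORE_FRAGMENTS:
            entry["total"] = offset + len(payload)  # the last fragment fixes the total length
        if entry["total"] is None:
            return None
        # complete only when the parts cover [0, total) without any hole
        expected = 0
        for off in sorted(entry["parts"]):
            if off != expected:
                return None
            expected += len(entry["parts"][off])
        if expected != entry["total"]:
            return None
        del self.pending[key]
        return b"".join(entry["parts"][o] for o in sorted(entry["parts"]))


def reassemble_udp(fragments):
    """Return (sport, dport, data) from fragments delivered in any order."""
    reassembler = Reassembler()
    for fragment in fragments:
        datagram = reassembler.add(fragment)
        if datagram is not None:
            sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
            return sport, dport, datagram[8:length]
    raise ValueError("datagram incomplete")


if __name__ == "__main__":
    frags = fragment_udp("192.168.1.10", "203.0.113.5", 0x1234, 5000, 3478, b"leone-nat-probe-" * 3)
    print(len(frags), "fragments; reversed order ->", reassemble_udp(list(reversed(frags))))
```

A stateless NAT that translates only fragments carrying a UDP header would drop the out-of-order case in the `__main__` run, because the first fragment it sees has no ports to look up; the reassembler above never depends on order, which is the "Received Fragment Out of Order" behavior the slide asks for.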

NAT behavioral requirements for ICMP
- Same process as for the UDP RFC
- The NAT device must permit ICMP queries and their associated responses
(diagram: ICMP request and ICMP response crossing the NAT towards the Internet and back; does the ping get its response?)

NAT behavioral requirements for ICMP
- An ICMP session timer must not expire in less than 60 seconds
(diagram: ICMP packet to the UC3M LEONE SERVER; sleep 60; a second ICMP packet)

NAT behavioral requirements for ICMP
- If the NAT has an active mapping for the embedded payload of an incoming error packet, it must change the transport headers, leaving the error code unchanged
(diagram: UDP packet to the UC3M LEONE SERVER; ICMP error packet back)
- Do we get the error packet?
- Code and type == 3?

NAT behavioral requirements for ICMP
- If the NAT has an active mapping for the embedded payload of an outgoing error packet, it must change the transport headers, leaving the error code unchanged
(diagram: UDP packet from the UC3M LEONE SERVER; ICMP error packet sent out; a UDP packet with the result)
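The two slides above and the earlier ICMP example test ("Inside this packet there is another...") rest on the structure of an ICMP error: type, code and checksum, followed by the IPv4 header and first 8 bytes (the UDP header) of the datagram that caused it. The following is an added example, not code from the presentation or from Leone, that builds a Destination Unreachable / Port Unreachable error (type 3, code 3, the "Code and type == 3?" check) as the server would send it, parses it the way the probe does, and applies the translation the slide requires of a conformant NAT: rewrite the outer destination and the embedded source ip:port back to the private endpoint, keep type and code, recompute the ICMP checksum. The mapping table and all addresses are constructed; IPv4 header checksums are left at zero because nothing here goes on the wire.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header; the header checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def icmp_checksum(data):
    """One's-complement checksum over the ICMP message; zero when it verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_port_unreachable(outer_src, outer_dst, quoted_src, quoted_dst, sport, dport):
    """Type 3 / code 3 error quoting the offending datagram's IPv4 header and
    the first 8 bytes of its payload, i.e. its UDP header (RFC 792)."""
    quoted = ipv4_header(quoted_src, quoted_dst, 17, 28) + struct.pack("!HHHH", sport, dport, 8, 0)
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    return ipv4_header(outer_src, outer_dst, 1, 20 + len(body)) + body


def parse_icmp_error(packet):
    """Return the outer addresses, ICMP type/code and the quoted inner 5-tuple."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]), "outer_dst": socket.inet_ntoa(packet[16:20]),
        "type": icmp[0], "code": icmp[1],
        "inner_src": socket.inet_ntoa(inner[12:16]), "inner_dst": socket.inet_ntoa(inner[16:20]),
        "sport": sport, "dport": dport,
    }


def nat_translate_inbound_error(packet, mapping):
    """Model of the required NAT behavior for an inbound error: if the quoted
    packet's source (the NAT's own external ip:port) matches an active mapping,
    rewrite the outer destination and the quoted source back to the private
    endpoint, leave type and code untouched and refresh the ICMP checksum.
    With no matching mapping the error is dropped (None). `mapping` is a
    constructed table {(public_ip, public_port): (private_ip, private_port)}."""
    info = parse_icmp_error(packet)
    key = (info["inner_src"], info["sport"])
    if key not in mapping:
        return None
    priv_ip, priv_port = mapping[key]
    ihl = (packet[0] & 0x0F) * 4
    outer = bytearray(packet[:ihl])
    outer[16:20] = socket.inet_aton(priv_ip)
    icmp = bytearray(packet[ihl:])
    inner_ihl = (icmp[8] & 0x0F) * 4
    icmp[8 + 12:8 + 16] = socket.inet_aton(priv_ip)          # quoted source IP
    icmp[8 + inner_ihl:8 + inner_ihl + 2] = struct.pack("!H", priv_port)  # quoted source port
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", icmp_checksum(bytes(icmp)))
    return bytes(outer) + bytes(icmp)


if __name__ == "__main__":
    table = {("198.51.100.1", 64000): ("192.168.1.10", 5000)}
    error = build_port_unreachable("203.0.113.5", "198.51.100.1", "198.51.100.1", "203.0.113.5", 64000, 3478)
    print(parse_icmp_error(nat_translate_inbound_error(error, table)))
```

The outgoing-error case on the second slide is the mirror image: the quoted packet's destination is the private endpoint, the NAT replaces it with the mapped external ip:port and the outer source with its public address, again without touching type or code. A probe verifying either direction only needs `parse_icmp_error` plus a comparison of the returned fields against the mapping it learned over STUN.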

NAT behavioral requirements for ICMP
- All NAT devices must support the traversal of hairpinned ICMP error messages
(diagram: the probe learns its mapped IP and port from the STUN SERVER, sends a UDP packet to that mapped address, and expects an ICMP error packet back)

NAT behavioral requirements for ICMP
- A NAT must support Destination Unreachable, Time Exceeded and Echo request/reply packets
(diagram: UDP packet towards the STUN SERVER with TTL = 3; a Time Exceeded error packet comes back)
- Tested in the previous tests
- Tested by doing a ping

NAT behavioral requirements for TCP
- A NAT must have an "Endpoint-Independent Mapping" behavior
- Connect to the STUN SERVER from port X
- Connect to the alternative STUN server address
- If the mapping in these two cases is the same, then the NAT has an "Endpoint-Independent Mapping" behavior

NAT behavioral requirements for TCP
- A NAT must not have a "Port assignment" behavior of "Port overloading"
(diagram: several connections to the STUN SERVER)
- If any port is being reused, the NAT fails this requirement

NAT behavioral requirements for TCP
- A NAT must support "hairpinning"
(diagram: connection to the STUN SERVER to learn the mapped address, then a Binding request to the mapped address from port Y)

NAT behavioral requirements for TCP
- Receipt of any sort of ICMP message must not terminate the NAT mapping
(diagram: Binding request from port X to the STUN SERVER; an ICMP request; a second Binding request from port X; same mapping?)

NAT behavioral requirements for TCP
- A NAT must not respond to an unsolicited inbound SYN packet for at least 6 seconds after the packet is received. If during this interval the NAT receives and translates an outbound SYN for the connection, the NAT must silently drop the original unsolicited SYN
- A NAT must handle the TCP simultaneous-open mode of connection initiation

NAT behavioral requirements for TCP
- If there is neither a RESET nor an ICMP error, and the SYN packet arrived at the server: OK
(diagram: the probe sends an initial UDP packet to the STUN SERVER; the server sends a SYN packet towards the probe's mapped address: RESET? It sends a second SYN packet: ICMP unreachable? The server finally returns a UDP packet containing the result)
