
Slide 1: NATBLASTER: Establishing TCP Connections Between Hosts Behind NATs
The INI is a cooperative endeavor of: Electrical and Computer Engineering, School of Computer Science, Graduate School of Industrial Administration, Heinz School of Public Policy
Andrew Biggadike, Daniel Ferullo, Geoffrey Wilson, Adrian Perrig
Information Networking Institute, Carnegie Mellon University
[ACM SIGCOMM Asia Workshop, 2005, Beijing, China]

Slide 2: Agenda
- Background
- Problem Statement
- Related Work
- Environment & Assumptions
- Our Techniques
- Implementation
- Results

Slide 3: Network Address Translation
NATs help with the depleting address space problem:
- Hosts use private internal address spaces
- The NAT translates internal ports to unique external ports
But NATs break network transparency:
- A host behind a NAT cannot act as the server in a TCP connection (without extra configuration)
- NATs drop packets arriving from the external network for which no mapping exists

Slide 4: Problem Statement
- Enable a direct TCP connection between two hosts that are both behind NATs
- There exists a third party X, not behind a NAT, to which both hosts can connect
- This is a realistic setting for a P2P protocol
[Figure: A behind a NAT, B behind a NAT, X reachable by both; goal: a direct A-B TCP connection]

Slide 5: TCP 3-Way Handshake
[Figure: Client sends SYN to Server; Server replies SYN+ACK; Client completes with ACK]

Slide 6: TCP 3-Way Handshake w/ NAT
[Figure: the same SYN, SYN+ACK, ACK exchange with a NAT between Client and Server]

Slide 7: TCP 3-Way Handshake w/ NAT
[Figure: Client sends SYN toward a Server behind a NAT; no SYN+ACK or ACK follows, since the NAT has no mapping for the unsolicited SYN and drops it (slide 3)]

Slide 8: Motivation
P2P protocols are increasingly being used:
- Workspace sharing (Groove)
- File sharing (BitTorrent, KaZaA)
- Instant messaging & file transfers
- Network gaming
P2P protocols use direct connections:
- Peers are required to receive unsolicited connection requests from external peers
- It is more difficult to statically pre-configure a NAT when using P2P

Slide 9: Related Solutions
- Port forwarding ability in NATs
- Gnutella / PUSH proxy
  - Works only when one peer is behind a NAT
  - The role of server is transferred to the peer not behind a NAT
- UDP hole punching
  - Allows direct UDP connections between peers even if both are behind NATs
- Walfish et al.
  - Suggest an indirection service that could proxy connections between two peers
- Ford et al.
  - Extend hole punching to TCP connections using a TCP hole punching technique
- MIDCOM
  - IETF working group dedicated to this problem

Slide 10: Related Solutions (cont.)
- NUTSS
  - Independently developed and similar to our work
  - NUTSS needs packet spoofing; NATBLASTER does not require spoofing
- Our approach
  - Use the third party only to establish the direct TCP connection
  - A direct TCP connection is more efficient, more secure, and more general than proxying through the third party

Slide 11: Assumptions
- The two hosts learn of each other through the P2P application-layer protocol
- Hosts can observe the ISNs (initial sequence numbers) chosen by their TCP stack
- Internal hosts will not see ICMP TTL Exceeded messages
  - We send packets with low TTL values, which expire in transit
  - Many NATs do not forward these errors to internal hosts
  - If a NAT does forward them, a host firewall can drop them
- NATs keep their mappings despite an ICMP TTL Exceeded message
  - All NATs we saw provide this property
- The two NATs are at least 2 hops apart, so a low-TTL packet can cross one NAT without reaching the other

Slide 12: Techniques Overview
- Pre-connection diagnostics
  - Determine the environment
  - Determine NAT behavior
- Connection setup phase
  - Create the TCP connection

Slide 13: Pre-Connection Diagnostics
- Determine whether Loose Source Routing (LSR) is available from A to B through X and from B to A through X
- Determine the port predictability of N_A and N_B (the NATs in front of A and B)
  - Each peer opens two TCP connections to X from sequential source ports p and p+1
  - If X sees sequential external source ports, the NAT is predictable
  - If not, the NAT is random (i.e., unpredictable)

Slide 14: Two Environment Classes
Port allocation of (N_A, N_B):
- Loose Source Routing available
  - Predictable, Predictable (case 1)
  - Random, Predictable (case 3)
  - Random, Random (case 5)
- No Loose Source Routing
  - Predictable, Predictable (case 2)
  - Random, Predictable (case 4)
  - Random, Random (case 6)

Slide 15: Case 2: 2 Predictable NATs
[Figure: A and B each behind a NAT, X as third party; messages SYN, SYN+ACK and ACK between A and B, annotated with ISN P and ISN Q]
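To make the slide 13 diagnostic and the role of the low-TTL SYN from slide 11 concrete for this case, here is an added Python model; it is not NATBLASTER's own code (the project is written in C on libpcap and libnet). It assumes a port-restricted NAT that delivers an inbound packet only when an earlier outbound packet created a mapping to that exact remote endpoint, a sequential allocator starting at port 40000 for "predictable" NATs, a random allocator over 1025-65535 for "random" ones, and constructed IPs and ports. The ISN exchange shown on the slide is left out, since the slide does not spell it out.

```python
"""Added example, not NATBLASTER code: a toy model of the NAT behaviour the
slides assume, used to run the slide 13 predictability diagnostic and to show
why the low-TTL SYN of slide 11 lets the Case 2 handshake of slide 15 through.
IPs, ports and the 40000 starting port are constructed for the demo."""
import random

UNPRIV_PORTS = range(1025, 65536)   # assumed allocation range of the random policy


class Nat:
    """Port-restricted NAT (assumed model of slide 3): an inbound packet is
    delivered only if an earlier outbound packet created a mapping to exactly
    that remote endpoint; otherwise it is dropped. External ports come from a
    sequential counter ("predictable") or an RNG ("random"), slide 13's classes."""

    def __init__(self, public_ip, predictable, seed=0):
        self.public_ip = public_ip
        self.predictable = predictable
        self.rng = random.Random(seed)
        self.next_port = 40000
        self.mappings = {}   # (int_ip, int_port, dst_ip, dst_port) -> external port

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Translate an outbound packet; returns the external (ip, port)."""
        key = (int_ip, int_port, dst_ip, dst_port)
        if key not in self.mappings:
            if self.predictable:
                self.mappings[key] = self.next_port
                self.next_port += 1
            else:
                self.mappings[key] = self.rng.choice(UNPRIV_PORTS)
        return self.public_ip, self.mappings[key]

    def inbound(self, src_ip, src_port, ext_port):
        """Deliver an inbound packet; returns the internal endpoint, or None if dropped."""
        for (int_ip, int_port, dst_ip, dst_port), port in self.mappings.items():
            if port == ext_port and (dst_ip, dst_port) == (src_ip, src_port):
                return int_ip, int_port
        return None


def nat_is_predictable(nat, host_ip, third_party, p):
    """Slide 13 diagnostic: the peer opens two connections to X from source
    ports p and p+1; X reports the external ports it saw. Sequential external
    ports mean the NAT is predictable. Returns (verdict, observed ports)."""
    seen = [nat.outbound(host_ip, port, *third_party)[1] for port in (p, p + 1)]
    return seen[1] == seen[0] + 1, seen


def case2_connect(nat_a, nat_b, a, b, x):
    """Case 2 (no LSR, both NATs predictable). a and b are the peers' internal
    (ip, port) endpoints, x is the third party. Returns True when a packet from
    each peer's external endpoint now reaches the other peer through its NAT."""
    pred_a, seen_a = nat_is_predictable(nat_a, a[0], x, 5000)
    pred_b, seen_b = nat_is_predictable(nat_b, b[0], x, 6000)
    if not (pred_a and pred_b):
        return False                     # not Case 2; the other cases are in the paper
    # With a sequential allocator each peer's next mapping gets the port after
    # the last one X observed; X relays these predictions to the other peer.
    guess_a = (nat_a.public_ip, seen_a[1] + 1)
    guess_b = (nat_b.public_ip, seen_b[1] + 1)
    # Each peer sends a SYN to the other's predicted external endpoint with a
    # TTL just large enough to cross its own NAT (slide 11). The SYN creates a
    # mapping on its own NAT and expires before the far NAT sees it, so the far
    # NAT never drops an unsolicited SYN or answers it. The model reproduces
    # that by simply not delivering the probe to the far NAT.
    ext_a = nat_a.outbound(a[0], a[1], *guess_b)
    ext_b = nat_b.outbound(b[0], b[1], *guess_a)
    if ext_a != guess_a or ext_b != guess_b:
        return False                     # prediction missed (e.g. another host took the port)
    # A packet from B's external endpoint to A's external port now matches the
    # mapping on N_A, and symmetrically, so the rest of the handshake can flow.
    return (nat_a.inbound(ext_b[0], ext_b[1], ext_a[1]) == a
            and nat_b.inbound(ext_a[0], ext_a[1], ext_b[1]) == b)


def demo():
    """Constructed topology: X is public; A and B sit behind predictable NATs."""
    x = ("203.0.113.10", 7000)
    nat_a = Nat("198.51.100.1", predictable=True)
    nat_b = Nat("198.51.100.2", predictable=True)
    a, b = ("10.0.0.5", 1234), ("192.168.1.7", 1234)
    return case2_connect(nat_a, nat_b, a, b, x)


if __name__ == "__main__":
    print("case 2 handshake possible:", demo())
```

Swapping either NAT for `Nat(..., predictable=False)` makes `case2_connect` bail out, which is exactly why the random cases (3 through 6) need the birthday approach of slide 18 instead of a single predicted port.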

Slide 16: Case 4: Random, 1 Predictable NAT
[Figure: A and B behind their NATs with X as third party; repeated SYN and SYN+ACK messages, a "Done" label, and one flow highlighted in blue]

Slide 17: Case 4 (cont.)
[Figure: SYN, SYN+ACK and ACK between A and B through their NATs with X, annotated with ISN P and ISN Q]

Slide 18: Exploiting the Birthday Paradox
Goal: B has a 95% chance of hitting A's correct external port after sending T SYN+ACKs.
- Naive approach: A sends 1 SYN (one external port to find), B sends T SYN+ACKs to T different ports
  - T ≈ 64,511 × 95% ≈ 61,285
- Our approach: A sends T SYNs (its random NAT opens T external ports), B sends T SYN+ACKs to T guessed ports; success if the two sets overlap
  - T = 439: a 99.3% reduction of the search space!
  - O(√N) trials instead of O(N)
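The two figures on this slide can be checked from first principles. The following is an added Python computation, not the paper's derivation (that is in the paper, per slide 21). It assumes that N = 64,511 means one candidate external port per value in 1025-65535, that the "both sides send T" attempt succeeds exactly when A's T external ports and B's T guesses intersect (so the failure probability is C(N-T, T)/C(N, T), evaluated as a product), and that the naive attempt succeeds with probability T/N.

```python
"""Added example, not from the NATBLASTER paper: the slide 18 comparison
computed from first principles. N is the slide's 64,511 candidate external
ports (assumed to be 1025..65535); the 95% target is the slide's."""
import math

N_PORTS = 64511
TARGET = 0.95


def naive_success(t, n=N_PORTS):
    """A sends one SYN (one real external port); B guesses t distinct ports."""
    return min(t, n) / n


def birthday_success(t, n=N_PORTS):
    """A opens t mappings (t distinct external ports), B fires t SYN+ACKs at t
    distinct guesses; success iff the two sets intersect. Evaluates
    1 - prod_{i<t} (n - t - i)/(n - i), i.e. 1 - C(n-t, t)/C(n, t), as a
    running product so no huge binomials are formed."""
    if 2 * t > n:
        return 1.0   # pigeonhole: two subsets larger than n/2 must overlap
    disjoint = 1.0
    for i in range(t):
        disjoint *= (n - t - i) / (n - i)
    return 1.0 - disjoint


def min_trials(success_fn, target=TARGET, n=N_PORTS):
    """Smallest t with success_fn(t, n) >= target; both success functions
    are monotone in t, so bisection on t is valid."""
    lo, hi = 1, n
    while lo < hi:
        mid = (lo + hi) // 2
        if success_fn(mid, n) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def search_space_reduction(n=N_PORTS, target=TARGET):
    """Returns (naive T, birthday T, fraction of the naive search space saved)."""
    naive = min_trials(naive_success, target, n)
    bday = min_trials(birthday_success, target, n)
    return naive, bday, 1 - bday / naive


if __name__ == "__main__":
    naive, bday, saved = search_space_reduction()
    print(f"naive: {naive} SYN+ACKs, birthday: {bday} per side, {saved:.1%} fewer")
    # The O(sqrt N) scaling: with exp(-T^2/N) as the disjointness estimate,
    # T ~ sqrt(N * ln(1/(1 - target))).
    print(f"sqrt(N ln 20) = {math.sqrt(N_PORTS * math.log(1 / (1 - TARGET))):.1f}")
```

The exact product gives T = 439 for the birthday approach, matching the slide; the naive bound comes out as 61,286 because 64,511 × 0.95 = 61,285.45 and 61,285 trials fall just short of 95%, so the slide's 61,285 is that product rounded down. Either way the reduction is 99.3%. The cruder estimate exp(-T²/N) for the disjointness probability gives T ≈ 440, which is where the O(√N) claim comes from.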

Slide 19: Implementation
- Implemented in C on Linux workstations using libpcap and libnet
  - The peers require root privileges for libpcap and libnet
  - Root is not needed if a kernel module is used instead
  - The third party can run with normal user privileges
- Cases 2 and 4 were implemented
- Low TTL value determination was not implemented
  - Known values were hard-coded

Slide 20: Natblaster API
http://natblaster.sourceforge.net

    int natblaster_connect(
        server_ip,           /* IP of the 3rd-party server */
        server_port,         /* Port the server is listening on */
        local_ip,            /* Local IP address bound to; also used by the server to resolve whom the buddy wants to connect to */
        local_port,          /* Local port to return a connection on */
        buddy_external_ip,   /* External IP of the buddy */
        buddy_internal_ip,   /* Internal IP address of the buddy (used to uniquely identify the buddy on the 3rd-party server) */
        buddy_internal_port, /* Internal port the buddy will connect on (used to uniquely identify the buddy on the 3rd-party server) */
        device               /* Device to forge/sniff packets on (optional) */
    );

    natblaster_server(
        listen_port          /* Port to listen for Natblaster requests on */
    );

Slide 21: More Details in the Paper
- Detailed description of cases 1 through 6
- Other interesting issues ...
- Mathematical derivation of the birthday paradox bound

Slide 22: Results
- Tested using commercial NATs
  - Approximately 11 hops between peers
- The Case 2 implementation reliably opens connections
- The Case 4 implementation opens connections with the expected probability
- The birthday paradox reduces the search space from O(N) to O(√N): 439 instead of 61,285 trials!

Slide 23: Thank You!
Source code available at http://natblaster.sourceforge.net
