Leone: From global measurements to local management. NATalyser: in-home NAT detection. Miguel Ángel Díaz, Francisco Valera.


Metric objective: general picture (October 2014, Leone - From global measurements to local management, slide 2). [Figure label: EXTERNAL NETWORKS]

Metric objective: general picture
- What: evaluate NAT characteristics and compliance with the BEHAVE RFCs. The requirements are described in:
  - RFC 5382 for TCP
  - RFC 5508 for ICMP
  - RFC 4787 for UDP
- Why: check possible problems for end-user applications. Are ISPs aware of this?

Testbed
- NATalyser has been executed in various countries...

- ...and also with several router vendors.

Requirements summary table: how much are the requirements met by the tested NATs?
(Columns are the UDP, ICMP and TCP tests; the abbreviated column labels survive only as the extracted string "MAFILPPHPPADBMSIDFFOOSOOLFTMORRREEIEDUTEPEHEIPOMRIMIH". Each row is a fulfilment band with an X under every test that falls in that band; the marks are reproduced as extracted.)
Fulfilment band | marks
...% (band label truncated) | X XXXX XX X X X XXX
81-90% | X
71-80% | XX X X
61-70% | X
51-60% | (none)
< 51% | X X XX X

Remarkable results: overall picture, UDP (8th October, 2013, Leone - From global measurements to local management, slide 7)

NAT behavioural requirements for unicast UDP
11 tests to discover how the NAT behaves with the UDP protocol (RFC 4787):
1. Type of mapping
2. Type of filtering
3. Whether the NAT preserves the port
4. Whether there is port parity
5. Whether the NAT supports hairpinning
6. Whether the NAT has a deterministic behaviour
7. Whether ICMP errors break the mapping
8. Whether the Don't Fragment flag is supported
9. Whether the NAT supports receiving out of order
10. Whether the mapping has a lifetime over 2 minutes
11. Whether the NAT renews the mapping with outbound packets

Remarkable results for UDP: on the mapping test
- Endpoint-Independent: 56
- Address-Dependent: 0
- Address and Port-Dependent: 1 (the only Thomson router in the whole testbed)

- If the mapping is not Endpoint-Independent, there could be problems with UNSAF (Unilateral Self-Address Fixing) methods, as stated in RFC 3424.

Remarkable results for UDP: on the filtering test
- APD (Address and Port-Dependent): 43
- AD (Address-Dependent): 1
- EI (Endpoint-Independent): 13
The 13 Telecom Italia probes from the vendor Technicolor have an Endpoint-Independent filtering behaviour; the rest are more restrictive. One of the four NETGEAR routers, the one from Telecom Italia, differs, maybe due to a different model? There are known problems with Endpoint-Independent filtering (RFC 4787).

Remarkable results for UDP: example of problems with the filtering (RFC 4787)
Imagine that this router has an open port X. An unauthorized packet from outside could get through this open port if the NAT has Endpoint-Independent filtering (with luck).
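The mapping, port-preservation and filtering tests above boil down to comparing what several external endpoints observe. The following is an added example (not NATalyser code) that classifies a NAT from constructed STUN-style probe observations using the RFC 4787 terms on the slides; the server and mapping addresses are made up.

```python
# Added example, not part of NATalyser: classify a NAT's UDP mapping and
# filtering behaviour with the RFC 4787 terminology used on the slides.
# Inputs are constructed "probe observations" of the kind external test
# servers would report back; no real sockets are involved.
from collections import defaultdict

EI, AD, APD = ("Endpoint-Independent", "Address-Dependent",
               "Address and Port-Dependent")

def classify_mapping(observations):
    """observations: (dst_ip, dst_port, ext_ip, ext_port) for datagrams sent
    from ONE internal ip:port to several destinations; (ext_ip, ext_port) is
    the mapping each destination saw (RFC 4787 section 4.1)."""
    if not observations:
        raise ValueError("need at least one observation")
    per_dst_ip = defaultdict(set)
    for dst_ip, _dst_port, ext_ip, ext_port in observations:
        per_dst_ip[dst_ip].add((ext_ip, ext_port))
    if len(set().union(*per_dst_ip.values())) == 1:
        return EI                      # one mapping reused for every destination
    if all(len(m) == 1 for m in per_dst_ip.values()):
        return AD                      # new mapping only when the dst IP changes
    return APD                         # new mapping for every dst ip:port

def preserves_port(internal_port, observations):
    """Port-preservation test: external port equals the internal source port."""
    return all(ext_port == internal_port for *_, ext_port in observations)

def classify_filtering(contacted, inbound):
    """contacted: {(ip, port)} the internal host has already sent to.
    inbound: (src_ip, src_port, delivered) for packets aimed at the mapping
    from endpoints the host never sent to (RFC 4787 section 5)."""
    contacted_ips = {ip for ip, _ in contacted}
    from_new_ip = any(ok for ip, _, ok in inbound if ip not in contacted_ips)
    from_new_port = any(ok for ip, p, ok in inbound
                        if ip in contacted_ips and (ip, p) not in contacted)
    if from_new_ip:
        return EI      # anyone reaches the mapping: the slide's "open port X" risk
    return AD if from_new_port else APD

# Constructed sample: internal 192.168.1.10:40000 probes two servers.
SERVER1, SERVER2 = "198.51.100.1", "198.51.100.2"
EI_NAT = [(SERVER1, 3478, "203.0.113.5", 40000), (SERVER1, 3479, "203.0.113.5", 40000),
          (SERVER2, 3478, "203.0.113.5", 40000)]
AD_NAT = [(SERVER1, 3478, "203.0.113.5", 5000), (SERVER1, 3479, "203.0.113.5", 5000),
          (SERVER2, 3478, "203.0.113.5", 5001)]
APD_NAT = [(SERVER1, 3478, "203.0.113.5", 5000), (SERVER1, 3479, "203.0.113.5", 5001),
           (SERVER2, 3478, "203.0.113.5", 5002)]
CONTACTED = {(SERVER1, 3478)}                  # the only endpoint the host talked to
PERMISSIVE = [(SERVER1, 3479, True), (SERVER2, 3478, True)]    # unsolicited gets in
STRICT = [(SERVER1, 3479, False), (SERVER2, 3478, False)]      # unsolicited dropped
```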

Remarkable results for UDP: on the preserve-port test
- Preserves port: 43
- Does not preserve port: 14
Technicolor does not preserve the port.

Remarkable results for UDP: on the Don't Fragment flag test
- Don't Fragment flag support: 46
- Not: 11
The Hebrew University of Jerusalem (vendor NEC Access) and Biglobe Inc. have their routers with a "Don't Fragment" flag support behaviour of No. Thomson Telecom and Cisco appear only in this behaviour. No ICMP may mean:
1. No need to fragment
2. A real lack of support for DF=1

Remarkable results for UDP: example of problems with Don't Fragment flag support (RFC 4787)
An application sends a packet with the DF flag = 1 through a NAT whose outgoing MTU is lower than the size of the packet. If the NAT does not send back a packet notifying the application that the packet was not delivered, the application could enter a loop, sending the same packet over and over while expecting a reply, or conclude that the network is unreachable.
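To make the failure mode concrete, here is an added example (not NATalyser code) modelling the NAT's outgoing link with and without the ICMP "Fragmentation Needed" feedback RFC 4787 requires, beside a naive sender that loops and one that detects the black hole and shrinks its datagram. The MTU, sizes and retry limits are constructed.

```python
# Added example, not NATalyser code: a model of the RFC 4787 "Don't Fragment"
# requirement and of the application-side failure the slide describes.
# The NAT, link MTU and senders are all constructed here; nothing is sent.
FORWARDED, DROPPED, ICMP_FRAG_NEEDED = "forwarded", "dropped", "icmp-frag-needed"

def nat_forward(size, df, mtu, reports_icmp):
    """Outgoing side of the NAT. A packet that fits is forwarded; an oversized
    one with DF=0 is fragmented and forwarded. Oversized with DF=1: a compliant
    NAT returns ICMP 'Fragmentation Needed' carrying the MTU, a non-compliant
    one (the slide's 'Not' behaviour) silently discards the packet."""
    if size <= mtu or not df:
        return FORWARDED
    return ICMP_FRAG_NEEDED if reports_icmp else DROPPED

def naive_send(size, mtu, reports_icmp, max_attempts=20):
    """Sender that only reacts to ICMP. Returns the attempt that succeeded, or
    None: behind a non-compliant NAT it retransmits the same packet until it
    gives up (the loop the slide warns about)."""
    for attempt in range(1, max_attempts + 1):
        result = nat_forward(size, True, mtu, reports_icmp)
        if result == FORWARDED:
            return attempt
        if result == ICMP_FRAG_NEEDED:
            size = mtu                 # the ICMP message tells us the next-hop MTU
    return None

def send_with_blackhole_fallback(size, mtu, reports_icmp, max_silent=3,
                                 min_size=576, max_attempts=20):
    """Same sender, but after max_silent consecutive losses with no ICMP it
    halves the datagram (down to min_size), treating the path as a PMTU black
    hole. Returns (attempts, delivered_size), or (attempts, None) on failure."""
    attempts = silent = 0
    while attempts < max_attempts:
        attempts += 1
        result = nat_forward(size, True, mtu, reports_icmp)
        if result == FORWARDED:
            return attempts, size
        if result == ICMP_FRAG_NEEDED:
            size, silent = mtu, 0
        else:
            silent += 1
            if silent >= max_silent:
                silent, size = 0, max(min_size, size // 2)
    return attempts, None

if __name__ == "__main__":
    print(naive_send(1500, 1400, True), naive_send(1500, 1400, False))
    print(send_with_blackhole_fallback(1500, 1400, False))
```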

Remarkable results for UDP: all of them reported that the NAT has an outbound mapping lifetime renewal behaviour of true.

Remarkable results for UDP: all of the probes report that their NATs do not have a mapping lifetime over 2 minutes.

Remarkable results for UDP: example of problems with the lifetime of the mapping (RFC 4787)
Imagine that we have a testbed with a low processing rate, so we send the data to an external server to get it analysed. If the server takes longer with the processing (than the mapping lifetime), it won't be able to send the data back.

Remarkable results: overall picture, ICMP

Remarkable results for ICMP
7 tests to check the behaviour of the NAT device using the ICMP protocol:
1. Whether the NAT handles ICMP queries and their associated responses
2. Whether the NAT supports error packets from the external realm when there is a mapping
3. Whether the NAT supports error packets from the internal realm when there is a mapping
4. Support of the Destination Unreachable error packet
5. Support of the Time Exceeded error packet
6. Support for ping
7. Support of hairpinning ICMP error packets

Remarkable results for ICMP: on the reply/request test
- Request/reply: 19
- Not: 38
Telecom Italia has all of its routers with the ICMP request filtered. It is the same for Biglobe and the Hebrew University. The Technicolor, ADB Italia, AVM, Cisco, NEC, Dial and Pirelli vendors also have the request/reply feature filtered. Maybe it is because something in the middle of the communication has filtered the packet?

Remarkable results for ICMP: example of problems with the reply/request
Applications like ping may not work properly or may be filtered.

Remarkable results for ICMP: example of problems with the error hairpinning
An internal host sends a packet to a server (behind the same NAT) through the public IP. The server generates an error packet. If the NAT doesn't do the hairpinning, the original application won't get any notification about the error.

Remarkable results for ICMP: on the error packet hairpinning test
- Error hairpinning: 29
- Not: 28
All Pirelli and ADB routers do error hairpinning. So do Arcadyan, AVM, Cisco, Huawei and NEC. It seems to be a very specific requirement and does not seem to be implemented everywhere.

Remarkable results for ICMP: on the Time Exceeded error test
- Time Exceeded: 48
- Not: 9
Arcadyan, Sagem and Huawei (this last one has no representation on the support side).

Remarkable results for ICMP: example of problems with the reply/request
Applications like traceroute may not work properly at all.

Remarkable results: overall picture, TCP

Remarkable results for TCP
5 tests to check the behaviour of the NAT device using the TCP protocol:
1. Whether the mapping has Endpoint-Independent behaviour
2. Whether the NAT is overloading ports
3. Whether the mapping resists ICMP packets
4. Whether the NAT meets the requirement on multiple initiation
5. Whether the NAT supports hairpinning

Remarkable results for TCP: on the mapping test
- Endpoint-Independent: 43
- Not: 14
The Technicolor vendor is not doing Endpoint-Independent mapping; Thomson (BT) is not implementing it either.

Remarkable results for TCP: problems with the TCP mapping (RFC 5382)
Online gaming may not work properly if the NAT is too restrictive.

Remarkable results for TCP: on the hairpinning test
From Telecom Italia and the NETGEAR vendor.

Majority by vendor: those that best meet the RFCs (> 50% fulfilment by vendor)
Columns are the UDP, ICMP and TCP tests; the abbreviated column labels survive only as the extracted string "MAFILPPHPPADBMSIDFFOOSOOLFTMORRREEIEDUTEPEHEIPOMRIMIH". An X marks a test that more than 50% of the vendor's routers fulfil; "-" and "=" are reproduced as extracted.
Technicolor                   | XXXXXXXX-X-X-X XX---XXX-
ADB Broadband Italia          | X--XXXXX-X-X-X XX-XXXXX-
Arcadyan Technology Corp.     | X--XXXXX-X-XXX X-XXXXXX-
AVM GmbH                      | X--XXXXX-X-X-X XX-XXXXX-
Cisco-Linksys, LLC            | X--XXXX--X-X-X XX-XXXXX-
Huawei Technologies Co., Ltd  | X--XXXXX-X-XXX X-XXXXXX-
Industrie Dial Face S.p.A.    | X--XXXXX-X-X-X XX-=XXXX-
NEC AccessTechnica, Ltd.      | X--XXXX--X-X-X XX-XXXXX-
NETGEAR                       | X--XXXX=-X-X-X XX--XXXX-
Pirelli Tyre S.p.A            | X--XXXXX-X-X-X XX-XXXXX-
SAGEM COMMUNICATION           | X--XXXXX-X-XXX XXX-XXXX-
Thomson Telecom Belgium       | --XXXXX--X-XXX XXX--XXX-
Unknown                       | X--XXXX=-X-X=X XX=-XXXX-

Majority by vendor: those that worst meet the RFCs (same table as above, > 50% fulfilment by vendor)

Majority by ISP (> 50% fulfilment by ISP)
Columns are the UDP, ICMP and TCP tests; the abbreviated column labels survive only as the extracted string "MAFILPPHPPADBMSIDFFOOSOOLFTMORRREEIEDUTEPEHEIPOMRIMIH". An X marks a test that more than 50% of the ISP's routers fulfil; "-" is reproduced as extracted.
BT Public Internet Service          | X-XXXXXX-X-XXX XXX-XXXXX
Telecom Italia S.p.a.               | X-XXXXXX-X-X-X XX-XXXXXX
Biglobe Inc.                        | X-XXXXX--X-X-X XX-XXXXXX
The Hebrew University of Jerusalem  | X-XXXXX--X-X-X XX--XXXXX

Conclusions
- NATalyser has been executed on Sam's testbed with some interesting results.
- In the future NATalyser will be improved:
  - Support for more platforms: Java applet, Windows, Android
  - Use it in different NAT environments: residential environments, public open networks, public registration networks