Leone From global measurements to local management UC3M: inHome NAT detection RFC recommender ICMP UDP TCP Miguel Ángel Díaz, Francisco Valera.


METRIC OBJECTIVE
 Overall picture
[Diagram: external networks]
8th October, 2013, Leone - From global measurements to local management

METRIC OBJECTIVE
 Overall picture
 Each Internet provider may use a different NAT implementation, which may differ in its mapping behavior, its filtering of packets and many other parameters
 We want to evaluate the different NAT implementations used by different providers
 Guidelines followed:
   RFC 5382 for TCP
   RFC 5508 for ICMP
   RFC 4787 for UDP
 The UDP validator is implemented; the TCP and ICMP validators are under development
 Some of the tests are defined in RFC 5780 (NAT behavior discovery using STUN)
[Diagram: external networks]

NAT behavioral requirements for unicast UDP
1. Type of mapping and filtering being used on the NAT
2. Use of the ports. Are they being overloaded?
3. IP address pool on the external realm
4. Does the NAT preserve port parity?
5. Persistence of the mapping
6. A NAT must support hairpinning
7. Does the receipt of any ICMP packet terminate the UDP mapping?
8. How does the NAT handle DF=1 packets?
9. Behavior on receipt of out-of-order fragments
June 2014, Leone - From global measurements to local management

NAT behavioral requirements for unicast UDP
 Example of UDP test
 A NAT must receive out-of-order packets
[Diagram: a UDP packet is sent to the UC3M SERVER as fragments FRAG 1 then FRAG 0 (out of order); is a response received?]

NAT behavioral requirements for ICMP
1. The NAT must handle ICMP queries and their associated responses
2. Time after which a given session mapping expires
3. Does the NAT permit ICMP packets without any active mapping?
4. Does the NAT permit ICMP Error packets from the private realm without any active mapping?
5. Support of hairpinning ICMP packets
6. Support of different sorts of ICMP packets:
   1. Destination Unreachable
   2. Time Exceeded
   3. Echo Request/Reply
   4. Etc.

NAT behavioral requirements for ICMP
 Example of ICMP test
 Behavior when there is no mapping on the NAT and an ICMP error packet is generated
[Diagram: initial ICMP packet sent towards the STUN SERVER; an ICMP error packet is generated; does it arrive?]
 Inside the error packet there is another packet, the one that does not have any mapping on the NAT

NAT behavioral requirements for TCP
1. Type of mapping and filtering being used on the NAT
2. Use of the ports. Are they being overloaded?
3. Support of TCP connections initiated both internally and externally
4. Way of handling inbound SYN packets when they are unsolicited
5. Persistence of the mapping
6. A NAT must support hairpinning for TCP packets
7. Does the receipt of any ICMP packet terminate the TCP mapping?

Initial Results
 UDP tests have been executed in different probes
[Chart: observed behaviors per probe: Endpoint independent; Address and port dependent]

Initial Results
 UDP tests have been executed in different computers
[Chart: observed behaviors per computer: Endpoint independent; Address and port dependent; Endpoint independent]

Initial Results
 We have tested the recommendations from the RFC, not only the mapping and filtering behavior

Future work
1. Finish the recommenders for TCP and ICMP
2. Integrate UPnP functionalities into the tests
3. Deploy the tests in more computers
4. Migrate the tests to the Android platform
Estimated date for TCP and ICMP to be ready for trials: end of this month

Leone - From global measurements to local management: Developing the tests & how the test functionalities work. Miguel Ángel Díaz, Francisco Valera. June, Maribor Meeting

NAT behavioral requirements for unicast UDP
 A NAT must have an Endpoint-Independent Mapping behavior
 Depending on the use of the NAT, it must have Endpoint-Independent filtering or Address-Dependent filtering behavior
 Mapping and filtering behavior are detected with the STUN protocol

NAT behavioral requirements for unicast UDP
 A NAT must have an Endpoint-Independent Mapping behavior
[Diagram: the same internal socket is mapped to IP:X towards one destination and IP:Y towards another; is X = Y?]
Test-bed NAT rule (the destination port number is missing on the slide; <port> stands in for it):
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport <port> -j SNAT --to IPpublicaNAT:64000
 For endpoint-independent mapping: every matching flow is translated to the same external address and port
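The mapping test sketched on this slide (and repeated for TCP later in the deck) follows RFC 5780: the same local socket sends Binding Requests to the primary STUN server address, to an alternate address on the same port, and to the alternate address and port, and the XOR-MAPPED-ADDRESS values returned are compared. The following is an added example, not code from the Leone project: it parses the XOR-MAPPED-ADDRESS attribute of each Binding Response and classifies the mapping per RFC 4787, also checking port parity. All addresses, ports and responses are constructed sample data, and `build_binding_response` is a helper written only to produce them.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442      # RFC 5389 fixed value
BINDING_RESPONSE = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_response(ip, port, txid=b"\x00" * 12):
    """Construct a minimal STUN Binding Response with one IPv4 XOR-MAPPED-ADDRESS.
    Sample-input helper only; a real probe receives these from the STUN server."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xip)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr

def xor_mapped_address(msg):
    """Return (ip, port) from the XOR-MAPPED-ADDRESS attribute, or None if absent."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    _mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + mlen:
        raise ValueError("not an RFC 5389 STUN message")
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        val = msg[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and val[1] == 0x01:
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            ip = struct.unpack("!I", val[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", ip)), port
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 32 bits
    return None

def classify_mapping(local, test1, test2, test3):
    """RFC 4787 mapping behaviour from RFC 5780 tests I-III sent from one local socket:
    I to the primary server, II to the alternate IP (same port), III to alternate IP and port."""
    if test1 == local:
        return "No NAT"
    if test1 == test2:
        return "Endpoint-Independent"
    if test2 == test3:
        return "Address-Dependent"
    return "Address and Port-Dependent"

def preserves_port_parity(local_port, mapped_port):
    """Port parity preservation: even local port mapped to even external port, odd to odd."""
    return local_port % 2 == mapped_port % 2

LOCAL = ("192.168.1.10", 40000)  # constructed private endpoint of the probe
# Constructed responses: a NAT that reuses one mapping for every destination (as the
# slide's SNAT --to IPpublicaNAT:64000 rule does) ...
EIM_RESPONSES = [build_binding_response("203.0.113.7", 64000)] * 3
# ... and a NAT that allocates a fresh external port per destination address/port
APDM_RESPONSES = [build_binding_response("203.0.113.7", p) for p in (64000, 64001, 64002)]

def run_mapping_test(responses):
    """Return (mapping behaviour, port parity preserved) for three Binding Responses."""
    t1, t2, t3 = (xor_mapped_address(r) for r in responses)
    return classify_mapping(LOCAL, t1, t2, t3), preserves_port_parity(LOCAL[1], t1[1])
```

`run_mapping_test(EIM_RESPONSES)` yields ('Endpoint-Independent', True) and `run_mapping_test(APDM_RESPONSES)` yields ('Address and Port-Dependent', True); the filtering tests on the next slides need the server to reply from the alternate address and are not covered here.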

NAT behavioral requirements for unicast UDP
 A NAT must not have a port assignment behavior of "Port overloading"
 If the NAT preserves ports, two applications cannot use the same port to communicate with the same destination
[Diagram: two internal sockets towards the STUN SERVER are mapped to IP:X and IP:Y; is X = Y?]

NAT behavioral requirements for unicast UDP
 A NAT must not have a port assignment behavior of "Port overloading"
 If the NAT preserves ports, two applications cannot use the same port to communicate with the same destination
[Diagram: two internal sockets towards the STUN SERVER are mapped to IP:X and IP:Y; is X = Y?]
Test-bed NAT rule (the destination port number is missing on the slide; <port> stands in for it):
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport <port> -j SNAT --to IPpublicaNAT
 So that the source port is not modified (SNAT without a port range keeps the original source port when it is free)

NAT behavioral requirements for unicast UDP
 If the NAT has an IP address pool, it is recommended that it have "Paired" behavior
 Detect whether the NAT implements IP pooling on the external realm
[Diagram: repeated requests to the STUN SERVER; always the same mapped IP?]

NAT behavioral requirements for unicast UDP
 If the NAT has an IP address pool, it is recommended that it have "Paired" behavior
 Detect whether the NAT implements IP pooling on the external realm
[Diagram: repeated requests to the STUN SERVER; always the same mapped IP?]
Test-bed configuration:
1. Assign 4 IP addresses to the NAT's external interface?
2. iptables -t nat -A POSTROUTING -o eth0 -p udp --dport <port> -j SNAT --to IPpublicaNAT1-IPpublicaNAT4
(the destination port number is missing on the slide; <port> stands in for it)

NAT behavioral requirements for unicast UDP
 It is recommended that a NAT have a port parity preservation behavior of "Yes"
 Detect whether the NAT preserves port parity
[Diagram: requests to the STUN SERVER from different source ports; does the NAT preserve port parity?]

NAT behavioral requirements for unicast UDP
 A NAT UDP mapping timer must not expire in less than two minutes for applications that do not use the well-known port range
[Diagram: Binding request from X, Binding request from Y towards the STUN SERVER; is the response delivered to Y or to X?]
Test-bed configuration:
1. Bind two sockets to two known ports
2. iptables -t nat -A PREROUTING -i eth1 -p udp --dport Y -j DNAT --to IPprivadaNODO:X
(the slide wrote POSTROUTING -o eth1; the DNAT target is only valid in the PREROUTING and OUTPUT chains, which match on the input interface)

NAT behavioral requirements for unicast UDP
 A NAT must support hairpinning, with "External source IP address and port" behavior
[Diagram: Binding request from X to the STUN SERVER, then a Binding request to the mapped address from Y; is a response received?]

NAT behavioral requirements for unicast UDP
 A NAT must support hairpinning
[Diagram: Binding request from X to the STUN SERVER, then a Binding request to the mapped address from Y; is a response received?]
Test-bed configuration (the port numbers are missing on the slide; <port> stands in for them):
1. iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 --sport X -j SNAT --to IPpublicaNAT:<port>
2. iptables -t nat -A POSTROUTING -o eth0 -p udp -d IPpublicaNAT --dport <port> -j SNAT --to IPpublicaNAT:<port>
3. iptables -t nat -A PREROUTING -p udp -d IPpublicaNAT --dport <port> -j DNAT --to IPprivadaNodo:Y
(rule 3 was written on the slide as POSTROUTING -o eth0; the DNAT target is only valid in the PREROUTING and OUTPUT chains, where an output interface cannot be matched, so the hairpinned packet is redirected on arrival from the internal side)

NAT behavioral requirements for unicast UDP
 Receipt of any sort of ICMP message must not terminate the NAT mapping. Check where the ICMP messages come from
[Diagram: Binding request from X to the STUN SERVER, an ICMP request, then a Binding request from X again; same mapping?]

NAT behavioral requirements for unicast UDP
 Receipt of any sort of ICMP message must not terminate the NAT mapping
[Diagram: Binding request from X to the STUN SERVER, an ICMP request, then a Binding request from X again; same mapping?]
Test-bed NAT rule (the destination port number is missing on the slide; <port> stands in for it):
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport <port> -j SNAT --to IPpublicaNAT:64000
 So that the mapping is always the same

NAT behavioral requirements for unicast UDP
 If the packet received on an internal IP address has DF=1, the NAT must send back an ICMP message "Fragmentation needed and DF set" to the host
[Diagram: UDP packet with DF = 1; is a response received? Observed with Wireshark]

NAT behavioral requirements for unicast UDP
 A NAT must support receiving in-order and out-of-order fragments, so it must have "Receive Fragments Out of Order" behavior
[Diagram: a UDP packet is sent to the UC3M SERVER as fragments FRAG 1 then FRAG 0; is a response received? Observed with Wireshark]

NAT behavioral requirements for ICMP
 Same process as for the UDP RFC
 A NAT device must permit ICMP queries and their associated responses
[Diagram: ICMP request and ICMP response crossing the NAT towards the Internet and back; does the ping get the response?]

NAT behavioral requirements for ICMP
 An ICMP session timer must not expire in less than 60 seconds
[Diagram: ICMP packet to the UC3M LEONE SERVER, sleep 60 seconds, ICMP packet again]

NAT behavioral requirements for ICMP
 If the NAT has an active mapping for the embedded payload of an incoming error packet, it must translate the transport headers, leaving the error code unchanged
[Diagram: UDP packet to the UC3M LEONE SERVER; an ICMP error packet comes back]
 Do we get the error packet?
 Are the code and type == 3?

NAT behavioral requirements for ICMP
 If the NAT has an active mapping for the embedded payload of an outgoing error packet, it must translate the transport headers, leaving the error code unchanged
[Diagram: UDP packet from the UC3M LEONE SERVER, an ICMP error packet sent back out, then a UDP packet with the result]

NAT behavioral requirements for ICMP
 All NAT devices must support the traversal of hairpinned ICMP error messages
[Diagram: UDP packet to the mapped IP and port learned from the STUN SERVER; an ICMP error packet is hairpinned back]

NAT behavioral requirements for ICMP
 A NAT must support Destination Unreachable, Time Exceeded and Echo Request/Reply packets
[Diagram: UDP packet with TTL = 3 towards the STUN SERVER; a Time Exceeded error packet comes back]
 Destination Unreachable: tested in the previous tests
 Echo Request/Reply: tested by doing a ping

NAT behavioral requirements for TCP
 A NAT must have an "Endpoint-Independent Mapping" behavior
 Connect to the STUN SERVER from port X
 Connect to the alternative STUN server address from the same port
 If the mapping in these two cases is the same, then the NAT has an "Endpoint-Independent Mapping" behavior

NAT behavioral requirements for TCP
 A NAT must not have a "Port assignment" behavior of "Port overloading"
[Diagram: several connections towards the STUN SERVER]
 If any external port is being reused, the NAT fails this requirement

NAT behavioral requirements for TCP
 A NAT must support "hairpinning"
[Diagram: connection to the STUN SERVER, then a Binding request to the mapped address from Y]

NAT behavioral requirements for TCP
 Receipt of any sort of ICMP message must not terminate the NAT mapping
[Diagram: Binding request from X to the STUN SERVER, an ICMP request, then a Binding request from X again; same mapping?]

NAT behavioral requirements for TCP
 A NAT must not respond to an unsolicited inbound SYN packet for at least 6 seconds after the packet is received. If during this interval the NAT receives and translates an outbound SYN for the connection, the NAT must silently drop the original unsolicited SYN
 A NAT must handle the TCP simultaneous-open mode of connection initiation

NAT behavioral requirements for TCP
 If there is neither a RESET nor an ICMP error, and the SYN packet arrived at the server, the result is OK
[Diagram: initial UDP packet to the STUN SERVER; inbound SYN packet: RESET? outbound SYN packet: ICMP unreachable? finally a UDP packet containing the result]