Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIPNAT (source_IP NAT)

Published byEstella Tucker Modified over 6 years ago

Similar presentations

Presentation on theme: "SIPNAT (source_IP NAT)"— Presentation transcript:

1 SIPNAT (source_IP NAT)
November 6, 2009 Keio University © 2009 Wichorus Inc. All rights reserved. © 2009 Wichorus Inc. All rights reserved.

2 Business pitfalls of moving to IPv6 today
Practically all of the customers are using IPv4 So, business must serve IPv4 web accesses Web presence is required 24 x 7 x 52 x … This is not compatible with today’s NAT solutions, or today’s IPv6 solutions Customers need to be able to contact business Not the other way around! Needed: “always on” NAT for v4v6 translation NOTE: NAT is needed for sure [ “evil” or not ] © 2009 Wichorus Inc. All rights reserved.

3 NAT today: works, but running out of steam
Network Address Translation – typically between globally unique IP addr. and “private” IP addr. Net provides a million private addresses per site Net provides 65,536 such private addresses Provides topology hiding; typically bundled with firewall Requires per-function ALGs (e.g., TCP, FTP, …) Always requires that inside host initiates app. Merging networks causes a renumbering nightmare © 2009 Wichorus Inc. All rights reserved.

4 Other existing NAT solutions
Today almost universally (private)IPv4  (global)IPv4 NAPT Outgoing only Port numbers required (so, e.g., GRE does not work). Incompatibilities are confusing for application development Poor results after non-participation by IETF or other SDOs IPv6 requires translation to work with Internet today Many variations for IPv6  IPv4 connections Many approaches require dual-stack (e.g., DS-Lite) Only IVI enables incoming session initiation Not scalable; deployed at least in CERNET © 2009 Wichorus Inc. All rights reserved.

5 Proposal allows IPv4  IPv6 communication
Designed for IETF [behave] wg. For incoming packets, usual NAT needs the dest port # to find the destination  communication already started New proposal uses source IP address to “select” the IPv6 destination May use s-port # for finer control DNS-based setup phase provides an IPv4 address for communication with the IPv6 device Allocation completed using source IP IPv4 Internet IPv6 home / ISP / … © 2009 Wichorus Inc. All rights reserved.

6 Bidirectional NAT v4  v6 (uses DNS)
No changes to IPv6-only hosts or IPv4-only hosts No dual-stack No tunneling Can delegate special domain to NAT box if desired Modeled as a flow-management problem source_IP NAT IPv4 Internet Global net i/f Internal Network Interface IPv6 Internal Network © 2009 Wichorus Inc. All rights reserved.

7 Operation of system… IPv4 Internet source_IP NAT Request IPv4 Address
DNS 2 1 DNS Query for v6host.org 3 Supply NAT_addr4 4 DNS Reply A record NAT_addr4 IPv4 Internet source_IP NAT addr1 addr2 addr3 addr4 For step 3, NAT receives the v4 address request and: Overlays a new flow record for v6host at the v4 address NAT_addr4 Sets BIND_TIMEOUT Awaits packet arrival at NAT_addr4 from v4-internet When packet arrives, resets timeout, adds source_v4 Internal Network Interface Global network i/f © 2009 Wichorus Inc. All rights reserved.

8 Unassisted mode failure: one source  two dests
The system will fail if a specific source tries to access too many destinations At each IPv4 address of the NAT, a source IP address (and, possibly, source port) _identifies_ the flow Can have one flow per source per NATv4 address, if lucky © 2009 Wichorus Inc. All rights reserved.

9 Unassisted mode: failure scenario B
The system will fail if there are too many new flow requests at about the same time Have to keep the request “pending” until a packet arrives to provide the exact source IP address Thus, each flow request temporarily (WAIT_TIME) consumes a NATv4 interface address Since the DNS Request does not have the source IP address, the allocated flow will go to the source of the first packet to arrive that is not already deliverable © 2009 Wichorus Inc. All rights reserved.

10 Testing Started with HP’s 85 million access records for World Cup 1998
By preprocessing input, can adjust many parameters DNS response time Arrival rate for DNS request == flow allocation request WAIT_TIME BIND_TIMEOUT Number of destinations… sources Crucial need for more real-world data Have run thousands of scenarios; results available Old website © 2009 Wichorus Inc. All rights reserved.

11 Is it really like flow management?
Incoming <v4dev, sport, NATaddr, dport, TOS>  <v4mapped, sport, v6dev, dport, TOS> Use DPI to figure out which ALG to use Gradually move more functions to hardware? Checksums Pattern recognition Have to search overlapping flow records per v4addr Determine maximum degree of overlap? This is what provides scalability for the solution © 2009 Wichorus Inc. All rights reserved.

12 Payload assist for higher scalability / robustness
Base v4v6 NAT system works well Can improve scalability and robustness using known payload fields (for certain protocols) Good example: http GET contains “http.host” field, identifying the destination Also: works for SIP (e.g., VoIP, presence, instant messaging, …) Additional techniques to enable peer-to-peer © 2009 Wichorus Inc. All rights reserved.

13 Pattern Matching techniques
A large majority of website pathnames are unique to specific destinations A pattern matching machine could identify the correct destination based only on HTTP pathname This could even be guaranteed for cooperative clients For example: © 2009 Wichorus Inc. All rights reserved.

14 Recent analytical results
“Queueing Theoretic Analysis of Source IP NAT” with Cedric Westphal submitted to ICC 2010 Wait time W  0 as # of translation interfaces grows Analytical expressions for W are derived under various conditions Single interface Multiple interfaces, random assignment Multiple interfaces, round-robin assignment © 2009 Wichorus Inc. All rights reserved.

15 Conclusions Business use of IPv6 requires access from IPv4
SIPNAT enables bidirectional, transparent communication between IPv4  IPv6 Internets No tunneling, no host upgrades, no dual-stack Can run at line speed using flow management Basic system offers high reliability Using additional DPI-related techniques, SIPNAT can provide 100% packet delivery accuracy © 2009 Wichorus Inc. All rights reserved.

16 Future work That’s why I am here 
Order of application for various techniques Design for additional ALGs (e.g., BitTorrent) Performance measurements Additional datasets Evaluation of techniques relative to each other Deployment (bridge story?) © 2009 Wichorus Inc. All rights reserved.

Download ppt "SIPNAT (source_IP NAT)"

Similar presentations

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
CS 457 – Lecture 16 Global Internet - BGP Spring 2012.

CS 457 – Lecture 16 Global Internet - BGP Spring 2012.
CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.

CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
COS 420 Day 18. Agenda Assignment 4 Posted Chap 16-20 Due April 6 Group project program requirements Submitted but Needs lots of work Individual Project.

COS 420 Day 18. Agenda Assignment 4 Posted Chap Due April 6 Group project program requirements Submitted but Needs lots of work Individual Project.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
NAT: Network Address Translation 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 138.76.29.7 local network (e.g., home network) 10.0.0/24 rest of Internet Datagrams.

NAT: Network Address Translation local network (e.g., home network) /24 rest of Internet Datagrams.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
Middleboxes & Network Appliances EE122 TAs Past and Present.

Middleboxes & Network Appliances EE122 TAs Past and Present.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.

Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
Network Address Translation (NAT) CS-480b Dick Steflik.

Network Address Translation (NAT) CS-480b Dick Steflik.
9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.

9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.
© MMII JW RyderCS 428 Computer Networking1 Private Network Interconnection  VPN - Virtual Private Networks  NAT - Network Address Translation  Describe.

© MMII JW RyderCS 428 Computer Networking1 Private Network Interconnection  VPN - Virtual Private Networks  NAT - Network Address Translation  Describe.
1 NAT Network Address Translation Motivation for NAT To solve the insufficient problem of IP addresses IPv6 –All software and hardware need to be updated.

1 NAT Network Address Translation Motivation for NAT To solve the insufficient problem of IP addresses IPv6 –All software and hardware need to be updated.
Introduction to Network Address Translation

Introduction to Network Address Translation
CS 540 Computer Networks II Sandy Wang

CS 540 Computer Networks II Sandy Wang

Similar presentations

Ads by Google