072 The Reality of Network Address Translators

8/7/2019 072 The Reality of Network Address Translators

1/21

The reality of Network Address Translators

by

Harald Welte


2/21

Reality of NAT

Contents

RFC3489: STUNRFC3714: IAB problem statement / congestion controlRFC3448: TFRC, TFRC-PSDCCPNSIS: GIMPS / NAT NSLPBEHAVE


3/21

Reality of NAT

NAT Basics

Network Address Translation is an old techniqueWidely used throughout the net as a way to cope with addressshortageMore and more popular with to DSL and cable modem routersUnfortunately not standardized at allNAT itself is not a security technology !!


4/21

Reality of NAT

NAT Basics

What does NAT do?Rewrite addresses of packets as they pass a particular forwarding machine

What can be translated?

Layer 3 (IP) addressesLayer 4 (TCP/UDP/SCTP/...) specific addressesLayer 5+ (e.g. FTP PORT statements)

Where can it be translated?Traditionally, at a routerBut also possible on a bridge


5/21


6/21

Reality of NAT

Why is NAT a nightmare

NAT might have been a solution 8 years agoHowever,it is very much designed for the traditional client/server paradigmthe Internet sees more advanced applications such aspeer-to-peer networksVoice over IPMultimedia streamsprotocols are getting increasingly complexmultiple layer 4 connections comprising one logical connectionembedding layer 3/4 addresses in payload leads to ALG requirementdirect client-to-client transmission of media streams not possible due to deployment of NAT.


7/21

Reality of NAT

NAT Basics

But well, even eight years ago....NATing a FTP connection is a real PITA. Why?First you change the source ip/port of the control connectionThen your ftp client sends a PORT command (in ASCII!!!)PORT 123,123,123,123,1,0

Then your ftp nat ALG needs to change that toPORT 1,1,1,1,10,10Thus, the resulting string is shorter!therefore you need to mangle every sequence number of each successive packetnow think of multiple port commands being issued within a single TCP window and retransmissionsif that is not enough, think of SACKSummaryIt is ugly as hellDifficult to impossible to get right in all cases


8/21

Reality of NAT

Why is NAT a nightmare

Todays NATs horribly violate the network layering modela NAT (although it operats on a rotuer or bridge) requires knowledge of theapplication protocolssupport for every new protocol needs to be added to all NATs

Also, you loose the ability to encrypt the payloadSIP can PGP-encrypt SDP.However, port numbers are inside SDPTherefore, if you use crypto, it just cant work


9/21

Reality of NAT

Types of NAT (STUN RFC3489)

Full Coneall requests from the same internal IP and port are mapped to the same externalIP address and port

any external host can send a packet to the internal host by sending a packet tothe mapped address

Restricted Coneall requests from the same internal IP and port are mapped to the same externalIP address and port.an external host can send a packet to the internal host only if the internal hosthad previously ent a packet to that particular external host


10/21

Reality of NAT

Types of NAT (STUN RFC3489)

Port Restricted Conelike restricted cone, but includes port numbersan external host can send a packet with source IP X and port P to the internalhost only of the internal host had perviously sent a packet to IP address X andport P

Symmetricall requests from same internal IP address and port to a specifica destination IPand port are mapped to the same external IP and port.if the same host sends a packet with the same source address and port, but to adifferent estination, a different mapping is used. Only the external host thatreceives a packet can send a packet back to the external host


11/21

Reality of NAT

Types of NAT: draft-audet-nat-behave

Address and port bindingExternal NAT binding is endpoint independentExternal NAT binding is endpoint address dependentExternal NAT binding is endpoint address and port dependent

Port AssignmentPort PreservationPort Overloading

Bind Refresh ScopePer bindingPer sessionOnly outgoing or also incoming?


12/21

Reality of NAT

Types of NAT: draft-audet-nat-behave

Filtering of unsolicited packetsExternal filtering is endpoint independentExternal filtering is endpoint address dependentExternal filtering is endpoint address and port dependent

Hairpinning BehaviourWhat happens if two endpoints are behind same nat

Deterministic PropertiesChaning over time:Port preservationPort allocation algorithmAddress and port bindingFiltering

Multicast Behaviour


13/21

Reality of NAT

The IETF and NAT

The IETF has long ignored the fact that NATs are commonplaceTherefore, theres a lack of standardization in NAT behaviourFurthermore, it is impossible to make a protocol work with all existing NATsProtocol designers normally dont consider NAT when developing new protocols


14/21

Reality of NAT

The IETF and NAT

SIP was the first IETF protocol that had _serious_ NAT issuesTherefore, the SIP working group came up with FCP (Firewall Control Protocol)Later, a new working group MIDCOM was foundedMIDCOM took several years but didnt really come up with a solution

Now there are dozens of groups publishing papers, drafts andRFCs.Most of them are targeted at UDP-only operationMost of them target consumer side NAT devices


15/21

Reality of NAT

How to solve the NAT problem?

At a protocol leveldesigning protocols in a way to operate on most/all NATsSIP has some extensions for thisIPsec also introduced NAT-T to tackle the problemVery difficult because of the number of differnet implementations and lack ofstandardization

At a NAT levelMaking NATs interoperate with all different kinds of protocols

Support operations like hole-punching for UDP and TCPProblematic because of large existing deployment


16/21

Reality of NAT

How to solve the NAT problem?

With a specific NAT configuration protocolFCPMIDCOMGIMPS NSIS NAT NSLPuPnP

There is no good solution without standardization


17/21

Reality of NAT

RFC3489: STUN

RFC3489: STUN (Simple Traversal of UDP Through NAT)Helps endpoints to find out whether they are behind some form ofNAT by communication with a host known to have an official IPTries to create NAT binding(s) on NAT devices

allows applications to open ports on the NATimplemented with lots of apps, including gnomemeeting


18/21

Reality of NAT

RFC3714

IAB problem statement about media traffic without congestioncontroldanger of congestion collapse with VoIP / streaming mediaIETF actions to counter this problemupgrade RTP to make packet loss monitoring a MUST

TFRC (TCP Friently Rate Control)TFRC-PS (TCP Friendly Rate Control - Packet Size)DCCP (Datagram Congestion Control Protocol)Adaptive Audio Codecsspecified drop rate for mimimum sending rate (tables)

Result:Well see new layer four protocols that need NAT, too


19/21

Reality of NAT

NSIS WG

NSIS (Next Step In Signalling) WG:Signalling Transport protocol for Signalling QoS, NAT, FirewallsGIMPS (Generic Internet Messaging Protocol for Signalling)Builds on top of TCP/UDP/SCTP/DCCPcan be combined with TLS and IPsecHas Messages with Router Alert that are to be processed by Routers/Firewalls/NATs

NAT NSIS Signalling Layer Protocolwants to establish a connection between two ends, any number of Firewalls / NATs in betweendraft-aoun-nsis-nslp-natfw-migration-02draft-tschofenig-nsis-natfw-security-problems-00draft-aoun-nsis-nslp-natfw-intrarealm-00.txtdraft-martin-nsis-nslp-natfw-sip-00.txt

draft-fessi-nsis-natfw-threats-01.txt


20/21

Reality of NAT

BEHAVE

Behave working groupParts of IETF acknowledge NAT is realityAcknowledges lack of standardizationwants to provide vendor guidelines for NAT implementationfocus on UDP and TCP unicastwill adress multicast NAT, toogoal: NAT-BEHAVE BCP RFCsecond document describing protocol design for BEHAVE-compliant NATscurrent draft:require outbound-only UDP timer refresh

strongly discourages port persistencyrequires no NAT for IPv6


21/21

Reality of NAT

Thanks

Thanks toAlan Cox, Alexey Kuznetsov, David Miller, Andi Kleenfor implementing (one of?) the worlds best TCP/IP stacksPaul Rusty Russellfor starting the netfilter/iptables projectfor trusting me to maintain it today

Astaro AGfor sponsoring parts of my netfilter workFree Software Foundationfor the GNU Projectfor the GNU General Public License

The slides of this presentation are available at http://www.gnumonks.org/

Further ReadingThe netfilter homepage http://www.netfilter.org/

Documents

072 The Reality of Network Address Translators