28

Realtime Multimedia in Presence of Firewalls and

Network Address Translation (NAT)

Knut OmangIfi/Energima14 Sep, 2020

29

Overview● Solving the traversal problem from a ’network owner’ perspective

● Quick overview of some protocols in use for real-time multimedia

– SIP/SDP

– Other protocols that struggles with firewall/NAT

● Details of SIP/SDP

– Firewall and NAT traversal examples with SIP/SDP

● IPv6 to the rescue?

● Firewall and NAT support in the Linux kernel

– Iptables and ebtables

– Routing

– Traffic control using tc● qdiscs and filters● netem

30

Solving the traversal problem from a ’network owner’ perspective

● Discovery methods so far:– what can we achieve if we have no influence over the network layout or

services offered

● What if we control the network - other approaches we can use?– Extending the firewall/NAT functionality?

– Let firewall route some traffic via special ‘gateways’ (= delegate)

● Make the firewall collaborative, trusting (some…) clients

● Transparently handle more protocols (also at higher levels such as session layer)

31

Collaborative: Controlled Firewalls● Adding a separate firewall control protocol● Client requests opening of ports in firewall● Examples: SOCKS, UPnP (“Universal Plug and Play”)

● About trusting clients on local network

● UPnP: Clients must trust any device replying to broadcast

32

Application Level Gateways (ALG)• Server/service in connection with firewall

– Allowed in FW rules

– Controls firewall through control protocol

– Or built into firewall

• Old proto example: ftp

• Some VPN gateways

• Session Border Controller:

– SIP ALG

– Terminates traffic in both directions

– Masks real source/destination at the session layer

33

Application Level Gateways (ALG)● Server/service in connection with firewall

– either built-in (plugin) or separate service

● Sometimes called ‘application level proxy’

● Protocol examples: – ftp (file transfer protocol)

– SIP (Session Initiation Protocol) [Often called Session Border Controller (SBC)]

– H.323

– RTSP (Real Time Streaming Protocol)

34

ALGs vs simple firewalls?

Firewalls often dedicated hardware - long lived compared to other infrastructure!

● IP,UDP,TCP: Stable protocols, modest changes– easy to maintain in firewalls

● Contrast with many upper level protocols: Lots of features, lots of development => lots of bugs/fixes

● Linux maybe altering the picture as more FW/NAT devices are powered by Linux, and are software upgradable?

● ALGs must be trusted: If encrypted data, they might need to decrypt

35

Some protocols exposed to firewall/NAT issues

• FTP (File Transfer Protocol)

• SIP (Session Initiation Protocol)

• H323 (ITU – telecoms standard)

• Skype (proprietary peer-to-peer)

• XMPP (Extensible Messaging and Presence Protocol)

• IPsec (AH/ESP/Tunnel mode)

36

Session Initiation Protocol (SIP)• HTTP inspired protocol for session management:

– Registration/location information– Establish (and take down) session– Multiple channels (voice,video,ppt,chat,…)– Add/remove participants– Renegotiate media– ’Forking’– Bridge to POTS (Plain Old Telephony Systems)

• Session layer running on top of different protocols (UDP,TCP,…)• VoIP (Voice over IP) usually means SIP based• Lots of equipment available/being developed that uses SIP in some

form• Also ’embraced’ by telecoms by means of IMS

37

Skype and firewall/NAT

• Based on software developed for Kazaa (early file sharing: Napster)– Per-to-peer intended for file sharing

– Got much ’for free’ from P2P..

– Proprietary and encrypted -> tech likely lives on in MNP24..

– Solves NAT traversal with similar strategies as STUN/TURN and tunnelling if necessary

– Relaying via (and relying on) private users

– Breakdown in 2007 thought to be due to diminishing number of non-fw/NAT’ed users

38

WebRTC● Open source APIs initiated by Google to make it easier to implement

peer-to-peer unified communication from web browsers.

● Supports different underlying protocols for signalling and media, for instance SIP over Websockets for signalling and STUN, TURN and ICE for discovery

39

Unified communication in the COVID-19 era

Examples of commercial, cross platform “conference” type collaboration software:

● Zoom

● Microsoft Teams (evolution from Skype and other products)

● Google Meet (former Hangouts)

40

Unified communication in the COVID-19 era

Open source conferencing:

● BigBlueButton– Used by Linux Plumbers Conference (LPC) ‘2020:

https://lwn.net/Articles/830436/

● Jitsi– Evaluated runner-up for LPC’2020

(https://lwn.net/Articles/815751/)

41

Chat applications...

Proprietary:

● Facebook Messenger

● Telegram

● Slack

● WhatsApp

● WeChat

● Discord

● ...

Open source:

● IRC

● Signal

● Mattermost

● …..

42

Protocols in use:● Google Meet, Discord, Facebook Messenger: WebRTC

● Zoom:– Indicate they only use peer-to-peer for 2-person calls (WebRTC?)

– Larger conferences appear to be solely client-server based (proprietary)

● Microsoft Teams: MNP24 - evolution from ‘Skype consumer code’– e.g. proprietary, but uses similar techniques as STUN, TURN, ICE

– But ‘bridge’ that supports SIP and H.323 - likely to allow seamless use of conference equipment etc

43

IPsec

• AH (Authentication Header protocol)

– Additional header that authenticates the information in the IP header

• Ensures that the IP header information is not changed by intermediates..• Does not encrypt payload but checksums it to avoid tampering..

• ESP (Encapsulating Security Payload protocol)

– Encapsulates and encrypts a checksum of the IP payload– does not checksum/verify the IP header

• Tunnel mode: – Either or combinations of ESP/AH where the payload is a complete IP packet

with its own IP header

44

IPsec and Firewall/NAT

• AH:

– Defeats the very purpose of NAT!

• Any NAT’ed packets will be dropped..

• ESP:

– Address modifications may pass

– Port modifications lead to dropped packets!

• The port numbers are in the transport headers (UDP/TCP..) which are inside the encrypted payload!

45

IPsec and Firewall/NAT (2)

• NAT-T (RFC 3947,3948)

– Adds an additional UDP header to ESP packets– Defines port 4500 as the ipsec-nat-t port– Limited: Requires one side to have destination nat (’static’ nat)

– Defines a protocol for exchanging NAT information

• Problem:– DNAT allows a single listener– What if multiple VPNs are to communicate across the same

NAT devices?– Approach requires firewall access – not always possible

46

MSNP (MSN) and firewall/NAT

• RealTunnel used to serve MSN community with free download

– Had significant user base

• Microsoft increasingly aware of problem

• Acquired Skype in 2011 for 8.5$ bn…

• Discontinued old MSN client in 2013

• Replaced with Skype..

47

XMPP and Firewall/NAT

• Jabber

• Basis for a.o. original Googletalk, Cisco Jabber...

• Implements STUN/TURN/ICE for XMPP(++)

48

Firewalls and IPv6

• Most of the problems remains

– Open/blocked ports

– Detecting best path for media

– UDP/TCP

– QoS problems

49

NAT and IPv6?

Pros:• Avoiding renumbering:

– when changing Internet provider..

• Facilitating multi-homing– Use of multiple providers from same

domain

• Topology hiding– Preventing host counting by attackers– Router scalability

• IPv6 already old – what about host mobility?

Cons:• End-to-end routability

– All the complexity of NAT in today’s lecture..

• Much reconfiguration to do already– DHCP, DNS dynamic update

• Provider independent IP blocks– Good for switch vendors… – See RFC 5902

50

NAT and IPv6?

• 2011: Linux implementation of NAT for IPv6

• In mainline kernel from v.3.7(merged Oct.2012)

51

Some firewall/NAT RFCs...

● RFC 5389: Session Traversal Utilities for NAT (STUN) (2008)

● RFC 5766: Traversal Using Relays Around NAT (TURN) (2010)

● RFC 8445: Interactive Connectivity Establishment (ICE) (2018)

● RFC 4787: NAT Behavioral Requirements for Unicast UDP (2007)

● RFC 5382: NAT Behavioral Requirements for TCP (2012)

● RFC 5902: IAB Thoughts on IPv6 NAT (2010)

● RFC 7857: Updates to NAT Behavioral Requirements (2016)

52

Other RFCs in this area:● RFC 6146: Stateful NAT64: NAT from IPv6 clients to IPv4 servers (2011)

● RFC 3261: SIP: Session Initiation Protocol (2002)

● RFC 5411: A Hitchhiker’s Guide to the Session Initiation Protocol (SIP) (2009)

53

Our simple call example: (now with SIP)

User: per User: ida

192.168.0.81

per@realsip.com: 192.168.0.81:5060ida@realsip.com: 192.168.20.10:4560

192.168.20.10

REGISTER sip:realsip.com

200 OK

REGISTER sip:realsip.com

200 OK

• Registration

54

Our simple call example: (now with SIP)

User: per User: ida

192.168.0.81

per@realsip.com: 192.168.0.81:5060

ida@realsip.com: 192.168.20.10:5060

192.168.20.10

INVITE sip:ida@realsip.com…m=audio 42921 RTP/AVP

200 OK…m=audio 14351 RTP/AVP

INVITE sip:ida@realsip.com

200 OK

• Call:

192.168.0.81:42921

192.168.0.81:14351

55

A complete SIP dialoguePer IdaSIP registrar

INVITE sip:ida@realsip.com

INVITE sip:ida@realsip.com100 Trying

180 Ringing 180 Ringing Ida answers

200 OK 200 OK

ACK sip:ida@192.168.20.10:5060ACK sip:ida@192.168.20.10:5060

.

.

.In call…

BYE sip:ida@192.168.20.10:5060BYE sip:ida@192.168.20.10:5060

200 OK 200 OK

56

A SIP request with SDPINVITE sip:ida@realsip.com SIP/2.0Via: SIP/2.0/UDP 192.168.0.81:5061;branch=z9hG4bK-32063-1-1From: "per" <sip:per@realsip.com>;tag=1To: <sip:ida@realsip.com>Call-ID: 1-32063@192.168.0.81CSeq: 1 INVITEContact: <sip:per@192.168.0.81:5061>Max-Forwards: 70Subject: Simple CallContent-Type: application/sdpContent-Length: 186

v=0o=- 53655765 2353687637 IN IP4 192.168.0.81s=-c=IN IP4 192.168.0.81t=0 0m=audio 6001 RTP/AVP 8a=rtpmap:8 PCMA/8000a=rtpmap:101 telephone-event/8000a=fmtp:101 0-11,16

57

A SIP request with SDP (received)INVITE sip:ida@192.168.0.81:5062 SIP/2.0Via: SIP/2.0/UDP 192.168.0.84:5060;branch=z9hG4bK-ffdef4f8xc0a80054Via: SIP/2.0/UDP 192.168.0.81:5061;branch=z9hG4bK-32063-1-3From: "per" <sip:per@realsip.com>;tag=1To: <sip:ida@realsip.com>Call-ID: 1-32063@192.168.0.81CSeq: 2 INVITEContact: <sip:per@192.168.0.81:5061>Max-Forwards: 69Subject: Simple CallContent-Type: application/sdpRecord-Route: <sip:192.168.0.84:5060;lr>Content-Length: 186

v=0o=- 53655765 2353687637 IN IP4 192.168.0.81s=-c=IN IP4 192.168.0.81t=0 0m=audio 6001 RTP/AVP 8a=rtpmap:8 PCMA/8000a=rtpmap:101 telephone-event/8000a=fmtp:101 0-11,16

58

A SIP response with SDPSIP/2.0 200 OKVia: SIP/2.0/UDP 192.168.0.81:5061;branch=z9hG4bK-32063-1-3Record-Route: <sip:192.168.0.84:5060;lr>From: "per" <sip:per@realsip.com>;tag=1To: <sip:ida@realsip.com>;tag=1Call-ID: 1-32063@192.168.0.81CSeq: 2 INVITEContact: <sip:ida@192.168.0.81:5062;transport=UDP>Content-Type: application/sdpContent-Length: 131

v=0o=- 53655765 2353687637 IN IP4 192.168.0.81s=-c=IN IP4 192.168.0.81t=0 0m=audio 6000 RTP/AVP 0a=rtpmap:0 PCMU/8000

59

A SIP response with SDP (received)SIP/2.0 200 OKVia: SIP/2.0/UDP 192.168.0.84:5060;branch=z9hG4bK-ffdef4f8xc0a80054Via: SIP/2.0/UDP 192.168.0.81:5061;branch=z9hG4bK-32063-1-3Record-Route: <sip:192.168.0.84:5060;lr>From: "per" <sip:per@realsip.com>;tag=1To: <sip:ida@realsip.com>;tag=1Call-ID: 1-32063@192.168.0.81CSeq: 2 INVITEContact: <sip:ida@192.168.0.81:5062;transport=UDP>Content-Type: application/sdpContent-Length: 131

v=0o=- 53655765 2353687637 IN IP4 192.168.0.81s=-c=IN IP4 192.168.0.81t=0 0m=audio 6000 RTP/AVP 0a=rtpmap:0 PCMU/8000

60

Linux packet handling toolbox● Packet filtering (iptables,ebtables → nft (bpfilter?) )

● Connection tracking (conntrack)

● Packet classification and traffic shaping/control (tc)

● Routing/forwarding (ip route)

● Test tools (netem, tcpdump, wireshark, log targets,…)

61

Why is this interesting?● Linux powers most of the world’s firewalls today

● Cloud: – SDN (Software Defined Networking)

– Virtual machines

– Nested virtual machines

– Containers

62

netfilter packet flow..

63

iptables● able to filter where packets are passed at the IP protocol level

● 5 tables: filter, nat, mangle, raw, security

● filter for typical filtering of packets– FORWARD, INPUT and OUTPUT

● nat for network address translation– PREROUTING (incoming)

– POSTROUTING (forwarded outgoing)

– OUTPUT (packets coming from the host itself)

● mangle: modify the packets before subject to other rules

64

ebtables● similar to iptables but at the link layer

● filter, forward, nat on ethernet addresses

● send “upwards” in stack

● can be used to implement special handling in virtual bridges

● often IP layer does not see packet at all

● useful in virtualization:– host want's to interfere with bridged traffic from guests

65

Packet filtering - ongoing evolution● nftables (nft)

– iptables replacement, started 2009.

– more coherent syntax, transactions

– easier to extend

– easier to write efficient rule sets

– default for firewalld from Fedora 32

● eBPF (extended Berkeley Packet Filter)– a small byte code executor within the kernel

– simple programming language

– security? “Verifier”, simple language,…

– bpfilter: Netfilter implementation in eBPF

66

Linux routing/forwarding

[root@ukvm01 ~]# ip route show

default via 192.168.167.1 dev eth0  proto static  metric 100  

192.168.167.0/24 dev eth0  proto kernel  scope link  src 192.168.167.101  metric 100

[root@ukvm01 ~]# ip route show table local broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1  local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1  local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1  broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1  broadcast 192.168.167.0 dev eth0  proto kernel  scope link  src 192.168.167.101  local 192.168.167.101 dev eth0  proto kernel  scope host  src 192.168.167.101  broadcast 192.168.167.255 dev eth0  proto kernel  scope link  src 192.168.167.101

67

ip route● Table space defined by

/etc/iproute2/rt_tables:

● May add own table names or just use number:

# # reserved values # 255     local 254     main 253     default 0       unspec # # local # #1      mytable

[root@ukvm01 ~]# ip route add 192.168.1.0/24 dev eth0 table 23 [root@ukvm01 ~]# ip route show table 23 192.168.1.0/24 dev eth0  scope link

68

Connection tracking: conntrack● Built into the kernel

– optional user level tool to display: conntrack

● All connections tracked by the kernel

● Usable by firewall and NAT functionality

● Allows optimization to only inspect packets that does not belong to a connection

69

Traffic shaping and control: tc● Ability to discriminate traffic

● Traffic classes– Examples: High bandwidth, low latency

– Allow setup to get resources distributed among usages

– Prioritize traffic as needed

– “Easy” to combine with packet filtering (iptables)

70

Network namespacesAllows virtualization of network for a process (or set of processes..)

● No network at all (only loopback)

● Specifically configured, separate network device instance(s)

● Own routing tables, etc etc..

● Container systems use it...

[root@ukvm01 ~]# ip netns list[root@ukvm01 ~]# ip netns add myns[root@ukvm01 ~]# ip netns listmyns[root@ukvm01 ~]# ip netns exec myns bash[root@ukvm01 ~]# ip link show1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

71

Summary● RT multimedia protocols

– demands good RT QoS - peer to peer!

– Particularly susceptible to firewalls and NAT

– Can generate very complex initiation scenarios

● Firewalls and NAT– Firewalls and NAT can to some extent

be characterized● potential for issues and problems● limited observability in the general case!

– Lots of protocols exhibit similar problems

– No rescue in IPv6….

● Linux and firewall/NAT– Linux powers many of the worlds firewalls

– Readily available to experiment with and deploy

– Lots of development going on

– Lots of tools and knowledge available