Traversing symmetric NAT with predictable port allocation function SIN 2014 Dušan Klinec, Vashek Matyáš Faculty of Informatics, Masaryk University

Page 1

Traversing symmetric NAT with predictable port allocation function

SIN 2014

Dušan Klinec, Vashek Matyáš

Faculty of Informatics, Masaryk University

Page 2

After you try to find us:

Page 3

Page 4

Centre for Research on Cryptography and Security

Page 5

Outline

• UDP Hole punching
• Symmetric NAT
• Port allocation function
• Our algorithms
• Evaluation
• Results

Page 6

Motivation

• Establish a direct connection between two hosts
– Both are behind a symmetric NAT.

• No relay servers needed
– Better connection parameters (latency, jitter).
– Architecture scales better, cheaper.
– Security consequences (MiTM).

• Plenty of NAT types already covered in literature
– Our motivation: 1/3 of the mobile internet provider market uses symmetric NAT.

Page 7

UDP Hole punching

[Figure: UDP hole punching between hosts A (.10) and B (.30); Step 1 and Step 2 are each labelled with the NAT rule they create, followed by Step 3; ports 80 and 90 shown.]

Page 8

UDP Hole punching

• Easy if both sides know the external mapped port of each other.
• Difficult if the mapped port changes.
• Difficult if the mapped port blocks incoming communication from “outside”.

Page 9

Symmetric NAT

[Figure: peer A (I.15) behind NAT+Firewall (addr E.10) sends from port 1234 to two STUN servers, E.60 and E.61, both on port 3478; mapping I.15:1234 = E.10:1234; external ports 5000 and 32000 shown.]

Page 10

Port allocation function

[Figure: peer A (I.15) behind NAT+Firewall (addr E.10) probing STUN server E.60; allocated port sequences 10–16 and 20–26 with a port marked Taken; port 32000 shown.]

Page 11

Apply UDP Hole Punching

• Challenge: Predict the next allocated port.
– On both sides, at the same time.
– May be a problem if the NAT is shared among other hosts.
– Need to determine the state of the NAT the user is using.

• STUN server used for this.
• State may change quickly.

• Approach: Multiple retries, maximize success rate.

Page 12

Algorithm #1

• Baby-step, giant-step.
• Main idea:
– Node A scans ports of the node B with step ∆B.
– Node B scans ports of the node A with step 2∆A.

• Benefit: Only one source port per device, the destination port varies.

Page 13

[Figure: columns for Alice and Bob listing the scanned ports X, X+1D, X+2D, ..., X+6D and Y, Y+1D, Y+2D, ..., Y+6D.]

Page 14

Probabilistic distribution on ports

• Probability distribution on the next allocated port of the peer: Poisson distribution.

Page 15

Other algorithms

• Expected port value
– Computes the expected value E[X] of the next port distribution.
– Poisson distribution is assumed.

• Poisson sampling algorithm
– Measurement process estimates the parameter λ.
– Algorithm samples the Poisson distribution on ports.
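Added worked example for the two slides above (Poisson model of the next port, expected value E[X], Poisson sampling); this is not code from the paper or its authors. It assumes the external ports reported by a STUN server for successive probes through an incremental symmetric NAT (the port list is constructed), estimates λ from the gaps, ranks candidate ports by Poisson probability and simulates how the hit rate grows with the number of retries.

```python
import math
import random

# Constructed sample (assumption): external ports a symmetric NAT with an
# incremental allocator handed to our successive STUN probes. A gap larger
# than 1 means other hosts sharing the NAT took ports in between.
OBSERVED_PORTS = [32000, 32001, 32003, 32004, 32007]


def estimate_lambda(ports):
    """Mean number of foreign allocations between two of ours (Poisson rate)."""
    gaps = [b - a - 1 for a, b in zip(ports, ports[1:])]
    if not gaps or any(g < 0 for g in gaps):
        raise ValueError("need >= 2 strictly increasing port observations")
    return sum(gaps) / len(gaps)


def poisson_pmf(k, lam):
    """P(K = k) for K ~ Poisson(lam)."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def expected_next_port(last_port, lam):
    """E[X] of the next port: last + 1 + E[K] = last + 1 + lam."""
    return last_port + 1 + lam


def candidate_ports(last_port, lam, count, max_offset=64):
    """Ports to try, most probable offset first (ties broken by lower port)."""
    offsets = sorted(range(max_offset), key=lambda k: (-poisson_pmf(k, lam), k))
    return [last_port + 1 + k for k in offsets[:count]]


def simulate_hit_rate(lam, count, trials=10000, seed=1):
    """Fraction of trials in which the peer's real next port is among our
    candidates. The NAT's true next port is modelled as last + 1 + K with
    K ~ Poisson(lam), drawn by inverse-transform sampling (constructed model)."""
    rng = random.Random(seed)
    last = 40000
    cands = set(candidate_ports(last, lam, count))
    hits = 0
    for _ in range(trials):
        u, k, cdf = rng.random(), 0, poisson_pmf(0, lam)
        while u > cdf and k < 200:
            k += 1
            cdf += poisson_pmf(k, lam)
        hits += (last + 1 + k) in cands
    return hits / trials
```

With λ = 0.75 the three most probable ports already cover about 96% of the simulated cases, which is the "multiple retries" trade-off the slides describe.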

Page 16

Evaluation

• Algorithm simulation.
– Artificial data, Poisson distribution sampling, multiple λ.

• Ability to test algorithms under different network loads.
– Real data from NetFlow probes in the university network.

• Real-world test.
• Poisson distribution hypothesis tests.

• Real-world algorithm test.
– Mobile internet service provider.
– Symmetric NAT with incremental port allocation function.

Success rate above 95%

Page 17

Results – success rate

[Chart legend: A: Baby step, giant step; B: Fix dest.; C: E[X]; D: Opt. Pois.; E: Poisson]

Page 18

Results – steps

[Chart legend: A: Baby step, giant step; B: Fix dest.; C: E[X]; D: Opt. Pois.; E: Poisson]

Page 19

Results – both

Page 20

Thank you for your attention!

Questions?