Of Knights and Drawbridges
Auro Tripathy
A halt-who-goes-there medieval story about the modern mystery of NAT Traversal
2
Using an Analogy to explain NATs
         NAT   NAT                          NAT   NAT
         +-+   +-+                          +-+   +-+
+----+   | |   | |                          | |   | |   +----+
|EP-a|---+ +...+ +---((Public Network))---+ +...+ +---|EP-b|
+----+   | |   | |                          | |   | |   +----+
         +-+   +-+                          +-+   +-+

EP = End Point
NAT = Network Address Translation
Source : https://tools.ietf.org/html/draft-takeda-symmetric-nat-traversal-00
3
Imagine…
The fortress (your home) is a private network
The tenant is an end-point device (e.g. PC, network attached storage, wireless thermostat, wireless smoke-alarm, IoT device)
The NAT is the “moat” that defends the fort.
A tenant can send out a packet by lowering the drawbridge.
Until a tenant sends a packet out of the fort, the fort is locked down; there are no drawbridges.
4
Fortifying your defenses with a Moat
Lowering the drawbridge is an opportunity for an unintended “knight” to come in, so the bridge must be defended against uninvited knights.
The rules of the drawbridge define the moat:
Full-Cone NAT (least restrictive crossing)
Restricted-Cone NAT
Port-restricted-Cone NAT
Symmetric NAT (most restrictive crossing)
5
Full-Cone NAT
When the tenant (end-point) in the fort sends a knight (packet) out, a drawbridge will be lowered with a guard to determine who can come in using that drawbridge.
For an in-coming knight (packet), the guard checks only one thing: “Are you, Sire, visiting the tenant who created this drawbridge?” If yes, go on in.
The guard does not check where the knight (packet) came from (it could be any end-point), nor whether the knight has an invitation.
6
The Invitation Letter
The trick to traverse a NAT with UDP is to utilize the “invitation letter” (packet).
The invitation packet is not necessarily a “special” invitation packet. The first outgoing data packet works as an invitation because it lowers a drawbridge and assigns a guard for incoming knights.
7
Restricted-Cone NAT
A drawbridge will be lowered when a tenant (end-point) in the fort sends an invitation letter (a packet) for the first time to another fort.
The guard on the drawbridge will check if the in-coming knight (packet) is visiting the tenant who lowered this drawbridge.
The guard also checks if the knight came from the fort that received the invitation letter from the tenant.
The guard does not check the invitation letter, just the fort name to which the invitation was sent.
8
Port-restricted-Cone NAT
A drawbridge will be lowered when a tenant (end-point) in a fort sends an invitation letter (a packet) for the first time to a tenant in another fort.
The guard will check if each knight (packet) trying to enter (via the drawbridge) is visiting the tenant who lowered the drawbridge.
The guard checks if the knight came from the fort that received the invitation letter from the tenant.
The guard also checks if the knight has received the invitation letter from the tenant.
“You came from the correct fort; do you have the invitation?”
9
Symmetric-Cone NAT
In the case of non-symmetric NATs, the same drawbridge is used whenever the same tenant in a fort sends an invitation packet, even to a different destination.
In a symmetric NAT, a new drawbridge is always lowered every time the tenant in the fort sends an “invitation” packet.
(Figure labels: Fort, Moat, Drawbridge, Tenant)
Each invitation has its own drawbridge.
The drawbridge for a knight to enter from one fort is not the same for other knights to enter from other forts
10
Summary
NAT-Type             | Intended for the tenant who lowered the drawbridge? | Invitation to Fort F2 and coming from Fort F2? | Has the invitation letter? | Coming in on the same drawbridge that the invitation went out on?
---------------------|-----------------------------------------------------|------------------------------------------------|----------------------------|------------------------------------------------------------------
Full Cone            | Yes, go on in                                       | Not checked                                    | Not checked                | Not checked
Restricted Cone      | Yes, and…                                           | Yes, go on in                                  | Not checked                | Not checked
Port-Restricted Cone | Yes, and…                                           | Yes, and…                                      | Yes, go on in              | Not checked
Symmetric Cone*      | Yes, and…                                           | Yes, and…                                      | Yes, and…                  | Yes, go on in
11
Applying the Analogy
In this analogy, a “tenant” represents a local UDP port.
Several tenants comprise a device. Each device has an IP address.
A fort protects multiple devices with a NAT (the moat).
A drawbridge is a mapping plus a rule for incoming packets.
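The mapping on this slide, carried into a small simulator, as an added example that is not code from the slides or from the IETF draft they cite. It models the four drawbridge rules from slides 5 to 9 and reproduces the summary table: a tenant is a (private IP, UDP port) pair, a drawbridge is a Mapping to one public port, and the first outbound packet to a destination is the invitation. The class names (Nat, Mapping, NatType), the port-allocation scheme and all addresses are constructed for illustration (RFC 5737 documentation ranges).

```python
"""Toy model of the four NAT behaviours described in the slides (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NatType(Enum):
    FULL_CONE = "full-cone"
    RESTRICTED_CONE = "restricted-cone"
    PORT_RESTRICTED_CONE = "port-restricted-cone"
    SYMMETRIC = "symmetric"


@dataclass
class Mapping:
    """A lowered drawbridge: one public port owned by one tenant."""
    internal: Endpoint                                   # the tenant (private ip, local UDP port)
    external_port: int                                   # the port on the NAT's public side
    invited: Set[Endpoint] = field(default_factory=set)  # destinations an invitation went out to


@dataclass
class Nat:
    nat_type: NatType
    public_ip: str
    next_port: int = 40000                               # assumption: sequential public ports
    mappings: List[Mapping] = field(default_factory=list)

    def _bridge_for_outbound(self, internal: Endpoint, dest: Endpoint) -> Optional[Mapping]:
        for m in self.mappings:
            if m.internal != internal:
                continue
            if self.nat_type is NatType.SYMMETRIC:
                if dest in m.invited:   # symmetric: a bridge serves exactly one destination
                    return m
            else:
                return m                # cone NATs: one bridge per tenant, any destination
        return None

    def send(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        """Tenant sends a packet out: lower (or reuse) a drawbridge and record the invitation.
        Returns the public (ip, port) the destination sees as the packet's source."""
        m = self._bridge_for_outbound(internal, dest)
        if m is None:
            m = Mapping(internal, self.next_port)
            self.next_port += 1
            self.mappings.append(m)
        m.invited.add(dest)
        return (self.public_ip, m.external_port)

    def receive(self, src: Endpoint, external_port: int) -> Optional[Endpoint]:
        """The guard's decision for a packet from src arriving at external_port.
        Returns the tenant it is delivered to, or None if the packet is dropped."""
        m = next((m for m in self.mappings if m.external_port == external_port), None)
        if m is None:
            return None                 # no drawbridge here: the fort is locked down
        if self.nat_type is NatType.FULL_CONE:
            return m.internal           # only "is it for the tenant who lowered this bridge?"
        if self.nat_type is NatType.RESTRICTED_CONE:
            # must come from an invited fort (IP); which knight (port) is not checked
            return m.internal if any(src[0] == d[0] for d in m.invited) else None
        # port-restricted and symmetric: must hold the exact invitation (ip, port);
        # for symmetric the bridge is per destination, so "same drawbridge" is implied
        return m.internal if src in m.invited else None


# Constructed addresses for the scenario
TENANT = ("10.0.0.2", 5000)           # private IP, local UDP port
SERVER = ("203.0.113.10", 3478)       # the far fort the tenant first writes to
SERVER_ALT = ("203.0.113.10", 9999)   # same fort, a different knight (port)
PEER = ("198.51.100.7", 6000)         # a fort the tenant has not written to yet


def run_scenario(nat_type: NatType) -> Dict[str, bool]:
    """Send one invitation to SERVER, then probe the guard with several incoming knights."""
    nat = Nat(nat_type, public_ip="192.0.2.1")
    _, port = nat.send(TENANT, SERVER)          # the invitation letter goes out
    result = {
        "server_reply": nat.receive(SERVER, port) == TENANT,
        "server_other_port": nat.receive(SERVER_ALT, port) == TENANT,
        "uninvited_peer": nat.receive(PEER, port) == TENANT,
    }
    # Now the tenant also invites PEER: does PEER get in on the port SERVER learned?
    _, port2 = nat.send(TENANT, PEER)
    result["peer_after_invite_same_port"] = nat.receive(PEER, port) == TENANT
    result["new_drawbridge"] = port2 != port
    return result


def run_all() -> Dict[NatType, Dict[str, bool]]:
    return {t: run_scenario(t) for t in NatType}


if __name__ == "__main__":
    for nat_type, outcome in run_all().items():
        print(f"{nat_type.value:22s} {outcome}")
```

The last two probes are the point of the "Applying the Analogy" slide: on the three cone NATs the peer can come in on the port the server learned once the tenant has written to the peer, while the symmetric NAT lowers a fresh drawbridge for the peer, so a packet aimed at the port the server learned is still dropped.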