スライド 1 - 早稲田大学

Download Report

Transcript スライド 1 - 早稲田大学 

A New Method for Symmetric NAT
Traversal in UDP and TCP
Yuan Wei & Daisuke Yamada &
Suguru Yoshida & Shigeki Goto
Waseda University
{wei,daisk,yoshida,goto}@goto.info.waseda.ac.jp
2008/8/4
Wei Yuan
1
Agenda





Network Address Translator (NAT)
Existing problems in NAT traversal
New method
Experiment
Conclusion
2008/8/4
2
Wei Yuan
NAT (Network Address Translator)


Translate private IP addresses to a global IP
address
NAT includes Network Address Port Translation,
(NAPT)
enable multiple hosts
on a private network to
access the Internet
using a single public IP
address
2008/8/4
3
Wei Yuan
Full Cone NAT (Easy)
One-to-one
2008/8/4
4
Wei Yuan
Restricted Cone NAT
Another IP address
2008/8/4
5
Wei Yuan
Port Restricted Cone NAT
another port number
2008/8/4
6
Wei Yuan
Symmetric NAT (Difficult)
Unique mapping
Another client
2008/8/4
7
Wei Yuan
P2P and NAT (Problem)



P2P networks are based on global IP
address
Users cannot connect P2P network
behind NAT devices
NAT traversal becomes an active area of
research
2008/8/4
8
Wei Yuan
Existing Methods



No NAT traversal techniques can be
successfully applied symmetric NATs
TCP NAT traversal is difficult
Unique security filtering functions on
NATs
2008/8/4
9
Wei Yuan
New Method

UDP NAT traversal :
– Applicable to symmetric NATs

TCP NAT traversal :
– Applicable to simple NATs
2008/8/4
10
Wei Yuan
How to Traverse Symmetric NAT




Simulate normal UDP communications
– IP address and port number must correspond
to NAT.
Do not use a spoof packet from another IP
address
Establish direct communication between two
end points
Predict port numbers of NATs
2008/8/4
11
Wei Yuan
Phase I
F1: S1 gets the information of a port number
translated by NAT a.
F2: Send it back to the
echo client.
F3: S2 analyzes the port number of NAT a and
records it.
2008/8/4
12
Wei Yuan
Phase II
F4: S1 gets the information of a port number
translated by NAT b.
F5: Send it back to the
echo client.
F6: S2 analyzes the port number of NAT b and
records it.
2008/8/4
13
Wei Yuan
Phase III
F7: Predict a port number for hole
punching
F8: Send a large number of packets
with a small TTL value
F9: Predict a port number for hole punching
F10: Send a large number of packets
F11: P2P connection established
2008/8/4
14
Wei Yuan
New Method: UDP Multi Hole Punching
1.
Normal UDP communications
– Existing method uses another extra IP address
2.
Precise port number prediction
– Observe port translate algorithm: increment, decrement, leap
3.
Control port numbers
– control random port algorithm
– Binding port numbers
4.
Utilize many port numbers
– High success rate of hole punching
2008/8/4
15
Wei Yuan
TCP Hole Punching

SPI (Stateful Packet Inspection)
– a type of function for filtering of TCP packets

A valid sequence of packets should follow the 3-way
handshake.
1. [SYN] - out
2. [SYN, ACK] - in
3. [ACK] - out
2008/8/4
16
Wei Yuan
How to deal with SPI

Divide 3-way handshake section and hole punching section
– Hole punching section is similar to “Simple Traversal
of UDP Through NATs and TCP too” (STUNT)

3-way handshake section
– Send sequence number info to server.
– Use low TTL ( =1 ) to establish
– Packet does not reach at NATs

Set SO_REUSEADDR
option of setsockopt()
to combine (re-bind)
two section
2008/8/4
17
Wei Yuan
Experiment





Use WinStun to determine the type of NATs
Use Wireshark to capture packets
Evaluate Skype for NAT traversal
Test the performance of the new method
for UDP NAT traversal
Realize TCP NAT traversal
2008/8/4
18
Wei Yuan
Results


9 routers tested (3 routers were Symmetric NAT)
The success ratio of the P2P communication about Skype
was 46%
– Skype does not use UDP hole punching when the voice quality was
good.

The success ratio of the P2P communication about our
new method was 97%
– The combination of Buffalo and NEC had an 80% success rate on
average. The other combinations were 100% successful.


Succeeded in port prediction and control of port numbers
Succeeded in establishing TCP connections for five NAT
products out of six
2008/8/4
19
Wei Yuan
Control of port numbers
Random
2008/8/4
Incremental20
Wei Yuan
Conclusion




Succeed in port prediction
Succeed in control of port numbers
Skype is 46%. Our new method outperforms it with a
success rate of 97%
succeed in establishing TCP connections
for five NAT products out of six
WinStun
2008/8/4
Skype
New
Method
Symmetric NAT
33%
0%
100%
All routers
66%
46%
97%
21
Wei Yuan
END
2008/8/4
Wei Yuan
22