Leone - From global measurements to local management
UC3M: inHome NAT detection / RFC recommender (ICMP, UDP, TCP)
Miguel Ángel Díaz, Francisco Valera
Overall picture (8th October, 2013)
(Diagram: metric objective and external networks.)
Each Internet provider may use a different NAT implementation, differing in the mapping behavior, the filtering of packets and many more parameters.
We want to evaluate the different NAT implementations used by different providers.
Guidelines: RFC 5382 for TCP, RFC 5508 for ICMP, RFC 4787 for UDP.
The UDP validator is implemented; the TCP and ICMP validators are under development.
Some tests are defined in RFC 5780 (NAT behavior discovery using STUN).
NAT behavioral requirements for unicast UDP (June 2014)
1. Type of mapping and filtering being used on the NAT
2. Use of the ports: are they being overloaded?
3. IP address pool on the external realm
4. Does the NAT preserve port parity?
5. Persistence of the mapping
6. A NAT must support hairpinning
7. Does the receipt of any ICMP packet terminate the UDP mapping?
8. How does the NAT handle DF=1 packets?
9. Behavior on receipt of out-of-order fragments
NAT behavioral requirements for unicast UDP: example of UDP test
A NAT must support receiving out-of-order fragments.
(Diagram: the probe sends a fragmented UDP packet to the UC3M server with FRAG 1 before FRAG 0 and checks whether a response comes back.)
NAT behavioral requirements for ICMP
1. The NAT must handle ICMP queries and their associated responses
2. Time for a given session mapping to expire
3. Does the NAT permit ICMP packets without any active mapping?
4. Does the NAT permit ICMP error packets from the private realm without any active mapping?
5. Support of hairpinning ICMP packets
6. Support of different sorts of ICMP packets:
   1. Destination Unreachable
   2. Time Exceeded
   3. Echo Request/Reply
   4. Etc.
NAT behavioral requirements for ICMP: example of ICMP test
Behavior when there is no mapping on the NAT and an ICMP error packet is generated.
(Diagram: an initial ICMP packet is sent toward the STUN server and an error packet is generated in return; does it arrive?)
Inside this error packet there is another packet, the one that does not have any mapping on the NAT.
NAT behavioral requirements for TCP
1. Type of mapping and filtering being used on the NAT
2. Use of the ports: are they being overloaded?
3. Support of TCP connections initiated both internally and externally
4. Way of handling inbound SYN packets when they are unsolicited
5. Persistence of the mapping
6. A NAT must support hairpinning for TCP packets
7. Does the receipt of any ICMP packet terminate the TCP mapping?
Initial Results
UDP tests have been executed in different probes.
(Charts: mapping behavior, with categories "Endpoint independent" and "Address and port dependent"; filtering behavior, with category "Address and port dependent".)
Initial Results
UDP tests have been executed in different computers.
(Charts: mapping behavior and filtering behavior, with categories "Endpoint independent" and "Address and port dependent".)
Initial Results
| Test       | Port parity preservation | Port preservation | Deterministic behavior | IP pooling | Out-of-order receive | Don't fragment flag | Mapping lifetime > 2 minutes | Outbound renewal |
| Probe 1    | YES | NO  | YES | NO | YES | YES | NO | YES |
| Probe 2    | YES | NO  | YES | NO | YES | YES | NO | YES |
| Probe 3    | YES | NO  | YES | NO | YES | YES | NO | YES |
| Probe 4    | YES | NO  | YES | NO | NO  | YES | NO | YES |
| Probe 5    | YES | NO  | YES | NO | YES | NO  | NO | YES |
| Computer 1 | NO  | YES | YES | NO | YES | YES | NO | YES |
| Computer 2 | NO  | YES | YES | NO | YES | YES | NO | YES |
| Computer 3 | NO  | YES | YES | NO | YES | YES | NO | YES |
| Computer 4 | NO  | YES | YES | NO | YES | YES | NO | YES |
| Computer 5 | NO  | YES | YES | NO | YES | YES | NO | YES |
We have tested the recommendations from the RFC, not only the mapping or filtering behavior.
Future work
1. Finish the recommenders for TCP and ICMP
2. Integrate UPnP functionalities into the tests
3. Deploy the tests on more computers
4. Migrate the tests to the Android platform
Estimated date for TCP and ICMP to be ready for trials: end of this month
Leone - From global measurements to local management
Developing the tests & how to test functionalities
Miguel Ángel Díaz, Francisco Valera. June 2014, Maribor Meeting
NAT behavioral requirements for unicast UDP
A NAT must have an Endpoint-Independent Mapping behavior. Depending on the use of the NAT, it must have an Endpoint-Independent filtering or an Address-Dependent filtering behavior.
Detect the mapping and filtering behavior with the STUN protocol.
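As an added example (not the Leone project's own code), the client-side logic of the STUN-based detection described here: decoding the XOR-MAPPED-ADDRESS attribute of a Binding Response and then applying the RFC 5780 decision rules for mapping and filtering behavior. The server addresses, ports and sample response bytes are constructed for the example, not captured from a probe.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442            # RFC 5389 magic cookie, also the XOR key
BINDING_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def binding_response(ip, port, txid=b"\x00" * 12):
    """Construct a minimal STUN Binding Response carrying one IPv4 XOR-MAPPED-ADDRESS
    (sample-packet builder for this example; a real server fills in the client's mapping)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr


def xor_mapped_address(response):
    """Return the (ip, port) the NAT mapped the client to, or None if no IPv4
    XOR-MAPPED-ADDRESS is present or the message is truncated."""
    msg_len = struct.unpack("!H", response[2:4])[0]
    end = min(20 + msg_len, len(response))   # attributes follow the 20-byte header
    pos = 20
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", response[pos:pos + 4])
        if pos + 4 + alen > end:
            return None
        value = response[pos + 4:pos + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + ((alen + 3) & ~3)         # attribute values are padded to 4 bytes
    return None


def classify_mapping(primary, alt_ip, alt_ip_alt_port):
    """RFC 5780 4.3: mappings seen from one local socket when sending to the server's
    primary IP:port, to its alternate IP (same port), and to its alternate IP and port."""
    if primary == alt_ip:
        return "Endpoint-Independent"
    if alt_ip == alt_ip_alt_port:
        return "Address-Dependent"
    return "Address and Port-Dependent"


def classify_filtering(reply_from_alt_ip_and_port, reply_from_alt_port):
    """RFC 5780 4.4: which CHANGE-REQUEST replies reached the client through the NAT."""
    if reply_from_alt_ip_and_port:
        return "Endpoint-Independent"
    if reply_from_alt_port:
        return "Address-Dependent"
    return "Address and Port-Dependent"
```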
NAT behavioral requirements for unicast UDP
A NAT must have an Endpoint-Independent Mapping behavior.
(Diagram: Binding Requests to two destinations are mapped to IP:X and IP:Y; is X = Y?)
Emulating endpoint-independent mapping on the test NAT:
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT:64000
NAT behavioral requirements for unicast UDP
A NAT must not have a port assignment behavior of port overloading. If the NAT preserves ports, two applications cannot use the same port to communicate with the same destination.
(Diagram: two sockets send Binding Requests to the STUN server and are mapped to IP:X and IP:Y; is X = Y?)
Emulating port preservation on the test NAT (so that the source port is not modified):
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT
NAT behavioral requirements for unicast UDP
If the NAT has an IP address pool, it is recommended that it have a Paired behavior. Detect whether the NAT implements IP pooling on the external realm.
(Diagram: repeated Binding Requests to the STUN server; always the same mapped IP?)
Emulating IP pooling on the test NAT:
1. Assign 4 IP addresses to the external interface?
2. iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT1-IPpublicaNAT4
NAT behavioral requirements for unicast UDP
It is recommended that a NAT have a port parity preservation behavior of "Yes". Detect whether the NAT preserves port parity.
(Diagram: Binding Requests from different source ports to the STUN server; does the NAT preserve port parity?)
NAT behavioral requirements for unicast UDP
A NAT UDP mapping timer must not expire in less than two minutes for applications that do not use the 0-1023 port range.
(Diagram: Binding Request from X, then Binding Request from Y to the STUN server; is the response delivered to Y or to X?)
Test setup on the NAT:
1. Bind two sockets to two known ports.
iptables -t nat -A PREROUTING -i eth0 -p udp --dport Y -j DNAT --to IPprivadaNODO:X
(DNAT is only valid in the PREROUTING and OUTPUT chains, so the rule is applied to the packet as it arrives on the external interface; eth0 as the external interface is assumed, as on the other slides.)
NAT behavioral requirements for unicast UDP
A NAT must support hairpinning (external IP behavior).
(Diagram: a Binding Request from X to the STUN server learns the mapped address; a second Binding Request is sent to the mapped address Y; is there a response?)
Emulating hairpinning on the test NAT (eth0 is assumed to be the external interface and eth1 the internal one; DNAT is only valid in the PREROUTING and OUTPUT chains, so rule 3 rewrites the hairpinned packet as it arrives on the internal interface and rule 2 matches it, already translated, on the interface it is sent back out of):
1. iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 --sport X -j SNAT --to IPpublicaNAT:64000
2. iptables -t nat -A POSTROUTING -o eth1 -p udp -d IPprivadaNodo --dport Y -j SNAT --to IPpublicaNAT:64000
3. iptables -t nat -A PREROUTING -i eth1 -p udp -d IPpublicaNAT --dport 64000 -j DNAT --to IPprivadaNodo:Y
NAT behavioral requirements for unicast UDP
Receipt of any sort of ICMP message must not terminate the NAT mapping. (Check where the ICMP messages come from.)
(Diagram: Binding Request from X, an ICMP request, then another Binding Request from X to the STUN server; same mapping?)
Emulating a stable mapping on the test NAT (so that the mapping is always the same):
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT:64000
NAT behavioral requirements for unicast UDP
If the packet received on an internal IP address has DF=1, the NAT must send back an ICMP message "Fragmentation needed and DF set" to the host.
(Diagram: UDP packet with DF = 1 sent through the NAT; is there a response? Observed with Wireshark.)
NAT behavioral requirements for unicast UDP
A NAT must support receiving in-order and out-of-order fragments, so it must have a "receive out of order" behavior.
(Diagram: a fragmented UDP packet is sent to the UC3M server with FRAG 1 before FRAG 0; is there a response? Observed with Wireshark.)
NAT behavioral requirements for ICMP (same process as for the UDP RFC)
A NAT device must permit ICMP queries and their associated responses.
(Diagram: ICMP request and ICMP response through the NAT to the Internet and back; does the ping get the response?)
NAT behavioral requirements for ICMP
An ICMP session timer must not expire in less than 60 seconds.
(Diagram: ICMP packet to the UC3M Leone server, sleep 60, ICMP packet again.)
NAT behavioral requirements for ICMP
If the NAT has an active mapping for the embedded payload of an incoming error packet, it must change the transport headers, leaving the error code unchanged.
(Diagram: UDP packet to the UC3M Leone server, ICMP error packet back; do we get the error packet? Are code and type == 3?)
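As an added example (not the project's code), a probe-side check for this requirement: parse the ICMP error that arrives through the NAT, confirm that type and code are untouched, and confirm that the quoted UDP datagram has been translated back to the probe's private address and source port. All packets and addresses below are constructed for the example.

```python
import socket
import struct

UDP = 17


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Constructed 20-byte IPv4 header; the checksum is left at zero since it is not parsed here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def icmp_error(icmp_type, code, inner_src, inner_dst, sport, dport):
    """Constructed ICMP error (e.g. type 3, code 3 = port unreachable) quoting the IP and
    UDP headers of the datagram that triggered it, as the server's stack would send it."""
    quoted = ipv4_header(inner_src, inner_dst, UDP, 28) + struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted


def parse_icmp_error(payload):
    """Return (type, code, inner_src, inner_sport, inner_dst, inner_dport), or None if the
    quoted datagram is missing, not IPv4 or not UDP."""
    if len(payload) < 8 + 20 or payload[8] >> 4 != 4:
        return None
    ihl = (payload[8] & 0x0F) * 4                 # the quoted header may carry options
    if ihl < 20 or payload[8 + 9] != UDP or len(payload) < 8 + ihl + 4:
        return None
    src = socket.inet_ntoa(payload[8 + 12:8 + 16])
    dst = socket.inet_ntoa(payload[8 + 16:8 + 20])
    sport, dport = struct.unpack("!HH", payload[8 + ihl:8 + ihl + 4])
    return payload[0], payload[1], src, sport, dst, dport


def check_inbound_error(error_seen, private_ip, private_port, server_ip, server_port,
                        expected=(3, 3)):
    """The check on the probe: the error that crossed the NAT inbound must keep its type
    and code, while the quoted UDP datagram is rewritten back to the probe's private
    address and source port (the NAT undoes its own mapping inside the error)."""
    parsed = parse_icmp_error(error_seen)
    if parsed is None:
        return {"error_received": False}
    icmp_type, code, src, sport, dst, dport = parsed
    return {"error_received": True,
            "type_code_unchanged": (icmp_type, code) == expected,
            "quoted_headers_translated":
                (src, sport, dst, dport) == (private_ip, private_port, server_ip, server_port)}
```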
NAT behavioral requirements for ICMP
If the NAT has an active mapping for the embedded payload of an outgoing error packet, it must change the transport headers, leaving the error code unchanged.
(Diagram: UDP packet, ICMP error packet and a UDP packet carrying the result, exchanged with the UC3M Leone server.)
NAT behavioral requirements for ICMP
All NAT devices must support the traversal of hairpinned ICMP error messages.
(Diagram: UDP packet sent to the mapped IP and port learned from the STUN server; ICMP error packet back.)
NAT behavioral requirements for ICMP
A NAT must support Destination Unreachable, Time Exceeded and Echo Request/Reply packets.
(Diagram: UDP packet with TTL = 3 toward the STUN server; Time Exceeded error packet back.)
Tested in the previous tests; tested by doing ping.
NAT behavioral requirements for TCP
A NAT must have an "Endpoint-Independent Mapping" behavior.
Connect to the STUN server from port X, then connect to the alternative STUN server address. If the mapping in these two cases is the same, then it has an "Endpoint-Independent Mapping" behavior.
NAT behavioral requirements for TCP
A NAT must not have a "Port assignment behavior of Port overloading".
If there is any port being reused, the NAT fails this requirement.
NAT behavioral requirements for TCP
A NAT must support "hairpinning".
(Diagram: Binding Request to the mapped address Y learned from the STUN server.)
NAT behavioral requirements for TCP
Receipt of any sort of ICMP message must not terminate the NAT mapping.
(Diagram: Binding Request from X, an ICMP request, then another Binding Request from X to the STUN server; same mapping?)
NAT behavioral requirements for TCP
A NAT must not respond to an unsolicited inbound SYN packet for at least 6 seconds after the packet is received. If during this interval the NAT receives and translates an outbound SYN for the connection, the NAT must silently drop the original unsolicited SYN.
A NAT must handle the TCP simultaneous-open mode of connection initiation.
NAT behavioral requirements for TCP
(Diagram: initial UDP packet to the STUN server, SYN packet, RESET?, SYN packet, ICMP unreachable?, UDP packet containing the result.)
If there is no reset nor ICMP error, and the SYN packet arrived at the server OK: recommended behavior.