Leone - From global measurements to local management

UC3M: inHome NAT detection, RFC recommender (ICMP, UDP, TCP)

Miguel Ángel Díaz, Francisco Valera

Overall picture

8th October, 2013

[Overview diagram: METRIC OBJECTIVE, EXTERNAL NETWORKS]

Each Internet provider may use a different NAT implementation, depending on the mapping behavior, the filtering of packets, and many other parameters.

We want to evaluate the different NAT implementations of different providers.

Guidelines are given by RFC 5382 for TCP, RFC 5508 for ICMP and RFC 4787 for UDP.

The UDP validator is implemented; the TCP and ICMP validators are under development.

Some tests are defined in RFC 5780 (NAT behavior discovery using STUN).

NAT behavioral requirements for unicast UDP

June 2014

1. Type of mapping and filtering being used on the NAT
2. Use of the ports. Are they being overloaded?
3. IP address pool on the external realm
4. Does the NAT preserve port parity?
5. Persistence of the mapping
6. A NAT must support hairpinning
7. Does the receipt of any ICMP packet terminate a UDP mapping?
8. How does the NAT handle DF=1 packets?
9. Behavior on receipt of out-of-order fragments

NAT behavioral requirements for unicast UDP: example of UDP test

A NAT must support receiving out-of-order fragments.

Test: the probe sends a fragmented UDP packet to the UC3M server with the fragments out of order (FRAG 1 before FRAG 0) and checks whether a response comes back.

NAT behavioral requirements for ICMP

1. The NAT must handle ICMP queries and their associated responses
2. Time after which an ICMP session mapping expires
3. Does the NAT permit ICMP packets without any active mapping?
4. Does the NAT permit ICMP error packets from the private realm without any active mapping?
5. Support of hairpinning ICMP packets
6. Support of different sorts of ICMP packets:
   1. Destination Unreachable
   2. Time Exceeded
   3. Echo Request/Reply
   4. Etc.

NAT behavioral requirements for ICMP: example of ICMP test

Behavior when there is no mapping on the NAT and an ICMP error packet is generated.

Test: an initial ICMP packet is sent towards the STUN server, and an ICMP error packet comes back. Inside this error packet there is another packet, the one that does not have any mapping on the NAT. Does the error packet arrive at the probe?

NAT behavioral requirements for TCP

1. Type of mapping and filtering being used on the NAT
2. Use of the ports. Are they being overloaded?
3. Support of TCP connections initiated both internally and externally
4. How inbound SYN packets are handled when they are unsolicited
5. Persistence of the mapping
6. A NAT must support hairpinning for TCP packets
7. Does the receipt of any ICMP packet terminate a TCP mapping?

Initial Results

UDP tests have been executed in different probes.

[Chart: Mapping behavior (Serie 1, Serie 2); categories: Endpoint independent, Address and port dependent]

[Chart: Filtering behavior (Serie 1); category: Address and port dependent]

Initial Results

UDP tests have been executed in different computers.

[Chart: Mapping behavior (Serie 1, Serie 2); categories: Endpoint independent, Address and port dependent]

[Chart: Filtering behavior (Serie 1, Serie 2); categories: Address and port dependent, Endpoint independent]

Initial Results

             Port parity   Port          Deterministic  IP       Out-of-order  Don't fragment  Mapping lifetime  Outbound
             preservation  preservation  behavior       pooling  receive       flag            > 2 minutes       renewal
Probe 1      YES           NO            YES            NO       YES           YES             NO                YES
Probe 2      YES           NO            YES            NO       YES           YES             NO                YES
Probe 3      YES           NO            YES            NO       YES           YES             NO                YES
Probe 4      YES           NO            YES            NO       NO            YES             NO                YES
Probe 5      YES           NO            YES            NO       YES           NO              NO                YES
Computer 1   NO            YES           YES            NO       YES           YES             NO                YES
Computer 2   NO            YES           YES            NO       YES           YES             NO                YES
Computer 3   NO            YES           YES            NO       YES           YES             NO                YES
Computer 4   NO            YES           YES            NO       YES           YES             NO                YES
Computer 5   NO            YES           YES            NO       YES           YES             NO                YES

We tested the recommendations from the RFC, not only the mapping and filtering behavior.

Future work

1. Finish the recommenders for TCP and ICMP
2. Integrate UPnP functionality into the tests
3. Deploy the tests on more computers
4. Migrate the tests to the Android platform

Estimated date for TCP and ICMP to be ready for trials: end of this month

Leone - From global measurements to local management

Developing the tests and how the test functionalities work

Miguel Ángel Díaz, Francisco Valera
June 2014, Maribor Meeting

NAT behavioral requirements for unicast UDP

A NAT must have an Endpoint-Independent Mapping behavior. Depending on the use of the NAT, it must have Endpoint-Independent Filtering or Address-Dependent Filtering behavior.

Detect the mapping and filtering behavior with the STUN protocol.
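The detection described on this slide (the RFC 5780 procedure: STUN Binding Requests to a primary and an alternate server address, then comparing the reflexive addresses and seeing which replies get through), as an added Python example that is not code from the Leone project. It builds a STUN Binding Request, parses the XOR-MAPPED-ADDRESS attribute out of a Binding Success Response, and classifies the result in RFC 4787 terms; the port parity and port preservation checks from the later slides are included as well. All server responses, addresses and ports in the demo are constructed for the offline walk-through and are not measurements from the deck.

```python
import os
import socket
import struct
from typing import Optional, Sequence, Tuple

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed value, also the XOR key for XOR-MAPPED-ADDRESS
BINDING_REQUEST = 0x0001
BINDING_SUCCESS_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

Mapping = Tuple[str, int]          # (public IP, public port) as reported by a STUN server


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """20-byte STUN header with no attributes: type, length, magic cookie, 96-bit transaction ID."""
    txid = txid if txid is not None else os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def build_binding_response(txid: bytes, mapped: Mapping) -> bytes:
    """What a STUN server answers; used here only to construct offline test input."""
    xport = mapped[1] ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(mapped[0]))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)          # reserved, family IPv4, x-port, x-addr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS_RESPONSE, len(attr), MAGIC_COOKIE, txid) + attr


def parse_mapped_address(msg: bytes, expected_txid: bytes) -> Mapping:
    """Extract the reflexive address from a Binding Success Response, checking cookie and txid."""
    mtype, mlen, cookie, txid = struct.unpack("!HHI12s", msg[:20])
    if cookie != MAGIC_COOKIE or txid != expected_txid:
        raise ValueError("not a STUN response to our transaction")
    if mtype != BINDING_SUCCESS_RESPONSE:
        raise ValueError("unexpected STUN message type 0x%04x" % mtype)
    body, off = msg[20:20 + mlen], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)                              # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            _, _, xport, xaddr = struct.unpack("!BBHI", value[:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def classify_mapping(primary: Mapping, alt_ip: Mapping, alt_ip_port: Mapping) -> str:
    """RFC 4787 mapping behaviour from the RFC 5780 procedure: the same local socket sends Binding
    Requests to the primary address, to the alternate IP (same port) and to the alternate IP:port."""
    if primary == alt_ip:
        return "Endpoint-Independent Mapping"
    if alt_ip == alt_ip_port:
        return "Address-Dependent Mapping"
    return "Address and Port-Dependent Mapping"


def classify_filtering(reply_from_other_ip_and_port: bool, reply_from_other_port: bool) -> str:
    """RFC 5780 filtering test: ask the server (CHANGE-REQUEST) to answer from another IP and port,
    then from another port only, and record which replies the NAT let through."""
    if reply_from_other_ip_and_port:
        return "Endpoint-Independent Filtering"
    if reply_from_other_port:
        return "Address-Dependent Filtering"
    return "Address and Port-Dependent Filtering"


def preserves_port_parity(local_ports: Sequence[int], mapped_ports: Sequence[int]) -> bool:
    return all(l % 2 == m % 2 for l, m in zip(local_ports, mapped_ports))


def preserves_port(local_ports: Sequence[int], mapped_ports: Sequence[int]) -> bool:
    return all(l == m for l, m in zip(local_ports, mapped_ports))


def demo() -> dict:
    """Offline walk-through with constructed responses from a NAT that picks a new port per destination."""
    txid = build_binding_request()[8:]
    seen = [parse_mapped_address(build_binding_response(txid, m), txid)
            for m in (("203.0.113.7", 64000), ("203.0.113.7", 64001), ("203.0.113.7", 64003))]
    return {
        "mapping": classify_mapping(*seen),
        "filtering": classify_filtering(False, True),
        "parity": preserves_port_parity([40000, 40001], [64000, 64003]),
        "port_preserved": preserves_port([40000, 40001], [64000, 64003]),
    }
```

Against a live server the three mappings in demo() come from three UDP sends from one socket to the primary address, the alternate IP and the alternate IP:port; the filtering booleans come from whether the CHANGE-REQUEST replies arrive within a timeout, which is the part of the test that a too-short timeout silently turns into a false "port-dependent" verdict.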


NAT behavioral requirements for unicast UDP: a NAT must have an Endpoint-Independent Mapping behavior

Test: send Binding Requests to two different destinations and compare the mapped addresses reported back (IP:X and IP:Y). X = Y?

NAT test-bed configuration for endpoint-independent mapping (IPpublicaNAT stands for the NAT's public IP address):

iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT:64000

NAT behavioral requirements for unicast UDP: a NAT must not have a port assignment behavior of port overloading

If the NAT preserves ports, two applications cannot use the same port to communicate with the same destination.

Test: send Binding Requests to the STUN server and compare the mapped addresses reported back (IP:X and IP:Y). X = Y?

NAT test-bed configuration so that the outgoing port is not modified:

iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT

NAT behavioral requirements for unicast UDP: if the NAT has IP address pooling, it is recommended to have "Paired" behavior

Detect whether the NAT implements IP pooling on the external realm.

Test: repeated Binding Requests to the STUN server. Always the same mapped IP?

NAT test-bed configuration:

1. Assign 4 IP addresses?
2. iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT1-IPpublicaNAT4

NAT behavioral requirements for unicast UDP: it is recommended that a NAT have a port parity preservation behavior of "Yes"

Detect whether the NAT preserves port parity.

Test: send Binding Requests to the STUN server from different source ports. Does the NAT preserve port parity?

NAT behavioral requirements for unicast UDP: a NAT UDP mapping timer must not expire in less than two minutes for applications that don't use the 0-1023 port range

Test: Binding Request from port X, Binding Request from port Y. Does the STUN server's response arrive at Y or at X?

NAT test-bed configuration (IPprivadaNODO stands for the private IP address of the node):

1. Bind two sockets to two known ports
2. iptables -t nat -A PREROUTING -i eth0 -p udp --dport Y -j DNAT --to IPprivadaNODO:X
   (the DNAT target is only valid in the PREROUTING and OUTPUT chains, so the rule matches the inbound external interface)

NAT behavioral requirements for unicast UDP: a NAT must support hairpinning (external IP behavior)

Test: Binding Request from port X to the STUN server to learn the mapping; then a Binding Request from a second internal socket to that mapped address (which the NAT maps to internal port Y). Does a response arrive?

NAT test-bed configuration:

1. iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 --sport X -j SNAT --to IPpublicaNAT:64000
2. iptables -t nat -A PREROUTING -i eth1 -p udp -d IPpublicaNAT --dport 64000 -j DNAT --to IPprivadaNodo:Y
   (hairpinned traffic from the LAN to the public address is turned back to the internal node; DNAT is only valid in PREROUTING/OUTPUT)
3. iptables -t nat -A POSTROUTING -o eth1 -p udp -d IPprivadaNodo --dport Y -j SNAT --to IPpublicaNAT:64000
   (the source of the hairpinned packet is rewritten to the mapped address so that the reply also goes back through the NAT)

NAT behavioral requirements for unicast UDP: receipt of any sort of ICMP message must not terminate the NAT mapping

Check where the ICMP messages come from.

Test: Binding Request from port X to the STUN server, then an ICMP request, then another Binding Request from port X. Same mapping?

NAT test-bed configuration so that the mapping is always the same:

iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 3478 -j SNAT --to IPpublicaNAT:64000

NAT behavioral requirements for unicast UDP: if the packet received on an internal IP address has DF=1, the NAT must send back an ICMP "Fragmentation needed and DF set" message to the host

Test: send a UDP packet with DF = 1. Response? Checked with Wireshark.

NAT behavioral requirements for unicast UDP: a NAT must support receiving in-order and out-of-order fragments, so it must have a "receive out-of-order" behavior

Test: send a fragmented UDP packet to the UC3M server with the fragments out of order (FRAG 1 before FRAG 0). Response? Checked with Wireshark.

NAT behavioral requirements for ICMP: same process as for the UDP RFC

A NAT device must permit ICMP queries and their associated responses.

Test: ICMP request from the private host through the NAT to the Internet, and the ICMP response back. Does the ping get the response?

NAT behavioral requirements for ICMP: an ICMP session timer must not expire in less than 60 seconds

Test: ICMP packet to the UC3M Leone server, sleep 60, ICMP packet again.

NAT behavioral requirements for ICMP: if the NAT has an active mapping for the embedded payload of an incoming error packet, it must change the transport headers, leaving the error code unchanged

Test: UDP packet to the UC3M Leone server; the server answers with an ICMP error packet. Do we get the error packet? Code and type == 3?
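The translation this requirement describes, as an added Python model that is not code from the Leone project: an ICMP error arriving from the external realm carries the IP header and first 8 bytes of the UDP datagram that triggered it; a NAT with an active mapping for that embedded (public IP, port) must rewrite the outer destination and the embedded source back to the private endpoint, update the checksums, and leave type and code alone. The packets, addresses, ports and mapping table are constructed for the example. The embedded UDP checksum cannot be recomputed (the payload is truncated), so the model applies the RFC 1624 incremental update, and the test checks that the result equals the checksum the private host originally put on its datagram.

```python
import struct
from socket import inet_aton, inet_ntoa
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
ICMP_ERROR_TYPES = {3, 11, 12}   # Destination Unreachable, Time Exceeded, Parameter Problem


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4, ICMP and UDP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def adjust_checksum(old: int, old_words, new_words) -> int:
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m') for several changed 16-bit words."""
    total = ((~old) & 0xFFFF) + sum((~w) & 0xFFFF for w in old_words) + sum(new_words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ((~total) & 0xFFFF) or 0xFFFF     # UDP represents a zero checksum as 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload with a real checksum (pseudo-header included)."""
    length = 8 + len(payload)
    pseudo = inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, 17, length)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    return hdr[:6] + struct.pack("!H", checksum(pseudo + hdr + payload) or 0xFFFF) + payload


def icmp_error(itype: int, code: int, embedded: bytes) -> bytes:
    body = struct.pack("!BBHI", itype, code, 0, 0) + embedded
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def translate_inbound_icmp_error(pkt: bytes, mappings: Dict[Endpoint, Endpoint]) -> Optional[bytes]:
    """Model of the RFC 5508 rule for an ICMP error from the external realm: if the embedded UDP
    packet's (public IP, port) has an active mapping, rewrite the outer destination and the embedded
    source to the private endpoint; type and code stay as they were. Returns None (drop) for
    non-error ICMP, for non-UDP embedded packets, and when there is no mapping."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                                   # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype not in ICMP_ERROR_TYPES:
        return None
    inner = bytearray(icmp[8:])                       # embedded IP header + first 8 bytes of UDP
    iihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < iihl + 8:
        return None
    pub = (inet_ntoa(bytes(inner[12:16])), struct.unpack("!H", inner[iihl:iihl + 2])[0])
    if pub not in mappings:
        return None
    priv_ip, priv_port = mappings[pub]
    inner[12:16] = inet_aton(priv_ip)                 # embedded IP source -> private address
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:iihl])))
    inner[iihl:iihl + 2] = struct.pack("!H", priv_port)   # embedded UDP source port
    old_udp_csum = struct.unpack("!H", inner[iihl + 6:iihl + 8])[0]
    if old_udp_csum:                                  # 0 means "no checksum": leave it alone
        new_csum = adjust_checksum(old_udp_csum,
                                   (*struct.unpack("!HH", inet_aton(pub[0])), pub[1]),
                                   (*struct.unpack("!HH", inet_aton(priv_ip)), priv_port))
        inner[iihl + 6:iihl + 8] = struct.pack("!H", new_csum)
    return ipv4(inet_ntoa(pkt[12:16]), priv_ip, 1, icmp_error(itype, code, bytes(inner)))


def describe(pkt: bytes) -> dict:
    """Fields a tester checks on the (translated) error packet."""
    ihl = (pkt[0] & 0x0F) * 4
    inner = pkt[ihl + 8:]
    iihl = (inner[0] & 0x0F) * 4
    return {
        "outer": (inet_ntoa(pkt[12:16]), inet_ntoa(pkt[16:20])),
        "type_code": (pkt[ihl], pkt[ihl + 1]),
        "embedded_src": (inet_ntoa(inner[12:16]), struct.unpack("!H", inner[iihl:iihl + 2])[0]),
        "embedded_udp_csum": bytes(inner[iihl + 6:iihl + 8]),
        "checksums_ok": checksum(pkt[:ihl]) == 0 and checksum(pkt[ihl:]) == 0,
    }


# Constructed sample: private host 192.168.1.10:40000 sent a UDP datagram to 198.51.100.20:3478
# through a NAT that mapped it to 203.0.113.5:64000; the server answered "port unreachable" (3/3).
PRIVATE, PUBLIC, SERVER = ("192.168.1.10", 40000), ("203.0.113.5", 64000), ("198.51.100.20", 3478)
MAPPINGS = {PUBLIC: PRIVATE}
PAYLOAD = b"leone-nat-test"
ON_THE_WIRE = ipv4(PUBLIC[0], SERVER[0], 17, udp(PUBLIC[0], SERVER[0], PUBLIC[1], SERVER[1], PAYLOAD))
SAMPLE_ERROR = ipv4(SERVER[0], PUBLIC[0], 1, icmp_error(3, 3, ON_THE_WIRE[:28]))


def expected_private_udp_checksum() -> bytes:
    """Checksum the private host put on its own datagram; the translated error must carry it back."""
    return udp(PRIVATE[0], SERVER[0], PRIVATE[1], SERVER[1], PAYLOAD)[6:8]
```

Running describe() on the output of translate_inbound_icmp_error(SAMPLE_ERROR, MAPPINGS) is the offline form of the slide's two questions: type_code is still (3, 3), and the outer destination and embedded source are the private endpoint; an error whose embedded packet matches no mapping is dropped, which is what the "no mapping" test on the earlier ICMP slide looks for.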


NAT behavioral requirements for ICMP: if the NAT has an active mapping for the embedded payload of an outgoing error packet, it must change the transport headers, leaving the error code unchanged

Test: UDP packet from the UC3M Leone server; the probe answers with an ICMP error packet; the server reports back with a UDP packet containing the result.

NAT behavioral requirements for ICMP: all NAT devices must support the traversal of hairpinned ICMP error messages

Test: UDP packet to the STUN server to obtain the mapped IP and port; then an ICMP error packet is sent to that mapped IP and port (hairpinned through the NAT).

NAT behavioral requirements for ICMP: a NAT must support Destination Unreachable, Time Exceeded and Echo Request/Reply packets

Test: UDP packet to the STUN server with TTL = 3; a Time Exceeded error packet should come back. Destination Unreachable was tested in the previous tests; Echo Request/Reply is tested by doing a ping.

NAT behavioral requirements for TCP

A NAT must have an "Endpoint-Independent Mapping" behavior.

Test: connect to the STUN server from port X, then connect to the alternative STUN server address. If the mapping is the same in these two cases, the NAT has an "Endpoint-Independent Mapping" behavior.

NAT behavioral requirements for TCP

A NAT must not have a "Port assignment" behavior of "Port overloading".

Test: connections to the STUN server. If any port is being reused, the NAT fails this requirement.

NAT behavioral requirements for TCP

A NAT must support "hairpinning".

Test: Binding Request to the STUN server, then a Binding Request to the mapped address (Y).

NAT behavioral requirements for TCP: receipt of any sort of ICMP message must not terminate the NAT mapping

Test: Binding Request from port X to the STUN server, then an ICMP request, then another Binding Request from port X. Same mapping?

NAT behavioral requirements for TCP

A NAT must not respond to an unsolicited inbound SYN packet for at least 6 seconds after the packet is received. If during this interval the NAT receives and translates an outbound SYN for the connection, the NAT must silently drop the original unsolicited SYN.

A NAT must handle the TCP simultaneous-open mode of connection initiation.
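The two requirements above as an added Python model of the NAT's decision, not code from the Leone project: an unsolicited inbound SYN is held (no RST, no ICMP error) for the 6-second window; if an outbound SYN for the same connection is translated during that window, the held SYN is silently discarded and the session is established (simultaneous open); only once the window has run out may the NAT refuse the connection. The clock is injected so the timelines run offline; the mapping, addresses and ports are constructed for the example, and the mapping is assumed to already exist from earlier traffic.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

UNSOLICITED_SYN_HOLD_SECONDS = 6.0      # RFC 5382 REQ-4: minimum silence before any RST / ICMP error

Endpoint = Tuple[str, int]
Flow = Tuple[Endpoint, Endpoint]        # (external peer, public side of the mapping), as seen outside


@dataclass
class TcpNatModel:
    """Just enough state for the unsolicited-SYN rule; an injected clock replaces real timers."""
    mappings: Dict[Endpoint, Endpoint]              # (private ip, port) -> (public ip, port), assumed present
    held_syns: Dict[Flow, float] = field(default_factory=dict)
    sessions: Set[Flow] = field(default_factory=set)
    events: List[str] = field(default_factory=list)

    def inbound_syn(self, now: float, peer: Endpoint, public: Endpoint) -> str:
        flow = (peer, public)
        if flow in self.sessions:
            return "forward"                        # belongs to a session already opened from inside
        self.held_syns.setdefault(flow, now)        # remember when it arrived; answer nothing yet
        self.events.append("hold inbound SYN %s" % (flow,))
        return "hold"

    def outbound_syn(self, now: float, private: Endpoint, peer: Endpoint) -> str:
        public = self.mappings[private]             # endpoint-independent mapping from earlier traffic
        flow = (peer, public)
        self.sessions.add(flow)
        if self.held_syns.pop(flow, None) is not None:
            self.events.append("simultaneous open at %.1fs: held SYN %s dropped" % (now, flow))
            return "forward (held inbound SYN discarded)"
        return "forward"

    def expire(self, now: float) -> List[Flow]:
        """Held SYNs older than the hold time may now be refused (RST or ICMP, per the NAT's policy)."""
        expired = [f for f, t in self.held_syns.items() if now - t >= UNSOLICITED_SYN_HOLD_SECONDS]
        for f in expired:
            del self.held_syns[f]
            self.events.append("hold expired for %s at %.1fs; RST/ICMP now permitted" % (f, now))
        return expired


def simultaneous_open_scenario() -> List[str]:
    """Constructed timeline: the external peer's SYN arrives first, the internal host's SYN 4 s later."""
    nat = TcpNatModel(mappings={("192.168.1.10", 40000): ("203.0.113.5", 64000)})
    peer, public, private = ("198.51.100.20", 3478), ("203.0.113.5", 64000), ("192.168.1.10", 40000)
    verdicts = [nat.inbound_syn(0.0, peer, public)]
    verdicts.append("expired=%d" % len(nat.expire(3.0)))
    verdicts.append(nat.outbound_syn(4.0, private, peer))
    verdicts.append("expired=%d" % len(nat.expire(10.0)))
    verdicts.append(nat.inbound_syn(10.5, peer, public))
    return verdicts


def timeout_scenario() -> List[str]:
    """Constructed timeline: nobody opens outbound, so the hold runs out after 6 s."""
    nat = TcpNatModel(mappings={("192.168.1.10", 40000): ("203.0.113.5", 64000)})
    peer, public = ("198.51.100.20", 3478), ("203.0.113.5", 64000)
    return [nat.inbound_syn(0.0, peer, public),
            "expired=%d" % len(nat.expire(5.9)),
            "expired=%d" % len(nat.expire(6.0))]
```

The test on the next slide is the external view of this model: the STUN server sends the unsolicited SYN, and a RESET or ICMP unreachable seen inside the first 6 seconds, or a SYN that never reaches the server after the probe opens outbound, is a failed requirement.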


NAT behavioral requirements for TCP

Test: initial UDP packet from the probe to the STUN server; the server sends an unsolicited SYN packet back to the probe. Does the NAT answer with a RESET? With an ICMP unreachable? Did the SYN packet arrive? The result is reported in a UDP packet.

If there is no reset nor ICMP error, and the SYN packet arrived at the server OK