Download NAT - Chair of Network Architectures and Services

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
Document related concepts

SIP extensions for the IP Multimedia Subsystem wikipedia , lookup

Internet protocol suite wikipedia , lookup

Dynamic Host Configuration Protocol wikipedia , lookup

Net bias wikipedia , lookup

AppleTalk wikipedia , lookup

Computer network wikipedia , lookup

Computer security wikipedia , lookup

Deep packet inspection wikipedia , lookup

Parallel port wikipedia , lookup

Airborne Networking wikipedia , lookup

Wireless security wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Network tap wikipedia , lookup

Distributed firewall wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
Chair for Network Architectures and Services – Prof. Carle
Department for Computer Science
TU München
Chair for Network Architectures and Services – Prof. Carle
Department for Computer Science
TU München
Master Course
Computer Networks
IN2097
Network Address Translation
(NAT)
Prof. Dr.-Ing. Georg Carle
Christian Grothoff, Ph.D.
Chair for Network Architectures and Services
Institut für Informatik
Technische Universität München
http://www.net.in.tum.de
NAT: Network Address Translation
‰
Problem: shortage of IPv4 addresses
ƒ only 32bit address field
ƒ more and more devices
‰
Idea: local network uses just one IP address as far as outside world is
concerned:
Address Space
‰
IP addresses are assigned by the Internet Assigned Numbers
Authority (IANA)
RFC 1918 directs IANA to reserve the following IPv4 address
ranges for private networks
ƒ 10.0.0.0 – 10.255.255.255
ƒ 172.16.0.0 – 172.31.255.255
ƒ 192.168.0.0 – 192.168.255.255
‰
ƒ only one IP address for all devices needed from ISP
ƒ can change addresses of devices in local network without
notifying outside world
ƒ can change ISP without changing local addresses
ƒ devices inside local net not explicitly addressable/visible by
outside world (a security plus).
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
‰ The addresses may be used and reused by everyone
ƒ Not routed in the public Internet
ƒ Therefore a mechanism for translating addresses is needed
3
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
4
First approach – Network Address Translation
‰
‰
‰
NAPT: Network Address and Port Translation
Idea: only host communicating with the public Internet need a
public address
ƒ Once a host connects to the Internet we need to allocate one
ƒ Communication inside the local network is not affected
rest of
Internet
10.0.0.1
10.0.0.4
A small number of public addresses may be enough for a large
number of private clients
10.0.0.2
138.76.29.7
10.0.0.3
Only a subset of the private hosts can connect at the same time
ƒ not realistic anymore
ƒ We still need more than one public IP address
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
local network
(e.g., home network)
10.0.0/24
All datagrams leaving local
network have same single source
NAT IP address: 138.76.29.7,
different source port numbers
5
NAT: Network Address Translation
Datagrams with source or
destination in this network
have 10.0.0/24 address for
source, destination as usual
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
6
NAT: Network Address Translation
Implementation: NAT router must:
ƒ outgoing datagrams: replace (source IP address, port #) of
every outgoing datagram to (NAT IP address, new port #)
. . . remote clients/servers will respond using (NAT IP
address, new port #) as destination addr.
2: NAT router
changes datagram
source addr from
10.0.0.1, 3345 to
138.76.29.7, 5001,
updates table
ƒ remember (in NAT translation table) every (source IP
address, port #) to (NAT IP address, new port #) translation
pair
-> we have to maintain a state in the NAT
1: host 10.0.0.1
sends datagram to
128.119.40.186, 80
138.76.29.7, 5001 10.0.0.1, 3345
……
……
S: 10.0.0.1, 3345
D: 128.119.40.186, 80
1
2
ƒ incoming datagrams: replace (NAT IP address, new port #)
in dest fields of every incoming datagram with corresponding
(source IP address, port #) stored in NAT table
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
NAT translation table
WAN side addr
LAN side addr
S: 138.76.29.7, 5001
D: 128.119.40.186, 80
138.76.29.7
S: 128.119.40.186, 80
D: 138.76.29.7, 5001
3: Reply arrives
dest. address:
138.76.29.7, 5001
7
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
3
10.0.0.1
10.0.0.4
S: 128.119.40.186, 80
D: 10.0.0.1, 3345
4
10.0.0.2
4: NAT router
10.0.0.3
changes datagram
dest addr from
138.76.29.7, 5001 to 10.0.0.1, 3345
8
NAT: Network Address Translation
‰
‰
Deployment of NAT
16-bit port-number field:
ƒ ~65000 simultaneous connections with a single LAN-side
address!
ƒ helps against the IP shortage
‰
Multiple levels of NAT possible
Internet
ISP NAT
NAT is controversal:
ƒ routers should only process up to layer 3
ƒ violates end-to-end argument
ISP net
• NAT possibility must be taken into account by app designers,
eg, P2P applications
Home NAT
ƒ address shortage should instead be solved by IPv6
home net
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
Home NAT
9
home net
Home NAT
home net
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
NAT Implementation
Binding
‰
Implementation not standardized
ƒ thought as a temporary solution
‰
When creating a new state, the NAT has to assign a new source
port and IP address to the connection
‰
implementation differs from model to model
ƒ if an application works with one NAT does not imply that is
always works in a NATed environment
‰
Binding covers context based packet translation
‰
Port binding describes the strategy a NAT uses for the
assignment of a new external source port
ƒ source port can only be preserved if not already taken
‰
NAT binding describes the behavior of the NAT regarding the
reuse of an existing binding
ƒ 2 consecutive connections from the same source
ƒ 2 different bindings?
‰
NAT behavior
ƒ Binding
• NAT binding
• Port binding
ƒ Endpoint filtering
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
10
11
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
12
Port binding
‰
Port-Preservation:
ƒ the local source port is preserved
‰
Port-Overloading:
ƒ port preservation is always used
ƒ existing state is dropped
‰
‰
NAT binding
Port-Multiplexing:
ƒ ports are preserved and multiplexing is done using the
destination transport address
ƒ more flexible
ƒ additional entry in the NAT table
No Port-Preservation:
ƒ the NAT changes the source port for every mapping
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
13
‰
Reuse of existing bindings
ƒ two consecutive connections from the same transport address
(combination of IP address and port)
ƒ NAT binding: assignment strategy for the connections
‰
Endpoint-Independent
ƒ the external port is only dependent on the source transport address
ƒ both connections have the same IP address and port
‰
Address (Port)-Dependent
ƒ dependent on the source and destination transport address
ƒ 2 different destinations result in two different bindings
ƒ 2 connections to the same destination: same binding
‰
Connection-Dependent
ƒ a new port is assigned for every connection
ƒ strategy could be random, but also something more predictable
ƒ Port prediction is hard
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
Endpoint filtering
‰
‰
‰
‰
NAT Types
Filtering describes
ƒ how existing mappings can be used by external hosts
ƒ How a NAT handles incoming connections
Independent-Filtering:
ƒ All inbound connections are allowed
ƒ Independent on source address
ƒ As long as a packet matches a state it is forwarded
ƒ No security
Address Restricted Filtering:
ƒ packets coming from the same host (matching IP-Address) the
initial packet was sent to are forwarded
Address and Port Restricted Filtering:
ƒ IP address and port must match
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
14
15
‰
With Binding and Filtering 4 NAT types can be defined (RFC 3489)
‰
Full Cone NAT
ƒ Endpoint independent
ƒ Independent filtering
‰
Address Restricted NAT
ƒ Endpoint independent binding
ƒ Address restricted filtering
‰
Port Address Restricted NAT
ƒ Endpoint independent binding
ƒ Port address restricted filtering
‰
Symmetric NAT
ƒ Endpoint dependent binding
ƒ Port address restricted filtering
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
16
NAT Types
‰
With Binding and Filtering 4 NAT types can be defined (RFC 3489)
‰
Full Cone NAT
ƒ Endpoint independent
ƒ Independent filtering
‰
Address Restricted NAT
ƒ Endpoint independent binding
ƒ Address restricted filtering
‰
Port Address Restricted NAT
ƒ Endpoint independent binding
ƒ Port address restricted filtering
‰
Symmetric NAT
ƒ Endpoint dependent binding
ƒ Port address restricted filtering
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
Full Cone NAT
17
NAT Types
‰
With Binding and Filtering 4 NAT types can be defined (RFC 3489)
‰
Full Cone NAT
ƒ Endpoint independent
ƒ Independent filtering
‰
Address Restricted NAT
ƒ Endpoint independent binding
ƒ Address restricted filtering
‰
Port Address Restricted NAT
ƒ Endpoint independent binding
ƒ Port address restricted filtering
‰
Symmetric NAT
ƒ Endpoint dependent binding
ƒ Port address restricted filtering
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
18
Address Restricted Cone NAT
19
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
20
NAT Types
‰
With Binding and Filtering 4 NAT types can be defined (RFC 3489)
‰
Full Cone NAT
ƒ Endpoint independent
ƒ Independent filtering
‰
Address Restricted NAT
ƒ Endpoint independent binding
ƒ Address restricted filtering
‰
Port Address Restricted NAT
ƒ Endpoint independent binding
ƒ Port address restricted filtering
‰
Symmetric NAT
ƒ Endpoint dependent binding
ƒ Port address restricted filtering
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
Port Address Restricted Cone NAT
21
NAT Types
‰
With Binding and Filtering 4 NAT types can be defined (RFC 3489)
‰
Full Cone NAT
ƒ Endpoint independent
ƒ Independent filtering
‰
Address Restricted NAT
ƒ Endpoint independent binding
ƒ Address restricted filtering
‰
Port Address Restricted NAT
ƒ Endpoint independent binding
ƒ Port address restricted filtering
‰
Symmetric NAT
ƒ Endpoint dependent binding
ƒ Port address restricted filtering
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
22
Symmetric NAT
23
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
24
NAT-Traversal Problem
‰
Example: Session Initiation Protocol (SIP)
Divided into four categories: (derived from IETF-RFC 3027)
ƒ Realm-Specific IP-Addresses in the Payload
• SIP
ƒ Peer-to-Peer Applications
• Any service behind a NAT
ƒ Bundled Session Applications (Inband Signaling)
• FTP
• RTSP
• SIP together with SDP
Request/Respone
Line
Message-Header
ƒ Unsupported Protocols
• SCTP
• IPSec
Message-Body
(optional)
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
25
‰
client wants to connect to server
with address 10.0.0.1
ƒ server address 10.0.0.1 local
to LAN (client can’t use it as
destination addr)
ƒ only one externally visible
NATted address: 138.76.29.7
solution 1: statically configure
NAT to forward incoming
connection requests at given port
to server
ƒ e.g., (123.76.29.7, port 2500)
always forwarded to 10.0.0.1
port 25000
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
v=0
o=Alice 214365879 214365879 IN IP4 192.168.1. 5
c=IN IP4 192.168.1.5
t= 0 0
m=audio 5200 RTP/AVP 0 9 7 3
a=rtpmap:8 PCMU/8000
a=rtpmap:3 GSM/8000
RTP-Session
Specification
(for 2nd channel)
SDP
Media description
for 2nd channel
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
example: p2p applications
‰
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.1.5:5060
From: < sip:[email protected] >
To: <sip:[email protected]>
CSeq: 1 INVITE
Contact: <sip:[email protected]:5060>
Content-Type: application/sdp
26
Existing Solutions to the NAT-Traversal Problem
‰
Individual solutions
ƒ Explicit support by the NAT
• static port forwarding, UPnP, NAT-PMP
ƒ NAT-behavior based approaches
10.0.0.1
Client
?
• dependent on knowledge about the NAT
• hole punching using STUN (IETF - RFC 3489)
10.0.0.4
138.76.29.7
ƒ External Data-Relay
NAT
router
• TURN (IETF - Draft)
‰
27
Frameworks integrating several techniques
ƒ framework selects a working technique
ƒ ICE as the most promising for VoIP (IETF - Draft)
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
28
Explicit support by the NAT (1)
‰
Explicit support by the NAT (2)
Application Layer Gateway (ALG)
ƒ implemented on the NAT device and operates on layer 7
ƒ supports Layer 7 protocols that carry realm specific
addresses in their payload
• SIP, FTP
‰
‰
‰
Universal Plug and Play (UPnP)
ƒ Automatic discovery of services (via Multicast)
ƒ Internet Gateway Device (IGD) for NAT-Traversal
‰
IGD allows NATed host to
ƒ automate static NAT port map configuration
ƒ learn public IP address
(138.76.29.7)
ƒ add/remove port mappings
138.76.29.7
(with lease times)
Advantages
ƒ transparent for the application
ƒ no configuration necessary
Drawbacks
ƒ protocol dependent (e.g. ALG for SIP, ALG for FTP...)
ƒ may or may not be available on the NAT device
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
‰
29
Behavior based (1): STUN
‰
Simple traversal of UDP through NAT (old) (RFC 3489)
ƒ Session Traversal Utilities for NAT (new) (RFC 5389)
‰
Lightweight client-server protocol
ƒ queries and responses via UDP (optional TCP or TCP/TLS)
‰
Helps to determine the external transport address (IP address
and port) of a client.
ƒ e.g. query from 192.168.1.1:5060 results in 131.1.2.3:20000
‰
Algorithm to discover NAT type
ƒ server needs 2 public IP addresses
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
10.0.0.1
IGD
10.0.0.4
NAT
router
Drawbacks
ƒ no security, evil applications can establish
port forwarding entries
ƒ doesn‘t work with cascaded NATs
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
30
STUN Algorithm
ask server to
send a packet from the same
address and port the packet has been sent to
ask server to
send a packet from a different
address and port the packet has been sent to
31
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
32
Example: STUN and SIP
‰
Limitations of STUN
VoIP client queries STUN server
ƒ learns its public transport address
ƒ can be used in SIP packets
‰
• Full Cone NAT
• Address Restricted Cone NAT
• Port Address restricted cone NAT
STUN server
1)
10.0.0.4
SIP server
Request/Respone
Line
Message-Header
ƒ Not with symmetric NAT!
2)
138.76.29.7
NAT
router
VoIP Client
10.0.0.1
‰
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 138.76.29.7:5060
From: < sip:[email protected] >
To: <sip:[email protected]>
CSeq: 1 INVITE
Contact: <sip:[email protected]:5060>
Content-Type: application/sdp
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
33
34
Hole Punching in detail
STUN not only helps if we need IP addresses in the payload
ƒ for establishing a direct connection between two peers
‰
Before hole punching
Server S
(18.181.0.31)
1) determine external IP address/port
and exchange it through
Rendezvous Point
Session A-S
18.181.0.31:1234
155.99.25.11:62000
2) both hosts send packets
towards the other host
outgoing packet creates
hole
NAT
(155.99.25.11)
Session A-S
18.181.0.31:1234
10.0.0.1:4321
3) establish connection.
hole is created by first
packet
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
Why?
ƒ Since we first query the STUN server (different IP and port)
and then the actual server
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
STUN and Hole Punching
‰
STUN only works if
ƒ the NAT assigns the external port (and IP address) only
based on the source transport address
ƒ Endpoint independent NAT binding
Client A
(10.0.0.1)
35
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
Session B-S
18.181.0.31:1234
138.76.29.7:31000
NAT
(138.76.29.7)
Session B-S
18.181.0.31:1234
10.1.1.3:4321
Client B
(10.1.1.3)
36
Hole Punching in detail
‰
DIY Hole Punching: practical example
Hole punching
(2) Forward B‘s
endpoints to A
138.76.29.7:31000
10.1.1.3:4321
(2) Forward A‘s
endpoints to B
155.99.25.11:62000
10.0.0.1:4321
Server S
(18.181.0.31)
NAT
(155.99.25.11)
Client A
(10.0.0.1)
You need 2 hosts
ƒ One in the public internet (client)
ƒ One behind a NAT (server)
‰
Firstly start a UDP listener on UDP port 20000 on the “server” console behind
the NAT/firewall
ƒ server/1# nc -u -l -p 20000
‰
An external computer “client" then attempts to contact it
ƒ client# echo "hello" | nc -p 5000 -u serverIP 20000
ƒ Note: 5000 is the source port of the connection
‰
as expected nothing is received because the NAT has no state
‰
Now on a second console, server/2, we punch a hole
ƒ Server/2# hping2 -c 1 -2 -s 20000 -p 5000 clientIP
‰
On the second attempt we connect to the created hole
ƒ client# echo "hello" | nc -p 5000 -u serverIP 20000
NAT
(138.76.29.7)
(3) Connect to
(3) Connect to A
138.76.29.7:31000 155.99.25.11:62000
1) Request
connection to B
‰
to 10.1.1.3:4321
Client B
(10.1.1.3)
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
37
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
TCP Hole Punching
‰
‰
Symmetric NATs
Hole Punching not straight forward due to stateful design of TCP
ƒ 3-way handshake
ƒ Sequence numbers
ƒ ICMP packets may trigger RST packets
‰
How can we traverse symmetric NATs
ƒ Endpoint dependent binding
• hole punching in general only if port prediction is possible
ƒ Address and port restricted filtering
Low/high TTL(Layer 3) of Hole-Punching packet
ƒ As implemented in STUNT (Cornell University)
TCP-SYN
TCP RST
‰
38
TCP-SYN (low TTL)
ICMP TTL
exceeded
TCP-SYN
TCP-SYN
TCP-SYNACK
TCP-SYNACK
TCP-ACK
TCP-ACK
Bottom line: NAT is not standardized
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
39
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
40
Data Relay (1)
‰
‰
‰
‰
‰
Data Relay
Idea: Outbound connections are always possible
3rd party (relay server) in the public internet
Both hosts actively establish a connection to relay server
Relay server forwards packets between these hosts
TURN as IETF draft
‰
relaying (used in Skype)
ƒ NATed client establishes connection to relay
ƒ External client connects to relay
ƒ relay bridges packets between to connections
ƒ IETF draft: TURN
2. connection to
relay initiated
by client
Client
3. relaying
established
1. connection to
relay initiated
by NATted host
138.76.29.7
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
41
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
Frameworks
‰
‰
All possible endpoints are collected and exchanged during call setup
ƒ local addresses
ƒ STUN determined
ƒ TURN determined
All endpoints are „paired“ and tested (via STUN)
ƒ best one is determined and used for VoIP session
‰
Advantages
ƒ high sucess rate
ƒ integrated in application
‰
Drawbacks
ƒ overhead
ƒ latency dependent on number of endpoints (pairing)
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
NAT
router
42
Success Rates for existing solutions
Interactive Connectivity Establishment (ICE)
ƒ IETF draft
ƒ mainly developed for VoIP
ƒ signaling messages embedded in SIP/SDP
‰
10.0.0.1
43
‰
http://nattest.net.in.tum.de
‰
UPnP
31 %
‰
Hole Punching
ƒ UDP
ƒ TCP low TTL
ƒ TCP high TTL
73%
42%
35%
‰
Relay
100%
‰
Propabilities for a direct connection
ƒ UDP Traversal: 85 %
ƒ TCP Traversal: 82 %
ƒ TCP inclusive tunneling: 95 %
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
44
Service Categories for NAT-Traversal (TUM)
‰
Global Service-Provisioning (GSP)
ƒ Globally accessible public endpoint
ƒ Only the service host needs software support
Techniques
(3)
(1)
Service
New approach (TUM)
‰
(2)
(2)
UPnP
• who runs framework
• which external entities are available?
HP if Full-Cone NAT
‰
Service-Provisioning using Pre-Signaling (SPPS)
Open Relay
ƒ pre-signaling and security
ƒ knowledge based
ƒ Pre-Signaling through Rendezvous-Point
ƒ No assumptions about NAT-Traversal techniques
ƒ Both hosts need software support
‰
Secure Service-Provisioning (SSP)
ƒ Extension for SPPS
ƒ Only authorized users can allocate mappings
ƒ Created mapping can only be accessed by the creator
‰
Advanced NAT-Traversal Service (ANTS)
ƒ considers different service categories
• NAT-Traversal decision is made upon knowledge
ƒ performance
• Less latency through knowledge based approach
Techniques
ƒ success rates
HP if Restricted NAT
• 95% for a direct connection for TCP
Secure Relay
ƒ available for new (API) and legacy applications (TUN)
ALG Service-Provisioning (ALG-SP)
‰
ƒ Explicit support for Layer 7 protocols (SIP-VoIP)
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
45
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
NAT Conclusion
‰
NAT helps against the shortage of IPv4 addresses
ƒ only the border gateway needs a public IP address
ƒ NAT maintains mapping table and translates addresses
‰
NAT works as long as the server part is in the public internet
‰
for more information
ƒ http://nattest.net.in.tum.de/?mod=publications
NAT and IPv6
‰
IPv6 provides a 128bit address field
ƒ do we still need NAT?
‰
Firewall traversal
ƒ bundled session applications
P2P communication across NAT is difficult
ƒ NAT breaks the end-to-end connectivity model
‰
Topology hiding
ƒ „security“
‰
NAT behavior is not standardized
ƒ keep that in mind when designing a protocol
‰
Business models of ISPs
ƒ how many IP addresses do we really get (for free)?
‰
many solutions for the NAT-Traversal problem
ƒ none of them works with all NATs
ƒ framework can select the most appropriate technique
‰
NAT for IPv6 (NAT66) standardization already started (IETF)
ƒ goal: „well behaved NAT“
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
46
47
Masterkurs
Rechnernetze
Network Security,
WS 2008/09, Chapter 9
48
Related documents
Network Address Translation (NAT)
Network Address Translation (NAT)
Network Address Translation (NAT)
Network Address Translation (NAT)
percussion WHAT IS INVOLVED IN NAT 5 MUSIC?
percussion WHAT IS INVOLVED IN NAT 5 MUSIC?
Transcript: Introducing NAT
Transcript: Introducing NAT
Cornell Chap 3,4 - Santa Rosa Home
Cornell Chap 3,4 - Santa Rosa Home
Princess Margaret Cancer Centre
Princess Margaret Cancer Centre
Discovery 3 Module 4 Quiz
Discovery 3 Module 4 Quiz
Solutions to Finals
Solutions to Finals
VPN and NAT
VPN and NAT
Network Address Translation
Network Address Translation
Chapter 1: Protocols and Layers
Chapter 1: Protocols and Layers