P2P and NAT

How to traverse NAT

Davide Carboni © 2005-2006
License
Attribution-ShareAlike 2.5
You are free:
to copy, distribute, display, and perform the work
to make derivative works
to make commercial use of the work
Under the following conditions:

Attribution. You must give the original author credit.

Share Alike. If you alter, transform, or build upon this work, you may distribute the
resulting work only under a licence identical to this one.
For any reuse or distribution, you must make clear to others the licence terms of this
work.
Any of these conditions can be waived if you get permission from the copyright holder.
Your fair use and other rights are in no way affected by the above.
This is a human-readable summary of the Legal Code (the full licence).
Disclaimer
The problem

 The large deployment of NAT builds a

barrier to the development of peer-to-
peer networks.
 Host behind a NAT/Firewall are only
authorized to initiate outgoing traffic
through a limited set of ports (UDP/TCP)
 Host behind a NAT/Firewall are never
authorized to receive incoming TCP or UDP
traffic initiated by a foreign host
Firewall
 A Firewall is a system that filters TCP/IP
UDP/IP packet according to rules
 It can be a software running in the user
machine or in a network router

Rules
Firewall

(Global IP addresses)

router

Rules
NAT
 the process of network address
translation (NAT, also known as network
masquerading or IP-masquerading) involves
re-writing the source and/or destination
addresses of IP packets as they pass
through a router or firewall.
Why NAT is so popular

 IPv4 address shortage

 standard feature in routers for home and
small-office Internet connections
 can enhance the reliability of local systems
by stopping worms and enhance privacy by
discouraging scans
Simple NAT

(Public IP addresses)

(Private IP addresses)

Main NAT
Internet

(Public IP addresses)
Multiple NAT
156.148.70.32
Main
Internet

ISP
(Public IP addresses) NAT

ISP 192.168.2.12
network
192.168.2.99
Home
NAT
(Private IP addresses)
Home
network
10.0.0.12
 NAT Mappings
(1.1.1.4)

192.168.2.2:4445 <-> 1.1.1.5:10100

(192.168.2.2) (1.1.1.5)

A datagram

datagram S=1.1.1.5:10100
D=1.1.1.4:7777
S=192.168.2.2:4445
D=1.1.1.4:7777
Traversing a NAT that
does not collaborate
Relaying

Main
Internet 1
Relay S 2

NAT

NAT
Local
network
Local
network 10.0.0.12
192.168.2.99
host B

host A
Connection reversal

Main
Internet 2
rendezvous S
1

NAT 1.1.1.4
3
Local host B
network
192.168.2.99

host A
TURN protocol

 TURN is a protocol for UDP/TCP relaying

behind a NAT
 Unlike STUN there is no hole punching and
data are bounced to a public server called
the TURN server.
 TURN is the last resource. For instance
behind a symmetric NAT
Role in TURN

 A TURN client is an entity that generates

TURN requests
 A TURN Server is an entity that receives
TURN requests, and sends TURN
responses.
 The server is a data relay, receiving data
on the address it provides to clients, and
forwarding them to the clients
NAT policies

 Full cone NAT

 Restricted cone NAT
 Port restricted cone NAT
 Symmetric NAT
UDP Hole Punching
 Hole punching is a tecnique to allow traffic
from/to a host behind a firewall/NAT
without the collaboration of the NAT itself

 The simplest way is to use UDP packets

 Full cone
(192.168.2.2) (192.168.2.1) (1.1.1.4) (1.1.1.5) (1.1.1.6)
Full
Host A Host B Host C
cone

Packet(S=192.168.2.2:4445, Packet(S=1.1.1.4:10100,
D=1.1.1.5:7777) D=1.1.1.5:7777)

Packet(S=1.1.1.5:4321, Packet(S=1.1.1.5:4321,
D=192.168.2.2:4445) D=1.1.1.4:10100)

Packet(S=1.1.1.6:1234, Packet(S=1.1.1.6:1234,
D=192.168.2.2:4445) D=1.1.1.4:10100)
Full cone mapping and policy

 Mapping
 192.168.2.2:4445 <-> 1.1.1.4:10100
 Policy
 ALLOW ALL TO 1.1.1.4:10100
Holes in Full Cone
rendezvous

1 NAT

5 3
host A
4

host B
 Restricted cone
(192.168.2.2) (192.168.2.1) (1.1.1.4) (1.1.1.5) (1.1.1.6)
Restricted
Host A Host B Host C
cone

Packet(S=192.168.2.2:4445, Packet(S=1.1.1.4:10100,
D=1.1.1.5:7777) D=1.1.1.5:7777)

Packet(S=1.1.1.5:4321, Packet(S=1.1.1.5:4321,
D=192.168.2.2:4445) D=1.1.1.4:10100)

Packet(S=1.1.1.6:1234,
D=1.1.1.4:10100)
X
Packet(S=192.168.2.2:4445, Packet(S=1.1.1.4:10100,
D=1.1.1.6:7777) D=1.1.1.6:7777)

Packet(S=1.1.1.6:4321, Packet(S=1.1.1.6:4321,
D=192.168.2.2:4445) D=1.1.1.4:10100)
Restricted cone
mapping and policy
 Mapping
 192.168.2.2:4445 <-> 1.1.1.4:10100

 Policy
 ALLOW 1.1.1.5 TO 1.1.1.4:10100
 ALLOW 1.1.1.6 TO 1.1.1.4:10100
Holes in Restricted Cone
rendezvous

NAT
1
5 3 4
host A
6

host B
 Port restricted cone
(192.168.2.2) (192.168.2.1) (1.1.1.4) (1.1.1.5) (1.1.1.6)
Port - restr
Host A Host B Host C
cone

Packet(S=192.168.2.2:4445, Packet(S=1.1.1.4:10100,
D=1.1.1.5:7777) D=1.1.1.5:7777)

Packet(S=1.1.1.5:4321,
D=1.1.1.4:10100)

Packet(S=1.1.1.5:7777, Packet(S=1.1.1.5:7777,
D=192.168.2.2:4445) D=1.1.1.4:10100)
Port restricted cone
mapping and policy
 Mapping
 192.168.2.2:4445 <-> 1.1.1.4:10100

 Policy
 ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
 ALLOW 1.1.1.6:7777 TO 1.1.1.4:10100
Holes in Port restricted Cone
rendezvous

NAT
1
5 3 4
host A
6

host B
 Symmetric NAT
(192.168.2.2) (192.168.2.1) (1.1.1.4) (1.1.1.5) (1.1.1.6)

Host A symmetric Host B Host C

Packet(S=192.168.2.2:4445, Packet(S=1.1.1.4:10100,
D=1.1.1.5:7777) D=1.1.1.5:7777)

Packet(S=1.1.1.5:7777, Packet(S=1.1.1.5:7777,
D=192.168.2.2:4445) D=1.1.1.4:10100)

Packet(S=192.168.2.2:4445, Packet(S=1.1.1.4:10179,
D=1.1.1.6:7777) D=1.1.1.6:7777)

Packet(S=1.1.1.6:7777, Packet(S=1.1.1.6:7777,
D=192.168.2.2:4445) D=1.1.1.4:10179)

Packet(S=1.1.1.6:7777,
D=1.1.1.4:10100)
X
Symmetric
mapping and policy
 Mapping
 192.168.2.2:4445 <-> 1.1.1.4:10100
 192.168.2.2:4445 <-> 1.1.1.4:10179

 Policy
 ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100
 ALLOW 1.1.1.6:7777 TO 1.1.1.4:10179
Holes in Symmetric
STUN protocol

 protocol to discover the presence and

types of NAT and firewalls between them
and the public Internet
 STUN allows applications to determine the
public IP addresses allocated to them by
the NAT
STUN protocol

 STUN is specified in RFC 3489 and

defines the operations and the message
format needed to understand the type of
NAT
TCP Hole Punching
 TCP connections between hosts behind
NATs is slightly more complex than for
UDP

 Berkeley sockets allows a TCP socket to

initiate an outgoing or to listen for incoming
connections but not both.
TCP Hole punching

 we need to use a single local TCP port to

listen for incoming TCP connections and to
initiate multiple outgoing TCP connections
concurrently
 to bind multiple sockets to the same local
endpoint BSD systems have introduced a
SO_REUSEADDR and SO_REUSEPORT
TCP Hole punching
1.1.1.6
Main
rendezvous S Internet

1.1.1.5
1.1.1.4
NAT
NAT Local
network
Local
network 10.0.0.12
192.168.2.99
host B

host A
TCP Hole punching
1.1.1.6
Main
rendezvous S Internet

NAT

NAT Local
network
Local
1.1.1.5:4444
network

host B
1.1.1.4:1234
host A
STUNT

 Simple Traversal of UDP Through NATs

and TCP too (STUNT), which extends
STUN to include TCP functionality
 A JAVA implementation of STUNT is
available
 See
http://nutss.gforge.cis.cornell.edu/stunt.php
Traversing a NAT that
collaborates
Socks
 SOCKS is a client server protocol that
allows a client behind a firewall to use a
server in the public Internet to relay
traffic
 Two operations: CONNECT and BIND
 It is widely adopted, for instance Mozilla
can be configured to use SOCKS
 Two versions. SOCKS4 and SOCKS5
SOCKS CONNECT
server S
Socks proxy
2. connect()

1. CONNECT

NAT

host A
SOCKS BIND
server S
3. connect(33102) Socks proxy

2. Ok. Port=33102
1. BIND (localport=4445, S)

NAT

host A listening on 4445

SOCKS and Java

SocketAddress addr =
new InetSocketAddress("socks.mydomain.com", 1080);

Proxy proxy = new Proxy(Proxy.Type.SOCKS, addr);

URL url = new URL("ftp://ftp.gnu.org/README");

URLConnection conn = url.openConnection(proxy);

SOCKS4 and SOCKS5
 SOCKS4 doesn't support authentication while
SOCKS5 has the built-in mechanism to support a
variety of authentications methods.

 SOCKS4 doesn't support UDP proxy while

SOCKS5 does.

 SOCKS4 clients require full support of DNS

while SOCKS5 clients can rely on SOCKS5 server
to perform the DNS lookup.
UPnP NAT Traversal
 Internet Gateway Device (IGD) protocol[1] is
defined by UPnP
 It is implemented in some internet routers.
 It allows applications to automatically configure
NAT routing.
 IGD makes it easy to do the following:
 Learn the public (external) IP address
 Enumerate existing port mappings
 Add and remove port mappings
 Assign lease times to mappings
UPnP API provided by COM
IStaticPortMapping::get_ExternalIPAddress()
IStaticPortMapping::get_ExternalPort()
IStaticPortMapping::get_InternalPort()
IStaticPortMapping::get_Protocol()
IStaticPortMapping::get_InternalClient()
IStaticPortMapping::get_Enabled()
IStaticPortMapping::get_Description()
UPnP Port Forward
Issues with UPnP

 Oppents to IGD see a significant security

risk
 UPnP allows any program, even malicious
programs, to create a port mapping
through the router.
 with UPnP, the port mapping can be
created even without any knowledge of the
administrative password to the router
 References
 Peer-to-Peer Communication Across NAT
http://www.brynosaurus.com/pub/net/p2pnat/
 STUN Protocol RFC.
http://www.ietf.org/rfc/rfc3489.txt
 TCP NAT traversal.
http://nutss.gforge.cis.cornell.edu//stunt.php
 Traversal Using Relay NAT (TURN) IETF
RFC
References (2)

 SOCKS5 IETF RFC

http://www.ietf.org/rfc/rfc1928.txt
 SOCKS4
http://archive.socks.permeo.com/protocol/socks4.protocol
 Java Networking and Proxies
http://java.sun.com/j2se/1.5.0/docs/guide/net/proxies.html
 Using UPnP for Programmatic Port
Forwardings and NAT Traversal
http://www.codeproject.com/internet/PortForward.asp
License
Attribution-ShareAlike 2.5
You are free:
to copy, distribute, display, and perform the work
to make derivative works
to make commercial use of the work
Under the following conditions:

Attribution. You must give the original author credit.

Share Alike. If you alter, transform, or build upon this work, you may distribute the
resulting work only under a licence identical to this one.
For any reuse or distribution, you must make clear to others the licence terms of this
work.
Any of these conditions can be waived if you get permission from the copyright holder.
Your fair use and other rights are in no way affected by the above.
This is a human-readable summary of the Legal Code (the full licence).
Disclaimer