A New Method for Symmetric NAT Traversal
in UDP and TCP
Yuan Wei
Waseda University, 3-4-1 Okubo, Shinjuku-ku, Tokyo, JAPAN
Daisuke Yamada
Waseda University, 3-4-1 Okubo, Shinjuku-ku, Tokyo, JAPAN
Suguru Yoshida
Waseda University, 3-4-1 Okubo, Shinjuku-ku, Tokyo, JAPAN
Shigeki Goto
Waseda University, 3-4-1 Okubo, Shinjuku-ku, Tokyo, JAPAN
{wei,daiski,yoshida,goto}@goto.info.waseda.ac.jp
ABSTRACT
This paper proposes a new method for Network Address Translator (NAT) Traversal in UDP. Several techniques have been proposed for traversing NAT or firewall boxes in UDP. These techniques can establish UDP communication between hosts behind NATs. However, existing NAT traversal methods, including Universal Plug and Play (UPnP), Simple traversal of UDP over NATs (STUN) and Teredo, cannot traverse symmetric NAT boxes. Our method uses a new port prediction method. It controls ports to traverse symmetric NAT boxes as well as other kinds of NATs. In addition, our new method can be extended for simple NAT traversal in TCP. The method is based on a new UDP hole punching technique.
We have tested nine working NAT products in our laboratory. The results show that our method can be practically implemented for successful NAT traversal for real use.
Keywords
NAT traversal, Symmetric NAT, UDP, P2P, Stateful Packet Inspection, TCP
1. INTRODUCTION
A network address translator (NAT) is a well-known, versatile tool that enables the reuse of IP addresses in the Internet. Using a NAT, we can convert private IP addresses to global IP addresses. However, a fatal problem can occur if an application protocol includes an IP address as part of the payload of IP packets. This is because, although NAT translates IP addresses in the header properly, it cannot convert IP addresses in the payload. Examples of applications that suffer from this problem include Voice over IP and Multimedia over IP applications such as SIP [1] and H.323 [2], as well as online games.
Copyright is held by the author/owner(s). Asia Pacific Advanced Network 2008, 4-8 August 2008, New Zealand. Network Research Workshop 2008, 4 August 2008, New Zealand.
There have been many proposals to solve this problem. Several real-time multimedia applications, online games, and other applications that work properly across NATs have been developed using standard techniques such as Universal Plug and Play (UPnP), which has been adopted by many vendors [3]. Another example of a commonly used protocol is Simple Traversal of UDP (STUN) [4], which is an implementation of the UNilateral Self-Address Fixing (UNSAF) protocol [5]. Teredo realizes an UNSAF mechanism by tunneling IPv6 over UDP/IPv4 [6]. However, these proposals do not solve the problem completely because none of them can work successfully with all types of NATs.
This paper proposes a new method for NAT traversal, which is applicable to symmetric NATs as well as other types of NATs. Symmetric NATs are used when high security communication is required. For example, the most expensive router sold by a Japanese manufacturer, who sells nine types of routers in the market, is the one equipped with symmetric NAT functionality. Symmetric NATs are installed as routers in business enterprises and also as high-end routers for home use. Our new method is based on port prediction. It manipulates port numbers in order to traverse symmetric NATs successfully. We have conducted several experiments to evaluate the performance of our new method. The results show that our method can be practically implemented for successful NAT traversal. In addition, the new method can also be extended to develop a new method for NAT traversal in TCP.
Section 2 describes the various types of NATs. Section 3 surveys the existing methods of NAT traversal. Our new method is proposed in Section 4. Section 5 shows the results of our experiments and Section 6 concludes this paper.
2. TAXONOMY OF NATS
The study on the STUN protocol [4] uses terms such as Full Cone, Restricted Cone, Port Restricted Cone and Symmetric to describe the different types of NATs. These NATs are discussed with reference to UDP only. We will mention TCP NATs briefly in Section 4.4.
2.1 Full Cone NAT
A full cone NAT is also known as a one-to-one NAT. Once an internal IP address and port are mapped to some external IP address and port respectively, all the packets with the internal IP address and port will be translated to the fixed external IP address and port. Furthermore, any external host can send a packet to the internal host by sending a packet to the mapped external address. The full cone NAT is illustrated in Figure 1.
Figure 1: Full cone NAT
2.2 Restricted Cone NAT
In the restricted cone NAT, all requests from an internal IP address and port are mapped to a fixed external IP address and port. It is similar to the full cone NAT except that, unlike the full cone NAT, an external host (with IP address x) can send a packet to an internal host only if the internal host has previously sent a packet to the IP address x through the restricted cone NAT. The restricted cone NAT is illustrated in Figure 2.
Figure 2:Restricted cone NAT
2.3 Port Restricted Cone NAT
The port restricted cone NAT is similar to the restricted cone NAT. However, the port restricted cone NAT also takes the port numbers into account along with the IP addresses. An external host can send a packet with source IP address x and source port p to an internal host only if the internal host has previously sent a packet to the IP address x and port p. The port restricted cone NAT is illustrated in Figure 3.
Figure 3: Port restricted cone NAT
2.4 Symmetric NAT
In a symmetric NAT, any request from an internal IP address and a port number to some destination IP address and port number is mapped to a unique external IP address and a unique port number. If the same host sends a packet from the same source address and the same port number but to a different destination, a different mapping is used. Only the external host that receives a packet from an internal host can send a UDP packet back to the internal host. The symmetric NAT is illustrated in Figure 4.
Figure 4: Symmetric NAT
3. EXISTING TRAVERSAL METHODS
There have been many proposals on methods to traverse NATs. This section describes some well-known techniques such as UPnP, STUN, and Teredo. It should be noted here that none of these techniques can be successfully implemented for symmetric NATs.
3.1 UPnP
UPnP is a set of computer network protocols promulgated by the UPnP Forum [3]. The UPnP architecture allows the development of peer-to-peer networks of PCs, networked appliances, and various wireless devices. When a new host needs a connection, a UPnP device can automatically configure a network address, announce its presence on the network subnet, and exchange a description of device and services. Currently, many Internet gateway vendors such as D-Link, Intel, Buffalo Technology, and Arescom are offering devices with UPnP functionality. NAT traversal in UPnP is known as the Internet Gateway Device (IGD) Protocol. However, one of the disadvantages of UPnP is that it requires that all the devices in the network should support UPnP. Even if a single device does not conform to the UPnP standard, we cannot realize a peer-to-peer network.
3.2 STUN
STUN is a protocol used for communication between a client and a server [4].
If a peer-to-peer software package includes a STUN client,it sends a request to a STUN server.The server then reports back to the STUN client about the global IP address of the NAT router.It also reports the opened port number at the NAT for incoming traffic to the private network.
The STUN client determines the type of NAT in use on the basis of the response of the STUN server.
There are certain differences in the handling of incoming UDP packets by the various types of NATs. STUN works well with three types of NATs: full cone, restricted cone, and port restricted cone NATs. One of the drawbacks of STUN is that it does not work with symmetric NATs, which are often used in networks in large enterprises.
In general, STUN assumes that the NAT being used is a cone type NAT. If we use a cone NAT, the IP address and the port number of the STUN client are fixed. STUN cannot handle symmetric NATs because the global IP address and port number translated from the private address and port number of the client are not fixed.
Figure 5: Using STUN to traverse NAT
3.3 Teredo
Teredo has been proposed by Microsoft [6]. It is based on IPv6 tunneling technology. A Teredo client obtains a Teredo IPv6 address from the Teredo server. It utilizes an IPv6 address with IPv6 tunneling in UDP/IPv4. A Teredo client communicates with other Teredo clients and other IPv6 nodes through a Teredo relay. A Teredo server should have both an IPv4 global address and an IPv6 global address. A Teredo relay should have an IPv4 global address and an IPv6 global address. A Teredo relay provides routing between the Teredo clients and nodes on the IPv6 Internet. Teredo does not work well with symmetric NATs.
4. NEW METHOD
In this section we propose a new method for UDP multi-hole punching.This method establishes a UDP connection between two end points through NATs,as shown in Figure 6.
The new method is based on port prediction and limited TTL values. The method controls the port numbers to allow successful traversing of symmetric NATs. It also works well for the other types of NATs. In addition, the new method can be extended to NAT traversal in TCP. It is well known that NAT traversal in TCP is more difficult than that in UDP. This is an advantage of the proposed new method.
Figure 6: New method of UDP multi-hole punching
4.1 Phase I
The new method is divided into three phases. In this method, the client is known as an echo client and the server is known as an echo server because there are a series of packet exchanges between them. An echo client communicates with two servers S1 and S2. S1 and S2 record the IP address and port number of the echo client, and these are then translated by NAT a. The following are the steps of the method:
F1: The echo client communicates with S1. Then, S1 analyzes the port number mapped by NAT a.
F2: S1 conveys the port number to the echo client.
F3: The echo client sends a packet to S2. It includes information obtained on the port number of NAT a when the echo client communicated with S1. Then, S2 analyzes the port number of NAT a and records it. Furthermore, S2 also records the information obtained on the port number of NAT a when the echo client communicated with S1 at step F1.
4.2 Phase II
In phase II,the echo server communicates with S1and S2 in a manner similar to that in phase I.
F4: The echo server communicates with S1. Then, S1 analyzes the port number mapped by NAT b.
F5: S1 conveys the port number to the echo server.
F6: The echo server sends a packet to S2. The packet includes the port number information of NAT b obtained from the communication of the echo server with S1 at step F4. Then, S2 analyzes the port number of NAT b and records it. Furthermore, S2 records the port number information of NAT b obtained when the echo server communicated with S1 at step F4.
Figure 7: Phase I
Figure 8: Phase II
4.3 Phase III
In phase III, the method performs port prediction. As described in phase I, NAT a maps the port number twice, once each in steps F1 and F3. For example, if NAT a uses 5361 in F1 and 5362 in F3, then we can predict that the punching mode of NAT a is incremental and that the predicted port number is 5363. Thus the new method can determine the punching mode as incremental, decremental, or the skip mode. Then, it communicates the target global IP address and the punching mode to the echo client and the echo server. The echo client and the echo server receive the information and then initiate multi-hole punching to establish communication between them.
F7: Based on the two types of information communicated in phases I and II, namely the communications of NAT a with S1 and S2, we can predict a suitable port number for hole punching. We can also determine the punching mode. S2 sends the information containing the predicted port number and the punching mode to the echo server.
F8: Based on this information, the echo server sends a large number of packets. These packets have a fixed destination port and a low TTL value. The echo server binds the port. The packets are then sent to the echo client.
F9: Using the two kinds of information obtained in phases I and II, namely, the communications of NAT b with S1 and S2, we can predict a suitable port number for the hole punching. S2 sends the information that contains the predicted port number and the punching mode to the echo client in a manner similar to that of step F7.
F10: On the basis of the information obtained in step F9, the echo client sends many packets to the echo server. These packets have a fixed destination port. The echo client binds the port. After sending all the packets, the echo client switches to the receiving mode.
In step F10, NAT b receives many UDP packets from the echo client. If one of the source port numbers of the echo client matches the destination port number mapped by NAT b, then NAT b translates the packets and sends them to the echo server successfully. The echo server closes all the opened ports except the ports that have successfully received the packets.
F11: The echo server replies to the echo client. It establishes a P2P connection between the echo client and the echo server at this stage.
Figure 9: Phase III
4.4 Advantages of the New Method
Normal UDP communications
The new method puts a small TTL value, 2 or 3, in a packet from the echo server. In step F8 we observe that the packet reaches NAT b but does not reach NAT a. In steps F8 to F11, we can observe that packets go through NAT a or b, as shown in Figure 6 and Figure 9. These packets appear to be normal UDP communications if we neglect the extra packets.
Thus, UDP packets are less likely to be discarded by the security criteria that NATs use for screening packets.
Precise port number prediction
Most NATs translate port numbers according to one of the following algorithms: increment, decrement, skipping alternate port numbers, or random. Our proposed method uses two servers so that we can observe any type of port translation.
Control of port numbers
The new method uses fixed port numbers rather than random numbers. When the source port numbers are {x, x+1, x+2, ...} and the translated port numbers are {n, n+1, n+2, ...}, we can detect the translation algorithm at a NAT based on the sequences of the source ports and the translated ports. The new method can also detect random port translation.
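The port prediction of Section 4.3 and the translation-algorithm detection described under "Control of port numbers" above, as an added example (not the paper's own code). It generalizes the paper's two-observation case to any ordered list of translated ports recorded by S1 and S2; the observed values are constructed, and the handling of the random case (a window centred on the last observed port) is an assumption of this example.

```python
from typing import List, Optional, Tuple


def detect_mode(translated: List[int]) -> Tuple[str, int]:
    """Classify the NAT's port-translation algorithm from the external ports
    recorded by S1 and S2, in the order they were observed (steps F1, F3).

    The probes leave from consecutive source ports, as in Section 4.4, so a
    constant difference between successive translated ports reveals the
    algorithm; a non-constant difference is treated as random.
    """
    if len(translated) < 2:
        raise ValueError("need at least two observations (steps F1 and F3)")
    deltas = {b - a for a, b in zip(translated, translated[1:])}
    if len(deltas) != 1:
        return "random", 0
    step = deltas.pop()
    if step == 0:
        return "cone", 0             # same external port for both servers
    if step == 1:
        return "incremental", 1
    if step == -1:
        return "decremental", -1
    return "skip", step              # e.g. every second port number


def predict_port(translated: List[int]) -> Optional[int]:
    """Predict the external port the NAT will allocate for the next mapping.
    Returns None when the translation is random and cannot be predicted."""
    mode, step = detect_mode(translated)
    if mode == "random":
        return None
    return translated[-1] + step


def candidate_ports(translated: List[int], count: int = 1000) -> List[int]:
    """Build the list of destination ports a peer punches toward (steps F8/F10).

    For a predictable NAT the list starts at the predicted port and follows the
    detected step. For a random NAT the paper relies on the size of the list;
    this example (an assumption) centres a window on the last observed port.
    The list stops at the edge of the valid port range instead of wrapping.
    """
    mode, step = detect_mode(translated)
    if mode == "random":
        start, step = max(1, translated[-1] - count // 2), 1
    else:
        start, step = translated[-1] + step, step or 1   # cone: walk upward
    ports, p = [], start
    while len(ports) < count and 1 <= p <= 65535:
        ports.append(p)
        p += step
    return ports


if __name__ == "__main__":
    seen = [5361, 5362]   # constructed: the paper's F1/F3 example for NAT a
    print(detect_mode(seen), predict_port(seen), candidate_ports(seen, 5))
```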
Use of many port numbers
The new method uses many port numbers. The current implementation uses 1,000 port numbers. The large number of ports increases the success rate of hole punching. When NAT a translates port numbers by some unknown algorithm and one of the 1,000 ports matches with the mapping of NAT b, the communication is successfully established.
Stateful Packet Inspection (SPI) in TCP
Currently, many NAT products are equipped with Stateful Packet Inspection (SPI). It is a type of function for filtering TCP packets. When SPI is applied, a valid sequence of packets should follow the 3-way handshake of TCP. The 3-way handshake is as follows:
1. [SYN] - outgoing
2. [SYN, ACK] - incoming
3. [ACK] - outgoing
The proposed method can be extended to cover TCP NAT traversal. It simulates the 3-way handshake in accordance with SPI criteria. The actual packets are composed by the echo server, the echo client, S1, and S2. A TCP packet has two flags, SYN and ACK, which are easily set. The sequence number is an important field in a TCP packet, which is composed by S1 and S2 for NAT traversal. S1 and S2 monitor the packets from the echo client and echo server to obtain the original sequence numbers. Thus, hole punching can also be extended to TCP using the new traversal method.
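A model of the SPI check that the TCP extension has to satisfy, as an added example (not the paper's code): a filter that admits a TCP packet only if it is the next legal step of the 3-way handshake listed above. The packet fields, the flow key and the rule that each acknowledgement number must equal the acknowledged sequence number plus one are assumptions about how a typical SPI box behaves; they show why S1 and S2 must compose consistent sequence numbers.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    seq: int
    ack_num: int
    outgoing: bool  # True = sent from the private side toward the Internet


FlowKey = Tuple[str, int, str, int]  # (private addr, port, remote addr, port)


class SPIFilter:
    """Tracks each TCP flow through SYN_SENT -> SYN_RCVD -> ESTABLISHED and
    drops anything out of order: an unsolicited inbound SYN, or a SYN,ACK
    whose acknowledgement number does not match the SYN it answers."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, dict] = {}

    @staticmethod
    def flow_key(p: Packet) -> FlowKey:
        # Both directions of one connection share a single state entry.
        if p.outgoing:
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def admit(self, p: Packet) -> bool:
        st = self.flows.get(self.flow_key(p))
        if st is None:  # 1. only an outgoing [SYN] may open a flow
            if p.outgoing and p.syn and not p.ack:
                self.flows[self.flow_key(p)] = {"state": "SYN_SENT",
                                                "client_seq": p.seq}
                return True
            return False
        if st["state"] == "SYN_SENT":  # 2. incoming [SYN,ACK] acking seq+1
            if (not p.outgoing and p.syn and p.ack
                    and p.ack_num == st["client_seq"] + 1):
                st["state"], st["server_seq"] = "SYN_RCVD", p.seq
                return True
            return False
        if st["state"] == "SYN_RCVD":  # 3. outgoing [ACK] acking server seq+1
            if (p.outgoing and p.ack and not p.syn
                    and p.ack_num == st["server_seq"] + 1):
                st["state"] = "ESTABLISHED"
                return True
            return False
        return True  # ESTABLISHED: data passes in both directions
```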
5. EXPERIMENTS
We conducted five experiments to evaluate our new method and compared it with other existing methods. We used the WinStun software to classify the type of NATs in the first experiment. In the second experiment we used Wireshark, which is a packet capture tool. In the third experiment, we evaluated the use of the Skype software for NAT traversal. The fourth experiment was performed to test the performance of the new method for UDP NAT traversal. The new method was applied to TCP NAT traversal in the fifth experiment. We tested several router products, which are shown in Table 1. The first router, “Iptables”, is not a hardware product but a software tool for routing. It is included in the list so that we can observe the details of Iptables. It is also possible to capture packets at a PC that runs Iptables. The other routers listed are commercial hardware products, and we do not know their detailed internal structure or functions. This is the reason we conducted the first experiment on the classification of the types of NATs.
Table 1: Routers used in the experiments
Manufacturer   Model number
Iptables       Iptables
I-O Data       NP-BBRL
I-O Data       WN-WAPG/R
Buffalo        BBR-4HG
Linksys        BEFSR41C-JP3
Planex         BRL-04CW
Corega         CG-BARMX2
NEC            AtermBR1500H
Cisco          Cisco 2621
5.1 Classification of Types of NAT using WinStun
We used the WinStun software to classify NATs. WinStun shows two outputs, which are the possibility of NAT traversal by STUN and the NAT type. The types of NATs are defined in [7].
Figure 10: Network configuration of WinStun
The network configuration of the first experiment is shown in Figure 10. The results of the first experiment indicate that the Cisco 2621 and the I-O Data WN-WAPG/R are “impossible to measure”. The NEC router is reported as “VOIP will NOT work”, which means that it is highly likely to be a symmetric NAT. The other routers can be traversed by STUN. We used nine routers for all the experiments, except the TCP experiment.
5.2 Packet Capturing
In order to study the port translation algorithm, we used a packet capture software. This software monitors the port number information in the packets. The test was conducted for a fixed source port number of 5323. The packets are sent to the appropriate destination port, whose number is changed using the incremental algorithm.
The network configuration of the second experiment is shown in Figure 11. A part of the results is shown in Figure 13, Figure 14, and Figure 12. The results show that the packets are sent to designated port numbers.
The packets were captured at a switch,where a mirror func-tion had been enabled.