Native SCTP, DCCP, UDP-Lite and Home Gateway Nats

Native SCTP, DCCP, UDP-Lite and Home Gateway NATs

Runa Barik (UiO), Michael Welzl, Gorry Fairhurst, Thomas Dreibholz, Ahmed Elmokashﬁ, Stein Gjessing

maprg @104th IETF Meeting Prague 28th March 2019

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 1 / 11 Methodology

Detecting support for native SCTP, DCCP, UDPLite using transport header checksum (and Vtag for native SCTP). Using local testbed to study NAT boxes Off-the-shelf equipment tests netﬁlter in Linux IPF, PF and IPFW in FreeBSD Lessons learnt

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 2 / 11 Off-the-shelf equipment tests

Dlink: DIR 655-A2, A3, B1; DIR 619-Ax; DI-614+-B2 Jensen: Air:Link WBR 7954 v2,v3; AirLink 1000Gv2 (A) Linksys: E2500, WRT54G/ GL/GS v1.1, WRT54G, E4200 Netgear: WGR 614v7, WGR 614v9, WNDR3400 Topcom: WBR 254G, BR 604 TP-LINK: TL-MR3020 v1, TL-WR703N 3G modem: WR3G050-02 (Spi59-YJ v2.0) ZyXEL: P8702N, P-2812HNU-F3 Edimax: BR-6574N (A) Xiaomi: Router 3C OS and versions: Linux 2.4-Linux 4.4,ThreadX, VxWorks, OpenWRT MiWiFi ROM, Unknown.

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 3 / 11 Protocol with transport Obs. Observation header checksum No. NA(P)Ting with zero UDP with zero checksum Obs-1 checksum DCCP, SCTP, UDP-Lite NAT’ing, i.e. no transport Obs-2 and unassigned number header update DCCP, SCTP, UDP-Lite No NAT’ing Obs-3 and unassigned number DCCP, SCTP, UDP-Lite Dropping Obs-4 and unassigned number Table: Behavior of transport protocols across the middleboxes

UDP with zero checksum remains intact in all devices. VxWorks OS follows Obs-4 for new transport protocols. Jensen, Topcom and some Dlink devices follow Obs-3. The remaining devices follow IP-level NATing (success for SCTP, but not for DCCP and UDPLite).

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 4 / 11 Netﬁlter in Linux

Linux kernel (version 3.18.109 for MIPS architecture) in TP-Link TL-MR3020, using OpenWRT. Netﬁlter: conntrack_proto_X and nat_proto_X X = {SCTP, DCCP, UDPLite} conntrack_proto_X : Responsible for transport header veriﬁcation, NATing, state machine. It fails for port collision. nat_proto_X : Responsible for port-mapping and checksum update.

Linux netfilter supports SCTP, DCCP and UDPLite. Netfilter changes the SCTP port on collision. sysctl variable nf_conntrack_checksum verifies the checksum on incoming packets

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 5 / 11 FreeBSD

Used FreeBSD 11.2 in a x86-64 PC. Firewall variants of FreeBSD: IPF, PF and IPFW No support for DCCP and UDPLite. Only IPFW/libalias supports SCTP.

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 6 / 11 FreeBSD

Protocol IPFW (first / later clients) PF (first / later clients) IPF (first / later clients)

UDP with zero checksum Obs-1 / Obs-1 Obs-1 / Obs-1 Obs-1 / Obs-1

DCCP, UDP-Lite Obs-2 / Obs-2* Obs-2 / Obs-4 Obs-2 / Obs-3

SCTP Obs-2 / Obs-2 Obs-2 / Obs-4 Obs-2 / Obs-3

Table: Behavior of transport protocols in FreeBSD NAT ﬁrewalls (*: the response packets are forwarded to the last client)

Observation Obs. No.

Obs-1 NA(P)Ting with zero checksum Obs-2 NAT’ing, i.e. no transport header update Obs-3 No NAT’ing Obs-4 Dropping

Table: Behavior of transport protocols across the middleboxes

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 7 / 11 Idle-timeout of NAT devices

Smaller idle-timeout is good for SCTP. >1200

1000

800

600

400

200 Idle Timeout (in seconds)

dl5 dl6 js2 em1ls1 ls2 ls3 ls4 ls5 ls7 tl1 tl2 tl3 3g zy1zy2xi1 ng4dl1 dl2 dl3 dl4

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 8 / 11 Lessons learnt

Conﬁgurable support in the device setting for checksum veriﬁcation or new transport protocols. Emulating UDP-Lite with UDP with zero checksum. Native protocols are not enabled by default. An unusual mechanism or a new option in UDP or TCP has greater chances of success than a new protocol. Avoiding the pseudo-header for checksum calculation could improve the chances of NAT traversals. To support multi-homing feature, individual connections to a NAT should look like single-homed ones.

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 9 / 11 Q&A?

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 10 / 11 SCTP Multi-homing with IPFW/libalias

Client NAT A NAT B Server Client NAT ANAT B Server Client NAT ANAT B Server INIT INIT INIT

INIT−ACK INIT−ACK INIT−ACK COOKIE−ECHO COOKIE−ECHO COOKIE−ECHO

COOKIE−ACK COOKIE−ACK COOKIE−ACK INIT

ASCONF (0) ASCONF (B1) INIT−ACK COOKIE−ECHO HEARTBEAT MISSING STATE ERROR COOKIE−ACK MISSING STATE ERROR

Linux End−systems with Proposed method in IETF draft Our Proposed method with IPFW/libalias NAT with IPFW/libalias NAT IPFW/libalias NAT Sequence diagram showing SCTP multi-homing support

IETF104 Native SCTP, DCCP, UDP-Lite and Home Gateway NATs 11 / 11