Network Address Translator Traversal Using Interactive Connectivity Establishment

HELSINKI UNIVERSITY OF TECHNOLOGY
Department of Communications and Networking
S-38.3138 Networking Technology, Special Assignment

Veera Andersson
Network Address Translator Traversal Using Interactive Connectivity Establishment
Espoo, November 30, 2009

Student Number: 60666W
Contact Info: veera.andersson@hut.fi
Supervisor: Professor Jörg Ott

Contents

Abbreviations
List of Figures
List of Tables
1 Introduction
1.1 Objectives and Scope
1.2 Structure
2 Background
2.1 Network Address Translation
2.1.1 Basic Network Address Translator
2.1.2 Network Address and Port Translator
2.1.3 Benefits and Drawbacks of Network Address Translation
2.2 NAT Classification
2.2.1 Address and Port Mapping Behavior
2.2.2 Port Assignment Behavior
2.2.3 Filtering Behavior
2.2.4 Hairpinning Behavior
2.3 NAT Traversal
2.3.1 STUN
2.3.2 TURN
2.3.3 Interactive Connectivity Establishment
2.4 Summary
3 Existing NAT Types
3.1 Challenges with NAT behavior
3.2 NAT Test Results
3.3 Summary
4 Analysis
4.1 Analysis on the Test Results
4.2 Applicability of ICE for NAT Traversal
4.3 Using ICE with Arbitrary Hosts in the Internet
4.4 Summary
5 Conclusions

Abbreviations

ALG      Application Level Gateway
ARPANET  Advanced Research Projects Agency Network
HMAC     Hash-based Message Authentication Code
ICE      Interactive Connectivity Establishment
IP       Internet Protocol
IPsec    IP Security
NAPT     Network Address Port Translator
NAT      Network Address Translation / Translator
P2P      Peer-to-Peer
SDP      Session Description Protocol
SIP      Session Initiation Protocol
STUN     Session Traversal Utilities for NAT
TCP      Transmission Control Protocol
TURN     Traversal Using Relays around NAT
UDP      User Datagram Protocol
VoIP     Voice over IP

List of Figures

2.1 Example NAT scenarios
2.2 Basic Network Address Translation with outbound traffic
2.3 Basic Network Address Translation with return traffic
2.4 NAPT with outbound traffic
2.5 NAPT with return traffic
2.6 Example of endpoint-independent mapping
2.7 Example of address-dependent mapping
2.8 Example of address and port-dependent mapping
2.9 Example of a NAT supporting hairpinning
2.10 Example of a STUN configuration
2.11 Example of a TURN configuration
3.1 Example of peers behind multiple levels of NATs without hairpinning support
4.1 Example of peers learning peer reflexive addresses

List of Tables

3.1 NAT mapping types
3.2 NAT filtering types
3.3 Appearance of port preservation and hairpinning
3.4 Support for UDP hole punching
4.1 Probabilities for NAT types between two random hosts

Chapter 1 Introduction

The Internet we know today has evolved tremendously since its first introduction. Even though it still shares the same underlying concepts, such as packet switching and hierarchical routing, it has a very different conception of the scale of the network and the fundamental host-to-host requirements. Something that began as an ARPA (Advanced Research Projects Agency) experiment was not expected to become such an essential part of people's everyday life. As a result of the rapid growth of the Internet, new protocols and mechanisms have been implemented as new challenges and requirements emerged. Consequently, some of the choices made initially and along the way have later induced further challenges.

Since the first packet switching network, ARPANET (ARPA Network), was in the late 1960s primarily used by universities and the military, an address space of over 4 billion addresses was considered more than enough for future utilization. But after the Internet became publicly better known in the 1990s, the number of Internet hosts started to grow far beyond expectations, showing the 32 bit Internet Protocol (IP) version 4 [1] addresses to be eventually insufficient to uniquely identify all the hosts. Other factors that speed up the IP address exhaustion are the increased number of network accessible devices, such as mobile phones, and the inefficient use of the address space.

Network Address Translation (NAT) [21] is one of the solutions to the problem of IP address depletion. Although it only serves as a short-term solution, it has gained popularity due to its simplicity of deployment [7, 12]. A Network Address Translator has one or more addresses to be shared by multiple hosts. Basically this works by placing a group of hosts with private addresses behind a NAT, and the NAT assigns them globally routable addresses only when communication to the outside is required. Since the private addresses are only valid within the private network and not seen outside, they can be reused in other private networks.
Most NATs are built on the assumption that communication is client-server based: connections are initiated by the client, and servers are usually located in the public network. However, nowadays an increasing amount of traffic is based on peer-to-peer (P2P) communication, which means that direct connections can be initiated by either of the peers. Since any host is capable of working as a peer, it is possible for peers to be located behind a NAT, which makes contacting them trickier. To help set up a connection, peers often need to make use of a signalling channel, such as one created using the Session Initiation Protocol (SIP) [5]. The signalling channel is used for exchanging control messages, but it is inefficient for carrying data traffic, since it usually creates an indirect path between the peers. The general term for the techniques that help the peers create a direct path in the presence of NATs is NAT traversal. Since NATs were only recently standardized, there is no single way guaranteed to work every time. This is why several mechanisms may need to be tried before succeeding. Session Traversal Utilities for NAT (STUN) [20] is a mechanism that a host can use to discover its globally routable address, which another host may then try to use for contacting it. However, sometimes it is impossible to create a direct connection between the peers. In such a case, relaying the data messages via an external intermediate node is required. Traversal Using Relays around NAT (TURN) [19] is a protocol that provides such a relaying service. Interactive Connectivity Establishment (ICE) [17] utilizes the mechanisms of both STUN and TURN to provide a complete NAT traversal solution. ICE tries to find the optimal path for communication between two peers, using relaying only as a last resort.
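The interplay of NAT mapping, STUN-learned addresses and ICE connectivity checks described above can be made concrete with a small simulation. The following Python model is an added example and is not part of the assignment or of any ICE implementation. It models a NAPT's mapping and filtering behavior using the classification the assignment applies in Section 2.2 (endpoint-independent, address-dependent, address-and-port-dependent mapping and filtering), which goes beyond what this introduction states, and then runs ICE-style connectivity checks between two hosts behind separate NATs after each has learned its server-reflexive address from a STUN server. All addresses, ports and the class and function names (`Napt`, `direct_path`) are constructed for the example.

```python
"""Toy model of NAPT mapping/filtering behavior and ICE-style connectivity checks.

Added example, not part of the original assignment. Addresses are constructed
from the RFC 5737 documentation ranges; the mapping/filtering names follow the
classification the assignment uses in Section 2.2 (RFC 4787 terminology).
"""
from dataclasses import dataclass

# Mapping and filtering behaviors share the same three names (RFC 4787).
EIM, ADM, APDM = "endpoint-independent", "address-dependent", "address-and-port-dependent"
EIF, ADF, APDF = EIM, ADM, APDM


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class Napt:
    """A NAPT with one public address; mappings are keyed by its mapping behavior."""

    def __init__(self, public_ip, mapping=EIM, filtering=EIF):
        self.public_ip = public_ip
        self.mapping = mapping
        self.filtering = filtering
        self.next_port = 40000      # constructed: first external port handed out
        self.mappings = {}          # (internal endpoint, scope) -> external port
        self.contacted = {}         # internal endpoint -> set of remotes it has sent to

    @staticmethod
    def _scope(behavior, remote):
        """The part of the remote endpoint that a mapping (or filter) is bound to."""
        if behavior == EIM:
            return None             # any remote reuses the same mapping
        if behavior == ADM:
            return remote.ip        # one mapping per remote address
        if behavior == APDM:
            return remote           # one mapping per remote address and port
        raise ValueError(behavior)

    def outbound(self, internal, remote):
        """Translate a packet leaving the private network; return the external endpoint used."""
        key = (internal, self._scope(self.mapping, remote))
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        self.contacted.setdefault(internal, set()).add(remote)
        return Endpoint(self.public_ip, self.mappings[key])

    def inbound(self, external_port, sender):
        """Return the internal endpoint an inbound packet is delivered to, or None if dropped."""
        for (internal, scope), port in self.mappings.items():
            if port != external_port:
                continue
            if scope is not None and scope != self._scope(self.mapping, sender):
                continue            # the port is mapped, but for a different remote
            sent_to = self.contacted.get(internal, set())
            if self.filtering == EIF:
                allowed = True
            elif self.filtering == ADF:
                allowed = any(r.ip == sender.ip for r in sent_to)
            else:
                allowed = sender in sent_to
            return internal if allowed else None
        return None


# Constructed topology: two private hosts, each behind its own NAT, and one public STUN server.
HOST_A = Endpoint("192.168.0.10", 5000)
HOST_B = Endpoint("10.0.0.20", 5000)
STUN = Endpoint("198.51.100.5", 3478)


def direct_path(mapping_a, filtering_a, mapping_b, filtering_b):
    """True if ICE-style checks over STUN-learned addresses give a direct path in both directions."""
    nat_a = Napt("203.0.113.1", mapping_a, filtering_a)
    nat_b = Napt("203.0.113.2", mapping_b, filtering_b)
    # 1. Each host sends a STUN Binding request and learns its server-reflexive address.
    refl_a = nat_a.outbound(HOST_A, STUN)
    refl_b = nat_b.outbound(HOST_B, STUN)
    # 2. The reflexive addresses are exchanged over signalling and each host sends a
    #    connectivity check to the other's. Both checks are sent before either is judged,
    #    since ICE retransmits until the far side has opened its own mapping.
    ext_a = nat_a.outbound(HOST_A, refl_b)
    ext_b = nat_b.outbound(HOST_B, refl_a)
    a_to_b = nat_b.inbound(refl_b.port, ext_a) == HOST_B
    b_to_a = nat_a.inbound(refl_a.port, ext_b) == HOST_A
    # 3. If only one check arrived, its receiver saw the sender's real external port
    #    (a peer-reflexive candidate) and can answer to that port instead.
    if b_to_a and not a_to_b:
        a_to_b = nat_b.inbound(ext_b.port, nat_a.outbound(HOST_A, ext_b)) == HOST_B
    elif a_to_b and not b_to_a:
        b_to_a = nat_a.inbound(ext_a.port, nat_b.outbound(HOST_B, ext_a)) == HOST_A
    return a_to_b and b_to_a


if __name__ == "__main__":
    cases = [(EIM, EIF, EIM, EIF), (EIM, ADF, EIM, ADF),
             (EIM, EIF, APDM, APDF), (APDM, APDF, APDM, APDF)]
    for case in cases:
        print(case, "direct path" if direct_path(*case) else "relay (TURN) needed")
```

Running the block shows the pattern the chapter describes: two endpoint-independent NATs reach each other directly on the first checks, two address-and-port-dependent NATs never do (the port a STUN server saw is never the port used toward the peer, so both checks are dropped and a TURN relay is the only option left), and an endpoint-independent NAT facing an address-and-port-dependent one succeeds only through the peer-reflexive step, where the host that did receive a check answers to the port it actually saw. The model deliberately ignores timing, mapping timeouts and port preservation, which the assignment's later chapters treat separately.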
A new version of the Internet Protocol with larger IP addresses, IPv6 [6], is considered a long-term solution to the IP address exhaustion. Yet, fully upgrading an existing infrastructure to support IPv6 services takes time [2]. Even after a full integration of IPv6, the need for NAT traversal will still remain: it is not only NATs that make use of NAT traversal, there are also other types of middle-boxes that benefit from it, such as firewalls. Besides, even if more than enough IP addresses were available, the benefits of private networks would still make network address translation a desirable feature.

1.1 Objectives and Scope

The objective of this work is to provide a study on NAT traversal using Interactive Connectivity Establishment (ICE). This is a literature study, meaning that no measurements or simulations were performed for the purposes of this work. Nonetheless, we present the research results on existing NATs that have been published in recent years, including information on how well ICE actually works in traversing NATs. Protocols intended to traverse NATs might also be usable for traversing other types of middle-boxes. However, regarding this work, these are out of scope. Additionally, we only discuss NAT traversal for UDP-based traffic, due to the multiple additional challenges related to TCP NAT traversal.

1.2 Structure

In this chapter we introduced the subject area, as well as the objectives and scope of the work. Chapter 2 provides the theoretical background on the topic. Chapter 3 combines the research results on existing NATs from recent years. In Chapter 4, we analyse the results and consider the applicability of ICE for NAT traversal. Finally, in Chapter 5, we conclude the work.

Chapter 2 Background

In this chapter we present the concepts and functions of NATs and NAT traversal. We start by introducing NATs, and take a more detailed look at two of the most common NAT types. We also show a way of classifying different NATs based on their behaviors. Finally, we explain NAT traversal and present protocols useful for the task.

2.1 Network Address