Slide 1

Introduction to TCP/IP and NAT Traversal Techniques
Jacopo Daeli, Software Engineer
San Francisco, Mar 28th 2017, Holberton School

Slide 2

Summary
• Introduction to TCP/IP
• Network Address Translation (NAT)
• NAT Traversal Techniques
• UDP Hole Punching in action

Slide 3

What is TCP/IP?

TCP/IP, also known as the Internet protocol suite, is the set of communication protocols used on the Internet and on similar computer networks today.

Slide 4

TCP/IP overview

Slide 5

How does TCP/IP work?

Slide 6

Internet Protocol

The Internet Protocol (IP) is the main communication protocol in the TCP/IP suite. Currently there are two versions of IP: IPv4 and IPv6. IPv4 is the historical and still dominant protocol of the Internet. IPv6 is the most recent version; it was designed to solve the exhaustion of available IP addresses caused by the rapid growth in the number of devices connected to the Internet over the past 20 years.

Slide 7

IPv4

IPv4 was the first version deployed for production use, in the ARPANET in 1983. The Advanced Research Projects Agency Network (ARPANET) was an early packet-switching network and the first network to implement the TCP/IP protocol suite. ARPANET was initially funded by the Advanced Research Projects Agency (ARPA) of the United States Department of Defense.

Slide 8

IPv4

IPv4 is an address-based, connectionless protocol for packet-switched networks. IPv4 does not guarantee delivery, and it assures neither proper sequencing nor avoidance of duplicate delivery. These aspects are addressed by the transport layer above it, through protocols such as TCP. IPv4 uses 32-bit addresses, which limits the address space to 2^32 (~4.3 billion) addresses; ~18 million of them are reserved for private networks.

Slide 9

Address representation

IPv4 addresses are generally written in dot-decimal notation: the 32 bits are split into four 8-bit blocks, each expressed as a decimal number (0-255) and separated by periods, e.g. 192.168.1.10.

Slide 10

Transport protocols

Protocols in the transport layer provide application-to-application communication, in contrast with IP, which only provides host-to-host communication. These protocols include a multiplexing feature, using "ports", so that multiple applications on a single host can communicate over the same network simultaneously. Ports are similar to the recipient names on a postal address: they distinguish between different recipients at the same location.

Slide 11

TCP

The Transmission Control Protocol (TCP) is the most used protocol of the transport layer. TCP provides reliable, ordered, and error-checked delivery of a stream of bytes between applications running on hosts that communicate over an IP network. TCP is the foundation of well-known application protocols such as HTTP, FTP and SSH. TCP is a connection-oriented protocol: communication always starts with a handshake that establishes a session between the two peers.

Slide 12

TCP 3-Way Handshake

1. Initiator sends a SYNchronize packet to Responder.
2. Responder receives the SYN.
3. Responder sends a SYNchronize+ACKnowledgement to Initiator.
4. Initiator receives the SYN+ACK.
5. Initiator sends the ACKnowledge.
6. Responder receives the ACK.

TCP socket connection is ESTABLISHED.
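The six steps above, as an added example that is not part of the slides: a toy model of the handshake that also shows what the slide's packets carry, namely the sequence and acknowledgement numbers. Each side picks a random 32-bit initial sequence number (ISN) and the other side must echo ISN+1, which is what lets an endpoint drop a SYN+ACK or ACK that does not belong to a connection it is actually opening. The state names follow the TCP state machine; `Segment`, `TcpEndpoint` and the helper functions are names chosen for this example.

```python
# Added example (not from the slides): a toy model of the TCP three-way handshake
# with sequence/acknowledgement numbers. Nothing here touches a real socket.
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF


def succ(n: int) -> int:
    """Next sequence number, wrapping modulo 2^32 as TCP does."""
    return (n + 1) & MASK32


@dataclass(frozen=True)
class Segment:
    """The handshake-relevant fields of a TCP segment: flags plus SEQ/ACK numbers."""
    syn: bool
    ack: bool
    seq: int
    ack_num: int = 0


class TcpEndpoint:
    """Minimal state machine: CLOSED / LISTEN / SYN-SENT / SYN-RECEIVED / ESTABLISHED."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.state = "CLOSED"
        self.isn = secrets.randbelow(1 << 32)  # unpredictable ISN, in the spirit of RFC 6528
        self.peer_isn: Optional[int] = None

    def listen(self) -> None:
        self.state = "LISTEN"

    def connect(self) -> Segment:
        """Initiator: CLOSED -> SYN-SENT, emitting SYN with our ISN (step 1)."""
        self.state = "SYN-SENT"
        return Segment(syn=True, ack=False, seq=self.isn)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one segment; returns the reply to send, or None if nothing is sent."""
        if self.state == "LISTEN" and seg.syn and not seg.ack:
            # Responder (steps 2-3): remember the peer's ISN, answer SYN+ACK acknowledging it.
            self.peer_isn = seg.seq
            self.state = "SYN-RECEIVED"
            return Segment(syn=True, ack=True, seq=self.isn, ack_num=succ(seg.seq))
        if self.state == "SYN-SENT" and seg.syn and seg.ack:
            # Initiator (steps 4-5): accept the SYN+ACK only if it acknowledges our own ISN.
            if seg.ack_num != succ(self.isn):
                return None  # stale or spoofed SYN+ACK: drop it
            self.peer_isn = seg.seq
            self.state = "ESTABLISHED"
            return Segment(syn=False, ack=True, seq=succ(self.isn), ack_num=succ(seg.seq))
        if self.state == "SYN-RECEIVED" and seg.ack and not seg.syn:
            # Responder (step 6): the final ACK must carry the numbers both sides expect.
            if seg.ack_num == succ(self.isn) and seg.seq == succ(self.peer_isn):
                self.state = "ESTABLISHED"
            return None
        return None  # anything else is ignored in this toy model


def handshake(initiator: TcpEndpoint, responder: TcpEndpoint) -> Tuple[str, str]:
    """Run the six steps of the slide and return both endpoints' final states."""
    responder.listen()
    syn = initiator.connect()          # 1-2: SYN sent and received
    syn_ack = responder.receive(syn)   # 3-4: SYN+ACK sent and received
    ack = initiator.receive(syn_ack)   # 5-6: ACK sent and received
    responder.receive(ack)
    return initiator.state, responder.state


def forged_ack_rejected() -> bool:
    """An ACK whose acknowledgement number is wrong leaves the responder in SYN-RECEIVED."""
    responder = TcpEndpoint("server")
    responder.listen()
    responder.receive(Segment(syn=True, ack=False, seq=1000))
    bogus = Segment(syn=False, ack=True, seq=1001, ack_num=succ(succ(responder.isn)))  # off by one
    responder.receive(bogus)
    return responder.state == "SYN-RECEIVED"


if __name__ == "__main__":
    print(handshake(TcpEndpoint("client"), TcpEndpoint("server")))  # ('ESTABLISHED', 'ESTABLISHED')
    print(forged_ack_rejected())  # True
```

The `forged_ack_rejected` check is the point a practitioner cares about: a responder only reaches ESTABLISHED for a peer that has seen its SYN+ACK, so an attacker who cannot observe the ISN cannot complete the handshake blind, which is why predictable ISNs were a real weakness in early TCP stacks.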

Slide 13

UDP

The User Datagram Protocol (UDP) is an alternative to TCP for cases where reduced latency matters more than reliability (video streaming, etc.). UDP uses a simple connectionless transmission model: there is no handshake, and there is no guarantee of delivery, ordering, or duplicate protection.

Slide 14

IPv4 address exhaustion

An IP address needs to be assigned to every host (or device) that wants to connect to the Internet. IPv4 address exhaustion is the depletion of the pool of unallocated IPv4 addresses. Its acceleration is mainly due to the rapid growth in the number of devices connected to the Internet, which started in the 80s. In response to this scalability problem, several technologies have been proposed: NAT (Network Address Translation), CIDR and IPv6.

Slide 15

CIDR

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and for IP routing. CIDR is a network addressing architecture introduced as an alternative to the classful network architecture to help slow the rapid exhaustion of IPv4 addresses, by optimizing the allocation of address blocks. In practice, with classful networking, every site that needed a larger address block than a Class C network (256 addresses) received a Class B block (65,536 addresses), which was in most cases much larger than required, wasting a lot of IP addresses.

Slide 16

CIDR blocks

CIDR blocks are written as an IP address, a slash ('/') character and a decimal number n (the prefix length), e.g. 192.168.0.0/16. They facilitate routing by grouping IP addresses that share an initial sequence of bits in their binary representation. An IP address is part of a CIDR block if the initial n bits of the address and of the block's prefix are the same.

Slide 17

IPv4 private networks

Of the ~4 billion addresses defined in IPv4, ~18 million are reserved for private networks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, RFC 1918). Private IP addresses can be reused in different private networks!
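The address representation, CIDR block membership rule and private ranges from the last few slides, as one added example (not from the slides): a strict dotted-decimal parser, the "first n bits match" test done with masks, and a check of the "~18 million" figure by summing the RFC 1918 block sizes. It uses only the standard library; Python's `ipaddress` module would do the same job, but spelling the bit arithmetic out shows how the prefix test works. Function names are chosen for this example.

```python
# Added example (not from the slides): dotted-decimal parsing, CIDR membership and
# the RFC 1918 private ranges behind the slide's "~18 million" figure.

PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918


def ip_to_int(addr: str) -> int:
    """Parse strict dotted-decimal IPv4 into a 32-bit integer.

    Strict on purpose: exactly four octets, each a plain decimal 0-255. Leading zeros
    are rejected because some libc parsers (inet_aton) read "010" as octal 8, and such
    parser disagreements are a classic way to slip past an address allow-list.
    """
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not dotted-decimal: {addr!r}")
    value = 0
    for octet in parts:
        if not (octet.isascii() and octet.isdigit()) or (len(octet) > 1 and octet[0] == "0") \
                or int(octet) > 255:
            raise ValueError(f"bad octet {octet!r} in {addr!r}")
        value = (value << 8) | int(octet)
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_ipv4(addr: str) -> bool:
    """True if addr passes the strict parser above."""
    try:
        ip_to_int(addr)
        return True
    except ValueError:
        return False


def parse_cidr(block: str) -> tuple:
    """Return (network, mask) as integers for 'a.b.c.d/n'; a bare address means /32."""
    prefix, _, length = block.partition("/")
    n = int(length) if length else 32
    if not 0 <= n <= 32:
        raise ValueError(f"bad prefix length in {block!r}")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF  # the top n bits set
    return ip_to_int(prefix) & mask, mask


def in_block(addr: str, block: str) -> bool:
    """True if the first n bits of addr equal the block's prefix (the slide's rule)."""
    network, mask = parse_cidr(block)
    return ip_to_int(addr) & mask == network


def block_size(block: str) -> int:
    """Number of addresses in the block: 2^(32-n)."""
    _, mask = parse_cidr(block)
    return (~mask & 0xFFFFFFFF) + 1


def is_private(addr: str) -> bool:
    """Is addr inside one of the RFC 1918 ranges?"""
    return any(in_block(addr, block) for block in PRIVATE_BLOCKS)


if __name__ == "__main__":
    total = sum(block_size(b) for b in PRIVATE_BLOCKS)
    print(f"{total:,} private addresses")          # 17,891,328
    for candidate in ("10.20.30.40", "172.32.0.1", "192.168.1.7"):
        print(candidate, is_private(candidate))    # True, False, True
```

Note that 172.32.0.1 is not private: the /12 covers only 172.16.0.0 through 172.31.255.255, a detail that is easy to get wrong when such a check guards an SSRF or egress filter.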

Slide 18

IPv4 private networks

Hosts in a private network cannot directly communicate with public networks, because private addresses only have meaning to devices within the private network itself: there are hundreds of thousands of private networks that use the same address space. To make communication possible, IP packets with private addresses require Network Address Translation (NAT) at the routing gateway.

Slide 19

NAT

Essentially, NAT allows a small pool of public IP addresses to be shared by a large number of devices. It is important to distinguish between Basic NAT and Network Address/Port Translation (NAPT).

Slide 20

Basic NAT

Basic NAT performs one-to-one address mapping. For example, if a node in the private network wishes to access the public network, the NAT device assigns it a public IP address for that session.

Slide 21

NAPT

NAPT maps between public and private IP:port combinations. This allows for efficient use of the available public IP addresses, since many private addresses can be mapped to a single public address. NAPT is a many-to-one mapping.

Slide 22

NAT-enabled router

A NAT-enabled router appears to the outside world as a single device with a single IP address. It has one interface for connecting to the public network (the Internet) and one that serves as the Internet gateway of the private network.

Slide 23

NAT-enabled router

NAT-enabled routers offer transparent routing to hosts by mapping between the private and public address realms on the basis of a conceptual communication session. A NAT-enabled router implements a NAT translation table, hiding the details of the private network from the outside world.

(Figure: NAT translation table)

Slide 24

NAT-enabled router

Generally, a NAT-enabled router obtains its public IP address from the ISP's DHCP server, and runs its own DHCP server to assign addresses to the devices within the private network.

Slide 25

P2P communications

Peer-to-Peer (P2P) communication refers to a direct connection between two peers (or endpoints). P2P communication relies on the principle of end-to-end connectivity. It is the foundation of applications such as P2P file sharing and Voice over IP (VoIP).

Slide 26

End-to-end connectivity

By its nature, NAT breaks the principle of end-to-end connectivity originally envisioned in the design of the Internet: hosts behind two different private networks cannot communicate directly over the public Internet, so NAT traversal techniques such as the UPnP Internet Gateway Device Protocol (IGDP), the NAT Port Mapping Protocol (NAT-PMP) or NAT hole punching are required.

Slide 27

Universal Plug and Play (UPnP)

Universal Plug and Play (UPnP) is a set of networking protocols that lets networked devices seamlessly discover each other's presence on the network and establish functional network services for data sharing. The Internet Gateway Device Protocol (IGD Protocol) is a protocol for mapping specific ports in NAT setups; it is generally supported by NAT-enabled routers, is implemented on top of UPnP, and is one solution for NAT traversal.

Slide 28

Universal Plug and Play (UPnP)

With UPnP enabled (and IGDP supported), a NAT-enabled router allows any local UPnP client to perform a variety of actions, including retrieving the external IP address of the router and adding or removing port mapping rules in the NAT translation table. By adding a port mapping, a UPnP client behind the Internet Gateway Device enables traversal of the IGD from an external address to an internal address. Note that the IGD protocol carries no authentication: any process on the LAN can open an inbound port this way, which is why disabling UPnP on the gateway is a common hardening recommendation.
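The two messages a UPnP client actually sends to do what the slide describes, as an added example that is not from the slides or from any UPnP library: discovery is an SSDP M-SEARCH to multicast 239.255.255.250:1900, the gateway answers with a LOCATION URL for its device description (from which the client finds the WANIPConnection control URL), and the client then POSTs a SOAP AddPortMapping action to that URL. The argument names are those of the IGD WANIPConnection:1 service. The gateway reply, the LOCATION URL and the LAN addresses below are constructed sample values, and the functions build and parse the messages offline rather than putting them on the wire.

```python
# Added example (not from the slides): the SSDP discovery and the SOAP AddPortMapping
# request of UPnP IGD, built and parsed offline. Sample values are constructed.
from xml.sax.saxutils import escape

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_DEVICE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(search_target: str = IGD_DEVICE, mx: int = 2) -> bytes:
    """SSDP discovery request: HTTP-style headers, CRLF line endings, blank-line terminator."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",               # seconds the responder may wait before answering
        f"ST: {search_target}",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP reply into a lower-cased header dict; raises on a non-200 status line."""
    text = raw.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def build_add_port_mapping(external_port: int, protocol: str, internal_client: str,
                           internal_port: int, description: str, lease_seconds: int = 0) -> tuple:
    """Return (SOAPAction header value, XML body) for WANIPConnection:1 AddPortMapping.

    Text values are XML-escaped so a description containing '<' or '&' cannot break out
    of its element and inject extra arguments into the request.
    """
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    args = [
        ("NewRemoteHost", ""),                      # empty = any remote host
        ("NewExternalPort", str(external_port)),
        ("NewProtocol", protocol),
        ("NewInternalPort", str(internal_port)),
        ("NewInternalClient", internal_client),
        ("NewEnabled", "1"),
        ("NewPortMappingDescription", description),
        ("NewLeaseDuration", str(lease_seconds)),   # 0 = until deleted or reboot
    ]
    inner = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in args)
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{IGD_SERVICE}">{inner}</u:AddPortMapping></s:Body>'
        "</s:Envelope>"
    )
    return f'"{IGD_SERVICE}#AddPortMapping"', body


# Constructed sample reply, in the shape a gateway sends back to an M-SEARCH (not captured).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_msearch().decode())
    print(parse_ssdp_response(SAMPLE_SSDP_REPLY)["location"])
    action, body = build_add_port_mapping(60001, "UDP", "192.168.1.20", 60001, "p2p demo")
    print(action)
    print(body)
```

To use it for real, send `build_msearch()` from a UDP socket to `SSDP_ADDR`, fetch the LOCATION document, look up the control URL of the `IGD_SERVICE` entry, and POST the body with `Content-Type: text/xml` and the returned `SOAPAction` header. Nothing in that exchange identifies or authenticates the client, so any malware on the LAN can expose an internal service exactly the same way.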

Slide 29

NAT hole punching

NAT hole punching is a technique for establishing a direct connection between two peers when one or both are behind NAT-enabled routers. UDP hole punching and TCP hole punching use the UDP and TCP protocols respectively. This presentation focuses on UDP hole punching: it is easier to implement than TCP hole punching, and it is also widely supported by the NAT-enabled routers sold today.

Slide 30

NAT categorization for UDP traffic

There are four types of NAT, depending on their address binding scheme for UDP traffic (the classification introduced by the original STUN specification, RFC 3489): Full Cone, Restricted Cone, Port Restricted Cone and Symmetric.

Slide 31

Full Cone

A full cone NAT maps an internal IP address and port to the same public IP address and port regardless of the destination address and port, and any external host can send packets to the internal host through that mapped address and port.

Slide 32

Restricted Cone

A restricted cone NAT also maps an internal IP address and port to the same public IP address and port regardless of the destination address and port. However, an external host (with address X) can only send a packet to the internal host through this mapped address and port if the internal host has previously sent a packet to address X.

Slide 33

Port Restricted Cone

Similar to the restricted cone NAT, but it only accepts packets from an external host with address X and port P if the internal host has previously sent a packet to address X on port P.

Slide 34

Symmetric

A symmetric NAT creates a binding based on the source IP address and port as well as the destination IP address and port. Therefore a symmetric NAT creates a different mapping for the same internal address and port for each destination IP address and port.

Slide 35

Symmetric NAT and hole punching

Each packet from the internal host to a new external host results in a new public IP address and port binding on a symmetric NAT. Thus an external host can only send a UDP packet back to the internal host through the mapped IP address and port that was created by a previous transmission from the internal host to that external host. UDP hole punching is not possible if both peers are behind symmetric NATs, since the port each NAT allocates for the peer-to-peer session differs from the one the rendezvous server observed.

Slide 36

UDP hole punching

Briefly, UDP hole punching is a NAT traversal technique used to establish direct P2P communication between hosts without compromising the security of the private network. It consists of two phases. In the first phase, each peer behind a NAT discovers the presence and type of the NATs and firewalls between it and the Internet. In the second phase, the public address and the NAT type obtained in the first phase are used to predict the address and port number for a subsequent session between the peers.

Slide 37

UDP hole punching

In practice, establishing P2P communication between two peers (A and B) behind NAT using UDP hole punching can be summarized in 4 steps:

1. Each peer creates a UDP session with a common rendezvous server (S), which records the private and public IP address and port of the peer.
2. A asks S for help establishing a UDP session with B.
3. S replies to A with the public and private addresses of B. At the same time, S uses its UDP session with B to forward to B the connection request containing A's public and private addresses and ports. At this point, each peer knows the addresses of the other.
4. When a peer (A or B) receives the public and private addresses of the other, it starts sending UDP packets to both of these addresses and becomes connected to whichever address responds first.
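The NAPT translation table, the four NAT behaviours from the categorization slides and the four hole-punching steps above, as one added example that is not from the slides or the demo: a toy NAPT device whose `outbound` builds the translation table (many-to-one: new public port, same public IP) and whose `inbound` applies the full cone, restricted cone, port restricted cone or symmetric filtering rule, then the rendezvous steps run through two such devices. Since the two peers sit in different private networks only the public endpoints matter here, so the private addresses of step 3 are left out; a peer that receives a datagram replies to the source endpoint it actually observed, which is how a symmetric NAT on one side can still be crossed when the other side is a full or restricted cone. Addresses are constructed values from the RFC 5737 documentation ranges and no real traffic is sent.

```python
# Added example (not from the slides): a toy NAPT model implementing the four UDP
# binding/filtering behaviours, plus the four hole-punching steps run through two of them.
from enum import Enum
from itertools import count
from typing import Optional, Tuple

Endpoint = Tuple[str, int]


class NatType(Enum):
    FULL_CONE = "full cone"
    RESTRICTED_CONE = "restricted cone"
    PORT_RESTRICTED_CONE = "port restricted cone"
    SYMMETRIC = "symmetric"


class Nat:
    """A NAPT device with one public IP. Endpoints are (ip, port) tuples."""

    def __init__(self, nat_type: NatType, public_ip: str, first_port: int = 40000) -> None:
        self.nat_type = nat_type
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.table = {}    # translation table: (internal src, bound dst or None) -> public endpoint
        self.seen = set()  # (public endpoint, destination) pairs that carried outbound traffic

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing datagram; returns the public source endpoint the peer will see."""
        # Cone NATs bind on the internal endpoint only; a symmetric NAT binds per destination too.
        key = (src, dst) if self.nat_type is NatType.SYMMETRIC else (src, None)
        if key not in self.table:
            self.table[key] = (self.public_ip, next(self._ports))  # many-to-one: new port, same IP
        pub = self.table[key]
        self.seen.add((pub, dst))
        return pub

    def inbound(self, ext_src: Endpoint, pub_dst: Endpoint) -> Optional[Endpoint]:
        """Filter an incoming datagram; returns the internal endpoint, or None if it is dropped."""
        for (src, bound_dst), pub in self.table.items():
            if pub != pub_dst:
                continue
            if self.nat_type is NatType.FULL_CONE:
                return src                                   # anyone may use the mapping
            if self.nat_type is NatType.RESTRICTED_CONE:
                if any(p == pub and d[0] == ext_src[0] for p, d in self.seen):
                    return src                               # we sent to that IP before
            elif self.nat_type is NatType.PORT_RESTRICTED_CONE:
                if (pub, ext_src) in self.seen:
                    return src                               # we sent to that IP:port before
            elif bound_dst == ext_src:
                return src                                   # symmetric: only the bound peer
        return None


A, B = ("10.0.0.2", 5000), ("192.168.1.2", 6000)   # the peers' private endpoints
S = ("203.0.113.10", 3478)                           # the rendezvous server


def udp_hole_punch(nat_a: Nat, nat_b: Nat) -> Tuple[bool, bool]:
    """Run the slide's four steps; returns (A heard B, B heard A).

    Step 1 registers both peers with S, which records the public endpoints it observes;
    steps 2-3 hand each peer the other's public endpoint; step 4 has both peers send to
    it. Two rounds are simulated because a peer that receives a datagram learns the real
    source endpoint (which differs from the advertised one behind a symmetric NAT) and
    replies to that instead.
    """
    a_pub, b_pub = nat_a.outbound(A, S), nat_b.outbound(B, S)
    target_a, target_b = b_pub, a_pub        # where A and B will send, as told by S
    a_heard = b_heard = False
    for _ in range(2):
        dst_a, dst_b = target_a, target_b
        src_a = nat_a.outbound(A, dst_a)     # opens (or reuses) the hole in nat_a
        src_b = nat_b.outbound(B, dst_b)     # opens (or reuses) the hole in nat_b
        if nat_b.inbound(src_a, dst_a) == B:
            b_heard, target_b = True, src_a  # B now replies to the endpoint it really saw
        if nat_a.inbound(src_b, dst_b) == A:
            a_heard, target_a = True, src_b
    return a_heard, b_heard


def can_punch(type_a: NatType, type_b: NatType) -> bool:
    """True if both directions work with fresh NATs of the given types."""
    return all(udp_hole_punch(Nat(type_a, "198.51.100.1"), Nat(type_b, "198.51.100.2")))


if __name__ == "__main__":
    for ta in NatType:
        for tb in NatType:
            print(f"{ta.value:22} x {tb.value:22} -> {'ok' if can_punch(ta, tb) else 'FAIL'}")
```

Running it prints the usual compatibility matrix: every pairing of cone NATs succeeds, symmetric against full or restricted cone succeeds only because the cone side replies to the observed source, and symmetric against port restricted cone or symmetric fails, matching the slide's statement that two symmetric NATs cannot be punched without port prediction.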

Slide 38

Demo: UDP Hole Punching

Slide 39

Demo: UDP Hole Punching

Slide 40

Questions? @JacopoDaeli [email protected]

Slide 41

Appendix A: Router

A router is a networking device that forwards IP packets between computer networks. Routers perform the traffic-directing functions on the Internet. An IP packet is typically forwarded from one router to the next through the networks that constitute the internetwork until it reaches its destination node.

Slide 42

Appendix B: Routing Protocols

Interior gateway protocols, type 1: link-state routing protocols, such as OSPF and IS-IS.
Interior gateway protocols, type 2: distance-vector routing protocols, such as the Routing Information Protocol (RIP, RIPv2) and IGRP.
Exterior gateway protocols are routing protocols used on the Internet for exchanging routing information between Autonomous Systems, such as the Border Gateway Protocol (BGP), which is a path-vector routing protocol.