May 9, 2002 Andrew Reitz ([email protected])
The Dynamic Port Reservation Protocol
Andrew Reitz ([email protected])
Advisor: Robin Kravets ([email protected])
The Internet Today
• Much to the chagrin of the technical community, the Internet is still based on IPv4.
• Technologies like Network Address Translation have gained prominence, lengthening the life of IPv4.
• Rate of adoption for IPv6 is slow.
Network Address Translation
• Allows one valid public IP address to be shared by many machines, via a gateway that dynamically modifies source and destination IP address and port numbers of packets that traverse it.
– Breaks the one-to-one IP address to Internet host model.
– Establishes the notion of public versus private hosts.
The Benefits of NAT
• In general, NAT works well for the most prevalent Internet applications:
– Web, E-mail, FTP (passive mode), streaming audio/video, etc.
• Security is increased, because unsolicited in-bound connections are not permitted to private hosts, and because the presence of private hosts is occluded.
The “Problem” With NAT
• In the last several years, there has been a large growth in applications that demand unsolicited in-bound connectivity:
– All peer-to-peer applications (file sharing, instant messaging, personal video conferencing, multiplayer games, etc.).
– Security protocols, like IPsec.
• Prominence from “Napster Bubble”.
Potential Solutions
• This problem has been “solved”, in various ways, by several other people/groups:
– Dan Kegel published a “UDP Hack”.
– The IETF is working on “Realm-Specific IP”.
– Eugene Ng (CMU) created the “Address Virtualization Enabling Service” (AVES).
Dan Kegel’s UDP Hack
• Relies upon UDP’s connectionless nature, and the NAT gateway’s ability to preserve port numbers.
• Private hosts learn of each other’s public IP address and port via a third party.
• Each host begins sending UDP datagrams to the other’s public IP address and port, creating enough state in each NAT gateway for a connection.
Pros and Cons of UDP Hack
• Pros:
– Minimal set of changes to existing Internet infrastructure.
– Can be added by application developers on an as-needed basis.
• Cons:
– Fails when NAT gateway must translate ports.
– Only works with UDP.
Realm-Specific IP
• A new IETF draft, which aims to restore complete connectivity to private hosts.
• An RSIP-enabled host can obtain a lease on a public IP address from an RSIP-enabled gateway.
• Host builds “public” packets and passes them to the gateway via a tunnel; the gateway injects the packets into the network.
Pros and Cons of RSIP
• Pros:
– Restores complete connectivity for private hosts: even IPsec works.
• Cons:
– Requires extensive infrastructure modifications: private host IP stack, NAT gateway, application modification.
– Public IP address pool weakens NAT address conservation gains.
AVES
• Connectivity for NAT-friendly applications.
• Private hosts are enumerated in DNS.
• DNS server works in conjunction with waypoint server, to establish a private to public address mapping.
• Waypoint server tunnels traffic bound for private host to NAT gateway.
Pros and Cons of AVES
• Pros:
– Transparent to existing hosts.
– Supports public servers behind NAT.
• Cons:
– DNS maintenance adds complexity.
– Public IP pool exhaustion is a DoS.
– Ingress filtering at edge router requires all traffic to be forwarded through waypoint.
Room For A Better Method
• The ideal solution makes it easy to support the widespread class of applications (P2P).
• Must support TCP and UDP.
• In order to be deployable, cannot modify host IP stack or Internet routers.
• Shouldn’t require extra infrastructure, such as proxies that don’t scale or can fail.
Enter DPRP
• Aim is to make the port forwarding functionality of most NAT gateways more accessible.
• Develop protocol, so that applications can signal NAT gateway to reserve port.
• Apply DHCP techniques for managing reserved ports.
More Explanation
• DPRP allows end-users to reserve specific TCP or UDP ports on the NAT gateway.
• Unsolicited in-bound packets to reserved port are redirected to private host.
• Port reservation takes form of lease.
• Address/Port can be advertised through “normal” channels (URL, P2P registry, etc).
Sample Implementation
• Client and server were written in Java.
• GUI client allows end-users to reserve ports for legacy applications (web servers, etc).
• Java Napster client, XNap, was modified to include DPRP client functionality.
• Java DPRP server interacted with NAT gateway via iptables commands.
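To make the lease model from the previous two slides concrete, here is an added Python sketch of the server-side lease table (not the original Java implementation): ports are leased DHCP-style with an expiry, only the holder may renew, an administrator-set port range is enforced, and the equivalent iptables DNAT rules are produced as strings rather than executed. The public and private addresses are constructed sample values.

```python
import time
from dataclasses import dataclass


@dataclass
class Lease:
    proto: str       # "tcp" or "udp"
    port: int        # public port reserved on the NAT gateway
    private_ip: str  # private host that unsolicited in-bound packets are redirected to
    expires: float   # absolute expiry time, seconds since the epoch


class DprpServer:
    """Toy DPRP lease table: DHCP-style leases on NAT gateway ports (constructed example)."""

    def __init__(self, public_ip, allowed_ports=range(1024, 65536), default_ttl=3600):
        self.public_ip = public_ip
        self.allowed_ports = allowed_ports  # administrator policy: which ports users may lease
        self.default_ttl = default_ttl
        self.leases = {}                    # (proto, port) -> Lease

    def expire(self, now=None):
        """Drop leases whose lifetime has elapsed; returns the dropped leases."""
        now = time.time() if now is None else now
        dead = [l for l in self.leases.values() if l.expires <= now]
        for l in dead:
            del self.leases[(l.proto, l.port)]
        return dead

    def reserve(self, proto, port, private_ip, ttl=None, now=None):
        """Reserve, or renew, a port lease for private_ip; raises on policy violations."""
        now = time.time() if now is None else now
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError("DPRP reserves TCP or UDP ports only")
        if port not in self.allowed_ports:
            raise PermissionError("port outside administrator-permitted range")
        self.expire(now)  # stale leases are cleared before the table is consulted
        held = self.leases.get((proto, port))
        if held is not None and held.private_ip != private_ip:
            raise LookupError("port already leased to another private host")
        lease = Lease(proto, port, private_ip, now + (ttl or self.default_ttl))
        self.leases[(proto, port)] = lease
        return lease

    def iptables_rules(self):
        """DNAT rules matching the lease table, like the sample server's iptables calls (strings only)."""
        return [f"iptables -t nat -A PREROUTING -d {self.public_ip} -p {l.proto} --dport {l.port} "
                f"-j DNAT --to-destination {l.private_ip}:{l.port}"
                for l in sorted(self.leases.values(), key=lambda l: (l.proto, l.port))]
```

Calling `expire()` periodically and removing the rule for each returned lease is what keeps a forwarded port from outliving the application that asked for it.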
Security Implications
• DPRP doesn’t poke any new holes in the NAT gateway; it simply moves port forwarding from administrator to user control.
• Only as secure as applications.
• Administrator has controls over DPRP use.
• DPRP-enabled worms could pose problems.
Microsoft Stole My Idea
• It appears as if a new technology called Universal Plug ‘n Play incorporates all of these ideas.
• UPnP is a network service discovery platform.
• Network elements can query each other, in order to disseminate capabilities.
“UPnP NAT Traversal Solution”
• A subset of UPnP, that purports to provide the following services:
– Discovery of public IP address.
– Enumeration of existing port mappings.
– Addition and removal of port mappings.
– Assignment of lease times to port mappings.
• Goes the “last mile”, and takes care of the transparency problems that DPRP had.
Conclusion
• DPRP accomplished initial goals, in terms of application support (TCP & UDP) and deployability.
• Further technical analysis of UPnP needed.
• Will IPv6 ever see mass-acceptance?