
Page 1: The Dynamic Port Reservation Protocol

May 9, 2002 Andrew Reitz ([email protected])

The Dynamic Port Reservation Protocol

Andrew Reitz ([email protected])

Advisor: Robin Kravets ([email protected])

Page 2: The Dynamic Port Reservation Protocol

The Internet Today

• Much to the chagrin of the technical community, the Internet is still based on IPv4.

• Technologies like Network Address Translation have gained prominence, lengthening the life of IPv4.

• Rate of adoption for IPv6 is slow.

Page 3: The Dynamic Port Reservation Protocol

Network Address Translation

• Allows one valid public IP address to be shared by many machines, via a gateway that dynamically modifies the source and destination IP addresses and port numbers of packets that traverse it.

– Breaks the one-to-one IP address to Internet host model.

– Establishes the notion of public versus private hosts.

Page 4: The Dynamic Port Reservation Protocol

The Benefits of NAT

• In general, NAT works well for the most prevalent Internet applications:

– Web, e-mail, FTP (passive mode), streaming audio/video, etc.

• Security is increased, because unsolicited in-bound connections are not permitted to private hosts, and because the presence of private hosts is occluded.

Page 5: The Dynamic Port Reservation Protocol

The “Problem” With NAT

• In the last several years, there has been a large growth in applications that demand unsolicited in-bound connectivity:

– All peer-to-peer applications (file sharing, instant messaging, personal video conferencing, multiplayer games, etc.).

– Security protocols, like IPsec.

• Prominence from “Napster Bubble”.

Page 6: The Dynamic Port Reservation Protocol

Potential Solutions

• This problem has been “solved”, in various ways, by several other people/groups:

– Dan Kegel published a “UDP Hack”.

– The IETF is working on “Realm-Specific IP”.

– Eugene Ng (CMU) created the “Address Virtualization Enabling Service” (AVES).

Page 7: The Dynamic Port Reservation Protocol

Dan Kegel’s UDP Hack

• Relies upon UDP’s connectionless nature, and a NAT gateway’s ability to preserve port numbers.

• Private hosts learn of each other’s public IP address and port via a 3rd party.

• Each host begins sending UDP datagrams to the other’s public IP and port, creating enough state in each NAT gateway for a connection.

Page 8: The Dynamic Port Reservation Protocol

Page 9: The Dynamic Port Reservation Protocol

Pros and Cons of UDP Hack

• Pros:

– Minimal set of changes to existing Internet infrastructure.

– Can be added by application developers on an as-needed basis.

• Cons:

– Fails when NAT gateway must translate ports.

– Only works with UDP.
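To make the pro and the first con concrete, here is an added toy model of the UDP hack; it is not the author’s code or Dan Kegel’s. It simulates two NAT gateways, a third-party rendezvous host and the two private hosts, then checks whether each host’s datagram is delivered to the other. Every address and port is constructed, and the model makes one assumption of its own: a port-translating gateway binds each fresh mapping to the remote peer it was created for, which is what makes the public port learned via the third party useless to a different peer.

```python
"""Toy model of the UDP hack from the slides (added example, not the author's or
Dan Kegel's code). Two private hosts learn each other's public endpoint from a third
party and then send UDP datagrams to those endpoints. The model shows why the trick
works when the gateway preserves port numbers and fails when it must translate them.
Every address and port below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    public_ip: str
    preserve_ports: bool
    next_port: int = 40000
    # public port -> (private endpoint, remote peer the state is bound to; None means
    # any remote peer may use the binding)
    table: Dict[int, Tuple[Endpoint, Optional[Endpoint]]] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound datagram; return the public source endpoint it leaves with."""
        private_port = src[1]
        owner = self.table.get(private_port, (src, None))[0]
        if self.preserve_ports and owner == src:
            # Port-preserving gateway: the private port becomes the public port and the
            # binding is not tied to a particular remote peer.
            self.table.setdefault(private_port, (src, None))
            return (self.public_ip, private_port)
        # Port-translating gateway (modelled as flow-specific, an assumption of this
        # example): every new (src, dst) pair gets a fresh public port that only that
        # remote peer may answer to.
        for port, (bound_src, bound_dst) in self.table.items():
            if bound_src == src and bound_dst == dst:
                return (self.public_ip, port)
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src, dst)
        return (self.public_ip, port)

    def inbound(self, dst_port: int, remote: Endpoint) -> Optional[Endpoint]:
        """Deliver an inbound datagram only if matching state exists for it."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None
        private, bound_remote = entry
        if bound_remote is not None and bound_remote != remote:
            return None
        return private


def hole_punch(nat_a: Nat, a: Endpoint, nat_b: Nat, b: Endpoint, server: Endpoint) -> bool:
    """Run the three steps from the slides and report whether both directions connect."""
    # 1. Both hosts contact the third party, which records the public endpoints it sees.
    pub_a = nat_a.outbound(a, server)
    pub_b = nat_b.outbound(b, server)
    # 2. Each host fires a datagram at the other's advertised public endpoint; the
    #    outbound translation creates state in the sender's own gateway.
    src_a = nat_a.outbound(a, pub_b)
    src_b = nat_b.outbound(b, pub_a)
    # 3. Does A's datagram (from src_a, to pub_b) reach B, and vice versa?
    b_gets = nat_b.inbound(pub_b[1], src_a) == b
    a_gets = nat_a.inbound(pub_a[1], src_b) == a
    return a_gets and b_gets


def scenario(preserve_a: bool, preserve_b: bool) -> bool:
    """Fresh gateways for each run, so scenarios share no state (constructed addresses)."""
    nat_a = Nat("198.51.100.1", preserve_a)
    nat_b = Nat("198.51.100.2", preserve_b)
    a, b = ("10.0.0.2", 5000), ("10.1.0.2", 5000)
    server = ("203.0.113.9", 3478)
    return hole_punch(nat_a, a, nat_b, b, server)


if __name__ == "__main__":
    for pa, pb in [(True, True), (False, True), (True, False), (False, False)]:
        print(f"A preserves={pa!s:<5} B preserves={pb!s:<5} -> connected={scenario(pa, pb)}")
```

Only the run in which both gateways preserve ports connects; as soon as either side translates, the port the third party observed belongs to a binding that the peer is not allowed to use, which is the failure mode the con describes.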

Page 10: The Dynamic Port Reservation Protocol

Realm-Specific IP

• A new IETF draft, which aims to restore complete connectivity to private hosts.

• An RSIP-enabled host can obtain a lease on a public IP address from an RSIP-enabled gateway.

• Host builds “public” packets, passes to gateway via tunnel, which injects the packets into the network.

Page 11: The Dynamic Port Reservation Protocol

Page 12: The Dynamic Port Reservation Protocol

Pros and Cons of RSIP

• Pros:

– Restores complete connectivity for private hosts: even IPsec works.

• Cons:

– Requires extensive infrastructure modifications: private host IP stack, NAT gateway, application modification.

– Public IP address pool weakens NAT address conservation gains.

Page 13: The Dynamic Port Reservation Protocol

AVES

• Connectivity for NAT-friendly applications.

• Private hosts are enumerated in DNS.

• DNS server works in conjunction with waypoint server, to establish a private to public address mapping.

• Waypoint server tunnels traffic bound for private host to NAT gateway.

Page 14: The Dynamic Port Reservation Protocol

Page 15: The Dynamic Port Reservation Protocol

Pros and Cons of AVES

• Pros:

– Transparent to existing hosts.

– Supports public servers behind NAT.

• Cons:

– DNS maintenance adds complexity.

– Public IP pool exhaustion is a DoS vector.

– Ingress filtering at edge router requires all traffic to be forwarded through waypoint.

Page 16: The Dynamic Port Reservation Protocol

Room For A Better Method

• The ideal solution makes it easy to support the widespread class of applications described above (P2P).

• Must support TCP and UDP.

• In order to be deployable, cannot modify host IP stack or Internet routers.

• Shouldn’t require extra infrastructure, such as proxies that don’t scale or can fail.

Page 17: The Dynamic Port Reservation Protocol

Enter DPRP

• Aim is to make the port forwarding functionality of most NAT gateways more accessible.

• Develop protocol, so that applications can signal NAT gateway to reserve port.

• Apply DHCP techniques for managing reserved ports.

Page 18: The Dynamic Port Reservation Protocol

More Explanation

• DPRP allows end-users to reserve specific TCP or UDP ports on the NAT gateway.

• Unsolicited in-bound packets to reserved port are redirected to private host.

• Port reservation takes form of lease.

• Address/Port can be advertised through “normal” channels (URL, P2P registry, etc).

Page 19: The Dynamic Port Reservation Protocol

Page 20: The Dynamic Port Reservation Protocol

Sample Implementation

• Client and server were written in Java.

• GUI client allows end-users to reserve ports for legacy applications (web servers, etc).

• Java Napster client, XNap, was modified to include DPRP client functionality.

• Java DPRP server interacted with NAT gateway via iptables commands.

Page 21: The Dynamic Port Reservation Protocol

Security Implications

• DPRP doesn’t poke any new holes in the NAT gateway; it simply moves port forwarding from administrator to user control.

• Only as secure as applications.

• Administrator has control over DPRP use.

• DPRP-enabled worms could pose problems.
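The lease-based reservation described on the “Enter DPRP” and “More Explanation” slides, together with the administrator controls this slide relies on, as an added example that is not the author’s Java implementation: a lease table that applies administrator policy before granting a DHCP-style port lease, renews and expires leases, and renders the iptables DNAT rule the gateway would apply. Page 20 says the server drove iptables; the exact rule shape, the interface name and all policy values, addresses and ports here are this example’s assumptions.

```python
"""Added example, not the author's Java implementation: a DPRP-style lease table that
enforces the administrator controls the slides mention, hands out DHCP-like leases,
and renders (but does not run) the iptables DNAT rule a gateway would apply for each
reservation. Policy values, addresses and ports are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Policy:
    """Administrator policy (constructed values; a real gateway would load its own)."""
    allowed_ports: range = range(1024, 65536)       # users never lease privileged ports
    max_lease_seconds: int = 3600                    # cap on how long a reservation lasts
    max_leases_per_host: int = 4                     # bound the surface one host can expose
    client_network: ipaddress.IPv4Network = ipaddress.ip_network("10.0.0.0/24")


@dataclass
class Lease:
    proto: str
    public_port: int
    client_ip: str
    private_port: int
    expires_at: float


class LeaseDenied(Exception):
    """Raised when a reservation request violates administrator policy."""


@dataclass
class LeaseTable:
    policy: Policy = field(default_factory=Policy)
    # (proto, public port) -> active lease; the key is what the gateway forwards on
    leases: Dict[Tuple[str, int], Lease] = field(default_factory=dict)

    def expire(self, now: float) -> List[Lease]:
        """Drop every lease whose time is up and return them so rules can be withdrawn."""
        expired = [entry for entry in self.leases.values() if entry.expires_at <= now]
        for lease in expired:
            del self.leases[(lease.proto, lease.public_port)]
        return expired

    def reserve(self, client_ip: str, proto: str, public_port: int,
                private_port: int, seconds: int, now: float) -> Lease:
        """Grant or renew a lease, applying every policy check before touching state."""
        self.expire(now)
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise LeaseDenied(f"unsupported protocol {proto!r}")
        if ipaddress.ip_address(client_ip) not in self.policy.client_network:
            raise LeaseDenied(f"{client_ip} is not a permitted private host")
        if public_port not in self.policy.allowed_ports:
            raise LeaseDenied(f"port {public_port} is outside the administrator's allowed range")
        if seconds <= 0:
            raise LeaseDenied("lease duration must be positive")
        existing = self.leases.get((proto, public_port))
        if existing is not None and existing.client_ip != client_ip:
            raise LeaseDenied(f"{proto}/{public_port} is already leased to another host")
        held = [entry for entry in self.leases.values() if entry.client_ip == client_ip]
        if existing is None and len(held) >= self.policy.max_leases_per_host:
            raise LeaseDenied(f"{client_ip} already holds {len(held)} leases")
        # Like a DHCP server, clamp the requested duration rather than trusting the client.
        seconds = min(seconds, self.policy.max_lease_seconds)
        lease = Lease(proto, public_port, client_ip, private_port, now + seconds)
        self.leases[(proto, public_port)] = lease
        return lease


def iptables_rule(lease: Lease, wan_if: str = "eth0", add: bool = True) -> str:
    """Render the DNAT rule for a lease (rule shape and interface name are assumptions).
    A matching FORWARD accept rule is also needed when the filter policy is DROP."""
    action = "-A" if add else "-D"
    return (f"iptables -t nat {action} PREROUTING -i {wan_if} -p {lease.proto} "
            f"--dport {lease.public_port} -j DNAT "
            f"--to-destination {lease.client_ip}:{lease.private_port}")


def demo() -> Dict[str, object]:
    """Walk one reservation through grant, renewal, four policy denials and expiry."""
    table = LeaseTable()
    now = 1_000.0
    out: Dict[str, object] = {}
    lease = table.reserve("10.0.0.2", "tcp", 8080, 80, 600, now)
    out["rule"] = iptables_rule(lease)
    out["expires_at"] = lease.expires_at
    # A renewal by the same host keeps the binding; the oversized request is clamped.
    renewed = table.reserve("10.0.0.2", "tcp", 8080, 80, 99_999, now + 100)
    out["renewed_expires_at"] = renewed.expires_at
    attempts = {
        "privileged_port": ("10.0.0.3", "tcp", 80, 80, 600, now),
        "taken_by_other": ("10.0.0.3", "tcp", 8080, 80, 600, now),
        "foreign_client": ("192.0.2.7", "udp", 9000, 9000, 600, now),
    }
    for port in range(7001, 7005):                   # fill one host's quota first
        table.reserve("10.0.0.5", "udp", port, port, 600, now)
    attempts["too_many"] = ("10.0.0.5", "udp", 7005, 7005, 600, now)
    for label, args in attempts.items():
        try:
            table.reserve(*args)
            out[label] = "granted"
        except LeaseDenied as err:
            out[label] = str(err)
    # When the clock reaches the renewed expiry, every lease is withdrawn.
    expired = table.expire(renewed.expires_at)
    out["withdrawn_rules"] = [iptables_rule(entry, add=False) for entry in expired]
    out["active_after_expiry"] = len(table.leases)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The policy checks are the point of the slide: the user decides which port to expose, but the administrator still bounds the port range, the lease length, the number of leases a host may hold and which private hosts may ask at all, and an expired lease withdraws its rule without any user action.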

Page 22: The Dynamic Port Reservation Protocol

Microsoft Stole My Idea

• It appears as if a new technology called Universal Plug ‘n Play incorporates all of these ideas.

• UPnP is a network service discovery platform.

• Network elements can query each other, in order to disseminate capabilities.

Page 23: The Dynamic Port Reservation Protocol

“UPnP NAT Traversal Solution”

• A subset of UPnP that purports to provide the following services:

– Discovery of public IP address.

– Enumeration of existing port mappings.

– Addition and removal of port mappings.

– Assignment of lease times to port mappings.

• Goes the “last mile”, and takes care of the transparency problems that DPRP had.

Page 24: The Dynamic Port Reservation Protocol

Conclusion

• DPRP accomplished initial goals, in terms of application support (TCP & UDP) and deployability.

• Further technical analysis of UPnP needed.

• Will IPv6 ever see mass-acceptance?