IETF Logo Mail Archive

RE: [SAFE] Addressing nested NAT issues for STUN control

"Dan Wing" <dwing@cisco.com> Thu, 25 October 2007 19:51 UTC

Return-path: <safe-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Il8k7-0002zD-N1; Thu, 25 Oct 2007 15:51:47 -0400
Received: from safe by megatron.ietf.org with local (Exim 4.43) id 1Il8k5-0002xX-Nk for safe-confirm+ok@megatron.ietf.org; Thu, 25 Oct 2007 15:51:45 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Il8k5-0002xK-E1 for safe@ietf.org; Thu, 25 Oct 2007 15:51:45 -0400
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Il8jz-0002pW-3m for safe@ietf.org; Thu, 25 Oct 2007 15:51:45 -0400
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-5.cisco.com with ESMTP; 25 Oct 2007 12:51:33 -0700
Received: from sj-core-3.cisco.com (sj-core-3.cisco.com [171.68.223.137]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id l9PJpWoJ017693; Thu, 25 Oct 2007 12:51:32 -0700
Received: from dwingwxp01 ([10.32.240.196]) by sj-core-3.cisco.com (8.12.10/8.12.6) with ESMTP id l9PJpVBu005487; Thu, 25 Oct 2007 19:51:32 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Magnus Westerlund' <magnus.westerlund@ericsson.com>, safe@ietf.org
References: <47209D16.7010902@ericsson.com>
Subject: RE: [SAFE] Addressing nested NAT issues for STUN control
Date: Thu, 25 Oct 2007 12:51:31 -0700
Message-ID: <092101c81740$7125fd40$c4f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
In-Reply-To: <47209D16.7010902@ericsson.com>
Thread-Index: AcgXDN3m/RbQqD1RTb+pVs9b/shl9AAMNROg
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4614; t=1193341892; x=1194205892; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[SAFE]=20Addressing=20nested=20NAT=20issues=20for=20S TUN=20control |Sender:=20; bh=yHDYsG6LPVMK5Hi7NejL/AnjTaxWMCQ3+cK2hIdCb0A=; b=lulGUOVHrj0qLbUpJosk1sjyjC6p8FDcXDOElQn1Z/EV7btArLFv0vnNzurUaCZ0KACxuJR6 O13LgpC8mPzGibhNPGcLEU6inLHh605+cj0RisuGccnlZ9t2Lr6t6KKY;
Authentication-Results: sj-dkim-2; header.From=dwing@cisco.com; dkim=pass (s ig from cisco.com/sjdkim2002 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 5ebbf074524e58e662bc8209a6235027
Cc:
X-BeenThere: safe@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Self-Address Fixing Evolution <safe.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/safe>
List-Post: <mailto:safe@ietf.org>
List-Help: <mailto:safe-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=subscribe>
Errors-To: safe-bounces@ietf.org

> -----Original Message-----
> From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com] 
> Sent: Thursday, October 25, 2007 6:42 AM
> To: safe@ietf.org
> Subject: [SAFE] Addressing nested NAT issues for STUN control
> 
> Hi,
> 
> Isn't there a related issue to what is brought up in section 
> 8.1 in that
> the STUN client will be able to send packets to that NAT.
> 
> If a NAT on the path has the same address as another NAT then you can
> only send to the closest one.
> 
> STUN Client 192.168.1.2
> 
> NAT-A 192.168.1.1/10.0.0.45
> 
> NAT-B 10.0.0.1/192.168.1.2
> 
> NAT-C 192.168.1.1/192.0.2.53
> 
> In this case the STUN client can't send to NAT-B as there is 
> no external
> address which routes from STUN client to NAT-B.
> 
> Have you thought of this problem? 

Yes.

> I think this one is more serious as
> private address spaces used on the internal side are limited to a few
> common ones. And here it is likely that even if the client in 
> the above
> example wasn't using 192.168.1.2 then another host in his private
> network would.

I know a way to detect such an address overlap has occurred, and abandon
STUN Control in that situation.  The only way to allow STUN Control to
work is to have each NAT participate as a STUN Control client itself
(and control the next-hop NAT).  This could work, but I haven't put much
thought into that and it seems to get complex quickly.


Detecting address overlap
-------------------------

If we want to merely detect address overlap (so that STUN Control can
be abandoned), we would need to add a way for each NAT to identify itself 
uniquely, and allow the outer NAT to learn that unique identifier from its
next-innermost NAT.  Using your example above:

  STUN Client 192.168.1.2
 
  NAT-A 192.168.1.1/10.0.0.45
 
  NAT-B 10.0.0.1/192.168.1.2
 
  NAT-C 192.168.1.1/192.0.2.53

  STUN server 161.44.1.1 (on the Internet)

The STUN client would contact the STUN server on the Internet and learn the
public IP address (192.0.2.53) of the outer-most NAT (NAT-C).  The STUN client
would then send a STUN Control message to that public IP address on the STUN
port 192.0.2.53, UDP port 3478.  NAT-C would receive that message.  What we
would add to the existing STUN Control procedure is to have NAT-C then send
its own STUN Control message to the STUN port of the next-innermost NAT's IP
address (this is the IP address NAT-C normally sends in XOR-INTERNAL-ADDRESS),
and collect a NAT-IDENTIFIER value in the response.  NAT-C would include that
NAT-IDENTIFIER value  to the STUN client.  Then, when the STUN client tries to
contact 192.168.1.1, and sees a different NAT-IDENTIFIER value, it knows it is
talking to a different NAT.  The STUN client could then abandon the STUN
Control optimization.

Message flow:

  STUN Client   NAT-A   NAT-B  NAT-C  STUN Server
      |           |       |      |        |
1.    |---------------------------------->|
      |           |       |      |        |
2.    |<----------------------------------|
      |           |       |      |        |
3.    |------------------------->|        |
      |           |       |      |        |
4.    |           |       |<-----|        |
      |           |       |      |        |
5.    |           |       |----->|        |
      |           |       |      |        |
6.    |<-------------------------|        |    
      |           |       |      |        |
7.    |---------->|       |      |        |
      |           |       |      |        |
8.    |<----------|       |      |        |
      

1-2 are classic RFC3489 STUN.  Message 3 is the existing STUN Control request
message.  Messages 4-5 are new; In message 4, NAT-C sends a STUN request to
NAT-B.  Message 5 contains NAT-B's NAT-IDENTIFIER value.  In message 6,
NAT-B's NAT-IDENTIFIER value is returned (in a new NAT-IDENTIFIER-INTERNAL
attribute), and NAT-C's identifier is returned (in a new NAT-IDENTIFIER
attribute).  In message 7, the STUN client is sending a packet to NAT-B's
public IP address; however, this is also NAT-A's public IP address, so the
message is routed to NAT-A.  In message 8, the STUN client learns NAT-A's
NAT-IDENTIFIER value, and sees it differs from the value returned in message
6.  This causes the STUN client to abandon STUN Control.

Today, STUN Control encourages the NAT to not listen on the STUN port on its
public (WAN) interface.  For this idea to work, that would need to be softened
so the NAT listens on its public interface has an RFC1918 address.

-d


_______________________________________________
SAFE mailing list
SAFE@ietf.org
https://www1.ietf.org/mailman/listinfo/safe

v2.23.0 | Report a Bug | By Email