• No results found

Peer-to-Peer Systems and Security

N/A
N/A
Protected

Academic year: 2021

Share "Peer-to-Peer Systems and Security"

Copied!
70
0
0

Loading.... (view fulltext now)

Full text

(1)

Peer-to-Peer Systems and Security

Network Address Translation

Christian Grothoff

Technische Universit¨at M¨unchen

April 8, 2013

“Freedom of connection with any application to any party is the fundamental social basis of the Internet. And now, is the basis of

(2)

Network Address Translation

Why NAT?

I IPv4 address shortage I “private” network / firewall

(3)

Network Address Translation

Why is NAT relevant for P2P networks? I common type of middlebox

I Many variations in the specific implementation

I IP violation creates issues for TCP, UDP, ICMP, SCTP, ... I Problems: classification, detection, traversal, application

impact

⇒ Thousands of papers (Google Scholar gives ≥ 1 million results for “network address translation”)

(4)

Network Address Translation

Why is NAT relevant for P2P networks? I common type of middlebox

I Many variations in the specific implementation

I IP violation creates issues for TCP, UDP, ICMP, SCTP, ... I Problems: classification, detection, traversal, application

impact

⇒ Thousands of papers (Google Scholar gives ≥ 1 million results for “network address translation”)

(5)

Network Address Translation: Classification

A well-known classification scheme uses: I Full-cone NAT

I (Address)-restricted-cone NAT I Port-restricted cone NAT I Symmetric NAT

(6)

Full-Cone NAT

Server 1 Server 2 Client NAT 1 2 3

(7)

Address-restricted NAT

Server 1 Server 2 Client NAT 1 2 3

(8)

Port- and Address-restricted NAT

Server 1 Server 2 Client NAT 1 2

(9)

Symmetric NAT

Server 1

Server 2 Client

(10)

General Properties for NAT

I Which fields have to match for the NAT to map a packet from the outside?

I How long do mappings last?

I Does the NAT track the TCP session state? I How does the NAT select the external port? (port

preservation, linear, random)

I What happens with multiple inside devices using the same source port?

I How are errors (TCP RST, ICMP) processed?

I Which protocols (UDP, TCP, ICMP, SCTP, IPSec) are supported?

(11)

NAT hair-pinning

Client 2 NAT 1 2 3 Server Client 1 ?

(12)

NAT Protocol Translation (NAT-PT)

NAT-PT can be used to translate from IPv4 to IPv6 (or vice versa),

but ...

I IP options missmatch I ICMP code missmatch

(13)

NAT Protocol Translation (NAT-PT)

NAT-PT can be used to translate from IPv4 to IPv6 (or vice versa), but ...

I IP options missmatch I ICMP code missmatch

(14)

Problems with NAT

NAT breaks the end-to-end principle! I Global IP unknown to local software I Incoming connections “not possible”

I Protocols may include (LAN) addresses in WAN traffic payload

⇒ Communication becomes difficult

(15)
(16)
(17)

Simple solutions

I NATed peer initiates connection (Gnutella’s PUSH)

I Require “super peers” to not be behind NAT, limit all-to-all communication to super peers

(18)

NAT Traversal [5]

I Explicit support by the NAT (Static port forwarding, UPnP, NAT-PMP, ALG)

I NAT-behaviour based approaches (Hole punching, STUN [4]) I External data-relay (TURN [1])

(19)

DNAT / PMP / UPnP

I DNAT / port forwarding allows inbound connections

I Port Mapping Protocol (PMP) allows LAN applications to request DNAT entries and discover external IP

I UPnP is an insane protocol, that (among other things) also allows applications to request DNAT entries and determine external IP

I Both usually fail for cascaded NATs, and are often disabled for security reasons

(20)

DNAT / PMP / UPnP

I DNAT / port forwarding allows inbound connections I Port Mapping Protocol (PMP) allows LAN applications to

request DNAT entries and discover external IP

I UPnP is an insane protocol, that (among other things) also allows applications to request DNAT entries and determine external IP

I Both usually fail for cascaded NATs, and are often disabled for security reasons

(21)

DNAT / PMP / UPnP

I DNAT / port forwarding allows inbound connections I Port Mapping Protocol (PMP) allows LAN applications to

request DNAT entries and discover external IP

I UPnP is an insane protocol, that (among other things) also allows applications to request DNAT entries and determine external IP

I Both usually fail for cascaded NATs, and are often disabled for security reasons

(22)

Application Layer Gateway (ALG)

I implemented by NAT

I common protocols that include addresses: SIP, FTP, IRC I NAT may or may not support it!

Idea: use “pretend” FTP to open port for non-FTP applications! [6]

(23)

Application Layer Gateway (ALG)

I implemented by NAT

I common protocols that include addresses: SIP, FTP, IRC I NAT may or may not support it!

Idea: use “pretend” FTP to open port for non-FTP applications! [6]

(24)

Session Traversal Utilities for NAT (STUN)

I Determines external transport address (IP + port) I Lightweight client-server protocol on top of UDP

I Algorithm to discover NAT type (server needs 2 public IPs) I STUN server can also act as rendezvous point

(25)
(26)
(27)

UDP hole punching with ICMP Unreachable

H1 MB1 Hop MB2 H2

exchange endpoints through 3rd party

endpoints

UDP (lost)

ICMP port unreachable

UDP (payload)

(28)

UDP hole punching with ICMP TTL exceeded

H1 MB1 Hop MB2 H2

exchange endpoints through 3rd party

endpoints

UDP (low TTL, lost)

ICMP TTL exceeded

UDP (payload)

(29)

Example: UDP-based traversal

Given a NAT that preserves ports for UDP with external address “natIP”, this can suffice:

nat/1 $ nc -u -l -p 20000

client$ watch echo "hello" | nc -p 5000 -u natIP 20000 -w 1 nat/2 $ echo hello | nc -p 20001 -u clientIP 5000

If UDP hole punching is used, how could a STUN server launch a MitM attack?

(30)

TCP hole punching with RST

H1 MB1 Hop MB2 H2

exchange endpoints through 3rd party

endpoints TCP SYN TCP RST TCP SYN TCP SYN / ACK TCP ACK

(31)

TCP hole punching with ICMP TTL

H1 MB1 Hop MB2 H2

exchange endpoints through 3rd party

endpoints TCP SYN (low TTL) ICMP TTL exceeded TCP SYN TCP SYN / ACK TCP ACK

(32)

Autonomous NAT Traversal

ICMP Packet Type TTL EXCEEDED Source 130.253.8.41 Destination 131.159.15.231 Data ICMP Packet Type ECHO REQUEST Source 131.159.15.231 Destination 1.2.3.4 Data 12368

ICMP Packet Type ECHO REQUEST Source 192.168.1.1 Destination 1.2.3.4 Data NULL ICMP Packet

Type ECHO REQUEST Source 131.159.15.231 Destination 1.2.3.4 Data NULL 1 2 1.2.3.4 NAT Host Non-NAT Host

(33)

Autonomous NAT Traversal: discussion

Enables initiation of connections to hosts behind NAT without involving a third party at the time.

+ Simpler to implement

+ Efficient, completely distributed method

+ Third party can not observe connections

+ Works well for UDP and TCP

(34)

Using UDP instead of ICMP ECHO REQUEST

+ No RAW sockets required for sending periodic requests

+ Might help punch hole

- Slightly bigger messages

- Smaller response payload (32 bits only)

(35)

NAT Traversal Summary

There are many non-trivial methods for NAT traversal:

I Explicit support by the NAT (Static port forwarding, UPnP, NAT-PMP, ALG)

I NAT-behaviour based approaches (Hole punching, STUN) I External data-relay (TURN)

I Autonomous NAT Traversal

None of these is perfect, NAT traversal usually uses a combination of techniques (see ICE [3]).

(36)

Network Neutrality

Phone system design:

I Quality-of-service for voice (provisioned bandwidth) I Payment models:

I charges based on source and destination (country, mobile / landline / service numbers)

I caller-pays

I callee-pays

I everybody-pays: {roaming-, per-call-, monthly service-, directory listing-, phone number-, caller-ID-, billing-...} charges Internet design:

I “best-effort” IP forwarding, agnostic to source, destination and payload

(37)

Network Neutrality

Phone system design:

I Quality-of-service for voice (provisioned bandwidth) I Payment models:

I charges based on source and destination (country, mobile / landline / service numbers)

I caller-pays

I callee-pays

I everybody-pays: {roaming-, per-call-, monthly service-, directory listing-, phone number-, caller-ID-, billing-...} charges Internet design:

I “best-effort” IP forwarding, agnostic to source, destination and payload

(38)

Network Neutrality

Phone system design:

I Quality-of-service for voice (provisioned bandwidth) I Payment models:

I charges based on source and destination (country, mobile / landline / service numbers)

I caller-pays

I callee-pays

I everybody-pays: {roaming-, per-call-, monthly service-, directory listing-, phone number-, caller-ID-, billing-...} charges

Internet design:

I “best-effort” IP forwarding, agnostic to source, destination and payload

(39)

Network Neutrality

Phone system design:

I Quality-of-service for voice (provisioned bandwidth) I Payment models:

I charges based on source and destination (country, mobile / landline / service numbers)

I caller-pays

I callee-pays

I everybody-pays: {roaming-, per-call-, monthly service-, directory listing-, phone number-, caller-ID-, billing-...} charges Internet design:

I “best-effort” IP forwarding, agnostic to source, destination and payload

(40)

Network Neutrality

Phone system design:

I Quality-of-service for voice (provisioned bandwidth) I Payment models:

I charges based on source and destination (country, mobile / landline / service numbers)

I caller-pays

I callee-pays

I everybody-pays: {roaming-, per-call-, monthly service-, directory listing-, phone number-, caller-ID-, billing-...} charges Internet design:

I “best-effort” IP forwarding, agnostic to source, destination and payload

(41)

Paradoxes in Phones Systems

I Alice can call Bob for free (flatrate), but Bob pays to call Alice (“call me back, please?”)

I Calling mobile phones in the US costs the callee, but calling mobile phones in Europe costs the caller

Phone companies charge where they can, not where it makes technical sense!

(42)

Paradoxes in Phones Systems

I Alice can call Bob for free (flatrate), but Bob pays to call Alice (“call me back, please?”)

I Calling mobile phones in the US costs the callee, but calling mobile phones in Europe costs the caller

Phone companies charge where they can, not where it makes technical sense!

(43)

Paradoxes in Phones Systems

I Alice can call Bob for free (flatrate), but Bob pays to call Alice (“call me back, please?”)

I Calling mobile phones in the US costs the callee, but calling mobile phones in Europe costs the caller

Phone companies charge where they can, not where it makes technical sense!

(44)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(45)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6)

I Incoming connections I non-HTTP traffic I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(46)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(47)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic

I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(48)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic I Using Voice-over-IP

I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(49)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(50)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(51)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers

I Using UDP

(52)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(53)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(54)

Ideas for Internet Surcharges

I Global IP address (IPv4, IPv6) I Incoming connections

I non-HTTP traffic I Using Voice-over-IP I Downloading videos

I Accessing Google (advanced search) in addition to Bing (basic search)

I Accessing non-European service providers I Using UDP

(55)

Have you read your ISP’s terms of service?

Would your friends understand such restrictions?

Would enough of them care to switch providers?

Can they switch providers?

(56)

Have you read your ISP’s terms of service?

Would your friends understand such restrictions?

Would enough of them care to switch providers?

Can they switch providers?

(57)

Have you read your ISP’s terms of service?

Would your friends understand such restrictions?

Would enough of them care to switch providers?

Can they switch providers?

(58)

Have you read your ISP’s terms of service?

Would your friends understand such restrictions?

Would enough of them care to switch providers?

Can they switch providers?

(59)

Have you read your ISP’s terms of service?

Would your friends understand such restrictions?

Would enough of them care to switch providers?

Can they switch providers?

(60)

Creative Methods

I Sell “low-latency” plan to service providers

⇒ Micosoft pays for 50 ms Bing, Google gets 5s penalty latency I Give customers illusion of speed

⇒ Prefer traffic to URLs with “speedtest” in them I Reduce quality of VoiP calls via artifical drops

⇒ Force customers to pay extra for voice service I Reduce bandwidth for P2P traffic

(61)

Creative Methods

I Sell “low-latency” plan to service providers

⇒ Micosoft pays for 50 ms Bing, Google gets 5s penalty latency

I Give customers illusion of speed

⇒ Prefer traffic to URLs with “speedtest” in them I Reduce quality of VoiP calls via artifical drops

⇒ Force customers to pay extra for voice service I Reduce bandwidth for P2P traffic

(62)

Creative Methods

I Sell “low-latency” plan to service providers

⇒ Micosoft pays for 50 ms Bing, Google gets 5s penalty latency I Give customers illusion of speed

⇒ Prefer traffic to URLs with “speedtest” in them

I Reduce quality of VoiP calls via artifical drops

⇒ Force customers to pay extra for voice service I Reduce bandwidth for P2P traffic

(63)

Creative Methods

I Sell “low-latency” plan to service providers

⇒ Micosoft pays for 50 ms Bing, Google gets 5s penalty latency I Give customers illusion of speed

⇒ Prefer traffic to URLs with “speedtest” in them I Reduce quality of VoiP calls via artifical drops

⇒ Force customers to pay extra for voice service

I Reduce bandwidth for P2P traffic

(64)

Creative Methods

I Sell “low-latency” plan to service providers

⇒ Micosoft pays for 50 ms Bing, Google gets 5s penalty latency I Give customers illusion of speed

⇒ Prefer traffic to URLs with “speedtest” in them I Reduce quality of VoiP calls via artifical drops

⇒ Force customers to pay extra for voice service I Reduce bandwidth for P2P traffic

(65)

Can we detect such creative methods?

How can we circumvent them?

Can enough of society understand the problem?

(66)

Can we detect such creative methods?

How can we circumvent them?

Can enough of society understand the problem?

(67)

Can we detect such creative methods?

How can we circumvent them?

Can enough of society understand the problem?

(68)

Can we detect such creative methods?

How can we circumvent them?

Can enough of society understand the problem?

(69)

Questions?

?

“Just as we are beginning to see the power that free resources produce, changes in the architecture of the Internet–both legal and

technical–are sapping the Internet of this power. Fueled by bias in favor of control, pushed by those whose financial interest favor control, our social and political institutions are ratifying changes in the Internet that will reestablish control, in turn, reduce innovation

(70)

References

R. Mahy, P. Matthews, and J. Rosenberg.

Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN).

RFC 5766 (Proposed Standard), April 2010.

Andreas M¨uller, Nathan Evans, Christian Grothoff, and Samy Kamkar.

Autonomous nat traversal.

In 10th IEEE International Conference on Peer-to-Peer Computing (IEEE P2P 2010), pages 61–64, 2010.

J. Rosenberg.

Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols.

RFC 5245 (Proposed Standard), April 2010. Updated by RFC 6336.

J. Rosenberg, R. Mahy, P. Matthews, and D. Wing.

Session Traversal Utilities for NAT (STUN).

RFC 5389 (Proposed Standard), October 2008.

P. Srisuresh, B. Ford, and D. Kegel.

State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs).

RFC 5128 (Informational), March 2008.

M. Wander, S. Holzapfel, A. Wacker, and T. Weis.

Ntalg - tcp nat traversal with application-level gateways.

References

Related documents

This attack deals twice as much Intelligence damage and heals the cerebric cyst of twice as much damage if the victim can cast psychic spells (including by virtue of possessing

and confirmed my main reasons for attending the seminar: teaching the subject of the Holocaust in a way that would make it something of personal significance

PCB-might baaorw a rerioucr

We describe a pyrolytic procedure that via a citrate synthesis allowed us to obtain very fine grained YBCO powders that, after a first furnace thermal treatment in ozone,

The Environmental Research Group Oxford was commissioned in 1988 by Oxfam United Kingdom to conduct a two-season aerial survey of livestock, human population, vegetation and

(c) The registrant shall ensure that individual performing quality control tests described in Table 3, Computed Tomography Quality Control Requirements, above is either a licensed

The mission planning required for the successlul achievement of this desired mlssion w l l l be the decldlng factor i n suct~ design aspects 8s payload cspabilites

The  structure  of  the  religious  community  has  an  ambivalent  influence  on  possible