Review: Characterization and Measurement of TCP Traversal through NATs and Firewalls

From: Robert Danek <rdanek_at_sympatico.ca>
Date: Fri, 1 Dec 2006 15:48:28 -0500

(As discussed with Stefan, this review is _not_ for "IPNL: A
NAT-Extended Internet Architecture" as the link specifies. It is for
the paper "Characterization and Measurement of TCP Traversal through
NATs and Firewalls", which I wrote prior to the last minute change in
the paper-reading schedule.)

Paper: "Characterization and Measurement of TCP Traversal through NATs
and Firewalls"

        Nodes in a network may be behind a Network Address Translator (NAT).
When this is the case, the network address associated with a given node
on one side of the NAT is different from the network address associated
with a node on the other side of the NAT. This makes establishing
connections between two nodes that are behind different NATs difficult,
since neither knows the proper address to which it should request a
connection. Solutions have been proposed for establishing UDP-based
communication between nodes in such network setups, but TCP connections
are even more problematic. The paper "Characterization and Measurement
of TCP Traversal through NATs and Firewalls" examines the situation with
respect to TCP communication across NATs, proposing potential solutions
and studying their efficacy.

        The paper begins by examining schemes that have been proposed for
establishing TCP connections across NATs. There exists some commonality
between the different schemes. In all of the proposals, both endpoints
attempt to establish a TCP connection to an address determined using a
technique called port prediction. The desired effect of this action is
to have the outbound SYN packet establish necessary state within each
node's NAT. Once the state in the NAT is established, the schemes
diverge in how they reconcile the two connection attempts into a single
TCP connection.

        The schemes discussed in the paper include STUNT, NATBlaster,
Peer-to-Peer NAT, and variants of these. None of these schemes are
foolproof, having a collection of drawbacks, including but not limited
to: the necessity of guessing a magic time-to-live (TTL) value to use
for the initial SYN packets so that the SYN packet can make it to the
outside network beyond the NAT, but not as far as the peer's NAT; the
NAT must not behave badly in the face of ICMP errors; the requirement to
do IP address spoofing; and the necessity for superuser privileges in
the OS being used.

        The paper demonstrated an 88% average success rate in establishing TCP
connections with NATs existing in the "wild" (i.e., non-lab scenario).
The paper further demonstrated a 100% success rate when certain common
types of NATs were used.

        Overall, this was a good paper. Like the other paper on NATs that we
read, this one provides relevant information for NAT and firewall
vendors so that they can implement their products with an eye to
supporting peer-to-peer communication.
Received on Fri Dec 01 2006 - 15:48:32 EST
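As an added illustration (not part of the review or of the paper), here is a toy Python model of the common core the review describes: each peer learns its current mapping through a helper, predicts the port its connection socket will be given, and sends a SYN to the peer's predicted public endpoint with a TTL that gets past its own NAT but not as far as the peer's NAT. The NAT policy, hop counts, addresses and port-allocation rule are assumptions of the model.

```python
CORE_HOPS = 10  # assumed router hops between the two NATs' public interfaces


class Nat:
    """Toy NAT: endpoint-independent mapping, sequential port allocation,
    address-and-port-restricted filtering (all assumed behaviour)."""

    def __init__(self, public_ip, dist, first_port=40000):
        self.public_ip, self.dist = public_ip, dist  # dist: hops from host to NAT
        self.next_port, self.mapping, self.allowed = first_port, {}, set()

    def outbound(self, src, dst, ttl):
        """Forward a packet from internal endpoint src towards public endpoint dst.
        Returns (public_src, remaining_ttl), or (None, None) if the TTL ran out
        before the packet reached the NAT (so no NAT state was created)."""
        if ttl < self.dist:
            return None, None
        if src not in self.mapping:          # first packet from src: take next port
            self.mapping[src] = self.next_port
            self.next_port += 1
        ext = (self.public_ip, self.mapping[src])
        self.allowed.add((ext[1], dst))      # packets from dst to this port now pass
        return ext, ttl - self.dist

    def inbound(self, dst_port, src):
        """Would an inbound packet from public endpoint src to dst_port be let in?"""
        return (dst_port, src) in self.allowed


HELPER = ("198.51.100.1", 3478)  # constructed address of the mapping-discovery helper


def predict_port(nat, probe_src):
    """Port prediction: learn the port a probe socket was mapped to and assume
    the connection socket opened next gets the following port (sequential NAT)."""
    ext, _ = nat.outbound(probe_src, HELPER, 64)
    return ext[1] + 1


def hole_punch(nat_a, a, nat_b, b, ttl):
    """Both peers SYN to the other's predicted public endpoint with the given TTL.
    Returns (punched, reached_peer_nat): punched means each NAT now admits the
    peer's SYN; reached_peer_nat means the low-TTL SYN went too far."""
    pub_a = (nat_a.public_ip, predict_port(nat_a, (a[0], a[1] - 1)))
    pub_b = (nat_b.public_ip, predict_port(nat_b, (b[0], b[1] - 1)))
    ext_a, rem_a = nat_a.outbound(a, pub_b, ttl)
    ext_b, rem_b = nat_b.outbound(b, pub_a, ttl)
    reached_peer = rem_a is not None and rem_a > CORE_HOPS  # SYN got to the far NAT
    punched = (ext_a == pub_a and ext_b == pub_b
               and nat_a.inbound(pub_a[1], pub_b) and nat_b.inbound(pub_b[1], pub_a))
    return punched, reached_peer
```

With both NATs three hops from their hosts, a TTL of 5 punches the hole without reaching the far NAT, a TTL of 64 punches it but lets the SYN reach the peer's NAT, and a TTL of 2 dies before creating any state.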