The Dynamic Port Reservation Protocol - PowerPoint PPT Presentation

Description:

A new IETF draft, which aims to restore complete connectivity to private hosts. ... Connectivity for NAT-friendly applications. Private hosts are enumerated in DNS. ... – PowerPoint PPT presentation

Slides: 25
Provided by: andrew331

Transcript and Presenter's Notes

1
The Dynamic Port Reservation Protocol
  • Andrew Reitz (ajr9_at_po.cwru.edu)
  • Advisor Robin Kravets (rhk_at_cs.uiuc.edu)

2
The Internet Today
  • Much to the chagrin of the technical community,
    the Internet is still based on IPv4.
  • Technologies like Network Address Translation
    have gained prominence, lengthening the life of
    IPv4.
  • Rate of adoption for IPv6 is slow.

3
Network Address Translation
  • Allows one valid public IP address to be shared
    by many machines, via a gateway that dynamically
    modifies source and destination IP address and
    port numbers of packets that traverse it.
  • Breaks the one-to-one IP address to Internet host
    model.
  • Establishes the notion of public versus private
    hosts.

4
The Benefits of NAT
  • In general, NAT works well for the most prevalent
    Internet applications
  • Web, E-mail, FTP (passive mode), streaming
    audio/video, etc.
  • Security is increased, because unsolicited
    in-bound connections are not permitted to private
    hosts, and because the presence of private hosts
    is occluded.

5
The Problem With NAT
  • In the last several years, there has been a large
    growth in applications that demand unsolicited
    in-bound connectivity
  • All peer-to-peer applications (file sharing,
    instant messaging, personal video conferencing,
    multiplayer games, etc.).
  • Security protocols, like IPsec.
  • Prominence from Napster Bubble.

6
Potential Solutions
  • This problem has been solved, in various ways,
    by several other people/groups
  • Dan Kegel published a UDP Hack
  • The IETF is working on Realm-Specific IP
  • Eugene Ng (CMU) created the Address
    Virtualization Enabling Service (AVES).

7
Dan Kegel's UDP Hack
  • Relies upon UDP's connectionless nature, and the NAT
    gateway's ability to preserve port numbers.
  • Private hosts learn of each other's public IP
    address and port via a third party.
  • Each host begins sending UDP datagrams to the
    other's public IP, forging enough state in each
    NAT gateway for a connection.

8
(No Transcript)
9
Pros and Cons of UDP Hack
  • Pros
    • Minimal set of changes to existing Internet
      infrastructure.
    • Can be added by application developers on an
      as-needed basis.
  • Cons
    • Fails when NAT gateway must translate ports.
    • Only works with UDP.
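
As an added illustration of slides 7 and 9 (not code from the presentation), the following Python model shows why the UDP hack depends on port preservation: a toy NAT that either keeps or rewrites source ports, and a rendezvous in which each host advertises the public IP seen by the third party together with its own local port (an assumption about how the hack is carried out).

```python
"""Constructed model of the UDP hack: two private hosts behind NATs learn each
other's public endpoint via a third party and send datagrams toward it."""
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Minimal NAT: outbound packets create a mapping; inbound packets are
    delivered only if they hit an existing mapping, otherwise dropped."""
    public_ip: str
    preserve_ports: bool                 # port-preserving vs. port-translating
    next_port: int = 40000               # allocator for translated ports
    table: dict = field(default_factory=dict)    # (priv_ip, priv_port) -> pub_port
    reverse: dict = field(default_factory=dict)  # pub_port -> (priv_ip, priv_port)

    def outbound(self, src):
        """Translate an outbound datagram's source, allocating a mapping if new."""
        if src not in self.table:
            pub_port = src[1] if self.preserve_ports else self.next_port
            self.next_port += 1
            self.table[src] = pub_port
            self.reverse[pub_port] = src
        return (self.public_ip, self.table[src])

    def inbound(self, dst_port):
        """Return the private endpoint for dst_port, or None if dropped."""
        return self.reverse.get(dst_port)


def hole_punch(nat_a, host_a, nat_b, host_b):
    """One punch attempt; returns (a_reached_b, b_reached_a).

    host_* are (private_ip, local_port). Assumption: each host reports its
    local port and the third party supplies the public IP it observed, which
    is exactly why the scheme relies on port preservation (slide 7)."""
    # Step 1: both hosts contact the third party; NAT state is created and the
    # third party learns each public IP from the packet source address.
    pub_ip_a, _ = nat_a.outbound(host_a)
    pub_ip_b, _ = nat_b.outbound(host_b)
    # Step 2: third party hands each host the peer's public IP and local port.
    target_a = (pub_ip_a, host_a[1])
    target_b = (pub_ip_b, host_b[1])
    # Step 3: each host sends datagrams to the advertised endpoint; delivery
    # succeeds only if the peer NAT's mapping uses that exact port.
    a_reached_b = nat_b.inbound(target_b[1]) == host_b
    b_reached_a = nat_a.inbound(target_a[1]) == host_a
    return a_reached_b, b_reached_a
```

With both NATs preserving ports the punch succeeds in both directions; as soon as one side translates ports, datagrams toward that side are dropped, which is the first "con" on slide 9.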

10
Realm-Specific IP
  • A new IETF draft, which aims to restore complete
    connectivity to private hosts.
  • An RSIP-enabled host can obtain a lease on a
    public IP address from an RSIP-enabled gateway.
  • Host builds public packets, passes to gateway
    via tunnel, which injects the packets into the
    network.

11
(No Transcript)
12
Pros and Cons of RSIP
  • Pros
    • Restores complete connectivity for private hosts;
      even IPsec works.
  • Cons
    • Requires extensive infrastructure modifications:
      private host IP stack, NAT gateway, and
      application modifications.
    • Public IP address pool weakens NAT address
      conservation gains.

13
AVES
  • Connectivity for NAT-friendly applications.
  • Private hosts are enumerated in DNS.
  • DNS server works in conjunction with waypoint
    server, to establish a private to public address
    mapping.
  • Waypoint server tunnels traffic bound for private
    host to NAT gateway.

14
(No Transcript)
15
Pros and Cons of AVES
  • Pros
    • Transparent to existing hosts.
    • Supports public servers behind NAT.
  • Cons
    • DNS maintenance adds complexity.
    • Public IP pool exhaustion is a DoS vector.
    • Ingress filtering at edge router requires all
      traffic to be forwarded through waypoint.

16
Room For A Better Method
  • The ideal solution makes it easy to support the
    widespread applications (P2P).
  • Must support TCP and UDP.
  • In order to be deployable, cannot modify host IP
    stack or Internet routers.
  • Shouldn't require extra infrastructure, such as
    proxies that don't scale or can fail.

17
Enter DPRP
  • Aim is to make the port forwarding functionality
    of most NAT gateways more accessible.
  • Develop protocol, so that applications can signal
    NAT gateway to reserve port.
  • Apply DHCP techniques for managing reserved ports.

18
More Explanation
  • DPRP allows end-users to reserve specific TCP or
    UDP ports on the NAT gateway.
  • Unsolicited in-bound packets to reserved port are
    redirected to private host.
  • Port reservation takes form of lease.
  • Address/Port can be advertised through normal
    channels (URL, P2P registry, etc).

19
(No Transcript)
20
Sample Implementation
  • Client and server were written in Java.
  • GUI client allows end-users to reserve ports for
    legacy applications (web servers, etc).
  • Java Napster client, XNap, was modified to
    include DPRP client functionality.
  • Java DPRP server interacted with NAT gateway via
    iptables commands.

21
Security Implications
  • DPRP doesn't poke any new holes in NAT gateway,
    it simply moves port forwarding from
    administrator to user control.
  • Only as secure as applications.
  • Administrator has controls over DPRP use.
  • DPRP-enabled worms could pose problems.
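
An added Python sketch of the DPRP server role described in slides 17, 18, 20 and 21 (not the presentation's Java implementation): a lease request is checked against administrator policy, turned into an iptables DNAT command, and reclaimed DHCP-style when the lease expires. The policy values and the WAN interface name eth0 are assumptions.

```python
"""Constructed model of a DPRP server: applications lease a port on the NAT
gateway, the administrator's policy bounds what can be leased, and expired
leases are torn down automatically."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Administrator controls (slide 21); the values here are assumptions."""
    port_range: tuple = (1024, 65535)       # reservable port range
    max_lease: int = 3600                   # seconds, DHCP-style cap on leases
    per_host_limit: int = 4                 # concurrent leases per private host
    denied_ports: frozenset = frozenset({3389})  # never forwarded to users


@dataclass
class Lease:
    host: str        # private host receiving the redirected traffic
    proto: str       # "tcp" or "udp"
    port: int        # reserved port on the gateway's public side
    expires: float   # absolute expiry time


class DprpServer:
    def __init__(self, policy, wan_if="eth0"):
        self.policy = policy
        self.wan_if = wan_if                # public-facing interface (assumption)
        self.leases = {}                    # (proto, port) -> Lease

    def _rule(self, action, lease):
        """iptables DNAT rule for a lease: -A installs it, -D removes it."""
        return (f"iptables -t nat -{action} PREROUTING -i {self.wan_if} "
                f"-p {lease.proto} --dport {lease.port} "
                f"-j DNAT --to-destination {lease.host}:{lease.port}")

    def reserve(self, host, proto, port, seconds, now):
        """Validate a request against policy; return (command, error)."""
        lo, hi = self.policy.port_range
        if proto not in ("tcp", "udp"):
            return None, "unsupported protocol"
        if not lo <= port <= hi or port in self.policy.denied_ports:
            return None, "port not reservable"
        self.expire(now)                    # reclaim stale leases first
        if (proto, port) in self.leases:
            return None, "port already leased"
        if sum(l.host == host for l in self.leases.values()) >= self.policy.per_host_limit:
            return None, "per-host lease limit reached"
        lease = Lease(host, proto, port, now + min(seconds, self.policy.max_lease))
        self.leases[(proto, port)] = lease
        return self._rule("A", lease), None

    def expire(self, now):
        """Drop every lease past its expiry; return the removal commands."""
        gone = [k for k, l in self.leases.items() if l.expires <= now]
        return [self._rule("D", self.leases.pop(k)) for k in gone]
```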

22
Microsoft Stole My Idea
  • It appears as if a new technology called
    Universal Plug and Play incorporates all of these
    ideas.
  • UPnP is a network service discovery platform.
  • Network elements can query each other, in order
    to disseminate capabilities.

23
UPnP NAT Traversal Solution
  • A subset of UPnP that purports to provide the
    following services:
    • Discovery of public IP address.
    • Enumeration of existing port mappings.
    • Addition and removal of port mappings.
    • Assignment of lease times to port mappings.
  • Goes the last mile, and takes care of the
    transparency problems that DPRP had.

24
Conclusion
  • DPRP accomplished initial goals, in terms of
    application support (TCP and UDP) and
    deployability.
  • Further technical analysis of UPnP needed.
  • Will IPv6 ever see mass-acceptance?