Monday, January 27, 2014

RFC 4787 -- NAT behavioral requirements (UDP)

RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP

This RFC provides guidance on how applications should handle UDP packets when they encounter different types of NAT, so that they can work correctly behind a NAT more easily (that is, so that NAT hole punching succeeds more easily); examples are online games and video conferencing applications.
The goals of this document are to define a set of common terminology for describing the behavior of NATs and to produce a set of requirements on a specific set of behaviors for NATs.



The term NAT as defined in this specification covers both "Basic NAT" and "Network Address/Port Translator (NAPT)".

  • Basic NAT replaces only the IP address
  • NAPT replaces both the IP address and the port; this method is the Port Restricted Cone type

In this specification, the term "NAT" refers to both "Basic NAT" and "Network Address/Port Translator (NAPT)".

This specification recommends no longer using the NAT classification defined in RFC 3489, to avoid confusion between definitions. The four terms concerned are:

  • "Full Cone"
  • "Restricted Cone"
  • "Port Restricted Cone"
  • "Symmetric"


It instead defines a new NAT mapping classification with the following three types:

  • Endpoint-Independent Mapping:
  • Address-Dependent Mapping:
  • Address and Port-Dependent Mapping:


Assume the basic NAT topology is as described below:
The key behavior to describe is the criteria for reuse of a mapping for new sessions to external endpoints, after establishing a first mapping between an internal X:x address and port and an external Y1:y1 address tuple.  Let's assume that the internal IP address and port X:x are mapped to X1':x1' for this first session.  The endpoint then sends from X:x to an external address Y2:y2 and gets a mapping of X2':x2' on the NAT.  The relationship between X1':x1' and X2':x2' for various combinations of the relationship between Y1:y1 and Y2:y2 is critical for describing the NAT behavior.  This arrangement is illustrated in the following diagram:


The three NAT mapping behaviors defined by this specification are as follows:

Endpoint-Independent Mapping: (internal IP + internal port)
The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to any external IP address and port.  Specifically, X1':x1' equals X2':x2' for all values of Y2:y2.

Address-Dependent Mapping: (internal IP + internal port + external IP)
The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to the same external IP address, regardless of the external port. Specifically, X1':x1' equals X2':x2' if and only if, Y2 equals Y1.

Address and Port-Dependent Mapping: (internal IP + internal port + external IP + external port)
The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to the same external IP address and port while the mapping is still active. Specifically, X1':x1' equals X2':x2' if and only if, Y2:y2 equals Y1:y1.
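The three mapping behaviors above differ only in which parts of the (X:x, Y:y) tuple select the mapping table entry. The following Python model is an added example written for this post (it is not code from RFC 4787 or from any real NAT): a toy NAPT that allocates external ports under each behavior, plus a probe that classifies an unknown NAT by comparing the external mappings obtained for Y1:y1, Y1:y2 (same address, different port) and Y2:y2 (different address), in the spirit of the RFC's X1':x1' versus X2':x2' comparison. All IP addresses and ports are constructed sample values.

```python
from enum import Enum


class MappingBehavior(Enum):
    ENDPOINT_INDEPENDENT = "Endpoint-Independent Mapping"
    ADDRESS_DEPENDENT = "Address-Dependent Mapping"
    ADDRESS_PORT_DEPENDENT = "Address and Port-Dependent Mapping"


class UdpNat:
    """Toy NAPT model (constructed example, not a real NAT implementation).

    Each outbound packet from internal X:x to external Y:y is looked up in
    `table`; the lookup key depends on the configured mapping behavior, which
    is exactly what distinguishes the three RFC 4787 mapping types.
    """

    def __init__(self, behavior, external_ip="203.0.113.1", first_port=40000):
        self.behavior = behavior
        self.external_ip = external_ip      # the NAT's public address
        self.next_port = first_port         # next free external port
        self.table = {}                     # key -> (external ip, external port)

    def _key(self, internal, remote):
        # internal = (X, x), remote = (Y, y)
        if self.behavior is MappingBehavior.ENDPOINT_INDEPENDENT:
            return internal                 # X:x only
        if self.behavior is MappingBehavior.ADDRESS_DEPENDENT:
            return (internal, remote[0])    # X:x + Y
        return (internal, remote)           # X:x + Y:y

    def outbound(self, internal, remote):
        """Translate an outbound packet; returns the external X':x' used."""
        key = self._key(internal, remote)
        if key not in self.table:
            self.table[key] = (self.external_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def classify(nat, internal=("192.168.1.10", 5000)):
    """Determine a NAT's mapping behavior from three outbound probes.

    The internal host sends from X:x to Y1:y1, to Y1:y2 (same address,
    different port) and to Y2:y2 (different address), then compares the
    external mappings the NAT assigned (constructed probe addresses).
    """
    y1 = ("198.51.100.7", 3478)
    y1_other_port = ("198.51.100.7", 3479)
    y2 = ("198.51.100.8", 3478)
    m_y1 = nat.outbound(internal, y1)
    m_y1_other_port = nat.outbound(internal, y1_other_port)
    m_y2 = nat.outbound(internal, y2)
    if m_y1 == m_y1_other_port == m_y2:
        return MappingBehavior.ENDPOINT_INDEPENDENT   # X1':x1' == X2':x2' always
    if m_y1 == m_y1_other_port:
        return MappingBehavior.ADDRESS_DEPENDENT      # reused only when Y2 == Y1
    return MappingBehavior.ADDRESS_PORT_DEPENDENT     # reused only when Y2:y2 == Y1:y1


if __name__ == "__main__":
    for behavior in MappingBehavior:
        print(f"{behavior.value:40s} -> probe says {classify(UdpNat(behavior)).value}")
```

Only an Endpoint-Independent NAT (REQ-1 below) lets a peer that learned X1':x1' from one server reach the host at the same external tuple, which is why the probe's first case is the one hole-punching applications hope to see.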

There are 14 behavioral requirements for NATs in total, listed below:

REQ-1:
A NAT MUST have an "Endpoint-Independent Mapping" behavior.

REQ-2:
It is RECOMMENDED that a NAT have an "IP address pooling" behavior of "Paired".  Note that this requirement is not applicable to NATs that do not support IP address pooling.
(On Linux, the conntrack module is what creates these mappings)

REQ-3:
A NAT MUST NOT have a "Port assignment" behavior of "Port overloading".
a) If the host's source port was in the range 0-1023, it is RECOMMENDED the NAT's source port be in the same range. If the host's source port was in the range 1024-65535, it is RECOMMENDED that the NAT's source port be in that range.

REQ-4:
It is RECOMMENDED that a NAT have a "Port parity preservation" behavior of "Yes".
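REQ-3, REQ-3a and REQ-4 together describe how an external port should be chosen. The allocator below is an added example written for this post (not code from the RFC or from any NAT product) showing one allocation policy that satisfies all three: it never hands the same external port to two mappings (no port overloading), it keeps the external port in the same range as the host's source port (well-known 1-1023 versus 1024-65535), and by default it preserves the parity of the source port, trying port preservation first and then walking upward within the range. The port numbers in the usage are constructed sample values.

```python
class PortAllocator:
    """External UDP port allocator following REQ-3, REQ-3a and REQ-4.

    Constructed example, not a real NAT implementation. One external port
    is used by at most one mapping, so there is never port overloading.
    """

    def __init__(self):
        self.in_use = set()   # external ports currently assigned to a mapping

    @staticmethod
    def _range_for(internal_port):
        # REQ-3a: stay in the same range as the host's source port
        return (1, 1023) if internal_port <= 1023 else (1024, 65535)

    def _candidates(self, internal_port):
        lo, hi = self._range_for(internal_port)
        # try to preserve the port itself, then walk upward and wrap around
        yield from range(internal_port, hi + 1)
        yield from range(lo, internal_port)

    def allocate(self, internal_port, preserve_parity=True):
        """Return a free external port for an internal source port."""
        for port in self._candidates(internal_port):
            if port == 0:
                continue                                   # port 0 is never assigned
            if preserve_parity and port % 2 != internal_port % 2:
                continue                                   # REQ-4: keep even/odd
            if port in self.in_use:
                continue                                   # REQ-3: no overloading
            self.in_use.add(port)
            return port
        raise RuntimeError("no free external port in range for %d" % internal_port)

    def release(self, external_port):
        """Free a port when its mapping expires."""
        self.in_use.discard(external_port)


if __name__ == "__main__":
    alloc = PortAllocator()
    for src in (5000, 5000, 5001, 53, 53):
        print(f"internal {src:5d} -> external {alloc.allocate(src)}")
```

Parity preservation matters for RTP/RTCP pairs, which expect an even RTP port and the next odd port for RTCP; the second allocation for source port 5000 skips 5001 and lands on 5002 for that reason.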

REQ-5:
A NAT UDP mapping timer MUST NOT expire in less than two minutes, unless REQ-5a applies. 
a) For specific destination ports in the well-known port range (ports 0-1023), a NAT MAY have shorter UDP mapping timers that are specific to the IANA-registered application running over that specific destination port. 
b) The value of the NAT UDP mapping timer MAY be configurable. 
c) A default value of five minutes or more for the NAT UDP mapping timer is RECOMMENDED.
(Every mapping should be kept for more than two minutes, to facilitate UDP hole punching)
 
REQ-6:
The NAT mapping Refresh Direction MUST have a "NAT Outbound refresh behavior" of "True". 
a) The NAT mapping Refresh Direction MAY have a "NAT Inbound refresh behavior" of "True".
(Traffic from the internal network outward, or from the external network inward, should both refresh the mapping)
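REQ-5 and REQ-6 define the lifetime of a mapping and which direction of traffic keeps it alive. The model below is an added example written for this post (not code from the RFC or from conntrack): a mapping entry with an expiry time that refuses timeouts under the two-minute floor of REQ-5, defaults to the five minutes of REQ-5c, always refreshes on outbound traffic (REQ-6) and refreshes on inbound traffic only when the optional REQ-6a behavior is enabled. The `keepalive_survives` helper shows why the floor matters for hole punching: a host that sends one outbound packet every `keepalive_interval` seconds keeps its mapping only if that interval is shorter than the timer. Times are seconds on a constructed clock.

```python
MIN_UDP_MAPPING_TIMEOUT = 120       # REQ-5: MUST NOT expire in less than two minutes
DEFAULT_UDP_MAPPING_TIMEOUT = 300   # REQ-5c: a default of five minutes or more is RECOMMENDED


class UdpMapping:
    """One NAT UDP mapping with its refresh timer (constructed example)."""

    def __init__(self, now, timeout=DEFAULT_UDP_MAPPING_TIMEOUT, inbound_refresh=False):
        if timeout < MIN_UDP_MAPPING_TIMEOUT:
            # REQ-5b allows the timer to be configurable, but not below the REQ-5 floor
            raise ValueError("UDP mapping timer must be at least %d s" % MIN_UDP_MAPPING_TIMEOUT)
        self.timeout = timeout
        self.inbound_refresh = inbound_refresh   # REQ-6a: inbound refresh MAY be supported
        self.expires_at = now + timeout

    def is_active(self, now):
        return now < self.expires_at

    def on_outbound(self, now):
        """Packet from the internal host through this mapping (REQ-6: MUST refresh)."""
        if not self.is_active(now):
            return False                          # mapping already expired
        self.expires_at = now + self.timeout
        return True

    def on_inbound(self, now):
        """Packet from an external peer to the mapped port (REQ-6a: MAY refresh)."""
        if not self.is_active(now) or not self.inbound_refresh:
            return False
        self.expires_at = now + self.timeout
        return True


def keepalive_survives(keepalive_interval, timeout=DEFAULT_UDP_MAPPING_TIMEOUT, duration=3600):
    """True if an outbound keepalive every `keepalive_interval` seconds keeps
    the mapping alive for `duration` seconds on a NAT with the given timer."""
    mapping = UdpMapping(now=0, timeout=timeout)
    t = keepalive_interval
    while t <= duration:
        if not mapping.on_outbound(t):
            return False                          # the gap exceeded the timer
        t += keepalive_interval
    return mapping.is_active(duration)


if __name__ == "__main__":
    for interval in (25, 119, 121, 400):
        print(f"keepalive every {interval:3d}s, 120s NAT timer: "
              f"{'survives' if keepalive_survives(interval, timeout=120) else 'expires'}")
```

The two-minute floor is what lets an application pick a fixed keepalive interval (a little under two minutes) that works on any compliant NAT; with inbound refresh disabled, which is the safer default, a mapping that only receives traffic still dies when the timer runs out.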
 
 
REQ-7:
A NAT device whose external IP interface can be configured dynamically MUST either (1) Automatically ensure that its internal network uses IP addresses that do not conflict with its external network, or (2) Be able to translate and forward traffic between all internal nodes and all external nodes whose IP addresses numerically conflict with the internal network.

REQ-8:
If application transparency is most important, it is RECOMMENDED that a NAT have "Endpoint-Independent Filtering" behavior.  If a more stringent filtering behavior is most important, it is RECOMMENDED that a NAT have "Address-Dependent Filtering" behavior. 
a) The filtering behavior MAY be an option configurable by the  administrator of the NAT.
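Filtering behavior is a separate question from mapping behavior: mapping decides which external X':x' outbound packets get, filtering decides which external sources may send inbound packets to that X':x'. RFC 4787 names the same three variants for filtering as for mapping (Endpoint-Independent, Address-Dependent, Address and Port-Dependent). The code below is an added example written for this post (not code from the RFC or from any NAT) that records the external endpoints an internal host has sent to through one mapping and then decides whether an inbound packet from a given source is allowed under each filtering behavior, which is what REQ-8's trade-off between application transparency and stricter filtering comes down to. Addresses are constructed sample values.

```python
from enum import Enum


class FilteringBehavior(Enum):
    ENDPOINT_INDEPENDENT = "Endpoint-Independent Filtering"
    ADDRESS_DEPENDENT = "Address-Dependent Filtering"
    ADDRESS_PORT_DEPENDENT = "Address and Port-Dependent Filtering"


class InboundFilter:
    """Inbound filtering state for one active mapping (constructed example)."""

    def __init__(self, behavior):
        self.behavior = behavior
        self.peers = set()   # external (Y, y) endpoints the internal host has sent to

    def note_outbound(self, remote):
        """Record that the internal host sent a packet to external Y:y."""
        self.peers.add(remote)

    def allow_inbound(self, source):
        """Decide whether a packet from external `source` may reach the mapped port."""
        if self.behavior is FilteringBehavior.ENDPOINT_INDEPENDENT:
            return True                                          # any external endpoint
        if self.behavior is FilteringBehavior.ADDRESS_DEPENDENT:
            return any(source[0] == peer[0] for peer in self.peers)   # same Y, any port
        return source in self.peers                              # exact Y:y only


def filtering_matrix(peers, sources):
    """For each behavior, which of `sources` get through after sending to `peers`."""
    result = {}
    for behavior in FilteringBehavior:
        f = InboundFilter(behavior)
        for peer in peers:
            f.note_outbound(peer)
        result[behavior] = tuple(src for src in sources if f.allow_inbound(src))
    return result


if __name__ == "__main__":
    peers = [("198.51.100.7", 3478)]
    sources = [("198.51.100.7", 3478), ("198.51.100.7", 9999), ("198.51.100.9", 3478)]
    for behavior, allowed in filtering_matrix(peers, sources).items():
        print(f"{behavior.value:38s} lets through {len(allowed)}/{len(sources)} sources")
```

The second source (same address, different port) is the interesting case: it is exactly the situation REQ-8 weighs, since Address-Dependent Filtering still admits a peer that answers from a different port on the same host, while Address and Port-Dependent Filtering would drop it.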

REQ-9:
A NAT MUST support "Hairpinning". 
a) A NAT Hairpinning behavior MUST be "External source IP address and port".

REQ-10:
To eliminate interference with UNSAF NAT traversal mechanisms and allow integrity protection of UDP communications, NAT ALGs for UDP-based protocols SHOULD be turned off.  Future standards track specifications that define an ALG can update this to recommend the ALGs on which they define default. 
a) If a NAT includes ALGs, it is RECOMMENDED that the NAT allow
   the NAT administrator to enable or disable each ALG separately.
(Do not enable ALGs)


REQ-11:
A NAT MUST have deterministic behavior, i.e., it MUST NOT change the NAT translation (Section 4) or the Filtering (Section 5) Behavior at any point in time, or under any particular conditions.
(NAT translation and packet filtering must always be immediate)

REQ-12:
Receipt of any sort of ICMP message MUST NOT terminate the NAT mapping. 
a) The NAT's default configuration SHOULD NOT filter ICMP messages based on their source IP address. 
b) It is RECOMMENDED that a NAT support ICMP Destination Unreachable messages.
   
REQ-13:
If the packet received on an internal IP address has DF=1, the NAT MUST send back an ICMP message "Fragmentation needed and DF set" to the host, as described in [RFC0792]. 
a) If the packet has DF=0, the NAT MUST fragment the packet and SHOULD send the fragments in order.

REQ-14:
A NAT MUST support receiving in-order and out-of-order fragments, so it MUST have "Received Fragment Out of Order" behavior. 
a) A NAT's out-of-order fragment processing mechanism MUST be designed so that fragmentation-based DoS attacks do not compromise the NAT's ability to process in-order and unfragmented IP packets.