1. Of Knights and Drawbridges
Auro Tripathy
auro@shatterline.com
A halt-who-goes-there medieval story about the modern mystery of NAT Traversal
2. Using an Analogy to Explain NATs
NAT NAT NAT NAT
+-+ +-+ +-+ +-+
+----+ | | | | | | | | +----+
|EP-a|---+ +...+ +---((Public Network))---+ +...+ +---|EP-b|
+----+ | | | | | | | | +----+
+-+ +-+ +-+ +-+
EP = End Point
NAT = Network Address Translation
Source: https://tools.ietf.org/html/draft-takeda-symmetric-nat-traversal-00
3. Imagine…
The fortress (your home network) is a private network.
The tenant is an end-point device (e.g. PC, network attached storage, wireless thermostat, wireless smoke-alarm, IoT device).
The NAT is the “moat” that defends the fort.
A tenant sends a packet out of the fort by lowering a drawbridge.
Until a tenant sends a packet out of the fort, the fort is locked down; there are no drawbridges.
4. Fortifying Your Defenses with a Moat
Lowering the drawbridge is also an opportunity for an uninvited “knight” (packet) to come in.
The bridge must be defended against uninvited knights.
The rules the guard applies at the drawbridge define the kind of moat:
Full-Cone NAT (least restrictive crossing)
Restricted-Cone NAT
Port-Restricted-Cone NAT
Symmetric NAT (most restrictive crossing)
5. Full-Cone NAT
When the tenant (end-point) in the fort sends a knight (packet) out, a drawbridge is lowered and a guard is posted to decide who may come in over that drawbridge.
For an incoming knight (packet), the guard checks only one thing:
“Are you, Sire, visiting the tenant who created this drawbridge?”
If yes, go on in.
The guard does not check where the knight (packet) came from (it could be any end-point), nor whether the knight carries an invitation.
Once the drawbridge is down, any host on the public network that learns its address and port can send packets to the tenant behind it.
6. The Invitation Letter
The trick to traversing a NAT with UDP is to make use of the “invitation letter” (packet).
The invitation packet is not necessarily a special packet. The first outgoing data packet works as an invitation, because it lowers a drawbridge and assigns a guard for incoming knights.
7. Restricted-Cone NAT
A drawbridge is lowered when a tenant (end-point) in the fort sends an invitation letter (a packet) to another fort for the first time.
The guard on the drawbridge checks whether the incoming knight (packet) is visiting the tenant who lowered this drawbridge.
The guard also checks whether the knight came from the fort (source address) that received the invitation letter from the tenant.
The guard does not check the invitation letter itself, just the name of the fort the invitation was sent to; any knight from that fort may cross.
8. Port-Restricted-Cone NAT
A drawbridge is lowered when a tenant (end-point) in a fort sends an invitation letter (a packet) for the first time to a tenant in another fort.
The guard checks whether each knight (packet) trying to enter via the drawbridge is visiting the tenant who lowered the drawbridge.
The guard checks whether the knight came from the fort that received the invitation letter from the tenant.
The guard also checks whether the knight is the one who received the invitation letter from the tenant, i.e. whether it comes from the exact tenant (address and port) the invitation was sent to.
“You came from the correct fort, but do you have the invitation?”
9. Symmetric NAT
In the non-symmetric (cone) NATs above, the same drawbridge is reused whenever the same tenant in a fort sends an invitation packet, whatever the destination.
In a symmetric NAT, a new drawbridge is lowered every time the tenant in the fort sends an “invitation” packet to a different destination.
(Diagram: fort, moat, drawbridge, tenant)
Each invitation to a new destination has its own drawbridge.
The drawbridge a knight from one fort enters by is not the drawbridge knights from other forts enter by.
10. Summary
What the guard checks before a knight may cross, by NAT type:

NAT type             | Visiting the tenant who | Invitation to fort F2 | Has the            | Coming in on the same drawbridge
                     | lowered the drawbridge? | and coming from F2?   | invitation letter? | the invitation went out on?
---------------------+-------------------------+-----------------------+--------------------+---------------------------------
Full Cone            | Yes, go on in           | Not checked           | Not checked        | Not checked
Restricted Cone      | Yes, and…               | Yes, go on in         | Not checked        | Not checked
Port-Restricted Cone | Yes, and…               | Yes, and…             | Yes, go on in      | Not checked
Symmetric            | Yes, and…               | Yes, and…             | Yes, and…          | Yes, go on in
11. Applying the Analogy
In this analogy, a “tenant” is a local UDP port.
Several tenants make up a device; each device has an IP address.
A fort is a private network whose devices are protected by a NAT (the moat).
A drawbridge is a mapping (the public address and port the NAT allocates for the tenant) together with the rule the guard applies to incoming packets.
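To make the four guard rules and the effect of symmetric mapping concrete, here is an added example that is not part of the original deck: a small Python model of the four NAT types from slides 5 to 10, plus a UDP hole-punching exchange between two tenants that first learn their mapped addresses from a rendezvous server. All addresses, ports, the tenant names and the rendezvous server are constructed for illustration; the model follows the guard checks in the summary table rather than any particular NAT implementation.

```python
"""Toy model of the four NAT types in the slides (added example, not from the deck).
A tenant is a private (ip, port); a drawbridge is an external port mapping plus the
destinations the tenant has "invited"; the guard is the filtering rule in inbound().
All addresses and ports below are constructed for illustration."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]
FULL_CONE = "full-cone"
RESTRICTED_CONE = "restricted-cone"
PORT_RESTRICTED_CONE = "port-restricted-cone"
SYMMETRIC = "symmetric"
NAT_TYPES = (FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC)
RENDEZVOUS: Endpoint = ("203.0.113.10", 3478)  # constructed STUN-like rendezvous server


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class Drawbridge:
    tenant: Endpoint                                     # who lowered it
    invited: Set[Endpoint] = field(default_factory=set)  # where its invitations went


class Nat:
    def __init__(self, nat_type: str, public_ip: str, first_port: int = 40000):
        self.nat_type = nat_type
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self._port_for: Dict[Tuple, int] = {}        # mapping key -> external port
        self._bridges: Dict[int, Drawbridge] = {}    # external port -> drawbridge

    def _mapping_key(self, src: Endpoint, dst: Endpoint) -> Tuple:
        # Cone NATs reuse one external port per tenant; symmetric: one per (tenant, destination).
        return (src, dst) if self.nat_type == SYMMETRIC else (src,)

    def outbound(self, pkt: Packet) -> Packet:
        """Tenant sends a packet out: lower (or reuse) a drawbridge and post a guard."""
        key = self._mapping_key(pkt.src, pkt.dst)
        port = self._port_for.get(key)
        if port is None:
            port = next(self._ports)
            self._port_for[key] = port
            self._bridges[port] = Drawbridge(tenant=pkt.src)
        self._bridges[port].invited.add(pkt.dst)         # the "invitation letter"
        return Packet(src=(self.public_ip, port), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """The guard: return the translated packet, or None if the knight is turned away."""
        if pkt.dst[0] != self.public_ip:
            return None
        bridge = self._bridges.get(pkt.dst[1])
        if bridge is None:
            return None                                   # locked down: no drawbridge here
        if self.nat_type == FULL_CONE:
            allowed = True                                # anyone who knows the drawbridge
        elif self.nat_type == RESTRICTED_CONE:
            allowed = any(pkt.src[0] == inv[0] for inv in bridge.invited)  # right fort, any port
        else:
            # Port-restricted cone: the exact invited endpoint. Symmetric: same test, and as the
            # bridge was built for one destination it is also the one the invitation went out on.
            allowed = pkt.src in bridge.invited
        return Packet(src=pkt.src, dst=bridge.tenant) if allowed else None


def hole_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """UDP hole punching between one tenant behind each NAT. Both learn their mapped address
    from RENDEZVOUS, then send an invitation to the peer's learned address (both in flight at
    once); whoever receives one answers the source it saw. True if both get a packet through."""
    a, b = ("10.0.0.2", 5000), ("192.168.1.9", 6000)     # constructed private tenants
    a_pub = nat_a.outbound(Packet(a, RENDEZVOUS)).src
    b_pub = nat_b.outbound(Packet(b, RENDEZVOUS)).src
    a_inv = nat_a.outbound(Packet(a, b_pub))
    b_inv = nat_b.outbound(Packet(b, a_pub))
    a_got = nat_a.inbound(b_inv) is not None
    b_got = nat_b.inbound(a_inv) is not None
    # A symmetric peer's invitation comes from a port the rendezvous never saw; reply to that.
    if b_got and not a_got:
        a_got = nat_a.inbound(nat_b.outbound(Packet(b, a_inv.src))) is not None
    if a_got and not b_got:
        b_got = nat_b.inbound(nat_a.outbound(Packet(a, b_inv.src))) is not None
    return a_got and b_got


def reachability_matrix() -> Dict[Tuple[str, str], bool]:
    """Which pairs of NAT types the simple punch above gets through."""
    return {(ta, tb): hole_punch(Nat(ta, "198.51.100.1"), Nat(tb, "198.51.100.2"))
            for ta in NAT_TYPES for tb in NAT_TYPES}


if __name__ == "__main__":
    for (ta, tb), ok in reachability_matrix().items():
        print(f"{ta:22} <-> {tb:22} {'traversed' if ok else 'blocked'}")
```

Running the module prints which pairs of NAT types the simple punch traverses. Two symmetric NATs, or a symmetric NAT facing a port-restricted cone, are blocked: the invitation arrives from a port the peer never sent an invitation to, so the guard turns it away. A symmetric NAT facing a full or restricted cone still gets through once the receiving side replies to the source address it actually observed, because that packet reaches the new drawbridge the symmetric NAT opened for it.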