
    A Multi-perspective Analysis of Carrier-Grade NAT Deployment

    As ISPs face IPv4 address scarcity they increasingly turn to network address translation (NAT) to accommodate the address needs of their customers. Recently, ISPs have moved beyond employing NATs only directly at individual customers and have instead begun deploying Carrier-Grade NATs (CGNs) to apply address translation to many independent and disparate endpoints spanning physical locations, a phenomenon that so far has received little in the way of empirical assessment. In this work we present a broad and systematic study of the deployment and behavior of these middleboxes. We develop a methodology to detect the existence of hosts behind CGNs by extracting non-routable IP addresses from peer lists we obtain by crawling the BitTorrent DHT. We complement this approach with improvements to our Netalyzr troubleshooting service, enabling us to determine a range of indicators of CGN presence as well as detailed insights into key properties of CGNs. Combining the two data sources we illustrate the scope of CGN deployment on today's Internet, and report on characteristics of commonly deployed CGNs and their effect on end users.

    Security Mechanisms for a Cooperative Firewall

    The growing number of mobile users and mobile broadband subscriptions around the world calls for support of mobility in the Internet and also demands more addresses from the already depleting IP address space. The deployment of Network Address Translation (NAT) at network edges to extend the lifetime of the IPv4 address space introduced the reachability problem in the Internet. While various NAT traversal proposals have attempted to solve the reachability problem, no perfect solution for mobile devices has been proposed. A solution proposed at the COMNET department of Aalto University, called Customer Edge Switching, has resulted in a prototype called Customer Edge Switches (CES). While it addresses many of the current Internet issues, i.e., the reachability problem and IPv4 address space depletion, so far security has generally been considered out of scope. This thesis aims at identifying the security vulnerabilities present within the CES architecture. The architecture is secured against various network attacks by presenting a set of security models. The evaluation and performance analysis of these security models shows that the CES architecture is secured against various network attacks while introducing only minimal delay in connection establishment. The delay introduced does not affect the normal communication pattern, and the sending host does not notice a difference compared to the current situation. For legacy interworking a CES can have the Private Realm Gateway (PRGW) function. The security mechanisms for PRGW also generate promising results in terms of security. The thesis further contributes towards security by discussing a set of deployment models for PRGW and CES-to-CES communication.

    Addressing Devices in Mobile Networks

    The reduced energy consumption, availability of built-in sensors, increased processing power and memory capacity brought about by the development of mobile terminals enable the widespread use of mobile phones in different domains such as mobile social networking, mobile cloud computing and the Internet of Things (IoT). In order to use these devices successfully as means of providing and processing information, suitable means of identification and addressing are needed that allow access to the devices and services also from outside the mobile network. Most of the time, when users use mobile networks to connect to the Internet, their devices are located behind firewalls and network address translators (NAT, Network Address Translator), which prevent the establishment of a direct connection. Connecting users in mobile networks has been studied thoroughly for years, and as a result several solutions have been found. The IP address, the most common addressing mechanism on the Internet, is also widely used in mobile networks (3G/4G), but it has its limitations: temporary availability, use restricted to mobile operators' networks, and network address translation (NAT). To remove these limitations we propose some alternative approaches: Session Initiation Protocol (SIP), UDP/TCP hole punching supported by a rendezvous server, and UDP/TCP relaying. These can be used with different types of mobile networks. This master's thesis discusses the practical deployment, test results, and the weaknesses and strengths of each approach.

    The emergence of mobile terminals with enhanced features like high processing power, more memory, inbuilt sensors, low power consumption, etc. has led to their extensive usage in different domains like mobile social networking, mobile cloud and Internet of Things (IoT). However, to successfully utilize these devices as information providing/processing entities, we need proper means of identification and addressing, so that the devices and their offered data/services are accessible also from outside the mobile network. But most of the time, when peers connect to the internet through cellular networks, peer devices are located behind common components like firewalls and Network Address Translators (NATs) that prevent establishing direct connections. Setting up connections between peers in mobile networks has been examined extensively over the years and there are several solutions one can conceive. However, the most popular and widely used addressing mechanism for the internet, the IP address, is also being extensively used in mobile data networks (3G/4G) but ends up with barriers like temporary availability, being known only within the mobile operator's network, Network Address Translation (NAT), etc. To address such limitations we propose a few different approaches such as Session Initiation Protocol (SIP), UDP/TCP hole punching with help from a Rendezvous server, and UDP/TCP Relaying, which can be applied to different types of mobile networks. In this thesis we discuss the practical implementation, test results and evaluation of the strengths and limitations of each approach.

    De-ossifying the Internet Transport Layer : A Survey and Future Perspectives

    Acknowledgment: The authors would like to thank the anonymous reviewers for their useful suggestions and comments.

    Structured Peer-to-Peer Overlays for NATed Churn Intensive Networks

    The wide-spread coverage and ubiquitous presence of mobile networks has propelled the usage and adoption of mobile phones to an unprecedented level around the globe. The computing capabilities of these mobile phones have improved considerably, supporting a vast range of third party applications. Simultaneously, Peer-to-Peer (P2P) overlay networks have experienced a tremendous growth in terms of usage as well as popularity in recent years particularly in fixed wired networks. In particular, Distributed Hash Table (DHT) based Structured P2P overlay networks offer major advantages to users of mobile devices and networks such as scalable, fault tolerant and self-managing infrastructure which does not exhibit single points of failure. Integrating P2P overlays on the mobile network seems a logical progression; considering the popularities of both technologies. However, it imposes several challenges that need to be handled, such as the limited hardware capabilities of mobile phones and churn (i.e. the frequent join and leave of nodes within a network) intensive mobile networks offering limited yet expensive bandwidth availability. This thesis investigates the feasibility of extending P2P to mobile networks so that users can take advantage of both these technologies: P2P and mobile networks. This thesis utilises OverSim, a P2P simulator, to experiment with the performance of various P2P overlays, considering high churn and bandwidth consumption which are the two most crucial constraints of mobile networks. The experiment results show that Kademlia and EpiChord are the two most appropriate P2P overlays that could be implemented in mobile networks. Furthermore, Network Address Translation (NAT) is a major barrier to the adoption of P2P overlays in mobile networks. Integrating NAT traversal approaches with P2P overlays is a crucial step for P2P overlays to operate successfully on mobile networks. 
This thesis presents a general approach to NAT traversal for ring-based overlays without the use of a single dedicated server, which is then implemented in OverSim. Several experiments have been performed under NATs to determine the suitability of the chosen P2P overlays in NATed environments. The results show that the performance of these overlays is comparable in terms of successful lookups in both NATed and non-NATed environments, with Kademlia and EpiChord exhibiting the best performance. The presence of NATs and also the level of churn in a network influence the routing techniques used in P2P overlays. Recursive routing is more resilient to the IP connectivity restrictions posed by NATs but not very robust in high-churn environments, whereas iterative routing is more suitable for high-churn networks but difficult to use in NATed environments. Kademlia supports both of these routing schemes, whereas EpiChord only supports iterative routing. This undermines the usefulness of EpiChord in NATed environments. In order to harness the advantages of both routing schemes, this thesis presents an adaptive routing scheme, called Churn Aware Routing Protocol (ChARP), combining recursive and iterative lookups, where nodes can switch between recursive and iterative routing depending on their lifetimes. The proposed approach has been implemented in OverSim and several experiments have been carried out. The experiment results indicate improved performance, which in turn validates the applicability and suitability of ChARP in NATed environments.

    Agent-based approach for cross-subnet communication

    Project carried out through a mobility programme. TECHNISCHE UNIVERSITÄT BERLIN. FAKULTÄT IV - ELEKTROTECHNIK UND INFORMATIK.

    The establishment of point-to-point connections between hosts behind NAT boxes has always been a problem due to private IP addresses and NAT firewalls. To solve this problem, there are different techniques that make it possible for hosts behind NAT boxes to establish a point-to-point connection, getting around NAT firewalls and using solutions to exchange their IPs. The goal of this thesis is to present an implementation of a communication protocol which establishes communication between agents that are behind NAT boxes, avoiding all the problems that could occur during the communication, such as duplicated IP addresses or host unreachable errors, and to introduce the reader to some related work about NAT traversal. This thesis also contains a short introduction to the existing techniques used to get around a NAT firewall and an explanation of why we use NAT boxes even though they are sometimes a problem.

    IPv4 address sharing mechanism classification and tradeoff analysis

    The growth of the Internet has made IPv4 addresses a scarce resource. Due to slow IPv6 deployment, IANA-level IPv4 address exhaustion was reached before the world could transition to an IPv6-only Internet. The continuing need for IPv4 reachability will only be supported by IPv4 address sharing. This paper reviews ISP-level address sharing mechanisms, which allow Internet service providers to connect multiple customers who share a single IPv4 address. Some mechanisms come with severe and unpredicted consequences, and all of them come with tradeoffs. We propose a novel classification, which we apply to existing mechanisms such as NAT444 and DS-Lite and proposals such as 4rd, MAP, etc. Our tradeoff analysis reveals insights into many problems including: abuse attribution, performance degradation, address and port usage efficiency, direct inter-customer communication, and availability.