2,584 research outputs found

    Peer-to-Peer Communication Across Network Address Translators

    Network Address Translation (NAT) causes well-known difficulties for peer-to-peer (P2P) communication, since the peers involved may not be reachable at any globally valid IP address. Several NAT traversal techniques are known, but their documentation is slim, and data about their robustness or relative merits is slimmer. This paper documents and analyzes one of the simplest but most robust and practical NAT traversal techniques, commonly known as "hole punching." Hole punching is moderately well-understood for UDP communication, but we show how it can be reliably used to set up peer-to-peer TCP streams as well. After gathering data on the reliability of this technique on a wide variety of deployed NATs, we find that about 82% of the NATs tested support hole punching for UDP, and about 64% support hole punching for TCP streams. As NAT vendors become increasingly conscious of the needs of important P2P applications such as Voice over IP and online gaming protocols, support for hole punching is likely to increase in the future. Comment: 8 figures, 1 tabl

    Duplicate detection methodology for IP network traffic analysis

    Network traffic monitoring systems have to deal with a challenging problem: the traffic capturing process almost invariably produces duplicate packets. In spite of this, and in contrast with other fields, there is no scientific literature addressing it. This paper establishes the theoretical background concerning data duplication in network traffic analysis: generating mechanisms, types of duplicates and their characteristics are described. On this basis, a duplicate detection and removal methodology is proposed. Moreover, an analytical and experimental study is presented, whose results provide a dimensioning rule for this methodology. Comment: 7 pages, 8 figures. For the GitHub project, see https://github.com/Enchufa2/nantool

    Evaluating the Effectiveness of IP Hopping via an Address Routing Gateway

    This thesis explores the viability of using Internet Protocol (IP) address hopping in front of a network as a defensive measure. This research presents a custom gateway-based IP hopping solution called Address Routing Gateway (ARG) that acts as a transparent IP address hopping gateway. This thesis tests the overall stability of ARG, the accuracy of its classifications, the maximum throughput it can support, and the maximum rate at which it can change IPs and still communicate reliably. This research is accomplished on a physical test network with nodes representing the types of hosts found on a typical, corporate-style network. Direct measurement is used to obtain all results for each factor level. Tests demonstrate ARG classifies traffic correctly, with no false negatives and less than a 0.15% false positive rate on average. The test environment conservatively shows this to be true as long as the IP address change interval exceeds two times the network's round-trip latency; real-world deployments may allow for more frequent hopping. Results show ARG capably handles traffic of at least four megabits per second with no impact on packet loss. Fuzz testing validates the stability of ARG itself, although additional packet loss of around 23% appears when under attack.

    Mobile IP Address Efficiency

    In future wireless networks, Mobile IP will be widely deployed as a general mobility protocol. Currently, in the protocol each mobile node (MN) should have one public home address to identify itself when it is away from home. Unlike the stationary host, the MN cannot simply use private addresses when NAT (Network Address Translation) is enabled. How to assign public addresses among mobile nodes is important to save the already limited IPv4 addresses. Even though Mobile IPv6 can provide a large address space, when communicating with IPv4 based hosts, the MN still needs to use one public IPv4 address. Protocol translation can map between IPv6 and IPv4 addresses; however, it is a NAT-based approach and breaks end-to-end communications. From a new perspective, we propose an address-sharing mechanism that allows a large number of MNs to share only one IPv4 public address while avoiding most of the drawbacks of NAT.

    Network Address Translation (NAT) Behavioral Requirements for Unicast UDP


    ENAT-PT: An Enhanced NAT-PT Model

    NAT-PT would allow IPv4 nodes to communicate with IPv6 nodes transparently by translating the IPv6 address into a registered V4 address. However, NAT-PT would fall flat when the pool of V4 addresses is exhausted. NAPT-PT multiplexes the registered address' ports and will allow for a maximum of 63K outbound TCP and 63K UDP sessions per IPv4 address, but it is unidirectional. We present in this paper a novel solution ENAT-PT (an enhanced NAT-PT), which will allow for a great number of inbound sessions by using a single V4 address. By using ENAT-PT, we can visit V6 networks from a V4 network with a small address pool.

    Mobile Communication with Virtual Network Address Translation

    Virtual Network Address Translation (VNAT) is a novel architecture that allows transparent migration of end-to-end live network connections associated with various computation units. Such computation units can be either a single process, or a group of processes of an application, or an entire host. VNAT virtualizes network connections perceived by transport protocols so that identification of network connections is decoupled from stationary hosts. Such virtual connections are then remapped into physical connections to be carried on the physical network using network address translation. VNAT requires no modification to existing applications, operating systems, or protocol stacks. Furthermore, it is fully compatible with the existing communication infrastructure; virtual and normal connections can coexist without interfering with each other. VNAT functions entirely within end systems and requires no third party proxies. We have implemented a VNAT prototype with the Linux 2.4 kernel and demonstrated its functionality on a wide range of popular real-world network applications. Our performance results show that VNAT has essentially no overhead except when connections are migrated, in which case the overhead of our Linux prototype is less than 7 percent.

    TUKAB: An Efficient NAT Traversal Scheme on Security of VoIP Network System Based on Session Initiation Protocol

    Voice over Internet Protocol (VoIP) is subject to many security threats unique to both telephony and traditional Internet data transmission. As adoption of Session Initiation Protocol (SIP) based telephony increases, concerns are rising over risks to system confidentiality, integrity and availability. Currently, several VoIP security tools are available to detect vulnerabilities and protect against attacks. In this paper we present various issues concerning the security of VoIP. A brief discussion of the SIP protocol is presented based on its operating principle. Finally we proposed a solution for the Network Address Translation (NAT) traversal problem of SIP based networks. This solution supports all types of NAT and maintains the current VoIP architecture. Based on our experiment, we examined the latency, buffer size and voice packet loss under various network conditions. We found that it is possible to establish a call from outside the NAT to inside maintaining the quality issues of VoIP call. With this approach it is possible to use the current network architecture with having few changes in the registrar server. Hence we evaluate our model showing the QoS conditions that achieves both high efficiency and secure voice transmission. Sufficient simulation results are presented to verify our model