Vol. 52, No. 9, pp. 1234-1243 (Sep. 2011)

Proposal of Closed Communication Groups over NATs and its Evaluation

Yuji Goto (†1, *1), Hidekazu Suzuki (†1) and Akira Watanabe (†1)

†1 Graduate School of Science and Technology, Meijo University
*1 Presently with Hitachi Information Systems, Ltd.

Abstract

As a security measure against threats such as unauthorized access, it is useful to define and form closed communication groups so that communication inside them is secure. IPsec is not well suited to environments whose configuration changes frequently, such as intranets, because the management load on the network administrator is large. To solve this problem we have been proposing the Dynamic Process Resolution Protocol (DPRP), by which devices in the network learn configuration changes automatically and maintain the closed communication groups. However, conventional DPRP could not be used when a Network Address Translation (NAT) device lies on the communication path. In this paper we propose Extended DPRP, which traverses NATs by merging DPRP with NAT-f, one of the NAT traversal technologies, and which also handles multiple NATs. With this method, closed communication groups can span global-address and private-address areas. We have implemented Extended DPRP and confirmed its effectiveness.

1. Introduction

[Japanese body text not preserved in this copy. Terms introduced on this page: CCG (Closed Communication Group) and NAT (Network Address Translation), discussed against the background of the IPv4 address space.]

© 2011 Information Processing Society of Japan
[Page 1235. Japanese body text not preserved; recoverable points follow.]

Introduction, continued: NAT remains in wide use while IPv4 gives way to IPv6, so a CCG must still be formed when its members are separated by a NAT.

Related approaches: VPNs built on IPsec [1]. IPsec/IKE security associations are configured per pair of hosts, so a CCG of n members needs on the order of n^2 settings, and IPsec/ESP is itself affected by NAT. DPRP (Dynamic Process Resolution Protocol) [2] builds CCGs by resolving the communicating processes dynamically, one connection at a time, but the CID and PIT it negotiates carry the IP addresses of the endpoints, so it does not work across a NAT.

NAT traversal techniques surveyed: STUN [3], TURN [4], UPnP [5], 4+4 [6], NAT-f [7], MIPNAT [8], AVES [9] and NTSS [10]. NAT-f, which like DPRP works at the IP layer, is adopted as the basis for extending DPRP.

Contribution: Extended DPRP merges DPRP with NAT-f so that a CCG can include nodes on both sides of one or more NATs. It has been implemented, and the processing time of a negotiation is about 12% longer than that of conventional DPRP.

Paper structure: Section 2 reviews DPRP and NAT-f, Section 3 proposes Extended DPRP, Section 4 describes the implementation and evaluation, and Section 5 concludes.

2. DPRP and NAT-f

2.1 DPRP

DPRP (Dynamic Process Resolution Protocol) operates at the IP layer. Fig. 1 shows how a CCG is constructed with it.
[Page 1236. Japanese body text not preserved; recoverable points follow.]

Fig. 1 Construction method of closed communication groups.
Fig. 2 DPRP Negotiation.

GSCIP (Grouping for Secure Communication for IP) terms used by DPRP:
  GE    Group Element (a device that is a member of a CCG)
  GEN   GE for Network
  GES   GE realized by Software
  GEA   GE realized by Adapter
  GK    Group Key, shared by the GEs of one CCG
  GMS   Group Management Server, which distributes the GK to the GEs
  PIT   Process Information Table, held by each GE
  CID   Connection ID, which identifies one connection in the PIT

A GE belongs to the CCG whose GK it holds and holds one GK per CCG; a device without the GK of a group cannot take part in its communication.

DPRP negotiation (Fig. 2): when process P1 on GES1 opens a TCP/UDP connection to process P2 on GES2 through GEN, GES1 looks up its PIT for the destination IP address and, finding no entry, starts the negotiation. GES1 sends DDE (Detect Destination End-GE), carried in ICMP and holding the CID, toward the destination; the GE that terminates the connection answers with RGI (Report GE Information).
[Page 1237. Japanese body text not preserved; recoverable points follow.]

DPRP negotiation, continued: RGI tells GES1 which GE is the end GE for the CID in DDE. GES1 then sends MPIT (Make Process Information Table); GES2 registers the connection in its PIT and returns CDN (Complete DPRP Negotiation); GES1 registers its own PIT entry on receiving CDN, and the negotiation is complete. A PIT entry holds the CID together with the endpoints P1:s and P2:d (s: source port, d: destination port). Once both PITs hold the entry, GES1 and GES2, which share the GK of the CCG, encrypt and decrypt the traffic of that connection with PCCOM (Practical Cipher COMmunication) [11]; every IP packet is checked against the PIT.

Limitation of DPRP behind NAT: the CID and the PIT entries carry the endpoints' IP addresses and ports, so when a NAT rewrites them on the path the two ends hold different CIDs and PCCOM cannot match the packets to a PIT entry. A CCG therefore cannot cross a NAT.

2.2 NAT-f

NAT-f (NAT-free protocol) [7] lets a node with a global address initiate communication to a node behind a NAT. Like DPRP it works at the IP layer.

Fig. 3 Behavior of NAT-f.

Notation: GA, global address area; PA, private address area; NAPT, Network Address Port Translation; EN, External Node, with global address G1; IN, Internal Node, with private address P2 behind a NAT-f capable NAT whose global address is G3. IN's FQDN (Fully Qualified Domain Name), alice.home.example.net, is registered with DDNS (Dynamic DNS) and resolves to the NAT's address G3; the NAT-f router itself knows that the name alice corresponds to P2.

Steps (1)-(2) of Fig. 3: (1) EN queries DNS for alice.home.example.net and receives G3, the NAT's address rather than IN's. (2) EN's NAT-f module assigns IN a virtual IP address V2 and hands V2, not G3, to the application.
[Page 1238. Japanese body text not preserved; recoverable points follow.]

Steps (3)-(8) of Fig. 3: (3) EN's application sends to V2. (4) EN's NAT-f module sends a NAT-f request, identified by a CID, to the NAT-f router. (5) The NAT-f router resolves alice to P2 and creates the NAT mapping

  G1:s {G3:m  P2:d}                                          (1)

where s is EN's source port, d the destination port at alice and m a port the NAT-f router allocates for this connection. (6) The NAT-f router returns m with the CID to EN. (7) EN records the translation in its VAT (Virtual Address Translation table):

  G1:s {V2:d  G3:m}                                          (2)

(8) From then on EN rewrites packets addressed to V2:d into G3:m via the VAT, and the NAT-f router rewrites G3:m into P2:d, so EN and IN communicate although IN has only a private address. Because the mapping is prepared before the first data packet, the connection can be initiated from the global side.

3. Extended DPRP

3.1 Issues

Five issues must be solved for a CCG to span a NAT between the PA and GA areas: (1) the CID and the PIT entries of DPRP carry addresses and ports that the NAT rewrites, so the two ends would hold different CIDs; (2) the DPRP negotiation messages themselves must cross the NAT; (3) NAT-f has to be combined with DPRP; (4) the CCG must be maintained across the NAT together with NAT-f; (5) more than one NAT may lie on the path.

3.2 APIT

The GE placed at the boundary of the PA and GA areas is called GNAT (GE with NAT). It combines a GEN with the NAT-f function of the NAT side and holds an APIT (Adapted PIT).
[Page 1239. Japanese body text not preserved; recoverable points follow.]

Address notation used in Figs. 4-6: P denotes a private address and G a global address; GES1 and GES2 are the two end GEs and GNAT the GE with NAT between them. GES2 (alice, private address P2) has its FQDN alice.home.example.net registered with DDNS, resolving to GNAT's global address G3; GNAT knows that alice is P2. GES1 and GES2 belong to the same CCG and hold its GK.

APIT (Adapted PIT): where a GE's PIT records one CID per connection, GNAT's APIT records the connection both as it appears in the PA area and as it appears in the GA area, so that GNAT can translate the CID of DPRP messages in either direction.

3.3 Negotiation from the PA area to the GA area (Fig. 4)

GES1 (P1) sends DDE with CID P1:s, G2:d toward GES2 (G2). At GNAT the source is translated as NAPT translates a TCP/UDP flow,

  {P1:s  G3:m} G2:d                                          (3)

but because DDE is carried in ICMP rather than in the TCP/UDP flow itself, GNAT has to create the NAT mapping for the flow explicitly (Section 4.1). GNAT rewrites the CID in DDE to G3:m, records both forms in its APIT and forwards DDE to GES2. GES2 answers with RGI; GNAT translates the CID back to P1:s via the APIT and forwards RGI to GES1. MPIT and CDN follow as in conventional DPRP: GES1 and GES2 hold PIT entries for their own view of the connection, GNAT holds the APIT entry, and each GE's view contains only the addresses valid in its own area.

Fig. 4 Extended DPRP negotiation (from PA area to GA area).

3.4 Negotiation from the GA area to the PA area (Fig. 5)

Issues (1) and (3) of Section 3.1 arise here. GES1, in the GA area, resolves alice.home.example.net via DDNS and obtains GNAT's address G3; the NAT-f module integrated into GES1's DPRP assigns the virtual address V2 to it. GES1 sends DDE to G3 carrying the name alice and the CID G1:s, V2:d. GNAT resolves alice to P2, rewrites the CID and forwards DDE to GES2, which answers with RGI.
[Page 1240. Japanese body text not preserved; recoverable points follow.]

Fig. 5 Extended DPRP negotiation (from GA area to PA area).
Fig. 6 Multistage NAT (from GA area to PA area).

Section 3.4, continued: GNAT handles the RGI from GES2 with the TCP/UDP NAT mapping

  G1:s {G3:m  P2:d}                                          (4)

rewriting the CID from P2:d to G3:m before forwarding RGI to GES1. GES1 now knows the real global endpoint G3:m behind the virtual V2:d and records the VAT entry

  G1:s {V2:d  G3:m}                                          (5)

MPIT and CDN then complete the negotiation with the CID in its translated forms. GNAT keeps the pair of views in its APIT; GES1 keeps the PIT entry and the VAT entry. The APIT and VAT together replace the separate NAT-f exchange of Section 2.2.

3.5 Multistage NAT

When two NATs lie on the path (Fig. 6: GES1 in the GA area, GNAT1 at the outer NAT with global address G3, GNAT2 at the inner NAT with address P4 in GNAT1's private network, GES2 = alice with P2 behind GNAT2), issue (4) of Section 3.1 applies. DDNS resolves alice.home.example.net to GNAT1's G3 as in Section 3.4. GNAT1 knows alice as GNAT2's address P4, and GNAT2 knows alice as P2. DDE from GES1 therefore reaches GNAT1, is forwarded to GNAT2 (P4) and on to GES2, each GNAT translating the CID and recording the translation in its APIT. RGI travels back the same way: GNAT2 translates the CID to P4:m first.
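The translations written as equations (1)-(5) in Sections 2.2, 3.3 and 3.4, and the chained case of Section 3.5, can be followed in the small model below. It is an added example, not code from the paper or from its FreeBSD implementation: the "{A B}" pairs are read as "A is rewritten to B", the VAT is modelled as a dictionary on the external node and the GNAT mapping as a CID-keyed dictionary on the NAT, and every address, port and CID is a constructed sample value in the paper's notation (G1:s, G3:m, P2:d, V2). It goes one step beyond the single-NAT figures by chaining two NatFRouter instances for the multistage case.

```python
"""Model of the NAT-f style translation used by Extended DPRP.

Added illustrative example, not code from the paper. Notation follows the
paper: EN/GES1 at G1:s, GNAT at G3 with mapped port m, the internal node
at P2:d, V2 the virtual address EN uses for it. The "{A B}" pairs of
eqs. (1)-(5) are read as "A is rewritten to B". All values are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    cid: int                        # DPRP connection ID (assumed field)


class ExternalNode:
    """EN side: VAT (Virtual Address Translation table), eqs. (2) and (5).

    Applications address the virtual endpoint V2:d; the VAT rewrites it to
    the GNAT's real endpoint G3:m on output and back on input, so the
    private address P2 never appears on EN.
    """

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.vat: Dict[Endpoint, Endpoint] = {}      # (V2, d) -> (G3, m)

    def add_vat_entry(self, virtual: Endpoint, mapped: Endpoint) -> None:
        self.vat[virtual] = mapped

    def send(self, pkt: Packet) -> Packet:
        return replace(pkt, dst=self.vat[pkt.dst])

    def receive(self, pkt: Packet) -> Packet:
        reverse = {v: k for k, v in self.vat.items()}
        return replace(pkt, src=reverse[pkt.src])


class NatFRouter:
    """GNAT side: CID-keyed mapping (G3, m) <-> (P2, d), eqs. (1) and (4).

    Unlike plain NAPT, the mapping is installed by the negotiation before
    any data packet, so the global side can initiate the connection;
    packets for a port with no negotiated mapping are rejected.
    """

    def __init__(self, global_ip: str, first_port: int = 40000) -> None:
        self.global_ip = global_ip
        self._next_port = first_port
        self.by_cid: Dict[int, Tuple[Endpoint, Endpoint]] = {}
        self.inbound: Dict[Endpoint, Endpoint] = {}   # (G3, m) -> (P2, d)
        self.outbound: Dict[Endpoint, Endpoint] = {}  # (P2, d) -> (G3, m)

    def install(self, cid: int, internal: Endpoint) -> Endpoint:
        mapped = (self.global_ip, self._next_port)    # allocate port m
        self._next_port += 1
        self.by_cid[cid] = (mapped, internal)
        self.inbound[mapped] = internal
        self.outbound[internal] = mapped
        return mapped

    def forward_in(self, pkt: Packet) -> Packet:
        if pkt.dst not in self.inbound:
            raise PermissionError(f"no negotiated mapping for {pkt.dst}")
        return replace(pkt, dst=self.inbound[pkt.dst])

    def forward_out(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.outbound[pkt.src])


def run_single_nat() -> Tuple[Packet, Packet]:
    """GA -> PA case of Fig. 5: EN (G1) -> GNAT (G3) -> IN (P2), and the reply."""
    en = ExternalNode("203.0.113.1")                 # G1
    gnat = NatFRouter("198.51.100.3")                 # G3
    internal = ("192.168.0.2", 80)                    # P2:d (alice)
    virtual = ("10.255.0.2", 80)                      # V2:d
    cid = 17
    mapped = gnat.install(cid, internal)              # G3:m, set up by DPRP
    en.add_vat_entry(virtual, mapped)                 # eq. (5)

    app_pkt = Packet(src=(en.ip, 50000), dst=virtual, cid=cid)  # G1:s -> V2:d
    at_in = gnat.forward_in(en.send(app_pkt))          # arrives as G1:s -> P2:d
    reply = Packet(src=internal, dst=(en.ip, 50000), cid=cid)   # P2:d -> G1:s
    reply_app = en.receive(gnat.forward_out(reply))    # seen on EN as V2:d -> G1:s
    return at_in, reply_app


def run_multistage_nat() -> Packet:
    """Section 3.5: GES1 -> GNAT1 (G3:n) -> GNAT2 (P4:m) -> GES2 (P2:d)."""
    en = ExternalNode("203.0.113.1")
    gnat1 = NatFRouter("198.51.100.3")                # G3, outer NAT
    gnat2 = NatFRouter("172.16.0.4")                  # P4, inner NAT
    internal = ("192.168.0.2", 80)
    cid = 18
    inner = gnat2.install(cid, internal)              # P4:m -> P2:d
    outer = gnat1.install(cid, inner)                 # G3:n -> P4:m
    en.add_vat_entry(("10.255.0.2", 80), outer)
    pkt = en.send(Packet(src=(en.ip, 50001), dst=("10.255.0.2", 80), cid=cid))
    return gnat2.forward_in(gnat1.forward_in(pkt))


if __name__ == "__main__":
    print(run_single_nat())
    print(run_multistage_nat())
```

The point the model makes is the one the paper relies on: the two translation tables are filled by the negotiation, not by the first data packet, so a packet arriving at G3 for a port with no mapping is refused instead of creating state. Each GNAT on a multistage path rewrites only the hop it is responsible for, which is why the chain composes.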
[Page 1241. Japanese body text not preserved; recoverable points follow.]

Section 3.5, continued: GNAT1 in turn translates the CID to G3:n and forwards RGI to GES1. The APIT handling of Section 3.3 is applied at each GNAT, so a CCG can be formed across NATs in series (Fig. 6).

4. Implementation

Extended DPRP was implemented on FreeBSD 7.0-RELEASE, with the DPRP and NAT-f functions placed inside the IP layer.

4.1 Structure

Fig. 7 Implementation of GES.
Fig. 8 Implementation of GNAT.

GES (Fig. 7): the DPRP and NAT-f modules are hooked into ip_input() and ip_output(). The node-side NAT-f function, NAT-fs, holds the VAT, and PCCOM encrypts and decrypts data packets. GNAT (Fig. 8) adds the NAT-side NAT-f function, NAT-fn, and uses the FreeBSD NAT daemon natd for the translation itself, receiving packets from it through ipfw divert.

Fig. 9 shows the NAT mapping method with a pseudo packet. natd creates a mapping only for TCP/UDP packets that pass through it, whereas the DPRP messages DDE and RGI carry the CID inside ICMP. For the case of Fig. 4, when GNAT receives DDE with CID P1:s, G2:d in ip_input(), it builds a pseudo TCP/UDP packet P1:s -> G2:d and passes it through the ipfw divert socket to natd; natd creates the mapping P1:s -> G3:m, and NAT-fn reads the mapped port m back to translate the CID of DDE and RGI before forwarding them.

4.2 Evaluation

The network of Fig. 5, with a NAT between GES1 and GES2, was used; communication was verified with FTP between GES1 and GES2.
[Page 1242. Japanese body text not preserved; recoverable points follow.]

Fig. 9 NAT mapping method with pseudo packet.

Evaluation environment: GES1 in the GA area together with the DDNS server, GES2 in the PA area, and GNAT with two NICs between them; all links 100BASE-TX. Device specifications are given in Table 1. The DPRP negotiation between GES1 and GES2 was captured with Wireshark (Fig. 10), and the processing time on each device was measured with RDTSC (Read Time Stamp Counter); Table 2 lists the results.

Table 1 Specifications of devices.

  CPU      Pentium4 3.0 GHz
  Memory   512 MB
  NIC      100BASE-TX
  OS       FreeBSD 7.0-RELEASE

Table 2 Process time of Extended DPRP (on each device, from receiving the first message to sending the second).

  Device   Received -> Sent         Time
  GES1     DNS reply -> DDE         20.12 µs
  GES1     RGI -> MPIT              31.13 µs
  GES1     CDN -> TCP/UDP data      49.79 µs
  GNAT     DDE -> DDE               18.84 µs
  GNAT     RGI -> RGI               38.39 µs
  GNAT     MPIT -> MPIT             15.34 µs
  GNAT     CDN -> CDN               11.35 µs
  GES2     DDE -> RGI               28.83 µs
  GES2     MPIT -> CDN              18.77 µs

The largest item, 49.79 µs at GES1 between receiving CDN and sending the first TCP/UDP packet, includes the PIT and VAT lookups, which take 1.28 µs, and the PCCOM processing of that packet. The whole Extended DPRP negotiation of Fig. 5, from the DNS query to the first TCP/UDP packet, took 1,144 µs, against 1,010 µs for conventional DPRP [2]: an increase of 134 µs, about 12%, attributable to the NAT-fs and NAT-fn processing at GES1 and GNAT that resolves the five issues of Section 3.1.

5. Conclusion

Extended DPRP merges DPRP with NAT-f so that a CCG can be formed across NATs: the CID and PIT of DPRP are translated at the GNAT, and the method also covers multistage NATs. The implementation and the measurements over 100BASE-TX confirmed that a CCG can span the global and private address areas with about 12% more negotiation time than conventional DPRP.
References

1) Kent, S. and Seo, K.: Security Architecture for the Internet Protocol, RFC 4301, IETF (2005).
2) (In Japanese; title and authors not preserved in this copy) on DPRP, Vol.47, No.11, pp.2976-2991 (2006).
3) Rosenberg, J., Weinberger, J., Huitema, C. and Mahy, R.: STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs), RFC 3489, IETF (2003).
4) Rosenberg, J., Mahy, R. and Huitema, C.: Traversal Using Relay NAT (TURN), Internet-Draft draft-rosenberg-midcom-turn-08, IETF (2005).
5) UPnP Forum: Internet Gateway Device (IGD) Standardized Device Control Protocol V1.0 (2001).
6) Turanyi, Z., Valko, A. and Campbell, A.: 4+4: An Architecture for Evolving the Internet Address Space Back Toward Transparency, ACM SIGCOMM Computer Communication Review, Vol.33, No.5, pp.43-54 (2003).
7) (In Japanese; title and authors not preserved in this copy) on NAT-f, Vol.48, No.12, pp.3949-3961 (2007).
8) Levkowetz, H. and Vaarala, S.: Mobile IP Traversal of Network Address Translation (NAT) Devices, RFC 3519, IETF (2003).
9) Ng, T., Stoica, I. and Zhang, H.: A Waypoint Service Approach to Connect Heterogeneous Internet Address Spaces, Proc. USENIX Annual Technical Conference, pp.319-332 (2001).
10) (In Japanese; title and authors not preserved in this copy) on NTSS, Vol.51, pp.1234-1241 (2010).
11) (In Japanese; title and authors not preserved in this copy) on PCCOM, Vol.47, No.7, pp.2258-2266 (2006).

(Received November 8, 2010)
(Accepted June 14, 2011)