NatT protocol

From EMule Wiki
Revision as of 07:42, 17 July 2007 by DavidXanatos (Talk | contribs)
Jump to: navigation, search

THIS IS NOT FINAL... If you have any suggestions please post them on the discussion page

Contents

Introduction

NAT (Network Address Translation) Traversal allows Low ID to Low ID connections. There are different techniques to achieve this, like STUN (Simple Traversal of UDP through NATs), or TURN (Traversal Using Relay NAT). For obvious reasons TURN is not suitable for any kind of file sharing applications. The NatT for eMule uses there for STUN, as well as a attempt to become a High ID by reusing the Listening port for outgoing connections, if the NAT device is a Full Cone this technique will make the client fully connectable, but it works only in a few cases. The main implementation using STUN can connect even through hardware firewalls, it only fails on Symmetric NAT’s, there are as well methods to penetrate these but they require to much overhead and are there fore like TURN not suitable for file sharing.

Protocol

The implementation is separated in 2 main segments: the Nat Traversal itself and a reliable streaming connection called User Mode TCP.

NAT Tunneling

To establish a communication tunnel from Alice to Bob through a NAT or a firewall Alice (A) sends first an call-back request to Carlo (C) witch records Alice’s UDP port and IP and relays them together with the request to Bob (B). At this point Bob knows all he needs but Alice does not know enough (she does not know his UDP port). Now Bob tries to contact Alice directly over UDP (now his NAT/FW is open for messages form Alice) if she is behind a Full Cone Nat, she will get the message and will be able to reply. If she don’t answers after a short time Bob sends an own call-back request to Carlo or Dave (this depends on the later described different call-back relay schemes), he does the same as before and tells Alice the UDP port and IP of Bob. Now she can send him messages and he will receive them (this fails only if one of the two have a symmetric NAT, see the appendix for explanation). If everything works they now have a working tunnel, to not loose it they exchange ping messages every few seconds as long as they need the tunnel.

A                       C                 B
Callback Req    ----->      ----->        
     [BLOCKED] <-----------------         ping [OPENED]
               <-----      <-----         Callback Req
ping [OPENED]   ----------------->        
               <-----------------         ping
handshake       ................

Keep alive ping is sent from one of the 2 connection participants and contains a flag that determines weather the ping should be answered or not, it also contains additional informations used for connection establishment, and for obfuscation. The packet may be sent completely empty if no answer is requested and no data are appended.

[uint8] pOPS   // bit Field
               // 4 reserved
               // 3 IdKind
               // 1 req answer
[ID]           // variable length determined by the Ping Options above
[Obfiscation]  // uint8    obfuSetings
               // hash128  userHash

Callback Methods

eServer (Lugdunum)

The eserver call-back is supported since eserver 17.15, it requires booth clients to be on the same server. The call-back is sent to the server from the client’s UDP socket for client to client communication (not from the regular one for client to servers communication), the packet must be obfuscated the server way otherwise it won’t be accepted, the reason why this is done over the client socket is that the server have to see the UDP port of the socket used for NatT. The eserver usually forwards the request from Alice to Bob over his TCP connection with the server this may be delayed up to 12 seconds (to send more requests in one TCP frame), but if the eserver knows a very recent client UDP port of Bob (he may have issued a request to some one seconds ago) than he forwards the call-back request imminently using UDP to Bob. The packet arrives on the client socket but is obfuscated as well the server way (not for simplicity but in order to allow Bob to verify that the packet really was sent by his server) so Bob have to look on the packet’s source IP and direct it to the server UDP socket processing function. The eserver may not forward the ID of Alice to Bob instead he sends a call-back request as if it would come from Bob to Alice telling her Bob’s UDP port that way and saving one UDP frame from Bob (Bob have to check if requester ID is 0 and if it is don’t issue an own call-back request to Alice if the ping fails).

The client advertises his support of NatT by setting the flag SRVCAP_NATTRAVERSAL in the server login tag CT_SERVER_FLAGS. The server notifies his support by the SRV_TCPFLG_NATTRAVERSAL and SRV_UDPFLG_NATTRAVERSAL flags.

The login packet OP_IDCHANGE is also slightly modified, the “Your port ” was added:

[ID 4]
[flags 4]
[Server_tcp_port 4] /* because in case of aux ports, UDP messages must still be sent on Server_tcp_port+4 only */
[Your IP 4] /* Client IP as seen by eserver */
[Server_obfuscation_TCP_port 4] /* if <>0, the TCP port where eserver listen for obfuscated connections */
[Your port 4]
/* if eserver gave you a highID : your listening port (migh be different of what was advertized by client in LOGIN frame) */
/* if eserver gave you a LOWID : the tcp port of the client as seen by eserver (if NAT : the port allocated by NAT device) */

The seen port is sent in order to support the attempt described in the top to become a HighID by reusing the listening port, the server tries the connection attempt here form a different IP than his own, this behavior is optional.


The UDP callback request packet have the following content:

[uint32] Target ID (Bob's ID)
[uint32] Requester ID (Alice's ID)

The forwarded packets the server sends over TCP or UDP have the same content:

[uint32] Seen IP
[uint16] Seen Client UDP Port
[uint32] Requester ID (Alice's ID) (may be 0)
[obfuscation]  // obtional
               // [uint8] obfuscation settings
               // [hash 128] userhast

The rest of the Client server protocol is as usual with the only one exception that Low ID clients that advertise NatT support gets in the source answer packet not only High ID sources but also Low ID sources that support NatT as well, they are to be flagged as NatT enabled.

Kad (*Unofficial*)

The Kad based call-back is not an official Kad feature, but du to a smart implementation it is 100% compatible with any normal Kad node. This callback method is to be used ONLY when no other callback method is available! The support of NatT is announced in Kad by publishing as TCP port the value 0xffff, this is for Kad a valid port and could have been also set by the user by hand, but for windows this value is usually invalid because without a registry patch ports above 5000 can not be used by applications, there for its extremely unlikely anyone will ever set 0xffff as port. For the call-back the Kad buddy relayed “file reask ping” (OP_REASKCALLBACKUDP) is used it is passed by the Kad buddy together with the seen IP and UDP port to the firewalled client.

The OP_REASKCALLBACKUDP packet send to Carlo (Bob's buddy), have the following content:

[hash128]      // Target client Kad ID (Bob)
[hash128]      // File Hash of the pinged file
// the part below is the unofficial mod part
[uint8]        // Mod Opcode (OP_NAT_CALLBACKREQUEST_KAD)
[hash128]      // Requesting client Kad ID (Alice)
[uint32]       // IP of Dave (Alice's buddy)
[uint16]       // UDP Port of Dave (D)
[obfuscation]  // obtional obfuscation of Alice
               // [uint8] obfuscation settings
               // [hash 128] userhast

The second [hash128] (File Hash of the pinged file) is filled with 0's in order to allow Bob to distinguish this packet from a normal reask ping, the 0 hash is not valid as file hash but Carlo don't looks on anything excepted the "Target client Kad ID" so no problems occur here.

Carlo modifies the packet slightly by replacing the first [hash128] with the IP and UDP Port he saw Alice used.

The packet Bob receives looks like following:

[uint32]       // IP of Alice
[uint16]       // UDP Port of Alice
[hash128]      // File Hash of the pinged file
// the part below is the unofficial mod part (unchanged)
...

XS (Neo & Co)

Text to be added

User Mode TCP

Du to the lack of reliability in UDP communication it is necessary to implement a streaming protocol that will be able to handle packet lost and retransmit missing ones. This implementation is basically a kind of self coded TCP with small modifications, it is called User Mode TCP and have almost all relevant features of the real TCP included (like congestion control).

Connection Begin

To establish a connection Alice (A) sends an NAT_SYN packet to Bob (B) over UDP. Bob answers on this request with an NAT_SYN_ACK, on the moment the Packet is received the connection is considered Established.

A                    B
SYN            --->  OnConnect(0)
OnConnect(0)  <---   SYN_ACK
OnSend(0)
[Connection Established]

Booth packets have the same content, like following:

[uint8] version
[uint32] MAXFRAGSIZE (optional)

Communication

All send data segments are equipped with a unique sequence number indicating their position in the data stream. When Bob (B) receives a NAT_DATA segment form Alice (A) he acknowledges it with an NAT_DATA_ACK, if Alice don’t get the acknowledgment she will resend the segment, she will also resend it if she gets acknowledgements for 3 segments with an higher sequence Number when the, while the a acknowledgment for the older segment is still missing (Fast retransmission).

A                    B
             ...
DATA         --->   OnRecived(0)
OnSend(0)   <---    DATA_ACK
             ...

The NAT_DATA packet have the following format:

[uint32] Sequence Nr.
[Data] (optional)

The NAT_DATA_ACK packet have the following format:

[uint32] Sequence Nr.
[uint32] Receiving Window Size 

Lost packets are handled as following:

A                    B
             ...
DATA1        --->   [LOST]
DATA2        --->   
            <---    DATA_ACK2
DATA3        --->   
            <---    DATA_ACK3
DATA4        --->   
            <---    DATA_ACK4
DATA1        --->              // fast retransmission
            <---    DATA_ACK1
DATA5        --->   
            <---    DATA_ACK5
             ...
             ...
             ...
DATAn        --->   [LOST]
           TimeOut
DATAn        --->              // regular retransmission
            <---    DATA_ACKn

Alice never sends more data segments to Bob that would fit in the last Advertised receiving Window Size of Bob. When she can not send any data she sends empty NAT_DATA packets with the Sequence Nr set to 0, as soon as Bob will have some space in his receiving buffer he will answer with an NAT_DATA_ACK with sequence Nr set to 0 and a new > 0 Window Size. Than Alice will resume, to send data segments.

Alice uses some sophisticated techniques to determine a timeout time for the data segments as well as to determine how much segments she can sent before an acknowledgement arrives, this is called congestion control and designed basing on the normal TCP implementations, for further details please look into the NatT source code.

Connection End

To close a connection in the usual way Alice (A) sends an NAT_FIN packet to Bob (B), he replies with an NAT_FIN_ACK, on the moment the Packet is received the connection is considered Closed.

A                    B
FIN           --->   OnClose(0)
OnClose(0)   <---    FIN_ACK
[Connection Closed]

Booth Packets have no content.

To terminate an errorless connection Alice (A) Sends an NAT_RST, packet and considers the connection closed, Bob (B) don’t answers on this packet and as well considers the connection closed at this point.

A               B
OnClose(err)
RST      --->   OnClose(err)
[Connection Terminated]

The packet may contain an uint32 error code that is parsed to the OnClose function.

[uint32] ErrorCode

Appendix

NAT Types

from http://www.voip-info.org/wiki-STUN

  • Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
  • Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
  • Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
  • Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.

OpCodes

NAME VALUE
OP_NAT_PING '_'
OP_NAT_SYN '_'
OP_NAT_SYN_ACK '_'
OP_NAT_DATA '_'
OP_NAT_DATA_ACK '_'
OP_NAT_FIN '_'
OP_NAT_FIN_ACK '_'
OP_NAT_RST '_'
CT_EMULE_BUDDYID '_'
CT_XS_EMULE_BUDDYIP '_'
CT_XS_EMULE_BUDDYUDP '_'
OP_NAT_CALLBACKREQUEST_KAD '_'
OP_XS_BUDDY_REQ '_'
OP_XS_BUDDYPING '_'
OP_XS_MULTICALLBACKUDP '_'
OP_XS_MULTICALLBACKTCP '_'
OP_CALLBACKREQUEST_XS '_'
OP_NAT_CALLBACKREQUEST_XS '_'
OP_PUBLICPORT_REQ '_'
OP_PUBLICPORT_ANSWER '_'
Personal tools