Network Address and Port Translation (NAT) models
Short description: Implementing a solid working NAT model for the NS3 framework, taking into account the different behaviours that NAT exhibits in a network, so that a node can act as a network edge device and so that further security (firewall) implementations can build on it. This would include reusing the Netfilter implementation for NS3 to facilitate NAT and then implementing NAT itself. The model would mimic the Linux NAT model with added extensions.
Name: Sindhuja Venkatesh
Country of Citizenship: India
University: State University of New York, University at Buffalo
Networking has been my area of interest and specialization for some time now. I have done projects in networking and also worked as a Technical Services Engineer in the Network Security team at Cisco Systems Inc. in India.
After deciding to pursue my Masters I quit my job to join the SUNY Buffalo Masters in Computer Science program. Here I have done projects in networking specifically using network simulator (NS-2) to implement and evaluate a wireless MAC (Medium Access Control) protocol for sensor networks.
I have two years of work experience in the field of Data networking. As part of the training at the job I obtained the following certifications:
· Cisco Certified Network Associate (CCNA) – Routing and Switching
· Cisco Certified Network Associate (CCNA) – Security
· Cisco Certified Security Professional (CCSP)
· Cisco Certified Adaptive Security Appliance (ASA) Specialist
· Cisco Certified Intrusion Prevention System (IPS/IDS) Specialist
· Cisco Firewall Security Specialist
· Cisco IOS Security Specialist
· Cisco VPN Security Specialist
I have been programming in C and C++ since my high school days and have implemented a number of projects in C++. I have a very basic knowledge of Python.
I am currently working on a ‘Hacking the Kernel’ project. It uses OS/161, an instructional operating system developed at Harvard: a stripped-down BSD-style kernel in which one implements key operating systems concepts such as
(1) Synchronization primitives
(2) System calls and
(3) The virtual memory subsystem.
This project involves a deep understanding of the working of the system and hacking the kernel. It also introduces the use of open-source code base tools such as Git and GDB.
I am currently pursuing my Master of Science in Computer Science at the State University of New York at Buffalo. Here I am specializing in networking, distributed systems and systems programming. I started my Master's course in Fall 2011.
At my previous job at Cisco I gained two years of professional experience in the field of network security. Experienced in implementing, configuring, testing and troubleshooting Cisco enterprise security solutions. Advanced skills in live troubleshooting. Well versed in routing, switching and network security protocols. Provided guidance in network configuration and disaster recovery best practices to Fortune 100 companies.
I was a key person in reporting software bugs and facilitated resolution by developing test plans and simulating/recreating customer's environment in the lab. I also led the development of lab support strategy that increased team productivity by streamlining workflow between the support and test teams.
This is my first foray into the field of open source.
I am working on doing a supervised research project at my college the next semester on an enhanced Message Digest (MD5) version.
When it comes to the field of Computer Science I love to expand my horizons and learn about all the technologies. Recently I have taken some interest in Systems Programming. Apart from that I am a trained singer and dancer in Indian classical dance and music.
Network Address and Port Translation (NAT) models. This is the project I find extremely interesting and would love to work on during the summer.
The project essentially consists of implementing a NAT model for ns-3, taking into account the different types of NATs and the effects they have on many protocols while in use.
This NAT model would also mimic the existing Linux NAT structure.
Network Address Translation is one of the most fundamental topics in networking and security. Having worked with the network security team, most of my time over those two years went into looking at NAT configuration and the different types of NAT that can be applied in different scenarios. I also dealt with issues related to NAT-sensitive protocols.
Since I have a solid understanding of NAT functions at an industry level, I would be able to come up with specific ideas and evaluate their viability. I would also not require time to learn about NAT; my focus would be on the implementation part of the code.
I consider GSoC an excellent start to my stepping into the world of open source. I would certainly continue to be a part of the NS3 developers’ community. Having successfully implemented the NAT model in NS3 through this project, I would like to work on the firewall module and also look into the sea of enhancements in the area of IPv6.
The work will primarily be divided in two main parts:
A. Implementing the NAT Framework in NS3 (using hooks and chaining as in Netfilter)
For the first part I am considering working off the existing model that was proposed for a Netfilter implementation and adapting it to the current ns3 version. It consists of:
1. Hooks: this would have 5 hooks, as in Netfilter
2. Callback chaining: with this implementation I can set the priority for the different NAT translations and check for existing connections.
3. Connection tracking: to maintain the state of each connection, making the node a stateful one.
B. Implementing the main NAT models that are key to covering all types of network traffic.
1. Network Address Translation Models
NAT will still follow the Source NAT and Destination NAT backbone from Netfilter for chaining. On top of that it will implement the following features:
- Static one-to-one (Full Cone)
- Static network-to-network (Full Cone)
- Static Port Mapping (Port-Restricted-Cone NAT)
- Dynamic Port-Translating NAT (timed NAT table entry)
- NAT Exemption (in the case of IPsec-type protocols) and Selective NATting based on source and destination policies.
Once these are defined I would like to assign a priority to each of the NAT model types mentioned above. This way the order of checking and precedence can be set.
I would like to follow a modular method in my work: divide the work into clear modules and identify what level of testing can be done at each phase to check the working of the module at that level. These tests can vary from simple print statements to actual network simulations, depending on the module's detail, and they will be completed and reported at each level. While writing these tests at each level is an added workload, it is an excellent method of avoiding large design errors at the end.
I am planning to implement the NAT functionality in two major classes:
- Ipv4NatBase: this would act as the base NAT class that deals with NAT priority and the co-existence of the NAT types.
- Ipv4NatModels: this would be the class that holds the methods for each of the NAT types.
These classes would interact with :
The key to my approach is that I am isolating the connection tracking from the NAT function of the device. This way the NAT types can be implemented independently, while the efficiency of maintaining existing connections is retained.
I plan to reuse the 7-Tuple in Ipv4Netfilter and add another 8-Tuple for NAT specifics. This would be our very own NAT table. This way we can maintain the type of NAT and also avoid having to process the NAT translation every time a packet from that connection passes through. In the case of dynamic entries, once the connection is finished the entry is flushed. Static entries, however, remain until explicitly deleted.
The 8 Tuple would look like:
- uint16_t m_l3Protocol;
- uint16_t m_l4Source;
- Ipv4Address m_l3Destination;
- uint16_t m_l4Destination;
- uint8_t m_protocolNumber;
- uint8_t m_direction;
- uint8_t nat_type;
This nat_type field would have an integer assigned for each type of NAT we wish to add. When a connection is terminated, the source and destination in the NAT table are compared with those in connection tracking, and based on the type of NAT the entry is either kept or removed. The reason for implementing this rather than adding a field to the 7-Tuple is that it can maintain the NAT type model for static translations.
Here I would use NetfilterConntrackL3Protocol with its virtual functions PacketToTuple and InvertTuple to add packets to the connection table. The NAT table, however, is a configurable one which for now would be hard-coded and would later extend to user configuration.
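To make the table semantics above concrete, here is an added example (not code from the proposal or from ns-3) of a NAT table keyed by the connection-identifying part of the tuple and carrying the nat_type: dynamic port-translating entries are timed and are flushed when connection tracking reports the connection finished, while static entries survive until explicitly deleted. The nat_type integer values, the field names and the use of uint32_t for addresses are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <tuple>
// nat_type integers; these values are an assumption for this example, not the project's.
enum NatType : uint8_t { NAT_STATIC_FULL_CONE = 1, NAT_STATIC_PORT_MAP = 2, NAT_DYNAMIC_PAT = 3 };
// Connection-identifying part of the proposed tuple; addresses are plain
// uint32_t rather than ns-3's Ipv4Address so the example is self-contained.
struct NatKey {
  uint32_t l3Source, l3Destination;
  uint16_t l4Source, l4Destination;
  uint8_t protocolNumber, direction;
  bool operator<(const NatKey& o) const {
    return std::tie(l3Source, l3Destination, l4Source, l4Destination, protocolNumber, direction) <
           std::tie(o.l3Source, o.l3Destination, o.l4Source, o.l4Destination, o.protocolNumber, o.direction);
  }
};
struct NatEntry {
  uint32_t xlatAddress;  // address written into the packet by the translation
  uint16_t xlatPort;     // translated port (used by the port-translating types)
  uint8_t natType;       // one of NatType
  double expiresAt;      // seconds; only meaningful for NAT_DYNAMIC_PAT
};
class NatTable {
 public:
  void Add(const NatKey& k, const NatEntry& e) { m_entries[k] = e; }
  // Matching entry, or nullptr if none exists or a dynamic entry has timed out.
  const NatEntry* Lookup(const NatKey& k, double now) {
    auto it = m_entries.find(k);
    if (it == m_entries.end()) return nullptr;
    if (it->second.natType == NAT_DYNAMIC_PAT && it->second.expiresAt <= now) {
      m_entries.erase(it);  // timed NAT table entry has expired
      return nullptr;
    }
    return &it->second;
  }
  // Called when connection tracking reports the flow finished: dynamic
  // entries are flushed, static entries stay until explicitly removed.
  bool OnConnectionClosed(const NatKey& k) {
    auto it = m_entries.find(k);
    if (it == m_entries.end() || it->second.natType != NAT_DYNAMIC_PAT) return false;
    m_entries.erase(it);
    return true;
  }
  bool Remove(const NatKey& k) { return m_entries.erase(k) == 1; }
  std::size_t Size() const { return m_entries.size(); }
 private:
  std::map<NatKey, NatEntry> m_entries;
};
```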
The packet flow for the NAT part, as I see it after adding the NAT module:
Pre-routing connection entry lookup
Process to L3
Pre-routing NAT lookup on table
Post-routing connection entry lookup
Process to send
Post-routing NAT lookup on table
Process to L4
Pre-routing NAT lookup on table
Post-routing connection entry lookup
Process to recv
Post-routing NAT lookup on table
To start with, the project would be at the level of simulating the features and looking at the behaviour of hard-coded network configurations. However, I would like to continue working on the userspace aspect of the project, where users would be able to configure rules. This is not part of the 10-week project scope as of now; given good progress it can be worked on, and I would like to continue working on it even after GSoC.
The testing would be done in units for each of the cases.
A base simulation would be used where n2 is the NAT device, n1 is on the private network and n3 is out on the Internet.
The simulations used to test the Netfilter module will be reused here, with the NAT also incorporated in the inside operations.
Success would be measured by receiving the packets with the correct NAT lookup.
1. Adapt the existing Netfilter code to the current NS3 and test
2. NAT Full Cone implementation (2 types) and test.
3. Port-Restricted-Cone NAT implementation and test.
4. Dynamic Port-Translating NAT and test.
5. NAT Exemption and Selective NATting (policy-based NAT) and test.
6. Final integration, test cases and documentation.
At each level I will also consider the co-existence of the NAT model implemented prior to the one being implemented. This means working with the priority that decides which NAT takes precedence.
· Week 1: (22/05-29/05) Adapt the existing Netfilter code to the current NS3
· Week 2: (30/05-06/06) Test the adaptation of the Netfilter code to the current NS3
· Week 3: (07/06-14/06) NAT Full Cone implementation
· Week 4: (15/06-22/06) Test the NAT Full Cone implementations.
· Week 5: (23/06-30/06) Port-Restricted-Cone NAT implementation
· Week 6: (01/07-08/07) Test the Port-Restricted-Cone NAT implementation.
· 09/07 - Midterm evaluation submission
· Week 7: (10/07-17/07) Dynamic Port-Translating NAT implementation
· Week 8: (18/07-25/07) Test the Dynamic Port-Translating NAT implementation.
· Week 9: (26/07-02/08) NAT Exemption and Selective NATting (policy-based NAT) and test
· Week 10: (03/08-10/08) Test cases for NAT Exemption and Selective NATting, and provide integrated examples of the NAT operations demonstrating the different behaviours.
· Aug 13: Suggested Pencils Down Date.
· 11/08-19/08: Documentation and integration of the project
· 20/08: Final Evaluation and Submission.
Typically my expected work hours are 13:00 hrs to 23:00 hrs UTC but I am willing to push or pull either way depending on the mentor’s availability.
My physical location this summer would be Buffalo, New York in USA.
I do not have any work commitments over the summer. I plan to give all my time to working on the project.