NSIS-ka
A free C++ implementation of NSIS protocols

Implementation of a GIST-aware NAT Gateway

A GIST-aware NAT gateway realizes an application layer gateway for the General Internet Signaling Transport (GIST) protocol, which enables GIST and therefore NSIS signaling messages in general to establish messaging associations even across NAT gateways.

The current implementation is split into a kernel module and a user space part. The corresponding code can be found here:

svn co https://svn.ipv6.tm.uka.de/nsis/dist/nsis-ka/branches/20100602-gist-aware-nat-gw

The kernel module is based on the Linux Netfilter framework, the user space part is based on the existing NSIS-ka implementation.

Using the Kernel Module

First of all, you need the Linux kernel headers for your currently running kernel installed. On Ubuntu/Debian systems it should be sufficient to install them by typing

$ sudo apt-get install linux-headers-`uname -r`

Once the headers are installed, you can build the kernel module. Change into the GaNAT/kernel directory of the branch and type

$ make

In order to install the built kernel module into the /lib/modules tree, type

$ sudo make install

Then you need to generate the modules.dep and map files

$ sudo depmod -a

After that you can easily load the nf_conntrack_gist module

$ sudo modprobe nf_conntrack_gist

And later unload it

$ sudo modprobe -r nf_conntrack_gist
$ sudo modprobe -r nf_conntrack

Using the user space part

The user space part basically consists of the files gist_aware_nat_proxy.{h,cpp}, start-nat.cpp, one Makefile and two shell scripts that can be used for convenience to start the GIST-aware NAT gateway. Currently the easiest way to get started is to copy all files from the GaNAT/ntlp and GaNAT/protlib directories into the corresponding directories of the nsis-ka implementation. Once you have compiled the ntlp and protlib code, you can start the GIST-aware NAT gateway by invoking the start-nat.sh shell script, e.g.:

$ pwd
/home/user/20100602-gist-aware-nat-gw
$ make
$ cd ntlp/src/
$ sudo ./start-nat eth2

Evaluation

We evaluated the implementation in a testbed environment consisting of four standard PCs acting as routers, interconnected in the topology depicted below.

Evaluation Setup with two hosts communicating across two GIST-aware NAT gateways

All four routers run Ubuntu 10.04 with Linux kernel 2.6.32 and are equipped with Intel Pentium IV 2.8 GHz CPUs, 4 GB DDR-400 RAM, and four 1000TX Ethernet cards.

The two intermediate routers were configured as GIST-aware NAT gateways as described above. In order to send NSIS signaling messages from the Querying Node towards the Responding Node, both end systems were equipped with the GIST implementation of the NSIS-ka suite. A GIST instance is built and started as follows:

$ svn co https://svn.ipv6.tm.uka.de/nsis/dist/gist-ka/trunk gist-ka-trunk
$ cd gist-ka-trunk
$ make
[add proper IP addresses in etc/nsis-ka.conf configuration file]
$ cd ntlp/src/
$ sudo ./gistka --echo 1 --config ../../etc/nsis-ka.conf

Once you have started GIST on the Querying Node and on the Responding Node, you can use the telnet console on the Querying Node to initiate simple Echo-NSLP messages towards the Responding Node:

$ telnet localhost 40023
gist>set template 1 10.1.2.1 10.3.5.5 no no
gist>Msend 5 7200 0

The above command issues 5 Echo-NSLP messages with an offset of 7200ms. The Echo-NSLP is bound to NSLP-ID 1, is sent from 10.1.2.1 to 10.3.5.5 and uses neither a reliable, nor a secure transport protocol.

In order to mitigate performance delays from too much I/O transfer, the GIST instances were built without logging output (make LOGGING=0). Furthermore, we set the timeout for NAT bindings on both intermediate NAT gateways to a very small value in order to measure initial handshakes only:

$ sudo sysctl -w net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=1

Packet dumps can easily be obtained on each router via tcpdump:

$ sudo tcpdump -i any -s 0 -tttt udp port 4 or tcp port 30000 -w gist-aware-nat-gateway.pcap

Measurement Results

The measurements we performed can be found here in the form of tcpdump pcap files. In order to interpret these captures you can use our NSIS-patched Wireshark.
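For a quick look at a handshake without Wireshark, the following added example (not part of NSIS-ka or of the original page) parses the GIST common header as laid out in RFC 5971 and measures the time from Query to Confirm. It assumes the UDP/TCP payloads have already been extracted from the capture, accepts the D-mode magic number when present, and runs on constructed sample data; build_message is a hypothetical helper.

```python
import struct

GIST_MAGIC = struct.pack("!I", 0x4E04BDA5)  # magic number prefix on UDP payloads (RFC 5971)
TYPES = {0: "Query", 1: "Response", 2: "Confirm", 3: "Data", 4: "Error", 5: "MA-Hello"}
HANDSHAKE = ("Query", "Response", "Confirm")

def parse_gist_header(payload):
    """Parse the 8-byte GIST common header at the start of a UDP or TCP payload."""
    magic = payload[:4] == GIST_MAGIC
    if magic:
        payload = payload[4:]
    if len(payload) < 8:
        raise ValueError("truncated common header")
    version, hops, words, nslpid, type_byte, flags = struct.unpack("!BBHHBB", payload[:8])
    if version != 1:
        raise ValueError("unsupported GIST version %d" % version)
    # Message Length counts 32-bit words after the header; check it against
    # the bytes actually present instead of trusting the sender.
    if words * 4 > len(payload) - 8:
        raise ValueError("message length exceeds captured payload")
    return {"magic": magic, "hops": hops, "nslpid": nslpid,
            "type": TYPES.get(type_byte & 0x7F, "unknown"),  # top bit is the C flag
            "response_requested": bool(flags & 0x40)}         # R flag

def handshake_duration(packets):
    """Time from the first Query to the following Confirm, or None if incomplete."""
    stage, start = 0, None
    for ts, payload in packets:
        try:
            hdr = parse_gist_header(payload)
        except ValueError:
            continue  # not GIST, or malformed: ignore
        if hdr["type"] == HANDSHAKE[stage]:
            start = ts if stage == 0 else start
            stage += 1
            if stage == len(HANDSHAKE):
                return ts - start
    return None

def build_message(type_byte, body, flags=0, nslpid=1):
    """Hypothetical helper: build a D-mode sample message for the demo data."""
    hdr = struct.pack("!BBHHBB", 1, 10, len(body) // 4, nslpid, type_byte, flags)
    return GIST_MAGIC + hdr + body

# Constructed sample: (timestamp in ms, payload) as seen on the Querying Node.
SAMPLE = [(0, build_message(0x80, b"\0" * 8, flags=0x40)),  # C flag + Query, R set
          (4, build_message(1, b"\0" * 8)),                 # Response
          (5, build_message(2, b"\0" * 4)),                 # Confirm
          (6, build_message(3, b"Hello World!"))]           # Data
```
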

Complete GIST handshakes with one subsequent "Hello World" Data packet measured on the Querying Node:

Last modified on Jun 24, 2010, 9:35:01 AM
