Educause Security Discussion mailing list archives
Re: gamer clubs
From: "Sprague, Randy" <randy.sprague () CINCINNATISTATE EDU>
Date: Wed, 6 Apr 2016 15:19:48 +0000
You most likely only have one external IP assigned to the network. The issue comes up with some game consoles needing a specific TCP port on their own IP.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Wilcox
Sent: Wednesday, April 6, 2016 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] gamer clubs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/04/16 17:37, Joey Rego wrote:
Question for those of you that host the gamer networks. We get some complaints from students regarding their NAT type being Strict depending on the type of gaming system. Most games seem to work but there are some that don't, from what I am told. I am not a gamer, so go gently. lol

1. What method are you using to provide external IP addresses for gamers? One-to-one NAT / one-to-many NAT/PAT?
It depends. Consoles, "smart TVs", etc., get a "public" IP but they're behind a default-deny firewall. Those firewalls do sloppy state management, though, so once they connect out, anyone can connect back on that port (see Open NAT/sloppy management below). If they want a dedicated gaming server then they get a "public" IP in a DMZ area.
2. How many external IP addresses are you assigning to these gamer networks on average?
Again, it depends. Consoles and similar are in a /22. The dedicated game servers are in a /29.

There are two types of things going on here.

1) the case where students wanted to run PCs dedicated to hosting games -- this is the scenario we addressed by carving out a DMZ segment.

2) companies like Microsoft assuming you're using firewalls that don't enforce state (or that you let your users change firewall policy on the fly, or that you're not using one at all). This is where the NAT Type stuff comes into play -- they expect consoles to generally do P2P.

I guess it's worth a high-level dive into NAT (or NAT/PAT for the pedantic, because I know someone will hop in and say, "BUT THAT'S PAT!" ;) ).

<u0:p1> <--router:p2--> <s0:p3>

Proper state enforcement (closed NAT, aka Strict):

User 0 makes a connection to server 0. The source port is 1 for the user. The router makes the NAT connection to the server from its own source port 2. The server sees the IP of the router and the router's port 2. If the server tries to send back to port 1 it will fail. If some other server, s1, tries to connect back to the router on any port, it will fail. This is how many-to-one NAT works.

Moderate state enforcement (moderate NAT):

User 0 makes a connection to server 0. The source port is 1 for the user. The router makes the NAT connection to the server from its own source port 2. The server sees the IP of the router and the router's port 2. If the server tries to send traffic to _any_ port on the IP it sees of the router, it gets passed back to u0. This is how one-to-one NAT _can_ work.

Sloppy state enforcement (open NAT):

User 0 makes a connection to server 0. The source port is 1 for the user. The router makes the NAT connection to the server from its own source port 2. The server sees the IP of the router and the router's port 2. If the server tries to send back to _any_ port on the IP it saw, it gets forwarded to u0. If another server tries to send to port 2 then it gets forwarded to u0, but any other ports fail.

Basically, it's like this:

closed - I can chat to you, you can chat to me but only on an established port tuple
moderate - I can chat to you, you can chat to me on any port
open - I can chat to you, anyone else can chat back to me on the same port

Pictures make this a lot easier to describe :-)

Some firewalls (like pf) do "strict" state enforcement and you need to use something like UPnP (so your clients can modify your campus firewall rules on the fly!) for some game networks to function. Some firewalls do really sloppy state enforcement and anyone making an outbound connection can now become a server to the world.

kmw

-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAlcFHy8ACgkQsKMTOtQ3fKFA6gCgilHdUHpEK0COSH2dnGToP3nV
FYUAnj65A1AhgXA5GqygFfflC7nRGtzi
=xy0L
-----END PGP SIGNATURE-----
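The following is an added worked example, not code from the thread: a toy NAT state table in Python that applies the three filtering behaviours exactly as Kevin's message defines them (closed/Strict = only the established tuple returns; moderate = the peer you talked to may hit any port; open = the peer may hit any port and anyone may hit the port you opened), plus a static forward for the two cases Randy and Kevin raise, a dedicated server in a DMZ and a console that insists on a specific port on its own IP. The addresses, ports, host names and the `Nat`/`demo` API are constructed for the example; real firewalls (pf, consumer routers) differ in detail, notably in how "moderate" treats the destination port, so treat this as a model of the post's description rather than of any product.

```python
"""
Model of closed / moderate / open NAT state enforcement as described in the
thread. Added example, not from the original post; all addresses, ports and
names are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class Policy(Enum):
    CLOSED = "closed"      # Strict: only the established tuple comes back
    MODERATE = "moderate"  # the peer you talked to may reach any port
    OPEN = "open"          # anyone may send to the port you opened


@dataclass(frozen=True)
class Mapping:
    inside_ip: str
    inside_port: int   # "port 1" in the post
    outside_port: int  # "port 2": the router's own source port
    peer_ip: str       # s0
    peer_port: int     # "port 3"


@dataclass
class Nat:
    policy: Policy
    public_ip: str = "203.0.113.1"   # constructed
    next_port: int = 40000           # next dynamically allocated source port
    dynamic: list = field(default_factory=list)
    static: dict = field(default_factory=dict)  # outside_port -> (ip, port)

    def outbound(self, inside_ip: str, inside_port: int,
                 peer_ip: str, peer_port: int) -> int:
        """u0 connects out; the router allocates its own source port (port 2)."""
        m = Mapping(inside_ip, inside_port, self.next_port, peer_ip, peer_port)
        self.next_port += 1
        self.dynamic.append(m)
        return m.outside_port

    def forward(self, outside_port: int, inside_ip: str, inside_port: int) -> bool:
        """Static mapping (port forward / DMZ host). One inside host per public
        port: two consoles that both want e.g. 3074 cannot share one public IP.
        Returns False if the port is already taken."""
        if outside_port in self.static:
            return False
        self.static[outside_port] = (inside_ip, inside_port)
        return True

    def inbound(self, src_ip: str, src_port: int,
                dst_port: int) -> Optional[Tuple[str, int]]:
        """Decide whether a packet arriving at the public IP reaches an inside
        host. Returns (inside_ip, inside_port) or None when it is dropped."""
        if dst_port in self.static:
            return self.static[dst_port]        # forwarded regardless of source
        for m in self.dynamic:
            if self.policy is Policy.CLOSED:
                # exact reverse tuple only: s0:port3 -> router:port2
                ok = (src_ip == m.peer_ip and src_port == m.peer_port
                      and dst_port == m.outside_port)
            elif self.policy is Policy.MODERATE:
                # s0 may hit any port on the router's IP; nobody else may
                ok = src_ip == m.peer_ip
            else:  # Policy.OPEN
                # s0 may hit any port, and *anyone* may hit port 2
                ok = src_ip == m.peer_ip or dst_port == m.outside_port
            if ok:
                return (m.inside_ip, m.inside_port)
        return None


def demo(policy: Policy) -> dict:
    """u0 (10.0.0.10:1) talks to s0 (198.51.100.5:3074); then s0 and an
    unrelated host s1 each try the mapped port and some other port.
    Returns the inside endpoint each packet reached, or None."""
    nat = Nat(policy)
    p2 = nat.outbound("10.0.0.10", 1, "198.51.100.5", 3074)
    return {
        "s0_to_port2": nat.inbound("198.51.100.5", 3074, p2),
        "s0_to_other": nat.inbound("198.51.100.5", 3074, p2 + 7),
        "s1_to_port2": nat.inbound("192.0.2.77", 5555, p2),
        "s1_to_other": nat.inbound("192.0.2.77", 5555, p2 + 7),
    }


if __name__ == "__main__":
    for pol in Policy:
        print(pol.value, demo(pol))
```

Running the module prints, for each policy, which of the four inbound packets reached u0. The security-relevant row is `s1_to_port2`: under open NAT an unrelated host reaches u0 just by aiming at the port u0 opened, which is the "anyone making an outbound connection can now become a server to the world" case; under closed NAT nothing but the exact reverse tuple gets through, which is why consoles report Strict behind such a firewall unless a static forward (or a UPnP-created one) exists.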
Current thread:
- gamer clubs Sprague, Randy (Apr 05)
- Re: gamer clubs Kevin Wilcox (Apr 05)
- Re: gamer clubs Mandi Witkovsky (Apr 05)
- Re: gamer clubs Joey Rego (Apr 05)
- Re: gamer clubs TOOLEY, JASON C. (Apr 05)
- Re: gamer clubs T. Shayne Ghere (Apr 05)
- Re: gamer clubs Joey Rego (Apr 05)
- Re: gamer clubs Dan Oachs (Apr 05)
- Re: gamer clubs Kevin Wilcox (Apr 06)
- Re: gamer clubs Sprague, Randy (Apr 06)
- Re: gamer clubs T. Shayne Ghere (Apr 05)
- Re: gamer clubs Kevin Wilcox (Apr 05)
- Re: gamer clubs Patrick Menard (Apr 05)
- Re: gamer clubs Dexter Caldwell (Apr 05)
- Re: gamer clubs Brian W Griffith (Apr 05)
- Re: gamer clubs Glen Shere (Apr 06)
- Re: gamer clubs Doug Brooks (Apr 06)
- Re: gamer clubs Dan Oachs (Apr 06)