NAT driver

Hi. I’m going to create a NAT - network address translator - driver.
What kind of driver model should I use, NDIS or TDI? Are there some
useful sources?
Thanks.

- MB

Create a NDIS filter IM driver based on the PASSTHRU model.

Bryan S. Burgin
xxxxx@microsoft.com

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Stanislav Kraev
Sent: Saturday, November 22, 2003 1:41 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] NAT driver

Hi. I’m going to create a NAT - network address translator - driver.
What kind of driver model should I use, NDIS or TDI? Are there some
useful sources?
Thanks.

- MB

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

NDIS IM for sure, NDIS IM is by far simpler than a TDI filter and has a sane
sample from which you can learn.

Also note FTP translation - the PORT command prints the client’s IP address
as a payload; it must be translated by the NAT. This - and some other protocols
which do similar things - are the main complexity for a NAT.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Stanislav Kraev”
To: “Windows System Software Devs Interest List”
Sent: Sunday, November 23, 2003 12:41 AM
Subject: [ntdev] NAT driver

> Hi. I’m going to create a NAT - network address translator - driver.
> What kind of driver model should I use, NDIS or TDI? Are there some
> useful sources?
> Thanks.
>
> - MB
>
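To make the PORT problem Maxim raises concrete, here is an added example (written for this page; it is not code from the thread, from the PASSTHRU sample or from IPNAT.SYS) of the payload rewrite an FTP support module in a NAT has to do. The client 192.168.1.10, the public address 203.0.113.5 and the reserved port 40001 are constructed test values, and the function names and the returned length delta are assumptions of this example, not an existing API.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse an FTP "PORT h1,h2,h3,h4,p1,p2" line into a host-order IPv4
 * address and port. Returns 1 on success, 0 if the line is not a
 * well-formed PORT command (any octet or port byte above 255 rejects it). */
int parse_port_cmd(const char *line, uint32_t *ip, uint16_t *port)
{
    unsigned v[6];
    if (strncmp(line, "PORT ", 5) != 0)
        return 0;
    if (sscanf(line + 5, "%u,%u,%u,%u,%u,%u",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;
    *ip = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 1;
}

/* Rewrite a PORT command so the server sees the NAT's public address and
 * the port the NAT reserved for the server's incoming data connection.
 * Writes the new line into out[] and returns the change in payload length
 * (new minus old). The caller must carry that delta into the TCP
 * sequence/acknowledgement numbers of the control connection for the rest
 * of the session, because the rewritten text is usually a different size.
 * Returns INT_MIN if the input is not a valid PORT command or out[] is
 * too small. (Constructed helper for this example.) */
int rewrite_port_cmd(const char *in, char *out, size_t outsz,
                     uint32_t pub_ip, uint16_t pub_port)
{
    uint32_t ip;
    uint16_t port;
    if (!parse_port_cmd(in, &ip, &port))
        return INT_MIN;
    int n = snprintf(out, outsz, "PORT %u,%u,%u,%u,%u,%u\r\n",
                     (unsigned)((pub_ip >> 24) & 0xFF),
                     (unsigned)((pub_ip >> 16) & 0xFF),
                     (unsigned)((pub_ip >> 8) & 0xFF),
                     (unsigned)(pub_ip & 0xFF),
                     (unsigned)(pub_port >> 8),
                     (unsigned)(pub_port & 0xFF));
    if (n < 0 || (size_t)n >= outsz)
        return INT_MIN;
    return n - (int)strlen(in);
}

int main(void)
{
    /* Constructed sample: private client 192.168.1.10 listening on 5001
     * (5001 = 19*256 + 137); the NAT's public side is 203.0.113.5 and it
     * has reserved external port 40001 (= 156*256 + 65) for this transfer. */
    const char *client_line = "PORT 192,168,1,10,19,137\r\n";
    char out[64];
    int delta = rewrite_port_cmd(client_line, out, sizeof out,
                                 0xCB007105u /* 203.0.113.5 */, 40001);
    if (delta == INT_MIN) {
        puts("not a PORT command");
        return 1;
    }
    printf("client sent : %s", client_line);
    printf("server sees : %s", out);
    printf("seq delta   : %d\n", delta);
    return 0;
}
```

The rewrite alone is not enough: before forwarding the modified command the NAT also has to enter a mapping from public port 40001 back to 192.168.1.10:5001 in its translation table, otherwise the server's data connection arrives at the public address and is dropped. PASV avoids the client-side rewrite because the address sent in the payload is the server's, which the client reaches through an ordinary outbound mapping.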

Yeah. It doesn’t take long to get basic NAT functionality. However, be
aware – if you choose to implement a NAT, you will learn more about
random application protocols than you ever, ever wanted to learn. You
will easily spend 75%+ of your project time implementing these
protocols.

Basically, any protocol which contains network or transport addresses
(ports) will probably break when using a NAT. (It depends on the
direction that the address is sent, which is why you can use the PASV
FTP option to work-around NATs.) This includes:

* FTP
* Conferencing protocols (SIP and H.323)
* nearly all games
* all P2P apps
* IM clients (MSN Messenger, AOL/AIM, etc.)
* thousands of others

I was the dev lead for the team at Microsoft that implemented the H.323
NAT module for Windows 2000 and ISA (Microsoft’s proxy server). It took
us several man-years to build a decent proxy – and that was just for
H.323. (H.323 is a very complex family of protocols.) Writing filters
for other protocols will require time, too, depending on how complex the
protocol is.

If you want to implement a NAT, uhhhhh, feel free. Just be aware that
it is a thankless job. This is because so many good NAT implementations
already exist, and since they took years to build, and because most are
basically free. And most important of all, if you don’t support a
particular protocol, or your support is broken, then you will prevent
that particular protocol/application from working. In other words,
you’ll be fielding endless calls and emails saying “Mech Commander 9 is
broken, and it’s your NAT’s fault!”

Trust me, I’ve been there. NATs are a nightmare. And there is
absolutely no money in building new ones.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Saturday, November 22, 2003 9:17 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Re: NAT driver

NDIS IM for sure, NDIS IM is by far simpler than a TDI filter and has a
sane sample from which you can learn.

Also note FTP translation - the PORT command prints the client’s IP
address as a payload; it must be translated by the NAT. This - and some
other protocols which do similar things - are the main complexity for a NAT.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Stanislav Kraev”
To: “Windows System Software Devs Interest List”
Sent: Sunday, November 23, 2003 12:41 AM
Subject: [ntdev] NAT driver

> Hi. I’m going to create a NAT - network address translator - driver.
> What kind of driver model should I use, NDIS or TDI? Are there some
> useful sources? Thanks.
>
> - MB
>


Yes, any app-level protocol which passes the IP addresses in the payload is
NAT-incompatible, unless the NAT has a support module for it.

Also IPSec is NAT-incompatible. At all. Thus L2TP is NAT-incompatible too,
only PPTP is compatible.

* FTP

In active mode only, PASV passes the server address in the data stream and thus
is NAT compatible.

* all P2P apps

Running Kazaa Media Desktop over the NAT (ZyXEL Prestige’s firmware). All is
fine.

* IM clients (MSN Messenger, AOL/AIM, etc.)

MSN runs fine from under the NAT, and even allows file transfers. ICQ is the
same, though it is more fragile in terms of networking requirements, especially
with direct file transfers.

These apps are vulnerable if the firewall (not NAT) blocks some ports and
especially listeners on >1024 ports on desktops, but they are fine in terms of
NAT which is properly set up.

I was the dev lead for the team at Microsoft that implemented the H.323
NAT module for Windows 2000 and ISA (Microsoft’s proxy server).

Is it incorporated into IPNAT.SYS?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> > * FTP
>
> In active mode only, PASV passes the server
> address in the data stream and thus is NAT compatible.

Did you ignore the part of my previous message where I addressed exactly
this? FTP is a trivial protocol, compared to many of the protocols that
NATs have to support. H.323 was by far one of the most difficult
protocols to get right. That, and we even had to intercept and
coordinate LDAP to get NetMeeting working correctly.

You are correct that some/many apps do run correctly over NATs, but it
has been a horrible experience for application developers, who have had
to resort to lots of hacks to get things to work correctly. In some
cases, the application developers can get away with it because they have
a “friendly” external server (this is how many games work, and some
impure P2P applications, that actually use a central server to
coordinate communication before finding peers). In many other cases,
though, the application was written long before NATs were in common use,
and so the NAT implementors had to write all sorts of special-case code
in order to get each application working.

The Windows 2000 (and up) NAT (ICS or Internet Connection Sharing) has
many user-mode filters. These filters issue requests to IPNAT.SYS,
requesting that they handle all traffic for a particular protocol tuple
(protocol source-ip source-port dest-ip dest-port). The user-mode code
then intercepts this traffic, rewrites it as necessary (usually
maintaining some state, such as address translation tables), then sends
the traffic on its way. We had to do this for a long list of protocols
– way too long to list in this message. The ISA guys had to do it all
over again, because their pluggable filter architecture is different
(which is reasonable – ISA provides all sorts of management functions,
that the W2K ICS doesn’t). However, both products use the same core NAT
module, IPNAT.SYS.

All of this is public knowledge, in MSDN articles and such. There is no
proprietary information in this message.

Again, as someone who has had to actually work on the beasts, NATs are
no fun. Original poster: If you are doing this for fun, go ahead. But
if you are doing this to meet some professional need, ask yourself (or
rather, your boss) – can’t we use an existing, mature product to do
this? There are lots of cheap, mature NATs.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Sunday, November 23, 2003 1:10 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Re: NAT driver

Yes, any app-level protocol which passes the IP addresses in the
payload is NAT-incompatible, unless the NAT has a support module for it.

Also IPSec is NAT-incompatible. At all. Thus L2TP is
NAT-incompatible too, only PPTP is compatible.

* FTP

In active mode only, PASV passes the server address in the data stream
and thus is NAT compatible.

* all P2P apps

Running Kazaa Media Desktop over the NAT (ZyXEL Prestige’s firmware).
All is fine.

* IM clients (MSN Messenger, AOL/AIM, etc.)

MSN runs fine from under the NAT, and even allows file transfers. ICQ is
the same, though it is more fragile in terms of networking requirements,
especially with direct file transfers.

These apps are vulnerable if the firewall (not NAT) blocks some ports
and especially listeners on >1024 ports on desktops, but they are fine
in terms of NAT which is properly set up.

I was the dev lead for the team at Microsoft that implemented the
H.323 NAT module for Windows 2000 and ISA (Microsoft’s proxy server).

Is it incorporated into IPNAT.SYS?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

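As an added illustration of the tuple-keyed state Arlie describes above, here is a minimal translation table written for this page (it is not IPNAT.SYS, ISA or ICS code; the structures, function names and the port allocation starting at 40000 are assumptions of the example). An outbound packet creates or reuses a mapping keyed by (protocol, source IP, source port, destination IP, destination port) and leaves with the public address; an inbound packet is translated only if it matches an existing mapping and is otherwise dropped, which is exactly why an address carried in an untranslated payload never gets a connection back. `nat_expect` is the hook a protocol filter such as the FTP module needs to have the core reserve a port for a connection it knows is coming. The addresses are constructed test values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAT_MAX       64
#define NAT_PORT_BASE 40000   /* first external port handed out (assumption) */

typedef struct {
    uint8_t  proto;             /* IP protocol: 6 = TCP, 17 = UDP */
    uint32_t src_ip;  uint16_t src_port;   /* host-order values */
    uint32_t dst_ip;  uint16_t dst_port;
} pkt_t;

/* One entry: the tuple it owns plus the external port standing in for the
 * private endpoint. rem_ip/rem_port of 0 mean "any peer" (filter-reserved). */
typedef struct {
    int      used;
    uint8_t  proto;
    uint32_t in_ip;   uint16_t in_port;
    uint32_t rem_ip;  uint16_t rem_port;
    uint16_t ext_port;
} nat_entry_t;

typedef struct {
    uint32_t    pub_ip;
    uint16_t    next_port;
    nat_entry_t e[NAT_MAX];
} nat_t;

void nat_init(nat_t *n, uint32_t pub_ip)
{
    memset(n, 0, sizeof *n);
    n->pub_ip = pub_ip;
    n->next_port = NAT_PORT_BASE;
}

static nat_entry_t *add_entry(nat_t *n, uint8_t proto, uint32_t in_ip,
                              uint16_t in_port, uint32_t rem_ip, uint16_t rem_port)
{
    for (int i = 0; i < NAT_MAX; i++) {
        nat_entry_t *e = &n->e[i];
        if (e->used)
            continue;
        e->used = 1;        e->proto = proto;
        e->in_ip = in_ip;   e->in_port = in_port;
        e->rem_ip = rem_ip; e->rem_port = rem_port;
        e->ext_port = n->next_port++;
        return e;
    }
    return NULL;                                  /* table full */
}

/* Filter hook: reserve an external port for a connection expected from
 * outside (e.g. the FTP server's data connection after a rewritten PORT).
 * Returns the reserved port, or 0 if the table is full. */
uint16_t nat_expect(nat_t *n, uint8_t proto, uint32_t in_ip, uint16_t in_port,
                    uint32_t rem_ip, uint16_t rem_port)
{
    nat_entry_t *e = add_entry(n, proto, in_ip, in_port, rem_ip, rem_port);
    return e ? e->ext_port : 0;
}

/* Private -> public: reuse or create the mapping for this tuple and rewrite
 * the source to pub_ip:ext_port. Returns 0 only when the table is full. */
int nat_outbound(nat_t *n, pkt_t *p)
{
    nat_entry_t *e = NULL;
    for (int i = 0; i < NAT_MAX && !e; i++) {
        nat_entry_t *c = &n->e[i];
        if (c->used && c->proto == p->proto &&
            c->in_ip == p->src_ip && c->in_port == p->src_port &&
            c->rem_ip == p->dst_ip && c->rem_port == p->dst_port)
            e = c;
    }
    if (!e)
        e = add_entry(n, p->proto, p->src_ip, p->src_port, p->dst_ip, p->dst_port);
    if (!e)
        return 0;
    p->src_ip = n->pub_ip;
    p->src_port = e->ext_port;
    return 1;
}

/* Public -> private: translate only a packet matching an existing mapping;
 * anything else is dropped (returns 0). The first packet on a wildcard
 * entry pins the real peer so later traffic on that flow stays consistent. */
int nat_inbound(nat_t *n, pkt_t *p)
{
    if (p->dst_ip != n->pub_ip)
        return 0;
    for (int i = 0; i < NAT_MAX; i++) {
        nat_entry_t *c = &n->e[i];
        if (!c->used || c->proto != p->proto || c->ext_port != p->dst_port ||
            (c->rem_ip && c->rem_ip != p->src_ip) ||
            (c->rem_port && c->rem_port != p->src_port))
            continue;
        c->rem_ip = p->src_ip;   c->rem_port = p->src_port;
        p->dst_ip = c->in_ip;    p->dst_port = c->in_port;
        return 1;
    }
    return 0;
}

int main(void)
{
    nat_t n;
    nat_init(&n, 0xCB007105u);                              /* 203.0.113.5 */
    pkt_t out = { 6, 0xC0A8010Au, 5001, 0xC6336407u, 80 };  /* 192.168.1.10 -> 198.51.100.7 */
    nat_outbound(&n, &out);
    printf("outbound now leaves from public port %u\n", out.src_port);
    pkt_t reply = { 6, 0xC6336407u, 80, 0xCB007105u, out.src_port };
    printf("reply %s\n", nat_inbound(&n, &reply) ? "forwarded" : "dropped");
    pkt_t stray = { 6, 0xC6336407u, 80, 0xCB007105u, 40123 };
    printf("stray %s\n", nat_inbound(&n, &stray) ? "forwarded" : "dropped");
    return 0;
}
```

A real implementation adds checksum updates, entry timeouts and per-protocol filters on top of this; the point here is that every inbound packet must already be known to the table, so a protocol that names an inside address in its payload only works if a filter both rewrites that payload and calls something like `nat_expect` for the connection it announces.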