* a question about ipv4 multicast and NAT
From: Samuele Giovanni Tonon @ 2003-08-25  8:21 UTC (permalink / raw)
  To: netfilter-devel

hi,
after some research on iptables and how to make IGMP work through
NAT I came to the conclusion that there still isn't an implementation
of how to NAT multicast connections from private networks to multicast
sessions.
That's because there isn't a way (or simply I couldn't find one)
with iptables to NAT IGMP requests (e.g. ADD_MEMBERSHIP) and to
keep track of received data packets.
I would like to know if you are planning to add this feature,
because I think that many people could be happy to have this.

regards
Samuele 


-- 
While various networks have become deeply rooted, and thoughts have been sent
out as light and electrons in a singular direction, this era has yet to 
digitize/computerize to the degree necessary for individuals to become 
a singular complex entity.
  KOUKAKU KIDOUTAI Stand Alone Complex


* Re: a question about ipv4 multicast and NAT
From: Patrick Schaaf @ 2003-08-25  8:32 UTC (permalink / raw)
  To: Samuele Giovanni Tonon; +Cc: netfilter-devel

On Mon, Aug 25, 2003 at 10:21:34AM +0200, Samuele Giovanni Tonon wrote:
> after some research on iptables and how to make IGMP work through
> NAT I came to the conclusion that there still isn't an implementation
> of how to NAT multicast connections from private networks to multicast
> sessions.

Did you find earlier discussion on this topic?

> I would like to know if you are planning to add this feature,
> because I think that many people could be happy to have this.

Can you please outline what such an implementation would entail?
Please be very specific.

best regards
  Patrick


* Re: a question about ipv4 multicast and NAT
From: Samuele Giovanni Tonon @ 2003-08-25  9:36 UTC (permalink / raw)
  To: netfilter-devel

Sorry, I sent this only to Patrick rather than to the list.

On Mon, Aug 25, 2003 at 10:32:13AM +0200, Patrick Schaaf wrote:
> On Mon, Aug 25, 2003 at 10:21:34AM +0200, Samuele Giovanni Tonon wrote:
> > after some research on iptables and how to make IGMP work through
> > NAT I came to the conclusion that there still isn't an implementation
> > of how to NAT multicast connections from private networks to multicast
> > sessions.
> Did you find earlier discussion on this topic?
Well, I found a lot of mail on netfilter-users asking how to handle the problem
of allowing IGMP between multiple interfaces while having NAT, but no one ever
replied.
However, with "ya old ipchains" I was able to do that without problems.

> > I would like to know if you are planning to add this feature,
> > because I think that many people could be happy to have this.
> Can you please outline what such an implementation would entail?
> Please be very specific.

I'll try to be as clear as possible; however, tell me if there's
something you don't understand, my English is not so fluent:

Linux GW (acts as NAT box for a private IP network, say 192.168.0/24).
People in 192.168.0/24 can set up an internal "Multicast service", for example
a streaming video server (with an application called vic); this service
is only on the LAN (multicast ttl=1) so it's like a broadcast.

Suppose now that these people are connected to a "Multicast Capable" ISP,
that is, an ISP that sends a video stream to all its customers.
Now these people would like to join that video stream: they just know
the multicast IP and port to connect to (with vlc you can do that),
or they just want to browse all the available multicast services
(with sdr or any session director you can do that).
However, they are inside a LAN, so their requests have to be "natted"
from the Linux GW to the outside (because the outside doesn't want to
know anything about traffic coming from 192.168.0.0/16).
e.g.


 src 192.168.0.1  ---> dst 224.22.3.2 (igmp IP_ADD_MEMBERSHIP)

should be natted by the Linux GW as follows:

 src CUSTOMER_ISP_IP ---> dst 224.22.3.2 (igmp IP_ADD_MEMBERSHIP)

After the request is accepted, the Linux box should know that all
the incoming traffic "from 224.22.3.2 to CUSTOMER_ISP_IP" should
be allowed to enter the LAN; to continue the example:


 src VIDEO_STREAM_SENDER ---> 224.22.3.2  

has to be allowed to enter the LAN.

The same thing should be possible if people from 192.168/24 want to send
their video stream to the outside, but in this case things could be a bit more
complicated because you have to "nat" the outgoing stream and announce.

In this manner, with an ISP that is multicast capable, people can use multicast
for conferencing or just for fun.

Please tell me if something is not clear, or if I haven't answered your
question correctly.

Regards
Samuele 


-- 
While various networks have become deeply rooted, and thoughts have been sent
out as light and electrons in a singular direction, this era has yet to 
digitize/computerize to the degree necessary for individuals to become 
a singular complex entity.
  KOUKAKU KIDOUTAI Stand Alone Complex
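
The gateway behaviour requested in the message above (send the join upstream with the gateway's own source address, then admit inbound multicast only for groups a LAN host has joined), modelled as an added example that is not code from this thread or from netfilter. It assumes 8-byte IGMPv2 messages; `MulticastGateway`, `from_lan`, `admit_inbound` and `build_igmp` are hypothetical names.

```python
import ipaddress
import struct

IGMP_V2_REPORT = 0x16   # membership report, sent after IP_ADD_MEMBERSHIP
IGMP_LEAVE = 0x17       # leave group

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum; 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_igmp(msg_type: int, group: str) -> bytes:
    """Build a constructed IGMPv2 message: type, max-resp, checksum, group."""
    raw = ipaddress.IPv4Address(group).packed
    csum = inet_checksum(struct.pack("!BBH4s", msg_type, 0, 0, raw))
    return struct.pack("!BBH4s", msg_type, 0, csum, raw)

class MulticastGateway:
    """Hypothetical model of the gateway's membership state."""
    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        self.members = {}   # group -> set of LAN hosts that joined it

    def from_lan(self, src: str, igmp: bytes):
        """Process IGMP from a LAN host; return (src, group) to send upstream."""
        if len(igmp) != 8 or inet_checksum(igmp) != 0:
            return None     # malformed message: create no state
        msg_type, _, _, raw = struct.unpack("!BBH4s", igmp)
        addr = ipaddress.IPv4Address(raw)
        if not addr.is_multicast:
            return None
        hosts = self.members.setdefault(str(addr), set())
        if msg_type == IGMP_V2_REPORT:
            first = not hosts
            hosts.add(src)  # upstream join only for the first LAN listener
            return (self.external_ip, str(addr)) if first else None
        if msg_type == IGMP_LEAVE:
            hosts.discard(src)
        if not hosts:
            del self.members[str(addr)]   # last listener gone: stop admitting
        return None

    def admit_inbound(self, dst_group: str) -> bool:
        """Inbound multicast data passes only for groups joined from the LAN."""
        return dst_group in self.members
```

Tying admission to tracked membership means the gateway forwards a stream into the LAN only while some inside host has asked for it, and stops once the last listener leaves.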


* Re: a question about ipv4 multicast and NAT
From: Patrick Schaaf @ 2003-08-25 11:00 UTC (permalink / raw)
  To: netfilter-devel

(my reply to the last message from Samuele)

Hello Samuele,

> I'll try to be as clear as possible; however, tell me if there's
> something you don't understand, my English is not so fluent:

Most of the readers/writers here are afflicted with that problem.
We'll understand you.

> However, they are inside a LAN, so their requests have to be "natted"
> from the Linux GW to the outside

Really? Note that I'm not awfully proficient in things multicast,
but it was my impression that the first router in front of MC
clients, would speak IGMP with the clients, and talk to the
network accordingly; thus, I would expect that a proper multicast
router setup on the linux gw, would provide everything you need,
no NAT needed at all.

Did you try going that mroute?

> The same thing should be possible if people from 192.168/24 want to send
> their video stream to the outside, but in this case things could be a bit
> more complicated because you have to "nat" the outgoing stream and announce.

I imagine this is a _completely_ different scenario. I'd even question
the sanity of an ISP _permitting_ you to do that.

> In this manner, with an ISP that is multicast capable, people can use multicast
> for conferencing or just for fun.
> 
> Please tell me if something is not clear, or if I haven't answered your
> question correctly.

I fear that I'm too naive about multicast to be of more help. You have
described your "use case" pretty well, I think - maybe somebody else can
jump in now and enlighten us?

best regards
  Patrick


* Re: a question about ipv4 multicast and NAT
From: Samuele Giovanni Tonon @ 2003-08-25 14:50 UTC (permalink / raw)
  To: netfilter-devel

On Mon, Aug 25, 2003 at 01:00:56PM +0200, Patrick Schaaf wrote:
> (my reply to the last message from Samuele)
> 
> Hello Samuele,
> 
> > I'll try to be as clear as possible; however, tell me if there's
> > something you don't understand, my English is not so fluent:
> 
> Most of the readers/writers here are afflicted with that problem.
> We'll understand you.
We should switch to Italian, it could be easier for me :-)

> > However, they are inside a LAN, so their requests have to be "natted"
> > from the Linux GW to the outside
> 
> Really? Note that I'm not awfully proficient in things multicast,
> but it was my impression that the first router in front of MC
> clients, would speak IGMP with the clients, and talk to the
> network accordingly; thus, I would expect that a proper multicast
> router setup on the linux gw, would provide everything you need,
> no NAT needed at all.
Yes, that's right, but only if you have a public IP; if you try to send
multicast packets from a private IP, obviously they will go out
with src set to that IP (e.g. 192.168/24), but these packets on
the internet should be dropped by "big" routers (if I remember correctly).

> Did you try going that mroute?
Did you mean mrouted? Yes, in tunnel mode (I tried to set up
an "mbone link" from university to home), and in normal mode to see
multicast sessions inside the MAN of one of my ISPs (just allowing to forward
multicast traffic because my two ISPs are multicast enabled), but it didn't
work.
 
> > The same thing should be possible if people from 192.168/24 want to send
> > their video stream to the outside, but in this case things could be a bit
> > more complicated because you have to "nat" the outgoing stream and announce.
> 
> I imagine this is a _completely_ different scenario. I'd even question
> the sanity of an ISP _permitting_ you to do that.
:-)
Well, for example, one of my two ISPs is selling T1 natted lines:
you have 10Mbps but you can't accept incoming connections from "the internet"
'cause you're natted.
However, you can see all the other customers of the ISP (we have private IPs
of 10.0/4 class), so it's a MAN.
The ISP sends us MPEG2 video streams over RTP/multicast (of course you'd
have to pay to see them; however, they seem not aware that vlc lets you see them
without paying :-)) ).
I was also able to make a video conferencing session with a friend of mine
who is on the same ISP (we both were running Linux without the netfilter NAT module).
Of course I can't make a videoconference with my university (they drop
multicast outside their backbone) but I'd like just to see the one in the MAN.

> 
> > In this manner, with an ISP that is multicast capable, people can use multicast
> > for conferencing or just for fun.
> > 
> > Please tell me if something is not clear, or if I haven't answered your
> > question correctly.
> 
> I fear that I'm too naive about multicast to be of more help. 
Well, developing a multicast capable application is a piece
of cake, the problems come with routing and NAT.

Some time ago I found on the internet some very interesting papers
on multicast under IPv4 and some possible implementations of a correct
NAT router/firewall for it; obviously I cannot find them again
(Murphy's law) but I'll search for them.

regards
Samuele 

-- 
While various networks have become deeply rooted, and thoughts have been sent
out as light and electrons in a singular direction, this era has yet to 
digitize/computerize to the degree necessary for individuals to become 
a singular complex entity.
  KOUKAKU KIDOUTAI Stand Alone Complex
