Notes on Switzerland and NAT Firewalls
Does Switzerland work with NAT Firewalls?
Short answer: Yes, and no, and sometimes. Switzerland knows how to correct for basic Network Address Translation (NAT) firewalls. But many firewall/router boxes make undocumented modifications to the traffic passing through them beyond the minimum changes that NAT requires. Switzerland will detect these modifications and raise an alarm. If you want to test an ISP, rather than a firewall, you may have to disconnect the firewall.
Long answer: There were some interesting challenges in building Switzerland. The biggest of these comes in the form of NAT firewalls/routers, which most people have on their home broadband connections. These devices modify the packets traveling through them — NAT stands for "network address translation", and it involves modifying the source and destination information inside IP packets so that multiple computers can be online simultaneously while sharing a single public IP address. Our code knows about NAT, and avoids misconstruing these basic address changes as interference with the underlying traffic.
Where things get blurrier is that many consumer-oriented NAT firewalls make other kinds of modifications to packets. Often, these changes are inane or benevolent. Sometimes they are malfunctions, and cause disruption to applications (one such malfunction caused quite a stir when some graduate students at the University of Colorado thought that Comcast might have been responsible for it — in fact, it was a NAT router). Sometimes, a modification made by a router could have benevolent intent, but bugs in the implementation mean that it causes problems. For example, we've seen some NAT routers that modify/forge TCP ACK packets (aggressively acknowledging packets that the router has seen but the recipient computer has not). This may be okay if the router reliably retransmits the packets when the client drops them, but we've also heard about situations where load balancing devices try to do this and get it wrong.
Aside from modifying TCP ACK numbers, we've seen firewalls that:
- Turn off the IP do-not-fragment bit
- Retransmit ACK packets on the client's behalf
- Change the IP Maximum Segment Size (MSS)
- Reorder the blocks in TCP SACK options fields
- Change the IP type-of-service field
Switzerland Version Zero is configured to silently ignore those last two modifications, but the others will raise alarms. The upshot of all of this is that if you want to use the current version of Switzerland to test an ISP, it's best to bypass your NAT router and plug a PC directly into a cable/DSL modem (in situations where these two functions are performed by a single device, you can often configure it not to act as a NAT router). If you test with a NAT router in place, you are testing the router too. Some NATs are fairly well behaved; for instance, we haven't seen modifications from routers using DD-WRT firmware (no promises, of course :). If you have one of those, you can probably test your ISP through the NAT, and would only need to get a direct connection to confirm that any spoofed or modified packets were actually being caused by an intermediary.
A long-term development goal for Switzerland may be to characterize and study the kinds of modifications that crazy NATs make to packets, and find a way to see past them. For some of the changes we've seen (such as TCP SACK field reordering, MSS changes, and disabling the DNF flag), this is a fairly easy task. The problem is that you can't just ignore something like a forged ACK number, since ACK number modifications could be a sneaky way to interfere with traffic. There may be some ways to work around this, but they were too complicated for our first release.
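To make the comparison concrete, here is an added example (not Switzerland's own code) of how a sender's and a receiver's view of one packet can be compared so that the fields a plain NAT must rewrite are tolerated, the two modifications Version Zero ignores (ToS change, SACK block reordering) are set aside, and everything else, such as a forged ACK number or a cleared DF bit, raises an alarm. Packets are represented as plain dicts of parsed header fields, and the sample values are constructed, not captured.

```python
# Added example, not Switzerland's own code: classify the differences between
# the sender's and the receiver's copy of one TCP/IP packet. Field names here
# are assumptions for illustration, not a real packet-parsing API.

# A NAT legitimately rewrites addresses and ports, and therefore both checksums.
NAT_REWRITTEN = {"src_ip", "dst_ip", "src_port", "dst_port",
                 "ip_checksum", "tcp_checksum"}

def sack_reordered_only(a, b):
    """True when both sides carry the same SACK blocks, merely in another order."""
    if a is None or b is None:
        return False
    return a != b and sorted(a) == sorted(b)

def classify(sent, received):
    """Return (ignored, alarms): each maps a field name to (sent, received).

    NAT-rewritten fields are skipped entirely. A ToS change and a pure
    reordering of SACK blocks are recorded as ignored, mirroring what the text
    says Version Zero does. Any other difference (forged ACK, cleared DF bit,
    rewritten MSS, altered SACK contents) is an alarm."""
    ignored, alarms = {}, {}
    for key in sorted(set(sent) | set(received)):
        if key in NAT_REWRITTEN:
            continue
        s, r = sent.get(key), received.get(key)
        if s == r:
            continue
        if key == "tos" or (key == "sack" and sack_reordered_only(s, r)):
            ignored[key] = (s, r)
        else:
            alarms[key] = (s, r)
    return ignored, alarms

# Constructed sample: what the client sent, and what the far end received after
# a NAT that also forged the ACK, cleared DF, reordered SACK blocks and set ToS.
SENT = {"src_ip": "192.168.1.10", "dst_ip": "203.0.113.5", "src_port": 51234,
        "dst_port": 80, "ip_checksum": 0x1A2B, "tcp_checksum": 0x3C4D,
        "tos": 0x00, "df": 1, "mss": 1460, "seq": 5000, "ack": 1000,
        "sack": [(1100, 1200), (1300, 1400)]}
RECEIVED = dict(SENT, src_ip="198.51.100.7", src_port=40001,
                ip_checksum=0x5E6F, tcp_checksum=0x7A8B,
                tos=0x10, df=0, ack=1200, sack=[(1300, 1400), (1100, 1200)])

if __name__ == "__main__":
    ignored, alarms = classify(SENT, RECEIVED)
    print("ignored:", ignored)   # tos and sack only
    print("alarms:", alarms)     # ack and df; mss is unchanged here
```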