Educause Security Discussion mailing list archives

Re: gamer clubs


From: "Sprague, Randy" <randy.sprague () CINCINNATISTATE EDU>
Date: Wed, 6 Apr 2016 15:19:48 +0000

You most likely only have one external IP assigned to the network. The issue comes up with some games consoles needing 
a specific TCP port to its own IP.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Wilcox
Sent: Wednesday, April 6, 2016 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] gamer clubs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 05/04/16 17:37, Joey Rego wrote:

Question for those of you that host the gamer networks.  We get some 
complaints from students regarding their NAT type being Strict 
depending on the type of gaming system.  Most games seem to work but 
there are some that don’t from what I am told.  I am not a gamer so go 
gently.  lol


1. What method are you providing external IP addresses for gamers? One to One Nat/ one to Many Nat/PAT?

It depends. Consoles, "smart TVs", etc., get a "public" IP but they're behind a default-deny firewall. Those firewalls 
do sloppy state management, though, so once they connect out, anyone can connect back on that port (see Open NAT/sloppy 
management below).

If they want a dedicated gaming server then they get a "public" IP in a DMZ area.

2. How many external IP addresses are you assigning to these gamer networks on average?

Again, it depends. Consoles and similar are in a /22. The dedicated game servers are in a /29.

There are two types of things going on here.

1) the case where students wanted to run PCs dedicated to hosting games -- this is the scenario we addressed by carving 
out a DMZ segment.

2) companies like Microsoft assuming you're using firewalls that don't enforce state (or that you let your users change 
firewall policy on the fly, or that you're not using one at all). This is where the NAT Type stuff comes into play -- 
they expect consoles to generally do P2P.

I guess it's worth a high-level dive into NAT (or NAT/PAT for the pedantic, because I know someone will hop in and say, 
"BUT THAT'S PAT!" ;) ).

<u0:p1> <--router:p2--> <s0:p3>

Proper state enforcement (closed NAT, aka Strict):

User 0 makes a connection to server 0. The source port is 1 for the user. The router makes the NAT connection to the 
server from its own source port 2. The server sees the IP of the router and the router's port 2. If the server tries to 
send back to port 1 it will fail. If some other server, s1, tries to connect back to the router on any port, it will 
fail. This is how many-to-one NAT works.

Moderate state enforcement (moderate NAT):

User 0 makes a connection to server 0. The source port is 1 for the user. The router makes the NAT connection to the 
server from its own source port 2. The server sees the IP of the router and the router's port 2. If the server tries to 
send traffic to _any_ port on the IP it sees of the router, it gets passed back to u0. This is how one-to-one NAT _can_ 
work.

Sloppy state enforcement (open NAT):

User 0 makes a connection to server 0. The source port is 1 for the user. The router makes the NAT connection to the 
server from its own source port 2. The server sees the IP of the router and the router's port 2. If the server tries to 
send back to _any_ port on the IP it saw, it gets forwarded to u0. If another server tries to send to port 2 then it 
gets forwarded to u0 but any other ports fail.

Basically, it's like this:

closed - I can chat to you, you can chat to me but only on an established port tuple

moderate - I can chat to you, you can chat to me on any port

open - I can chat to you, anyone else can chat back to me on the same port

Pictures make this a lot easier to describe :-)

Some firewalls (like pf) do "strict" state enforcement and you need to use something like upnp (so your clients can 
modify your campus firewall rules on the fly!) for some game networks to function. Some firewalls do really sloppy 
state enforcement and anyone making an outbound connection can now become a server to the world.

kmw
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlcFHy8ACgkQsKMTOtQ3fKFA6gCgilHdUHpEK0COSH2dnGToP3nV
FYUAnj65A1AhgXA5GqygFfflC7nRGtzi
=xy0L
-----END PGP SIGNATURE-----
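A small simulation of the three state-enforcement behaviours Kevin lays out (closed/strict, moderate, open), added here as an illustration and not code from the list thread or any firewall product. The `Nat` and `demo` names, the addresses and the port numbers are all constructed for the example; the only question it answers is, for one outbound flow u0:p1 -> router:p2 -> s0:p3, which inbound packets each policy would pass back to u0.

```python
# Toy model of closed / moderate / open NAT state enforcement.
# Added illustration, not code from the list thread; addresses, ports and
# policy names are constructed for the example.

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Mapping:
    """One outbound flow the router has translated (u0:p1 -> router:p2 -> s0:p3)."""
    inside_ip: str      # u0
    inside_port: int    # p1
    router_port: int    # p2
    server_ip: str      # s0
    server_port: int    # p3


@dataclass
class Nat:
    policy: str                      # "closed", "moderate" or "open"
    next_port: int = 40000           # constructed: first router-side port to hand out
    mappings: Dict[int, Mapping] = field(default_factory=dict)   # keyed by p2

    def outbound(self, inside_ip: str, inside_port: int,
                 server_ip: str, server_port: int) -> int:
        """Record u0:p1 -> s0:p3 and return the router source port p2."""
        p2 = self.next_port
        self.next_port += 1
        self.mappings[p2] = Mapping(inside_ip, inside_port, p2, server_ip, server_port)
        return p2

    def inbound(self, src_ip: str, src_port: int,
                dst_port: int) -> Optional[Tuple[str, int]]:
        """Decide whether a packet arriving at router:dst_port is forwarded.

        Returns (inside_ip, inside_port) when it is passed to u0, None when dropped.
        """
        if self.policy == "closed":
            # Strict: only the exact reverse of an established tuple, s0:p3 -> router:p2.
            m = self.mappings.get(dst_port)
            if m and m.server_ip == src_ip and m.server_port == src_port:
                return (m.inside_ip, m.inside_port)
            return None
        if self.policy == "moderate":
            # A server u0 already talked to may reach u0 on any router port;
            # anyone else is dropped.
            for m in self.mappings.values():
                if m.server_ip == src_ip:
                    return (m.inside_ip, m.inside_port)
            return None
        if self.policy == "open":
            # s0 may reach any port, and *anyone* may reach the mapped port p2.
            for m in self.mappings.values():
                if m.server_ip == src_ip:
                    return (m.inside_ip, m.inside_port)
            m = self.mappings.get(dst_port)
            if m:
                return (m.inside_ip, m.inside_port)
            return None
        raise ValueError(f"unknown policy {self.policy!r}")


def demo(policy: str) -> Dict[str, bool]:
    """Run the four inbound cases from the post against one policy (True = forwarded)."""
    nat = Nat(policy)
    u0, p1 = "10.0.0.10", 50000        # constructed inside host and source port
    s0, p3 = "198.51.100.7", 3074      # constructed game server the user connected to
    s1 = "192.0.2.99"                  # constructed unrelated host that was never contacted
    p2 = nat.outbound(u0, p1, s0, p3)
    other = p2 + 1                     # some router port with no mapping
    return {
        "s0_to_p2": nat.inbound(s0, p3, p2) is not None,
        "s0_to_other_port": nat.inbound(s0, p3, other) is not None,
        "s1_to_p2": nat.inbound(s1, 4444, p2) is not None,
        "s1_to_other_port": nat.inbound(s1, 4444, other) is not None,
    }


if __name__ == "__main__":
    for policy in ("closed", "moderate", "open"):
        print(policy, demo(policy))
```

Running it prints one row per policy; the row for "open" is the one that matters from a firewall-policy standpoint, because `s1_to_p2` is True there: a host the student never contacted can reach the console through the mapped port, which is the "anyone making an outbound connection can now become a server to the world" case. The "closed" row is what a strict state table gives you, and is why consoles then report NAT type Strict unless something like UPnP is allowed to open the port.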
