
Author: 俞柏同 (Yu, Po-Tung)
Thesis title: Implementation and Security Improvement of IGD Protocol Based on SDN Technology (original title: 利用軟體定義網路技術實作IGD協定之功能並改善其安全性問題)
Advisor: 黃之浩 (Huang, Scott Chih-Hao)
Committee members: 曾建超 (Tseng, Chien-Chao); 李哲榮 (Lee, Che-Rung); 高榮駿 (Kao, Jung-Chun)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Institute of Communications Engineering
Year of publication: 2021
Academic year of graduation: 109 (ROC calendar)
Language: Chinese
Number of pages: 47
Keywords: Software-defined Network, Internet Gateway Device Protocol, Universal Plug and Play Protocol
  • In traditional networks, the Internet Gateway Device Protocol (IGD) gives endpoints inside a local area network the ability to configure NAT rules on the routing device, so that an endpoint behind NAT can still easily carry out P2P-style communication with endpoints on external networks, or set up a server for external endpoints to access. A major feature of the protocol is that it communicates over the Universal Plug and Play Protocol (UPnP), so endpoints in the LAN can automatically discover devices that support IGD without human intervention. The great convenience the protocol brings has led network equipment from many brands to include support for it.
    Software-defined networking (SDN) has gradually matured in recent years and has become one of the first choices for many enterprises building data centers or service networks. Compared with traditional networking, SDN has software-based control-plane logic and a centralized architecture; these features let an enterprise network shed unnecessary network functions and protocols, so the enterprise can concentrate on planning its own control-plane policy and has more control and flexibility in shaping its ideal network. As 5G, IoT and cloud technologies mature and spread, SDN will be applied more and more widely.
    As of the writing of this thesis, we have not found other research that implements the IGD protocol in a software-defined network; given the convenience and functionality the protocol provides, we believe there will be corresponding use cases in SDN as well. Therefore, in this thesis we implement IGD support using SDN technology. Building on the open-source project Miniupnpd, we extract its internal NAT-related functions and port them to the SDN controller, and add an HTTP interface between Miniupnpd and the controller so that Miniupnpd can forward NAT requests from clients to the controller. Besides presenting an implementation method, this thesis also provides communication-latency measurements at the end to verify its feasibility.
    In addition, although IGD provides great convenience, this also leaves it with many security problems. For example, the NAT function is easily abused by malicious users, and the protocol can be exploited as a stepping stone that amplifies DDoS attack traffic; in recent years there have been a number of network attacks targeting protocol vulnerabilities, such as BCMUPNP_HUNTER and CallStranger, some stemming from the lack of proper authentication procedures, some from improper service configuration by network administrators, and many other problems besides. In this thesis we therefore attempt to improve on some of these problems. The first is the discovery process of the UPnP protocol, which is easily deceived by packets with forged source IPs into generating and amplifying DDoS traffic; for this problem we propose a defense mechanism based on packet filtering, with the goal of blocking the attack without affecting normal communication. The second is an authentication procedure based on JSON Web Token, which aims to give services supporting IGD a feasible and flexible authentication mechanism without introducing excessive extra latency. Likewise, we provide measurements at the end to verify the above experimental goals.
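The discovery-stage defense mentioned above is described only as "packet filtering". As an added example (not the thesis's code, and not Miniupnpd's), the following Python filter shows the two checks a responder can apply before answering an SSDP M-SEARCH so that a forged-source request does not turn it into a reflector: the source address must belong to a subnet the responder actually serves, and each source is limited to a few answered searches per window. The subnet, the limits and the sample datagram are all constructed for this example.

```python
"""Defensive filter for SSDP M-SEARCH requests (added example, not thesis code)."""
import ipaddress
import time
from collections import defaultdict, deque

# Constructed sample of a normal IGD discovery request, as a LAN client would
# multicast it to 239.255.255.250:1900.
SAMPLE_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


def parse_msearch(payload: bytes):
    """Return the headers of an M-SEARCH request as a dict, or None if the
    datagram is not a well-formed SSDP discovery request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if lines[0].strip() != "M-SEARCH * HTTP/1.1":
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().upper()] = value.strip()
    if headers.get("MAN") != '"ssdp:discover"':
        return None
    return headers


class SsdpSearchFilter:
    """Decides whether a responder should answer an M-SEARCH.

    Check 1: the source address must lie in a subnet the responder serves;
    a reply to any other address would be reflected off the LAN.
    Check 2: each source may trigger at most `max_per_window` replies per
    window, which caps how hard an on-link spoofer can drive the responder.
    The subnet list and limits are assumptions chosen for this example.
    """

    def __init__(self, local_subnets, max_per_window=5, window_seconds=1.0):
        self.local_subnets = [ipaddress.ip_network(n) for n in local_subnets]
        self.max_per_window = max_per_window
        self.window = window_seconds
        self._recent = defaultdict(deque)  # source address -> accept timestamps

    def decide(self, src_ip: str, payload: bytes, now=None):
        """Return (answer, reason). Datagrams that are not ssdp:discover
        requests pass through; this filter only governs discovery replies."""
        now = time.monotonic() if now is None else now
        if parse_msearch(payload) is None:
            return True, "not an ssdp:discover request; not filtered"
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in self.local_subnets):
            return False, "source outside served subnets; reply would be reflected"
        stamps = self._recent[src]
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()  # forget accepts older than the window
        if len(stamps) >= self.max_per_window:
            return False, "per-source reply rate exceeded"
        stamps.append(now)
        return True, "answer"


if __name__ == "__main__":
    f = SsdpSearchFilter(["192.168.1.0/24"], max_per_window=3)
    for src in ("192.168.1.20", "203.0.113.7"):
        print(src, f.decide(src, SAMPLE_MSEARCH))
```

The subnet check is what keeps ordinary on-link clients unaffected: their replies stay on the LAN, while a request whose source claims to be an Internet address is dropped without consuming responder bandwidth. The rate limit is a second line of defense for the case where the forged source is itself a LAN address.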


    The Internet Gateway Device Protocol (IGD) is widely used in traditional networks: it gives endpoints inside a local area network (LAN) the ability to set up DNAT rules on a specific routing device. Therefore, even if the endpoints are behind a NAT device, they can still easily establish communications such as P2P with the outside world, or even set up a server in the LAN for people on the WAN to access. A major feature of the protocol is that it uses the Universal Plug and Play Protocol (UPnP) for the communication between endpoints, so that endpoints in the LAN can automatically find devices supporting IGD without any human intervention. Because of the convenience the IGD protocol brings, network equipment from many well-known brands includes IGD support.
    Software-defined networking (SDN) has gradually matured in recent years and has become one of the first choices for many enterprises when building a data center or service network. Compared with traditional network technology, SDN has software-based control-plane logic and a centralized architecture. These features let the enterprise network shed unnecessary network functions and protocols, so the enterprise can devote more attention to planning its own network control strategies and has more control and flexibility in shaping the network into its ideal condition. As 5G, Internet of Things and cloud technologies become more mature and popular, the adoption of SDN technology will become more and more widespread.
    As of the writing of this paper, we have not found other implementations of IGD protocol support in software-defined networks. Because of the convenience and benefits the protocol provides, we believe there will be related demand in software-defined networks in the future. Therefore, in this paper we propose a framework that provides IGD protocol support in SDN. Based on the related open-source project Miniupnpd, we remove the NAT-related functions from the original program and implement them on the SDN controller instead. So that Miniupnpd can properly relay a NAT request to the controller, an HTTP interface is added between Miniupnpd and the controller. In this paper we not only provide a set of implementation methods to support our framework, but also provide latency-related data at the end of the paper to verify the feasibility of our framework.
    In addition, although IGD provides great convenience, it also brings many security problems that make it vulnerable. For example, the NAT functions can easily be abused by malicious users, and the device discovery functions can be used as an amplifier (or proxy) to conduct a DDoS attack. In recent years these vulnerabilities have been exploited in many network attacks, such as BCMUPNP_HUNTER, CallStranger and more, some caused by the lack of proper verification procedures, some by improper service settings by network administrators, and there are still many other problems. Therefore, in this paper we try to improve on some of these security issues. The first is the discovery process of the UPnP protocol, which can easily be deceived by packets with forged source IPs into sending a flood of responses to an innocent host. To mitigate this problem, we propose a defense mechanism based on filtering packets; we expect the defense to block only forged packets, so that normal communication continues as usual. The second issue is the lack of authentication. To address it, we propose an authentication procedure based on JSON Web Token, which should provide services supporting IGD with a feasible and flexible authentication mechanism without causing too much additional processing delay. Similarly, in this paper we also provide the relevant implementation and experimental data to verify the above goals.
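The abstract states that the relay between Miniupnpd and the controller gains a JSON-Web-Token-based authentication step, but not what the token carries or what the relay checks. As an added example (not the thesis's code and not the layout of its HTTP interface), the Python below shows one way such a gate can work for the WANIPConnection AddPortMapping action: the token is an HS256 JWT whose `sub` claim names the LAN client it was issued to and whose `ports` claim (an assumed, non-registered claim name) bounds the external ports that client may open; the relay verifies the signature and expiry with the standard library only, then refuses any mapping that targets another client's address or a port outside the grant. The shared secret, the sample request and the shape of the message forwarded to the controller are all constructed for this example.

```python
"""JWT-gated relay of IGD AddPortMapping requests (added example, not thesis code)."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, client_ip: str, port_range, ttl_seconds: int, now=None) -> str:
    """Mint an HS256 JWT for one LAN client. "ports" is an assumed claim name
    used only in this example; sub/iat/exp are registered JWT claims."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": client_ip, "ports": list(port_range), "iat": now, "exp": now + ttl_seconds}

    def compact(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Return the claims of a valid token or raise ValueError.
    The algorithm is pinned to HS256 so a token-supplied header cannot
    downgrade verification (for example alg=none)."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{head_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def authorize_port_mapping(secret: bytes, token: str, request: dict, now=None) -> dict:
    """Check an AddPortMapping request against the token before relaying it.

    `request` holds the WANIPConnection AddPortMapping arguments as the SOAP
    layer delivered them (strings). The returned dict is the message the relay
    would POST to the controller; its field names are an assumption.
    """
    claims = verify_token(secret, token, now)
    if request["NewInternalClient"] != claims["sub"]:
        raise PermissionError("token holder may only map its own internal address")
    low, high = claims["ports"]
    ext_port = int(request["NewExternalPort"])
    if not low <= ext_port <= high:
        raise PermissionError("external port outside the range granted by the token")
    return {
        "action": "AddPortMapping",
        "protocol": request["NewProtocol"].upper(),
        "external_port": ext_port,
        "internal_client": request["NewInternalClient"],
        "internal_port": int(request["NewInternalPort"]),
        "granted_to": claims["sub"],
    }


if __name__ == "__main__":
    # Constructed demo: a 5-minute token for one client and a matching request.
    secret = b"constructed-demo-secret"
    tok = issue_token(secret, "192.168.1.20", (40000, 40100), 300)
    req = {"NewExternalPort": "40010", "NewInternalClient": "192.168.1.20",
           "NewInternalPort": "8080", "NewProtocol": "tcp"}
    print(authorize_port_mapping(secret, tok, req))
```

Binding the mapping to the token's `sub` is what addresses the "NAT abused by malicious users" point: a client can only open ports that forward to itself, so a compromised host cannot expose other LAN machines. In a real deployment the relay should also compare `sub` with the address the SOAP request actually came from, and the issuing side (the thesis's permission manager) holds the secret, not the client.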

Table of contents:
    Chinese Abstract
    Abstract
    Acknowledgements
    List of Figures
    List of Tables
    Chapter 1: Introduction
        1.1 Motivation and Goals
        1.2 Thesis Structure
    Chapter 2: Related Work
        2.1 Universal Plug and Play Protocol (UPnP)
        2.2 Internet Gateway Device Protocol (IGD)
            2.2.1 Open Source Project: Miniupnp
        2.3 Software-Defined Networking (SDN)
            2.3.1 ONOS
        2.4 Security Concerns in the IGD Protocol
            2.4.1 DDoS Attacks Using Spoofed Source IPs
            2.4.2 Lack of an Authentication Mechanism
            2.4.3 Related Network Attack Incidents
                2.4.3.1 BCMUPnP_Hunter
                2.4.3.2 Eternal_Silence
                2.4.3.3 CallStranger
        2.5 Related Research on Implementing NAT in SDN
    Chapter 3: System Architecture and Implementation
        3.1 System Architecture
        3.2 Implementation
            3.2.1 Miniupnpd-SDN
            3.2.2 IGDNAT
            3.2.3 Miniupnp Client
    Chapter 4: Improvements to the Security Issues
        4.1 Spoofed-Source-IP DDoS Attack and Defense
            4.1.1 Analysis of the Attack Method
            4.1.2 Proposed Defense Measures
        4.2 Authentication Mechanism Based on JSON Web Token
            4.2.1 Proposed Authentication Mechanism
                4.2.1.1 JSON Web Token
            4.2.2 Extending Miniupnpd-SDN
            4.2.3 Permission Manager
            4.2.4 Extending the Client
    Chapter 5: Experimental Results
        5.1 Experiment Outline
        5.2 Communication Latency of NAT Connections
            5.2.1 Experimental Data
        5.3 Effectiveness of the DDoS Attack and the Proposed Defense Mechanism
            5.3.1 Effectiveness of the Spoofed-Source-Address DDoS Attack
            5.3.2 Effectiveness of the Proposed Defense Mechanism
        5.4 Comparison of Time Required for IGD Requests
            5.4.1 Time Required for Each Request Phase under Different Scenarios
            5.4.2 Analysis of the SOAP Phase
        5.5 Summary of Experimental Results
    Chapter 6: Conclusion
    References

