COMS/CSEE 4140
Networking Laboratory
Lecture 08

Salman Abdul Baset
Spring 2008
Announcements
 Prelab 7 and Lab report 6 due next week before
  your lab slot
 Assignment 3 due next week Monday
 Project groups
Last time…
 Interconnection devices (hub, bridge/switch,
  router)
 Bridges/LAN switches vs. routers
 Bridge concepts, PDU
 Spanning tree algorithm
 Linux packet reception
Agenda
 Private network and addresses
 NAT (Network Address Translator)
       Basic operation
       Issues (binding, filtering, state maintenance)
       Main uses of NAT
   Dynamic Host Configuration Protocol (DHCP)
Private Network
   A private IP network is an IP network whose hosts use private IP
    addresses

   IP addresses in a private network can be assigned
    arbitrarily but they are usually picked from the reserved
    pool (can we use any? Inside an isolated network, yes; but if a
    block that is publicly assigned to someone else is reused, those
    public hosts become unreachable from inside once the network is
    connected to the Internet, so use the reserved ranges)
        Not registered and not guaranteed to be globally unique

   Private networks use addresses from the following
    ranges, reserved for this purpose by RFC 1918 (not routable
    on the public Internet; ISPs are expected to filter them):
        10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
        172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
        192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
Private Addresses
   [Figure: two private networks, each numbered 10.0.1.0/24, attached to
    the Internet through routers R1 (public side 128.195.4.119) and R2
    (public side 128.143.71.21). Hosts H1 and H2 on private network 1 and
    H3 and H4 on private network 2 use the same private addresses 10.0.1.2
    and 10.0.1.3, each with gateway 10.0.1.1. Public host H5 has address
    213.168.112.3.]
   The same private addresses are in use in both networks, so they cannot
    be routed across the Internet; only the public addresses of R1, R2 and
    H5 are globally unique.
Network Address Translator
   A hack to fix the IP address depletion problem.
        NAT is a router function where IP addresses (and possibly port
         numbers) of IP datagrams are replaced at the boundary of a private
         network.
   Breaks the End-to-End argument.
        RFC 1631 - The IP Network Address Translator (NAT), obsoleted by
         RFC 3022 (Traditional IP NAT)
        Not an Internet standard (both are informational in the RFC 3700
         standards list) but deployed almost everywhere
   Provides a form of security by acting as a firewall: an inbound
    datagram that matches no binding is dropped.
        This is a side effect of stateful translation, not an access-control
         policy: it does nothing for outbound traffic, and a port forward, a
         hairpinned host or a NAT with endpoint-independent filtering exposes
         internal hosts.
        Home users
        Small companies

Other solutions to the IP address problem are? (e.g. CIDR and address
conservation, IPv6)
Basic Operation of NAT
   [Figure: host with private address 10.0.1.2 behind a NAT device whose
    public address is 128.143.71.21, exchanging datagrams with public host
    64.236.24.4]

   Outgoing datagram
        in the private network:   Source = 10.0.1.2        Destination = 64.236.24.4
        on the Internet:          Source = 128.143.71.21   Destination = 64.236.24.4
   Incoming datagram (reply)
        on the Internet:          Source = 64.236.24.4     Destination = 128.143.71.21
        in the private network:   Source = 64.236.24.4     Destination = 10.0.1.2

   Translation table on the NAT device
        Private Address      Public Address
        10.0.1.2             128.143.71.21

   NAT device stores the address and port translation tables
    (Binding)
        In this example we mapped only addresses.
   NAT device filters incoming traffic (Filtering): a datagram
    from the Internet that matches no entry in the table is dropped.
NAT Issues
   Private-to-public address mapping
        Static NAT
        Dynamic NAT
        Overloading (NAPT or PAT)
   State maintenance
        Linux: /proc/net/ip_conntrack (on newer kernels
         /proc/net/nf_conntrack, or the conntrack command)
   Binding and Filtering Behavior (terms from RFC 4787, which
    classifies NAT behavior for UDP; RFC 5382 does the same for TCP)
        Binding (mapping): endpoint-independent, address-dependent,
         address and port-dependent
        Filtering: endpoint-independent filtering, address-dependent
         filtering, address and port-dependent filtering.
        Binding decides which public address:port an internal
         address:port is translated to; filtering decides which
         external senders may use that binding to reach the host.
Static mapping, dynamic mapping, NAPT/PAT
   [Figure: the three mapping schemes side by side]
        Static mapping: one private address is permanently bound to one
         public address (inbound connections work without prior outbound traffic).
        Dynamic mapping: a public address is taken from a pool when a host
         first sends outside and returned to the pool when the binding expires.
        NAPT/PAT: many private address:port pairs share one public address;
         the NAT tells flows apart by the public port it assigns.
Binding: Endpoint-independent
   Internal host X1 sends from one internal port x1 to four external
    endpoints: Y1:y1 and Y1:y2 on host Y1, Z1:z1 and Z1:z2 on host Z1.
    The NAT has public address N1.

        Internal source   External destination   Public binding at the NAT
        X1:x1             Y1:y1                  N1:n1
        X1:x1             Y1:y2                  N1:n1
        X1:x1             Z1:z1                  N1:n1
        X1:x1             Z1:z2                  N1:n1

   Endpoint-independent mapping: the same public address:port N1:n1
    is reused for every destination, so X1 can learn its public
    endpoint once (e.g. from a STUN server) and hand it to other peers.

Binding: Address-dependent
        Internal source   External destination   Public binding at the NAT
        X1:x1             Y1:y1                  N1:n1
        X1:x1             Y1:y2                  N1:n1
        X1:x1             Z1:z1                  N1:n2
        X1:x1             Z1:z2                  N1:n2

   Address-dependent mapping: a new public port is allocated for
    each external address; ports on the same external host share it.

Binding: Address and port dependent
        Internal source   External destination   Public binding at the NAT
        X1:x1             Y1:y1                  N1:n1
        X1:x1             Y1:y2                  N1:n2
        X1:x1             Z1:z1                  N1:n3
        X1:x1             Z1:z2                  N1:n4

   Address and port-dependent mapping: a new public port for each
    external address:port ("symmetric NAT"); the public endpoint
    learned from one peer is useless for reaching any other peer.
Filtering: Endpoint-independent
   (1) X1:x1 sends to Y1:y1; the NAT creates the binding X1:x1 <-> N1:n1.
   Afterwards three external senders transmit to N1:n1:

        Inbound packet      Result
        Y1:y1 -> N1:n1      forwarded to X1:x1
        Y1:y2 -> N1:n1      forwarded to X1:x1
        Z1:z1 -> N1:n1      forwarded to X1:x1

   Endpoint-independent filtering: once the binding exists, any
    external address and port may send to it. Best for peer-to-peer
    applications, weakest as a "firewall": the binding is reachable by
    anyone who learns N1:n1.

Filtering: Address-dependent
   (1) X1:x1 sends to Y1:y1; binding X1:x1 <-> N1:n1.

        Inbound packet      Result
        Y1:y1 -> N1:n1      forwarded to X1:x1
        Y1:y2 -> N1:n1      forwarded (same external address, different port)
        Z1:z1 -> N1:n1      dropped (X1 never sent to Z1)

   Address-dependent filtering: only external addresses that X1 has
    already sent to may use the binding, from any port.

Filtering: Address and port dependent
   (1) X1:x1 sends to Y1:y1; binding X1:x1 <-> N1:n1.

        Inbound packet      Result
        Y1:y1 -> N1:n1      forwarded to X1:x1
        Y1:y2 -> N1:n1      dropped (X1 never sent to port y2 of Y1)
        Z1:z1 -> N1:n1      dropped

   Address and port-dependent filtering: only the exact external
    address:port pairs X1 has sent to may reply. Most restrictive;
    RFC 4787 recommends endpoint-independent filtering when
    application transparency matters most and address-dependent
    filtering when a more stringent policy is wanted.
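The six behaviours above, run as code. This is an added example (not part of the lecture slides): a toy NAPT that implements the three RFC 4787 mapping behaviours and the three filtering behaviours, driven by the X1/Y1/Z1 scenario of slides 11-16. The NatBox class, its method names, the port allocation scheme and the addresses used (documentation ranges) are assumptions made for this example.

```python
# Added example (not from the lecture slides): a toy NAT implementing the
# three mapping (binding) and three filtering behaviours of RFC 4787, driven
# by the X1/Y1/Z1 scenario of slides 11-16. NatBox and the addresses used
# below are assumptions made for this example.

EI, AD, APD = "endpoint-independent", "address-dependent", "address-and-port-dependent"


class NatBox:
    """NAPT with one external address; endpoints are (ip, port) tuples."""

    def __init__(self, external_ip, mapping=EI, filtering=EI, first_port=1024):
        self.ext_ip = external_ip
        self.mapping = mapping
        self.filtering = filtering
        self.next_port = first_port
        self.bindings = {}   # mapping key -> external port
        self.reverse = {}    # external port -> internal (ip, port)
        self.sent_to = {}    # external port -> set of remote (ip, port) sent to

    def _key(self, src, dst):
        # What the mapping depends on decides whether two flows share a port.
        if self.mapping == EI:
            return (src,)                 # same internal endpoint -> same port
        if self.mapping == AD:
            return (src, dst[0])          # new port per remote address
        return (src, dst)                 # new port per remote address:port

    def outbound(self, src, dst):
        """Internal src -> remote dst; returns the external (ip, port) used."""
        key = self._key(src, dst)
        port = self.bindings.get(key)
        if port is None:                  # first packet for this key: allocate
            port = self.next_port
            self.next_port += 1
            self.bindings[key] = port
            self.reverse[port] = src
            self.sent_to[port] = set()
        self.sent_to[port].add(dst)
        return (self.ext_ip, port)

    def inbound(self, remote, ext):
        """Remote -> our external ext; returns internal target or None (filtered)."""
        if ext[0] != self.ext_ip or ext[1] not in self.reverse:
            return None                   # no binding at all: always dropped
        seen = self.sent_to[ext[1]]
        if self.filtering == EI:
            allowed = True                # anyone may use an existing mapping
        elif self.filtering == AD:
            allowed = any(r[0] == remote[0] for r in seen)
        else:
            allowed = remote in seen      # only endpoints we already sent to
        return self.reverse[ext[1]] if allowed else None


# Constructed endpoints standing in for the slides' X1, Y1, Z1 and N1.
X1, Y1, Z1, N1 = "10.0.1.2", "198.51.100.7", "203.0.113.9", "192.0.2.1"


def mapping_scenario(mapping):
    """Slides 11-13: X1:x1 sends to Y1:y1, Y1:y2, Z1:z1, Z1:z2; external ports used."""
    nat = NatBox(N1, mapping=mapping)
    dsts = [(Y1, 5001), (Y1, 5002), (Z1, 6001), (Z1, 6002)]
    return [nat.outbound((X1, 4000), d)[1] for d in dsts]


def filtering_scenario(filtering):
    """Slides 14-16: X1:x1 -> Y1:y1 creates the binding, then three senders try it."""
    nat = NatBox(N1, filtering=filtering)
    ext = nat.outbound((X1, 4000), (Y1, 5001))
    senders = [(Y1, 5001), (Y1, 5002), (Z1, 6001)]
    return {s: nat.inbound(s, ext) is not None for s in senders}


if __name__ == "__main__":
    for m in (EI, AD, APD):
        print("mapping", m, mapping_scenario(m))
    for f in (EI, AD, APD):
        print("filtering", f, filtering_scenario(f))
```

Mapping and filtering are independent knobs: a real NAT has one of each, and NAT traversal (STUN-style hole punching) works only when the mapping is endpoint-independent, while the filtering behaviour decides how much of a "firewall" the device really is.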
NAT Issues
   Port preserving: the NAT tries to use the internal port as the
    public port (n1 = x1); it cannot when another internal host already
    uses that port, so applications must not rely on it.
   Hair pinning: two hosts X1 and X2 behind the same NAT address
    each other by their public bindings N1:n1 and N1:n2; the NAT
    must recognize its own public address and loop the datagram
    back inside (with the source rewritten to the public binding)
    instead of forwarding it to the Internet.
   [Figure: X1 and X2 on the private side of one NAT]
   Discovering binding lifetime: the NAT silently discards a
    binding after an idle timeout that hosts cannot query, so an
    application that needs the binding sends periodic keepalives;
    RFC 4787 requires at least 2 minutes for UDP bindings and
    recommends 5 minutes or more.
Main uses of NAT
   Pooling of IP addresses

   Supporting migration between network
   service providers

   IP masquerading and internal firewall

   Load balancing of servers
Pooling of IP addresses
   Scenario: Corporate network has many hosts but only a
    small number of public IP addresses.

   NAT solution:
        Corporate network is managed with a private address space.

        NAT device, located at the boundary between the corporate
         network and the public Internet, manages a pool of public IP
         addresses.

        When a host from the corporate network sends an IP datagram
         to a host in the public Internet, the NAT device picks a public IP
         address from the address pool, and binds this address to the
         private address of the host. The binding is released when the
         host's traffic has been idle for some time, so the pool size
         limits how many hosts can talk to the Internet at once.
Pooling of IP addresses
   [Figure: host 10.0.1.2 behind a NAT device that manages a pool of
    public addresses, sending to public host 64.236.24.4]

        in the private network:   Source = 10.0.1.2        Destination = 64.236.24.4
        on the Internet:          Source = 128.143.71.21   Destination = 64.236.24.4

   Binding created by the first outgoing datagram
        Private Address      Public Address
        10.0.1.2             128.143.71.21 (taken from the pool)
Supporting migration between network
service providers
   Scenario: In practice (using CIDR), the IP addresses in
    a corporate network are obtained from the service
    provider. Changing the service provider requires
    changing all IP addresses in the network.

   NAT solution:
       Assign private addresses to the hosts of the corporate network
       NAT device has address translation entries which bind the
        private address of a host to the public address.
       Migration to a new network service provider merely requires an
        update of the NAT device. The migration is not noticeable to the
        hosts on the network.

Supporting migration between network
service providers
   [Figure: private network attached to ISP 1]
   ISP 1 allocates address block 128.14.71.0/24 to the private network.
        Host: private address 10.0.1.2, public address 128.14.71.21
        in the private network:   Source = 10.0.1.2       Destination = 213.168.112.3
        on the Internet:          Source = 128.14.71.21   Destination = 213.168.112.3
        NAT table:  Private Address 10.0.1.2  ->  Public Address 128.14.71.21

Supporting migration between network
service providers
   [Figure: the same private network after moving to ISP 2]
   ISP 2 allocates address block 150.140.4.0/24 to the private network;
    the ISP 1 block 128.14.71.0/24 is no longer usable.
        Host: private address 10.0.1.2 (unchanged), public address now 150.140.4.120
        in the private network:   Source = 10.0.1.2        Destination = 213.168.112.3
        on the Internet:          Source = 150.140.4.120   Destination = 213.168.112.3
        NAT table:  Private Address 10.0.1.2  ->  Public Address 150.140.4.120
         (was 128.14.71.21); only this entry changed, the host noticed nothing.
IP masquerading
   Also called: Network address and port
   translation (NAPT), port address
   translation (PAT).
   Scenario: Single public IP address is mapped
   to multiple hosts in a private network.

   NAT solution:
        Assign private addresses to the hosts of the corporate
         network
        NAT device rewrites the source address of outgoing
         traffic to the single public address and, where needed, the
         source port as well, so that every (private address, port)
         pair gets a public port of its own; replies are mapped back
         by that public port.
IP masquerading
   [Figure: two hosts behind a NAT device whose private side is
    10.0.0.1 and whose single public address is 128.143.71.21]

        Host 2 (private address 10.0.1.2)
          in the private network:   Source = 10.0.1.2        Source port = 2001
          on the Internet:          Source = 128.143.71.21   Source port = 80
        Host 1 (private address 10.0.1.3)
          in the private network:   Source = 10.0.1.3        Source port = 3020
          on the Internet:          Source = 128.143.71.21   Source port = 4444

   Translation table (address and port)
        Private Address/Port     Public Address/Port
        10.0.1.2/2001            128.143.71.21/80
        10.0.1.3/3020            128.143.71.21/4444
Load balancing of servers
   Scenario: Balance the load on a set of identical
   servers, which are accessible from a single IP
   address
   NAT solution:
        Here, the servers are assigned private addresses
        NAT device acts as a proxy for requests to the server
         from the public network
        The NAT device changes the destination IP address of
         arriving packets to one of the private addresses for a
         server
        A sensible strategy for balancing the load of the
         servers is to assign the addresses of the servers in a
         round-robin fashion.
Load balancing of servers
   [Figure: servers S1 (10.0.1.2), S2 (10.0.1.3) and S3 (10.0.1.4) on
    the private network behind a NAT device with public address
    128.59.71.21; two clients on the Internet, 64.30.4.120 and
    101.248.22.3]

        Request from client 64.30.4.120
          on the Internet:          Source = 64.30.4.120    Destination = 128.59.71.21
          in the private network:   Source = 64.30.4.120    Destination = 10.0.1.2
        Request from client 101.248.22.3
          on the Internet:          Source = 101.248.22.3   Destination = 128.59.71.21
          in the private network:   Source = 101.248.22.3   Destination = 10.0.1.4

   Translation table
        Inside network                       Outside network
        Private Address   Public Address     Public Address (client)
        10.0.1.2          128.59.71.21       64.30.4.120
        10.0.1.4          128.59.71.21       101.248.22.3

    When does this work? When the choice of server is made once per
     connection (the table is keyed by the client, so all packets of
     a connection reach the same server) and any server can serve
     any client, i.e. the servers hold no per-client state or share it.
    When does this fail? When servers keep per-client state that the
     others lack (a later connection from the same client may land
     elsewhere), when many clients sit behind one address (they all
     map to the same server), or when the NAT itself saturates, since
     every packet in both directions passes through it.
Concerns about NAT
   Performance
        Modifying the IP header by changing the IP address
         requires that NAT boxes recalculate the IP header
         checksum.
        Changing the IP address also changes the TCP and UDP
         checksums, because the transport checksum covers a
         pseudo-header containing the source and destination IP
         addresses; modifying a port number changes it as well. NAT
         boxes therefore patch the transport checksum too, normally
         with the incremental update of RFC 1624 rather than a full
         recomputation over the payload.

   Fragmentation
        Care must be taken that a datagram that is
         fragmented before it reaches the NAT device is not
         assigned a different IP address or different port
         numbers for each of the fragments. Only the first
         fragment carries the transport header with the ports, so
         the NAT must either reassemble or remember the translation
         by the IP identification field until the last fragment has passed.
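The checksum point above, worked in code. This is an added example (not part of the lecture slides): it builds a small IPv4/TCP packet for the slide 8 flow, rewrites only the source address the way an SNAT does, and shows that both the IP header checksum and the TCP checksum must be fixed, using the incremental update of RFC 1624. The packet contents are constructed and the function names are assumptions made for this example.

```python
# Added example (not from the lecture slides): why rewriting only the source
# IP address forces a NAT to fix up both the IP header checksum and the TCP
# checksum (the TCP checksum covers a pseudo-header with the IP addresses),
# and how to do it with the incremental update of RFC 1624 instead of
# summing the whole segment again. Packet contents below are constructed;
# function names are assumptions for this example.
import struct


def ones_complement_sum(data):
    """RFC 1071: fold the 16-bit words of data into one 16-bit one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def ip2b(addr):
    return bytes(int(x) for x in addr.split("."))


def ipv4_header(src, dst, payload_len, proto=6):
    """20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, payload):
    """Minimal TCP SYN segment; its checksum covers the IPv4 pseudo-header."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02,
                      65535, 0, 0) + payload
    pseudo = ip2b(src) + ip2b(dst) + struct.pack("!BBH", 0, 6, len(seg))
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]


def incremental_update(old_csum, old_words, new_words):
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') for each replaced 16-bit word m -> m'."""
    total = (~old_csum) & 0xFFFF
    for i in range(0, len(old_words), 2):
        m = struct.unpack("!H", old_words[i:i + 2])[0]
        m_new = struct.unpack("!H", new_words[i:i + 2])[0]
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def snat_packet(packet, new_src):
    """Rewrite the source address of an IPv4/TCP packet, fixing both checksums."""
    ip_hdr, seg = packet[:20], packet[20:]
    old_src, new_src_b = ip_hdr[12:16], ip2b(new_src)
    # IP header checksum: only the two source-address words changed.
    ip_csum = incremental_update(struct.unpack("!H", ip_hdr[10:12])[0], old_src, new_src_b)
    new_ip = ip_hdr[:10] + struct.pack("!H", ip_csum) + new_src_b + ip_hdr[16:]
    # TCP checksum: the same two words sit in the pseudo-header, so the transport
    # checksum changes although no byte of the TCP segment itself moved.
    tcp_csum = incremental_update(struct.unpack("!H", seg[16:18])[0], old_src, new_src_b)
    new_seg = seg[:16] + struct.pack("!H", tcp_csum) + seg[18:]
    return new_ip + new_seg


def verify(packet):
    """(IP header checksum valid, TCP checksum valid), each by full recomputation."""
    ip_hdr, seg = packet[:20], packet[20:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return (ones_complement_sum(ip_hdr) == 0xFFFF,
            ones_complement_sum(pseudo + seg) == 0xFFFF)


def demo():
    """Slide 8 flow: 10.0.1.2 -> 64.236.24.4 leaves the NAT as 128.143.71.21."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    inside = (ipv4_header("10.0.1.2", "64.236.24.4", 20 + len(payload))
              + tcp_segment("10.0.1.2", "64.236.24.4", 2001, 80, payload))
    outside = snat_packet(inside, "128.143.71.21")
    # A NAT that fixed only the IP checksum would emit this broken packet.
    naive = outside[:20] + inside[20:]
    return inside, outside, naive


if __name__ == "__main__":
    for name, pkt in zip(("inside", "outside", "naive"), demo()):
        print(name, verify(pkt))
```

The "naive" packet is the one a NAT implementation forgets about: its IP header verifies, but the receiver's TCP stack computes the checksum over its own pseudo-header (with 128.143.71.21 as source) and silently discards the segment. The incremental update touches only the words that changed, which is why it costs the same whether the payload is 20 bytes or 1460.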
Concerns about NAT
   End-to-end connectivity
        NAT destroys universal end-to-end reachability of
         hosts on the Internet.
        A host in the public Internet often cannot initiate
         communication to a host in a private network.
        The problem is worse when two hosts that are each in a
         private network (behind different NATs) need to communicate
         with each other.
   NAT and applications
        NAT breaks applications that carry IP addresses or port
         numbers inside the payload, such as FTP (PORT command) or
         SIP/VoIP (SDP), and applications that need inbound
         connections; these need an application level gateway (ALG)
         in the NAT or NAT traversal logic in the application.
NAT and FTP
   Normal FTP operation (active mode): the client opens the control
    connection to server port 21, then announces in a PORT command the
    address and port on which it listens; the server connects back from
    port 20 to that address and port to transfer the data.

NAT and FTP
   [Figure: FTP client H1 (private address 10.0.1.3, public address
    128.143.72.21) behind a NAT device, FTP server H2 on the Internet]

   NAT device without FTP support
        H1 -> H2:   PORT 10.0.1.3/1027            (forwarded unchanged: the private
                                                   address is inside the TCP payload,
                                                   which the NAT does not look at)
        H2 -> H1:   200 PORT command successful
        H1 -> H2:   RETR myfile
        H2 -> H1:   150 Opening data connection
        H2 then tries to connect to 10.0.1.3 port 1027, a private address
         that is not routable from the Internet. The data connection is
         never established and the transfer hangs or fails.

NAT and FTP
   NAT device with FTP support (an application level gateway)
        H1 -> NAT:  PORT 10.0.1.3/1027
        NAT -> H2:  PORT 128.143.72.21/1027       (the NAT rewrites the address in
                                                   the payload and creates a binding
                                                   128.143.72.21:1027 -> 10.0.1.3:1027)
        H2 -> H1:   200 PORT command successful
        H1 -> H2:   RETR myfile
        H2 -> H1:   150 Opening data connection
        H2 -> NAT -> H1: establish data connection to 128.143.72.21:1027,
         translated to 10.0.1.3:1027
        Because the rewritten PORT line is longer than the original, the
         NAT must also adjust the TCP sequence and acknowledgement numbers
         on the control connection. Passive mode (PASV) avoids all this
         on the client side, since the client then opens both connections.
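The core of the "NAT device with FTP support" above, as an added example that is not part of the lecture slides: an application level gateway that rewrites the client's PORT command and pre-opens the inbound binding for the server's data connection. The PORT encoding (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) is from RFC 959; the FtpAlg class, the public port range and the control-channel lines fed to it are assumptions made for this example.

```python
# Added example (not from the lecture slides): the core of the "NAT device
# with FTP support" of slide 32, an application level gateway that rewrites
# the client's PORT command and pre-opens the inbound binding for the data
# connection. PORT encoding (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) is
# from RFC 959; the FtpAlg class and the port range are assumptions made
# for this example.
import re

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class FtpAlg:
    def __init__(self, private_ip, public_ip, first_port=40000):
        self.private_ip = private_ip
        self.public_ip = public_ip
        self.next_port = first_port
        self.expected = {}     # (public ip, public port) -> (private ip, private port)
        self.seq_delta = 0     # bytes added to the client->server stream so far

    def rewrite_port_command(self, line):
        """Return the control-channel line the server should see."""
        m = PORT_RE.match(line)
        if not m:
            return line                       # not a PORT command: untouched
        host = ".".join(m.group(i).decode() for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if host != self.private_ip or not 0 < port < 65536:
            return line                       # not this client's address: leave it alone
        pub_port = self.next_port             # allocate a public port for the data connection
        self.next_port += 1
        self.expected[(self.public_ip, pub_port)] = (host, port)
        new = b"PORT %s,%d,%d\r\n" % (",".join(self.public_ip.split(".")).encode(),
                                      pub_port // 256, pub_port % 256)
        # The payload length changed, so the NAT must also shift TCP sequence
        # numbers on this connection by the accumulated difference.
        self.seq_delta += len(new) - len(line)
        return new

    def inbound_data_connection(self, dst):
        """Server connects to dst=(ip, port); return the private target or None."""
        return self.expected.pop(dst, None)   # one-shot: a second attempt is refused


def slide_32_exchange():
    """H1 (10.0.1.3) behind NAT 128.143.72.21 sends PORT for its local port 1027."""
    alg = FtpAlg("10.0.1.3", "128.143.72.21")
    client_lines = [b"PORT 10,0,1,3,4,3\r\n", b"RETR myfile\r\n"]   # constructed input
    forwarded = [alg.rewrite_port_command(l) for l in client_lines]
    # The server now opens its data connection to the public address it was told.
    target = alg.inbound_data_connection(("128.143.72.21", 40000))
    return forwarded, target, alg.seq_delta


if __name__ == "__main__":
    print(slide_32_exchange())
```

Two details matter in practice: the binding opened by the ALG is one-shot and tied to the address the client named, so a PORT command naming some other internal host is left alone rather than turned into a port forward to that host (this is the classic "FTP bounce through the NAT" mistake); and seq_delta is what the NAT has to add to sequence numbers towards the server and subtract from acknowledgements towards the client for the rest of the control connection.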
Configuring NAT/firewall in Linux
   iptables
   Table (queue)
        filter, nat, mangle
   Chain
        Place within the table where firewall/NAT rules are
         placed.
        Packets pass through chains where the table's rules are looked
         up in order and a decision per packet is made (the first
         matching rule with a terminating target wins; otherwise the
         chain's policy applies).
Configuring NAT/firewall in Linux

 Table    Table function           Chain         Chain function
 filter   Packet filtering         FORWARD       Packets being forwarded through the host
                                   INPUT         Packets destined for the firewall host itself
                                   OUTPUT        Packets originating from the firewall host
 nat      Network address          PREROUTING    Address translation occurs before routing (DNAT)
          translation              POSTROUTING   Address translation occurs after routing (SNAT)
                                   OUTPUT        Address translation for packets generated by the firewall host
 mangle   Packet header            PREROUTING    Modification of header fields such as the IP TOS/DSCP
          modification             POSTROUTING   (quality of service) bits or TTL, and of packet marks,
          (IP, not only TCP)       INPUT         in any of the five chains
                                   OUTPUT
                                   FORWARD

Source: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#What_Is_iptables.3F
Configuring NAT in Linux
   Linux uses the Netfilter/iptables kernel package. Path of a
    datagram through the tables and chains:

        Incoming datagram
          -> nat PREROUTING (DNAT)
          -> routing decision: destination is local?
               Yes -> filter INPUT -> to application
               No  -> filter FORWARD -> nat POSTROUTING (SNAT) -> outgoing datagram
        Datagram from a local application
          -> nat OUTPUT -> filter OUTPUT -> nat POSTROUTING (SNAT) -> outgoing datagram

   DNAT therefore happens before the routing decision (so the rewritten
    destination is what gets routed) and SNAT after it (so routing is done
    on the original source).
Configuring NAT with iptables
   First example (static mapping of one host):
     iptables -t nat -A POSTROUTING -s 10.0.1.2
               -j SNAT --to-source 128.16.71.21

   Pooling of IP addresses (one address of the range is chosen per
    connection):
     iptables -t nat -A POSTROUTING -s 10.0.1.0/24
                -j SNAT --to-source 128.16.71.0-128.16.71.30

   IP masquerading (SNAT to whatever address the outgoing interface
    has at the moment; for links with a dynamic public address):
     iptables -t nat -A POSTROUTING -s 10.0.1.0/24
              -o eth1 -j MASQUERADE

   Load balancing (rewrite the destination of packets arriving on the
    public interface to one of the servers):
     iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4

   Notes
        The nat table only decides how a packet is rewritten. Forwarding
         must be enabled (net.ipv4.ip_forward = 1) and the filter table's
         FORWARD chain must accept the traffic, or nothing passes.
        Only the first packet of a connection traverses the nat table; the
         chosen translation is stored in the connection tracking table and
         applied to all later packets of that connection in both directions.
        Recent kernels do not round-robin over a DNAT range; the server is
         chosen by a hash of the connection's addresses, so one client tends
         to land on the same server. True round-robin needs one DNAT rule
         per server combined with the statistic match (--mode nth).
        The load-balancing rule as written rewrites every packet that
         arrives on eth1, including traffic addressed to the NAT device
         itself; in practice restrict it to the service's protocol and port.
Dynamic Assignment of IP
addresses
   Dynamic assignment of IP addresses is desirable
    for several reasons:
       IP addresses are assigned on-demand
       Avoid manual IP configuration
       Support mobility of laptops / handheld WiFi devices
Solutions for dynamic assignment of
IP addresses
   Reverse Address Resolution Protocol
    (RARP)
        Works similar to ARP
        Broadcast a request for the IP address associated
         with a given MAC address
        RARP server responds with an IP address
        Only assigns IP address (not the default router
         and subnet mask)

        ARP:  IP address (32 bit)  ->  Ethernet MAC address (48 bit)
        RARP: Ethernet MAC address (48 bit)  ->  IP address (32 bit)

Why not a good solution? RARP is a link-layer protocol, so it
needs a RARP server on every broadcast segment (it cannot be
relayed through a router), the server must hold a static MAC-to-IP
table, and the client learns nothing but its address.
BOOTP (RFC 951)
   BOOTstrap Protocol (BOOTP)
        Predecessor of DHCP
        Host can configure its IP parameters at boot time.
        Three services
             IP address assignment.
             Detection of the IP address of a server machine.
             The name of a file to be loaded and executed by the client machine
              (boot file name)
        Not only assigns IP address, but also default router, network
         mask, etc.
        Sent as UDP messages (UDP port 67 (server) and 68 (client))
        Uses the limited broadcast address (255.255.255.255):
             Such datagrams are never forwarded by routers, so a BOOTP
              relay agent on the client's subnet is needed to reach a
              server elsewhere.
DHCP
   Dynamic Host Configuration Protocol
    (DHCP)
        From 1993 (RFC 1531; the current specification is RFC 2131)
        An extension of BOOTP, very similar to BOOTP
        Same port numbers and message format as BOOTP
        Extensions:
             Supports temporary allocation ("leases") of IP addresses
             DHCP client can acquire all IP configuration parameters
              needed to operate
        DHCP is the preferred mechanism for dynamic
         assignment of IP addresses
        DHCP can interoperate with BOOTP clients.
DHCP Interaction (simplified)
   [Figure: host Argon (MAC 00:a0:24:71:e4:44) sends a DHCP request to
    the DHCP server and receives a DHCP response]
        DHCP Response:
          IP address: 128.143.137.144
          Default gateway: 128.143.137.1
          Netmask: 255.255.0.0
BOOTP/DHCP Message Format
        Field                                     Size
        OpCode                                    1 byte
        Hardware Type                             1 byte
        Hardware Address Length                   1 byte
        Hop Count                                 1 byte
        Transaction ID                            4 bytes
        Number of Seconds                         2 bytes
        Unused (in BOOTP) / Flags (in DHCP)       2 bytes
        Client IP address                         4 bytes
        Your IP address                           4 bytes
        Server IP address                         4 bytes
        Gateway IP address                        4 bytes
        Client hardware address                   16 bytes
        Server host name                          64 bytes
        Boot file name                            128 bytes
        Options                                   variable (a fixed 64-byte
                                                  vendor area in BOOTP)

     (There are >100 different options !!!)
BOOTP/DHCP
   OpCode: 1 (Request), 2 (Reply)
               Note: DHCP message type is sent in an option
   Hardware Type: 1 (for Ethernet)
   Hardware address length: 6 (for Ethernet)
   Hop count: set to 0 by client, incremented by each relay agent
   Transaction ID: random integer chosen by the client (used to match a
    reply to its request)
   Seconds: number of seconds since the client started to boot
   Flags: the broadcast bit asks the server to answer by broadcast,
    for clients that cannot yet receive unicast datagrams (DHCP only)
   Client IP address, Your IP address, server IP address,
    Gateway IP address, client hardware address, server host
    name, boot file name:
    client fills in the information that it has, leaves rest blank
   DHCP options start with the 4-byte magic cookie 99.130.83.99 and are
    encoded as code, length, value; option 255 ends the list.
DHCP Message Type
   Message type is sent as an option (option 53).

        Value    Message Type
        1        DHCPDISCOVER
        2        DHCPOFFER
        3        DHCPREQUEST
        4        DHCPDECLINE
        5        DHCPACK
        6        DHCPNAK
        7        DHCPRELEASE
        8        DHCPINFORM
Other options (selection)
   Other DHCP information that is sent as an
    option:

    Subnet Mask, Name Server, Hostname, Domain
    Name, Forward On/Off, Default IP TTL,
    Broadcast Address, Static Route, Ethernet
    Encapsulation, X Window Manager, X Window
    Font, DHCP Msg Type, DHCP Renewal Time,
    DHCP Rebinding Time, SMTP-Server, Client FQDN,
    Printer Name, …
DHCP Operation
   [Figure: DHCP client (MAC 00:a0:24:71:e4:44) and several DHCP servers
    on the same segment]

   DHCP DISCOVER
        The client broadcasts DHCPDISCOVER to 255.255.255.255 (UDP
         port 68 -> 67); it has no IP address yet, so the datagram carries
         source 0.0.0.0 and every DHCP server on the segment receives it.
   DHCP OFFER
        Each server that can serve the client answers with a DHCPOFFER
         proposing an address (Your IP address field) and parameters.
   DHCP REQUEST / ACK
        The client chooses one offer and broadcasts a DHCPREQUEST that
         names the chosen server (server identifier option) and the
         requested address; the other servers see that their offers were
         declined and reclaim them.
        The chosen server confirms with DHCPACK. At this time the DHCP
         client can start to use the IP address (after checking with ARP
         that it is not already in use; otherwise it sends DHCPDECLINE).

   Renewing a Lease
        Sent when 50% of the lease has expired: the client unicasts
         DHCPREQUEST to its server, which answers DHCPACK with a new lease.
         If there is no answer by 87.5% of the lease, the client broadcasts
         the request to any server.
        If the DHCP server sends DHCPNAK, the address is released and the
         client restarts with DHCPDISCOVER.

   DHCP RELEASE
        The client sends DHCPRELEASE to its server. At this time the DHCP
         client has released the IP address.
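The message format of slide 44, the message-type option of slide 46 and the DISCOVER/OFFER/REQUEST/ACK exchange above, run end to end. This is an added example and not part of the lecture slides: it builds and parses BOOTP/DHCP messages with the fixed-field layout and option encoding of RFC 2131/2132 and plays the exchange in memory between a client function and a server object. The DhcpServer class, its address pool, the lease length and the client function are assumptions made for this example; the addresses are the ones from slide 43.

```python
# Added example (not from the lecture slides): the BOOTP/DHCP message of
# slide 44 built and parsed with struct, and the DISCOVER/OFFER/REQUEST/ACK
# exchange of slides 48-49 run in memory between a client function and a
# server object. Field layout and option codes follow RFC 2131/2132; the
# DhcpServer class, the address pool and the lease length are assumptions
# made for this example; addresses are the ones on slide 43.
import struct

FIXED = "!BBBBIHH4s4s4s4s16s64s128s"     # op .. file: 236 bytes, then magic cookie
MAGIC = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_REQ_IP, OPT_LEASE = 1, 3, 50, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6

def ip2b(a):
    return bytes(int(x) for x in a.split("."))

def b2ip(b):
    return ".".join(str(x) for x in b)

def build(op, xid, chaddr, options, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """op 1 = request, 2 = reply; htype 1 / hlen 6 = Ethernet; broadcast flag set."""
    fixed = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0x8000, ip2b("0.0.0.0"),
                        ip2b(yiaddr), ip2b(siaddr), ip2b("0.0.0.0"),
                        chaddr.ljust(16, b"\x00"), b"", b"")
    body = b"".join(struct.pack("!BB", c, len(v)) + v for c, v in options)
    return fixed + MAGIC + body + bytes([OPT_END])

def parse(msg):
    """Return the fixed fields that matter here plus a dict of option code -> value."""
    f = struct.unpack(FIXED, msg[:236])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                  # pad option: single byte, no length
            i += 1
            continue
        code, ln = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": b2ip(f[8]), "siaddr": b2ip(f[9]),
            "chaddr": f[11][:f[2]], "options": opts}

class DhcpServer:
    def __init__(self, server_ip, pool, mask, router, lease=3600):
        self.server_ip, self.pool = server_ip, list(pool)
        self.mask, self.router, self.lease = mask, router, lease
        self.offered, self.leased = {}, {}   # chaddr -> ip

    def handle(self, raw):
        """Reply to one client message, or None when a server must stay silent."""
        req = parse(raw)
        mtype, mac = req["options"][OPT_MSG_TYPE][0], req["chaddr"]
        if mtype == DISCOVER:
            ip = self.offered.get(mac) or self.leased.get(mac)   # renewal keeps its address
            if ip is None:
                if not self.pool:
                    return None                                # pool exhausted
                ip = self.pool.pop(0)
            self.offered[mac] = ip
            return self._reply(OFFER, req, ip)
        if mtype == REQUEST:
            wanted = b2ip(req["options"][OPT_REQ_IP])
            if b2ip(req["options"][OPT_SERVER_ID]) != self.server_ip:
                self.offered.pop(mac, None)                    # client picked another server
                return None
            if wanted != (self.offered.get(mac) or self.leased.get(mac)):
                return self._reply(NAK, req, "0.0.0.0")        # not what we offered
            self.leased[mac] = wanted
            self.offered.pop(mac, None)
            return self._reply(ACK, req, wanted)
        return None

    def _reply(self, mtype, req, yiaddr):
        opts = [(OPT_MSG_TYPE, bytes([mtype])), (OPT_SERVER_ID, ip2b(self.server_ip))]
        if mtype != NAK:
            opts += [(OPT_LEASE, struct.pack("!I", self.lease)),
                     (OPT_SUBNET, ip2b(self.mask)), (OPT_ROUTER, ip2b(self.router))]
        return build(2, req["xid"], req["chaddr"], opts, yiaddr, self.server_ip)

def client_dora(server, mac, xid=0x3903F326):
    """Discover, Offer, Request, Ack; returns the configuration or None."""
    raw = server.handle(build(1, xid, mac, [(OPT_MSG_TYPE, bytes([DISCOVER]))]))
    if raw is None:
        return None
    offer = parse(raw)
    request = build(1, xid, mac, [(OPT_MSG_TYPE, bytes([REQUEST])),
                                  (OPT_REQ_IP, ip2b(offer["yiaddr"])),
                                  (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])
    ack = parse(server.handle(request))
    if ack["options"][OPT_MSG_TYPE][0] != ACK:
        return None
    o = ack["options"]
    return {"ip": ack["yiaddr"], "mask": b2ip(o[OPT_SUBNET]),
            "router": b2ip(o[OPT_ROUTER]), "lease": struct.unpack("!I", o[OPT_LEASE])[0]}

if __name__ == "__main__":
    srv = DhcpServer("128.143.137.1", ["128.143.137.144"], "255.255.0.0", "128.143.137.1")
    print(client_dora(srv, bytes.fromhex("00a02471e444")))
```

Nothing in this exchange is authenticated: the client takes the first DHCPOFFER it receives, and the server identifies the client only by the hardware address it claims in the message. A rogue server on the segment that answers faster than the real one therefore hands out its own router and name server, and a client that cycles through hardware addresses drains the pool (the exhausted-pool branch above is what the real server ends up in).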