Dynamic Host Configuration Protocol (DHCP) Network Address Translation (NAT) CS491G: Computer Networking Lab V. Arun Slides adapted from Liebeherr and El Zarki, Kurose and Ross, IBM, P. Kermani
Dynamic Assignment of IP addresses
• Dynamic assignment of IP addresses is desirable for:
• On-demand IP address assignment
• Avoiding manual IP configuration
• Supporting mobility, e.g., laptops or smartphones
Dynamic IP address assignment solutions
• Reverse Address Resolution Protocol (RARP)
• Works similarly to ARP, but broadcasts a request for the IP address associated with a given MAC address
• A RARP server responds with an IP address
• Only assigns an IP address (not default router, netmask)
BOOTP
• BOOTstrap Protocol (BOOTP)
• From 1985
• Host can configure its IP parameters at boot time
• 3 main services:
• Assigning an IP address
• Discovering the IP address of a serving machine
• Supplying the name of an executable boot file
• Can also assign default router, network mask, etc.
• Sent as UDP messages (port 67: server, port 68: host)
• Uses the limited broadcast address (255.255.255.255)
BOOTP Interaction (figure: BOOTP request/reply exchange between host and server, panels (a), (b), (c))
• BOOTP can be used for downloading a memory image for diskless PCs (network boot)
• Static assignment of IP addresses to hosts
DHCP
• Dynamic Host Configuration Protocol (DHCP)
• From 1993
• Extension of BOOTP: same port numbers, same message format, interoperable
• Extensions:
• Supports temporary "leases" of IP addresses
• DHCP client can acquire all IP configuration parameters needed to operate
• DHCP is the preferred mechanism for dynamic assignment of IP addresses
• Caveat: DHCP messages carry no authentication, so any host on the broadcast domain can answer a client's DISCOVER with its own OFFER (a "rogue" DHCP server handing out a malicious default router or DNS server); switches counter this with DHCP snooping, which accepts server messages only on trusted ports
Typical DHCP client-server scenario (DHCP server: 223.1.2.5; arriving client)
1: DHCP discover: src 0.0.0.0, port 68; dest 255.255.255.255, port 67; yiaddr 0.0.0.0; transaction ID 654
2: DHCP offer: src 223.1.2.5, port 67; dest 255.255.255.255, port 68; yiaddr 223.1.2.4; transaction ID 654; lifetime 3600 secs
3: DHCP request: src 0.0.0.0, port 68; dest 255.255.255.255, port 67; yiaddr 223.1.2.4; transaction ID 655; lifetime 3600 secs
4: DHCP ACK: src 223.1.2.5, port 67; dest 255.255.255.255, port 68; yiaddr 223.1.2.4; transaction ID 655; lifetime 3600 secs
(Network Layer)
BOOTP/DHCP Message Format (There are >100 different options)
DHCP Message Type
• The message type (DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM) is sent as a DHCP option (option 53), not in a fixed header field; a message without this option is plain BOOTP
Other options (selection)
• Other DHCP information that can be sent as an option: Subnet Mask, Name Server, Hostname, Domain Name, Forward On/Off, Default IP TTL, Broadcast Address, Static Route, Ethernet Encapsulation, X Window Manager, X Window Font, DHCP Msg Type, DHCP Renewal Time, DHCP Rebinding Time, SMTP-Server, Client FQDN, Printer Name, …
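The four-message exchange and the option encoding described above, as an added worked example that is not part of the original slides: a minimal RFC 2131 message builder/parser and a simulated server that replays DISCOVER/OFFER/REQUEST/ACK with the scenario's addresses (server 223.1.2.5 offering 223.1.2.4 for 3600 seconds). The client MAC, subnet mask and router values are constructed for the demo and do not come from the slides.

```python
import ipaddress
import struct

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header: 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2
# Option codes (RFC 2132) used here
OPT_SUBNET_MASK, OPT_ROUTER, OPT_REQUESTED_IP = 1, 3, 50
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
# Values of the DHCP Message Type option (53)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6

SERVER_IP, OFFERED_IP, LEASE_SECS = "223.1.2.5", "223.1.2.4", 3600   # from the scenario
CLIENT_MAC = bytes.fromhex("0a1b2c3d4e5f")                           # constructed
ASSUMED_MASK, ASSUMED_ROUTER = "255.255.255.0", "223.1.2.1"          # assumed, not from the slides


def ip4(addr):
    """Dotted-quad string -> 4 packed bytes."""
    return ipaddress.IPv4Address(addr).packed


def build(op, xid, chaddr, yiaddr, options):
    """Serialize a DHCP message: header, magic cookie, TLV options, END."""
    header = struct.pack(
        HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,   # htype=Ethernet, hlen=6, broadcast flag
        ip4("0.0.0.0"), ip4(yiaddr), ip4("0.0.0.0"), ip4("0.0.0.0"),
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(data):
    """Parse a DHCP message into a dict; raises ValueError on a non-DHCP payload."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _, hlen, _, xid, _, _, _, yiaddr, _, _, chaddr, _, _ = struct.unpack(HEADER_FMT, data[:236])
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                 # pad option: single byte, no length
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen],
            "yiaddr": str(ipaddress.IPv4Address(yiaddr)), "options": options}


def server_handle(msg):
    """Server side: OFFER on DISCOVER; ACK a REQUEST for our offer, NAK one for a
    different address, stay silent if the client selected another server (RFC 2131 4.3.2)."""
    mtype = msg["options"][OPT_MSG_TYPE][0]
    common = [(OPT_SERVER_ID, ip4(SERVER_IP)),
              (OPT_LEASE_TIME, struct.pack("!I", LEASE_SECS)),
              (OPT_SUBNET_MASK, ip4(ASSUMED_MASK)),
              (OPT_ROUTER, ip4(ASSUMED_ROUTER))]
    if mtype == DISCOVER:
        return build(BOOTREPLY, msg["xid"], msg["chaddr"], OFFERED_IP,
                     [(OPT_MSG_TYPE, bytes([OFFER]))] + common)
    if mtype == REQUEST:
        if msg["options"].get(OPT_SERVER_ID) != ip4(SERVER_IP):
            return None                  # client accepted some other server's offer
        if msg["options"].get(OPT_REQUESTED_IP) != ip4(OFFERED_IP):
            return build(BOOTREPLY, msg["xid"], msg["chaddr"], "0.0.0.0",
                         [(OPT_MSG_TYPE, bytes([NAK])), (OPT_SERVER_ID, ip4(SERVER_IP))])
        return build(BOOTREPLY, msg["xid"], msg["chaddr"], OFFERED_IP,
                     [(OPT_MSG_TYPE, bytes([ACK]))] + common)
    return None


def client_request(offer, xid):
    """Client side: REQUEST the offered address, naming the server it came from."""
    return build(BOOTREQUEST, xid, CLIENT_MAC, "0.0.0.0",
                 [(OPT_MSG_TYPE, bytes([REQUEST])),
                  (OPT_REQUESTED_IP, ip4(offer["yiaddr"])),
                  (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])


def run_exchange(xid=654):
    """Replay DISCOVER -> OFFER -> REQUEST -> ACK; returns the parsed OFFER and ACK."""
    discover = build(BOOTREQUEST, xid, CLIENT_MAC, "0.0.0.0", [(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offer = parse(server_handle(parse(discover)))
    ack = parse(server_handle(parse(client_request(offer, xid))))
    return offer, ack


def lease_seconds(msg):
    """Decode the 32-bit lease time option."""
    return struct.unpack("!I", msg["options"][OPT_LEASE_TIME])[0]


if __name__ == "__main__":
    offer, ack = run_exchange()
    print("OFFER yiaddr", offer["yiaddr"], "lease", lease_seconds(offer))
    print("ACK   yiaddr", ack["yiaddr"], "type", ack["options"][OPT_MSG_TYPE][0])
```

Everything a client learns (address, mask, router, lease) arrives as options after the 240-byte header plus cookie; the header's yiaddr field is the only fixed-position value the exchange relies on. The server's handling of a REQUEST that names a different server ID is what lets several servers answer one DISCOVER without all of them committing a lease.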
Private Network
• Private IP network: not directly connected to the Internet
• IP addresses in a private network can be assigned freely from the designated private ranges
• Not registered and not guaranteed to be globally unique
• Designated private address ranges (RFC 1918):
• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255
Network Address Translation (NAT)
• Router function at the boundary of a private network that rewrites the [IP, port] fields in incoming and outgoing packets
NAT: network address translation
motivation: local network uses just one IP address as far as the outside world is concerned:
• range of addresses not needed from ISP: just one IP address for all devices
• can change addresses of devices in local network without notifying outside world
• can change ISP without changing addresses of devices in local network
• can use translation for load balancing
• devices inside local net not explicitly addressable or visible to the outside world (a security plus, but only a side effect: a NAT drops unsolicited inbound packets because it has no table entry for them, which is not a substitute for a stateful firewall policy)
NAT: network address translation (figure: local network, e.g. a home network, 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; NAT router with LAN side 10.0.0.4 and WAN side 138.76.29.7, connected to the rest of the Internet)
• datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
• all datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers
NAT: network address translation
implementation: NAT router must:
• outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #); remote clients/servers will respond using (NAT IP address, new port #) as destination addr
• remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
• incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with the corresponding (source IP address, port #) stored in the NAT table
NAT: network address translation (worked example; hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind NAT router 10.0.0.4 / 138.76.29.7)
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80 (S: 10.0.0.1, 3345; D: 128.119.40.186, 80)
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table (S: 138.76.29.7, 5001; D: 128.119.40.186, 80)
3: reply arrives, dest. address: 138.76.29.7, 5001 (S: 128.119.40.186, 80; D: 138.76.29.7, 5001)
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 (S: 128.119.40.186, 80; D: 10.0.0.1, 3345)
NAT translation table:
WAN side addr       | LAN side addr
138.76.29.7, 5001   | 10.0.0.1, 3345
……                  | ……
Number of ways of using NAT
• Static NAT: translate each private IP address to a specific public IP address
• Dynamic NAT: pool of inside global addresses and matching criteria
• Port forwarding: redirecting incoming packets on specific ports to a specific internal machine
• Overloading: using a small number of global addresses for a much larger number of local addresses, distinguished by port
• Load balancing: map the same destination [IP, port] in incoming packets to different internal servers
Configuring NAT in Linux
• Linux uses the netfilter framework, configured with the iptables tool, to add filtering and translation rules to the IP module; NAT rules live in the "nat" table, with source rewriting done in the POSTROUTING chain and destination rewriting in the PREROUTING chain
Configuring NAT with iptables
• First example (static NAT for one host):
iptables -t nat -A POSTROUTING -s 10.0.1.2 -j SNAT --to-source 128.143.71.21
• Pooling of IP addresses (dynamic NAT from a range):
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 128.143.71.0-128.143.71.30
• ISP migration (replace rule 1 of POSTROUTING with a new public range; -R needs the rule number):
iptables -t nat -R POSTROUTING 1 -s 10.0.1.0/24 -j SNAT --to-source 128.195.4.0-128.195.4.254
• IP masquerading (overloading onto whatever address eth1 currently has, so it also works with a dynamic WAN address):
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth1 -j MASQUERADE
• Load balancing (DNAT of everything arriving on eth1 across three internal servers; in practice also match a destination address and port):
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4
NAT multiplexing limits
• 16-bit port-number field:
• at most ~65K distinct source ports per WAN-side address, so a table keyed only on (WAN address, port), as in the example above, supports ~65K simultaneous connections through a single public address
• a NAT that keys its table on the remote endpoint as well can reuse the same WAN port for different destinations, giving ~65K connections to each WAN-side destination
NAT drawbacks/controversies
• routers should only process up to layer 3; the address shortage ought to be solved by IPv6
• violates the end-to-end argument
• the possibility of NAT must be taken into account by app designers, e.g., P2P applications
• two machines in different private networks cannot communicate directly without third-party support
• performance: checksums need to be recomputed in the transport and IP headers
• IP fragmentation needs careful handling (only the first fragment carries the port numbers)
• breaks apps that embed IP addresses in their payload (FTP)
NAT traversal problem/solutions (figure: external client, NAT router 138.76.29.7 with LAN side 10.0.0.4, server 10.0.0.1)
• client wants to connect to server with address 10.0.0.1
• server address 10.0.0.1 local to LAN (client can't use it as destination addr)
• only one externally visible NATed address: 138.76.29.7
• solution 1: statically configure NAT to forward incoming connection requests at a given port to the server
• e.g., (138.76.29.7, port 2500) always forwarded to 10.0.0.1 port 25000
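The translation table from the walkthrough above, the port-overloading limit, and the static port forward of solution 1, as an added simulation that is not part of the original slides. The `NatRouter` class is a toy model: it keys its table on (WAN address, port) exactly like the slide's table, allocates a fresh WAN port per LAN socket, drops unsolicited inbound packets that match neither the table nor a configured forward, and raises when the port pool is exhausted. Addresses follow the slides; the external client 203.0.113.9 and the three-port pool in `demo()` are constructed so the limit is visible.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The header fields a NAT rewrites; everything else is irrelevant here."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatPortsExhausted(Exception):
    """No free (WAN address, port) pair left for a new outbound flow."""


class NatRouter:
    def __init__(self, wan_ip, lan_net="10.0.0.0/24", first_port=5001, last_port=65535):
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.ports = range(first_port, last_port + 1)
        self.lan_to_wan = {}   # (proto, lan_ip, lan_port) -> wan_port
        self.wan_to_lan = {}   # (proto, wan_port) -> (lan_ip, lan_port): the slide's table
        self.forwards = {}     # (proto, wan_port) -> (lan_ip, lan_port): static forwards

    def add_port_forward(self, wan_port, lan_ip, lan_port, proto="tcp"):
        """Solution 1: inbound to (wan_ip, wan_port) always goes to (lan_ip, lan_port)."""
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def _allocate_port(self, proto):
        """First WAN port that is neither in the dynamic table nor statically forwarded."""
        for port in self.ports:
            if (proto, port) not in self.wan_to_lan and (proto, port) not in self.forwards:
                return port
        raise NatPortsExhausted(f"all {len(self.ports)} {proto} ports on {self.wan_ip} in use")

    def outbound(self, pkt):
        """LAN -> WAN: rewrite source to (wan_ip, new port) and remember the pair."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan_net:
            return pkt                                   # not from our private network
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.lan_to_wan:                  # new flow: allocate a WAN port
            port = self._allocate_port(pkt.proto)
            self.lan_to_wan[key] = port
            self.wan_to_lan[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=self.lan_to_wan[key])

    def inbound(self, pkt):
        """WAN -> LAN: rewrite destination from the table or a forward; None means dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        target = self.wan_to_lan.get(key) or self.forwards.get(key)
        if target is None:
            return None            # unsolicited and no forward: nowhere to send it
        lan_ip, lan_port = target
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)

    def table(self):
        """Translation table as (WAN side addr, LAN side addr) rows, like the slide."""
        return sorted((f"{self.wan_ip}, {port}", f"{ip}, {lport}")
                      for (_, port), (ip, lport) in self.wan_to_lan.items())


def demo():
    """Replay the slide's exchange plus a forwarded inbound connection."""
    nat = NatRouter("138.76.29.7", first_port=5001, last_port=5003)   # 3-port pool: constructed
    nat.add_port_forward(2500, "10.0.0.1", 25000)
    out = nat.outbound(Packet("10.0.0.1", 3345, "128.119.40.186", 80))   # step 1 -> 2
    back = nat.inbound(Packet("128.119.40.186", 80, "138.76.29.7", 5001))  # step 3 -> 4
    fwd = nat.inbound(Packet("203.0.113.9", 40000, "138.76.29.7", 2500))   # client constructed
    return nat, out, back, fwd


if __name__ == "__main__":
    nat, out, back, fwd = demo()
    print("outbound rewritten to", out.src_ip, out.src_port)
    print("reply delivered to", back.dst_ip, back.dst_port)
    print("forwarded to", fwd.dst_ip, fwd.dst_port)
    print("table", nat.table())
```

Two things the walkthrough only implies become explicit here: an inbound packet with no table entry and no forward has no LAN destination at all, which is the whole of NAT's "security plus", and once every (WAN address, port) pair is taken, a new outbound flow simply cannot be translated, which is the limit the multiplexing slide quantifies.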
NAT traversal problem/solutions (figure: host 10.0.0.1 talking to the IGD function of the NAT router)
• solution 2: Universal Plug and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows a NATed host to:
• learn its public IP address (138.76.29.7)
• add/remove port mappings (with lease times), i.e., automate static NAT port map configuration
• caveat: IGD requests are not authenticated, so any host on the LAN, including a compromised one, can open inbound mappings to itself or to other internal hosts; hardened networks usually disable UPnP on the gateway
NAT traversal problem/solutions (figure: NATed host 10.0.0.1 behind 138.76.29.7, external client, and a relay in between)
• solution 3: relaying (used in Skype)
• NATed client establishes a connection to the relay
• external client connects to the relay
• relay bridges packets between the two connections
1. connection to relay initiated by NATed host
2. connection to relay initiated by client
3. relaying established
Lab 6 - Exercises 5C, 6A, 6B (figures: three spanning-tree diagrams for the same topology of bridges R1–R4 with PC1–PC4 attached; each diagram marks the root bridge and the designated (DP) and root (RP) ports on each bridge, identified by bridge ID: 000d.56ef.267a, 0002.e31c.7969, 0009.437a.3560, 0009.437a.3160, 0009.433b.9400, 0009.433b.8bc0, 0009.433b.5bc1. Exercise 5C: note the path from PC1 to PC4. In 5C and 6A the root-bridge label sits beside 000d.56ef.267a; in 6B it sits beside 0009.433b.8bc0.)
Broadcast Domains (figure: topology 10.0.0.0/16 with subnets 10.0.1.0/24, 10.0.3.0/24 and 10.0.4.0/24; hosts PC1 10.0.1.11/24, PC2 10.0.3.21/24, PC3 10.0.4.31/24, PC4 10.0.4.41/16; router interfaces 10.0.1.2/24, 10.0.3.2/24, 10.0.3.3/24 and 10.0.4.3/24 on RT1, RT2, RT3 and RT4, with RT1 and RT4 marked as bridges (Br). Note that PC4 is configured with a /16 mask while every other host uses /24.)
Ping results shown in the following diagrams:
• PC1 to PC3: ping succeeds
• PC1 to PC4: ping fails
• PC4 to PC1: ping succeeds
• PC1 to PC2: ping succeeds