1 / 78

W4140 Network Laboratory Lecture 9 Nov 12 - Fall 2006 Shlomo Hershkop Columbia University

W4140 Network Laboratory Lecture 9 Nov 12 - Fall 2006 Shlomo Hershkop Columbia University. Announcements. Reminder : phase I project due end of week Lab 7 this week. Outline. Network Address Translation (NAT) Dynamic Host Configuration Protocol (DHCP) Firewalls

jeremy-boone
Download Presentation

W4140 Network Laboratory Lecture 9 Nov 12 - Fall 2006 Shlomo Hershkop Columbia University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. W4140 Network LaboratoryLecture 9Nov 12 - Fall 2006Shlomo HershkopColumbia University

  2. Announcements • Reminder : phase I project due end of week • Lab 7 this week

  3. Outline • Network Address Translation (NAT) • Dynamic Host Configuration Protocol (DHCP) • Firewalls • Typical Application and some news of a recent hacking (very sophisticated) on the cs network • Or: what you learned this semester in real life 

  4. Network Address Translation: a hack • A hack to fix the IP address depletion problem. • NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network. • Breaks the End-to-End argument. • But it became a standard: RFC 1631 - The IP Network Address Translator (NAT) • Provides a form security by acting as a firewall • home users. • Small companies. Is there any other solution to the IP address problem?

  5. Basic operation of NAT • Source • Source • Source • Source = 128.143.71.21 = 128.143.71.21 = 10.0.1.2 = 10.0.1.2 = 64.236.24.4 = 64.236.24.4 = 64.236.24.4 = 64.236.24.4 • Destination • Destination • Destination • Destination = 64.236.24.4 • Source = 64.236.24.4 • Source = 64.236.24.4 = 64.236.24.4 = 64.236.24.4 = 64.236.24.4 • Source • Source • Source • Source • Destination = 10.0.0.2 • Destination = 128.59.16.21 • Destination • Destination • Destination • Destination = 10.0.0.2 = 128.59.16.21 = 128.59.16.21 = 128.59.16.21 Private Public Address Address 10.0.1.1 128.59.16.21 • Private Network • Internet • NAT device stores the address and port translation tables • In the this example we mapped only addresses. • private address: 10.0.1.2 NATDevice • public address: 128.143.71.21 • Host Public Host 64.236.24.4

  6. Private Network • Private IP network is an IP network with Private IP Addresses (Can it be connected directly to the Internet?) • IP addresses in a private network can be assigned arbitrarily but they are usually picked from the reserved pool (can we use any?) • Not registered and not guaranteed to be globally unique • Question: how is public IP address assigned? • Generally, private networks use addresses from the following experimental address ranges (non-routable addresses): • 10.0.0.0 – 10.255.255.255 • 172.16.0.0 – 172.31.255.255 • 192.168.0.0 – 192.168.255.255

  7. Main uses of NAT • Pooling of IP addresses • Supporting migration between network service providers • IP masquerading and internal firewall • Load balancing of servers

  8. Pooling of IP addresses • Scenario: Corporate network has many hosts but only a small number of public IP addresses. • NAT solution: • Corporate network is managed with a private address space. • NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses. • When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host.

  9. Pooling of IP addresses • Source • Source • Source • Source = 128.143.71.21 = 128.143.71.21 = 10.0.1.2 = 10.0.1.2 = 64.236.24.4 = 64.236.24.4 = 64.236.24.4 = 64.236.24.4 • Destination • Destination • Destination • Destination Public Host Private Public 64.236.24.4 Address Address 10.0.1.2 128.59.16.21 • Private Network • Internet • private address: 10.0.1.2 NATDevice • public address: 128.143.71.21 • Host

  10. Supporting migration between network service providers • Scenario: In practice (using CIDR), the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network. • NAT solution: • Assign private addresses to the hosts of the corporate network • NAT device has address translation entries which bind the private address of a host to the public address. • Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.

  11. Supporting migration between network service providers

  12. Supporting migration between network service providers

  13. IP masquerading • Also called: Network address and port translation (NAPT), port address translation (PAT). • Scenario: Single public IP address is mapped to multiple hosts in a private network. • NAT solution: • Assign private addresses to the hosts of the corporate network • NAT device modifies the port numbers for outgoing traffic

  14. IP masquerading

  15. Load balancing of servers • Scenario: Balance the load on a set of identical servers, which are accessible from a single IP address • NAT solution: • Here, the servers are assigned private addresses • NAT device acts as a proxy for requests to the server from the public network • The NAT device changes the destination IP address of arriving packets to one of the private addresses for a server • A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.

  16. Load balancing of servers

  17. Concerns about NAT • Performance: • Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum. • Modifying port number requires that NAT boxes recalculate TCP checksum. • Fragmentation • Care must be taken that a datagram that is fragmented before it reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments.

  18. Concerns about NAT • End-to-end connectivity: • NAT destroys universal end-to-end reachability of hosts on the Internet. • A host in the public Internet often cannot initiate communication to a host in a private network. • The problem is worse, when two hosts that are in a private network need to communicate with each other. • Example: bittorrent, where each client is also a server….

  19. NAT and FTP • Normal FTP operation

  20. NAT and FTP • NAT device with FTP support

  21. NAT and FTP • FTP in passive mode and NAT.

  22. Configuring NAT in Linux • Linux uses the Netfilter/iptable Kernel package

  23. Configuring NAT with iptable • First example:iptables –t nat –A POSTROUTING –s 10.0.1.2 –j SNAT --to-source 128.16.71.21 • Pooling of IP addresses:iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –j SNAT --to-source 128.16.71.0–128.16.71.30 • IP masquerading: iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –o eth1 –j MASQUERADE • Load balancing: iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4

  24. Dynamic Host Configuration Protocol(DHCP)

  25. Dynamic Assignment of IP addresses • Dynamic assignment of IP addresses is desirable for several reasons: • IP addresses are assigned on-demand • Avoid manual IP configuration • Support mobility of laptops • Wireless networking and Home NATs • No static IP means that we have to depend on DNS for the packet routing • Use of a DDNS (Dynamic DNS entry) • Free sites for that service in the internet

  26. Dynamic Host Configuration Protocol (DHCP) • Designed in 1993 • Requires a server and free IP address space • Supports temporary allocation (“leases”) of IP addresses • DHCP client can acquire all IP configuration parameters • Any potential security risks? • Can we use something that can prevent unauthorized users?

  27. DHCP Interaction (simplified)

  28. DHCP Message Format (There are >100 different options)

  29. DHCP • OpCode: 1 (Request), 2(Reply) Note: DHCP message type is sent in an option • Hardware Type: 1 (for Ethernet) • Hardware address length: 6 (for Ethernet) • Hop count: set to 0 by client • Transaction ID: Integer (used to match reply to response) • Seconds:number of seconds since the client started to boot • Client IP address, Your IP address, server IP address, Gateway IP address, client hardware address, server host name, boot file name:client fills in the information that it has, leaves rest blank

  30. DHCP Message Type • Message type is sent as an option.

  31. DHCP operations Src: 0.0.0.0, 68 Dest: 255.255.255.255, 67 DHCPDISCOVERY Yiaddr: 0.0.0.0 Transaction ID: 654 Src:128.195.31.1, 67 Dest: 255.255.255.255, 68 DHCPOFFER Yiaddr: 128.59.20.147 Transaction ID: 654 Server ID: 128.59.18.1 Lifetime: 3600 secs

  32. DHCP operations Src: 0.0.0.0, 68 Dest: 255.255.255.255, 67 DHCPREQUEST Yiaddr: 128.59.20.147 Transaction ID: 655 server ID: 128.195.31.1 Lifetime: 3600 secs Src:128.59.18.1, 67 Dest: 255.255.255.255, 68 DHCPACK Yiaddr: 128.59.20.147 Transaction ID: 655 Server ID: 128.59.18.1 Lifetime: 3600 secs

  33. More on DHCP operations • A client may receive DCHP offers from multiple servers • The DHCPREQUEST message accepts offers from one server. • Other servers who receive this message considers it as a decline • A client can use its address after receiving DHCPACK • DHCP replies can be unicast, depending on implementation

  34. DHCP relay agent Src: 128.16.41.1, 67 Src: 128.16.31.10, 67 Src: 0.0.0.0., 68 Src: 0.0.0.0., 68 Dest: 255.255.255.255, 67 Dest: 255.255.255.255, 68 Dest: 255.255.255.255, 67 Dest: 128.16.41.1, 67 Giaddr: 128.16.41.1 Giaddr: 0 Giaddr: 128.16.41.1 Giaddr: 128.16.41.1 DHCPDISCOVER DHCPOFFER …… DHCPOFFER …… DHCPDISCOVER 128.16.31.10 128.16.41.1 128.16.31.1

  35. History of DHCP • Three Protocols: • RARP (until 1985, no longer used) • BOOTP (1985-1993) • DHCP (since 1993) • Secure DHCP – not a standard yet… • Only DHCP is widely used today.

  36. Solutions for dynamic assignment of IP addresses • Reverse Address Resolution Protocol (RARP) • RARP is no longer used • Works similar to ARP • Broadcast a request for the IP address associated with a given MAC address • RARP server responds with an IP address • Only assigns IP address (not the default router and subnetmask)

  37. BOOTP • BOOTstrap Protocol (BOOTP) • Host can configure its IP parameters at boot time. • 3 services. • IP address assignment. • Detection of the IP address for a serving machine. • The name of a file to be loaded and executed by the client machine (boot file name) • Not only assigns IP address, but also default router, network mask, etc. • Sent as UDP messages (UDP Port 67 (server) and 68 (host)) • Use limited broadcast address (255.255.255.255): • These addresses are never forwarded

  38. BOOTP Interaction • BOOTP can be used for downloading memory image for diskless workstations • Assignment of IP addresses to hosts is static (b) (a) (c)

  39. Lab errata • In  Figure 7.1,  the private network interface of Router2  should be labeled with IP address "10.0.1.1/24" (instead of 10.0.0.1/24).

  40. Firewalls

  41. Firewalls • Security solution to control data connections • Some permitted • Some denied • Some proxy • Hardware based • Software based

  42. Simplest version • Software based – personal • Windows machine • Zone alarm • Application level control • Network level control • Can configure regards to host-host, group • Linux type • iptables • TCP wrappers • Specific application level control

  43. Next level • Dedicated hard based firewall • At network gateway • Between control zones

  44. State of connection • Stateful firewall • Keep track of where the connection is, and knowing the underlying protocol will allow/deny connection • Very expensive • Stateless firewall • Each packet is treated in isolation of every other • Very cheap • Example ftp opens up random port connections to pass information, which will drop the packets ?

  45. Interesting application firewall • Anyone hear of port knocking ?? • This isn’t a trick or treat thing 

  46. Rules of firewalls • Most firewalls work on hard coded rules • Interface (sometimes) presents choices to users/admins • File keeps track of the rules • Probabilistic Approaches: • Anomaly detection firewalls learn from normal traffic what should be allowed and what should be blocked

  47. This course • So what is the advantage of this course • Hands on networking • Get to break things (and not get fired) • Get to play with some theoretical tools (educational only) • Understand the problem with the following stories:

  48. CS network 1 • Problem: • Guest: Dhcp machines on the cs network were mysteriously failing to establish network connection • Any ideas ??

  49. CS network 2 • Really bad hacking success • Throw out hacker • Arp attack in revenge 

  50. Back to BGP

More Related