Chapter 4, Section 2: Network Address Translator, NAT (Network Address Translation)
Motivation
• Solve the problem of there not being enough IP addresses
• IPv6
  • Existing network equipment would have to be redesigned
  • Very expensive
• Virtual IP Gateway (VIP Gateway)
  • Built on top of the current IPv4
  • Lets more hosts connect to the Internet
NAT: Network Address Translation
(Figure: the rest of the Internet on one side; a local network, e.g. a home network, 10.0.0/24 on the other, with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind a NAT router whose LAN-side address is 10.0.0.4 and whose WAN-side address is 138.76.29.7.)
• Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
• All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers
NAT: Network Address Translation
• Motivation: local network uses just one IP address as far as outside world is concerned:
  • range of addresses not needed from ISP: just one IP address for all devices
  • can change addresses of devices in local network without notifying outside world
  • can change ISP without changing addresses of devices in local network
  • devices inside local net not explicitly addressable, visible by outside world (a security plus)
NAT: Network Address Translation
Implementation: NAT router must:
• outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #) . . . remote clients/servers will respond using (NAT IP address, new port #) as destination addr.
• remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
• incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table
NAT: Network Address Translation
(Figure: worked example on the network above, with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, NAT router 10.0.0.4 / 138.76.29.7.)
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80 (S: 10.0.0.1, 3345; D: 128.119.40.186, 80)
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table (S: 138.76.29.7, 5001; D: 128.119.40.186, 80)
3: Reply arrives, dest. address: 138.76.29.7, 5001 (S: 128.119.40.186, 80; D: 138.76.29.7, 5001)
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 (S: 128.119.40.186, 80; D: 10.0.0.1, 3345)
NAT translation table
WAN side addr        LAN side addr
138.76.29.7, 5001    10.0.0.1, 3345
……                   ……
NAT: Network Address Translation
• 16-bit port-number field:
  • 60,000 simultaneous connections with a single LAN-side address!
• NAT is controversial:
  • routers should only process up to layer 3
  • violates end-to-end argument
  • NAT possibility must be taken into account by app designers, e.g., P2P applications
  • address shortage should instead be solved by IPv6
NAT traversal problem
• client wants to connect to server with address 10.0.0.1
  • server address 10.0.0.1 local to LAN (client can't use it as destination addr)
  • only one externally visible NATted address: 138.76.29.7
• solution 1: statically configure NAT to forward incoming connection requests at given port to server
  • e.g., (123.76.29.7, port 2500) always forwarded to 10.0.0.1 port 25000
(Figure: client on the Internet, marked "?", trying to reach 10.0.0.1 behind the NAT router 10.0.0.4 / 138.76.29.7.)
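The three NAT slides above (the translation table, the 16-bit port limit, and solution 1 of the traversal problem) can be exercised in one small model. This is an added example, not code from the slides: the NatRouter class, the Packet tuple, the port-pool bounds and the static_forwards rule format are this example's own assumptions; the addresses and port numbers are the ones in the slides' worked example. Unsolicited inbound datagrams with no table entry are dropped, which is the "security plus" and, at the same time, the reason the traversal problem exists.

```python
"""Toy NAT router modelling the translation table on the slides (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip, port_range=(5001, 65535), static_forwards=None):
        self.public_ip = public_ip
        self.next_port, self.last_port = port_range  # assumed pool of WAN-side ports
        # NAT translation table, kept in both directions:
        #   WAN side (public_ip, port)  ->  LAN side (ip, port)
        #   LAN side (ip, port)         ->  WAN side port
        self.wan_to_lan = {}
        self.lan_to_wan = {}
        # "Solution 1" of the traversal slide: statically configured inbound rules,
        # e.g. {2500: ("10.0.0.1", 25000)} means WAN port 2500 always goes to 10.0.0.1:25000
        for wan_port, lan_addr in (static_forwards or {}).items():
            self.wan_to_lan[(public_ip, wan_port)] = lan_addr
            self.lan_to_wan[lan_addr] = wan_port

    def _allocate_port(self):
        # Skip ports already in use (dynamic or static); the 16-bit field is the hard limit
        while self.next_port <= self.last_port:
            port = self.next_port
            self.next_port += 1
            if (self.public_ip, port) not in self.wan_to_lan:
                return port
        raise RuntimeError("NAT port pool exhausted: no free WAN-side port")

    def outbound(self, pkt):
        """Outgoing datagram: (source IP, port) -> (NAT IP, new port), remembered in the table."""
        lan_addr = (pkt.src_ip, pkt.src_port)
        if lan_addr not in self.lan_to_wan:
            port = self._allocate_port()
            self.lan_to_wan[lan_addr] = port
            self.wan_to_lan[(self.public_ip, port)] = lan_addr
        return Packet(self.public_ip, self.lan_to_wan[lan_addr], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Incoming datagram: (NAT IP, port) in the dest fields -> stored (source IP, port).
        Returns None when no entry matches: an unsolicited packet to an inside host is dropped."""
        lan_addr = self.wan_to_lan.get((pkt.dst_ip, pkt.dst_port))
        if lan_addr is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan_addr[0], lan_addr[1])

    def table(self):
        """The NAT translation table as (WAN side addr, LAN side addr) rows."""
        return sorted(self.wan_to_lan.items())


def slide_walkthrough():
    """Steps 1-4 from the slides' figure, returned as the four datagrams plus the table."""
    nat = NatRouter("138.76.29.7")
    step1 = Packet("10.0.0.1", 3345, "128.119.40.186", 80)    # 1: host sends
    step2 = nat.outbound(step1)                                # 2: NAT rewrites source, updates table
    step3 = Packet("128.119.40.186", 80, "138.76.29.7", 5001)  # 3: reply arrives at NAT address
    step4 = nat.inbound(step3)                                 # 4: NAT rewrites destination
    return step1, step2, step3, step4, nat.table()


if __name__ == "__main__":
    for item in slide_walkthrough():
        print(item)
```

Two inside hosts that both use the same local port still get distinct WAN-side ports, which is why one public address serves the whole LAN; once the pool is used up the router can only refuse new flows, so the 60,000-connection figure on the slide is a per-public-address ceiling, not a per-host one.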
NAT traversal problem
• solution 2: Universal Plug and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows NATted host to:
  • learn public IP address (138.76.29.7)
  • enumerate existing port mappings
  • add/remove port mappings (with lease times)
  i.e., automate static NAT port map configuration
(Figure: host 10.0.0.1 talking IGD to the NAT router 10.0.0.4 / 138.76.29.7.)
NAT traversal problem
• solution 3: relaying (used in Skype)
  • NATed server establishes connection to relay
  • External client connects to relay
  • relay bridges packets between two connections
(Figure: 1. connection to relay initiated by NATted host 10.0.0.1 behind NAT router 138.76.29.7; 2. connection to relay initiated by client; 3. relaying established.)
How many hosts can a NAT gateway connect to the Internet?
(Figure: IPv4 classful address formats, bits 31 down to 0. Class A: leading bit 0. Class B: leading bits 1 0. Class C: leading bits 1 1 0.)
• Number of hosts that can connect to the Internet under IPv4
• Average number of hosts each person in the world gets
Address Allocation for Private Internets
• RFC 1597
• IANA reserves the IP address space for the private LAN
  • 10.0.0.0~10.255.255.255
  • 172.16.0.0~172.31.255.255
  • 192.168.0.0~192.168.255.255
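The two slides above (classful formats and the reserved private blocks) come down to prefix arithmetic. The following is an added example, not from the slides: the function names are this example's own, the class is read from the leading bits of the first octet exactly as the figure draws them, and the private blocks are written in CIDR form (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which are the same three ranges the slide lists; the prefix match is done by hand so the mask logic is visible.

```python
"""Classful IPv4 sizing and private-block membership (added example)."""
import ipaddress  # used only to parse dotted-quad text into an integer

# The three blocks reserved for private internets, as CIDR prefixes
PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Host bits per class, from the figure: A = 8-bit network, B = 16, C = 24
HOST_BITS = {"A": 24, "B": 16, "C": 8}


def to_int(addr):
    """'138.76.29.7' -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def in_block(addr, block):
    """Longest-prefix style match: compare the network bits under the mask."""
    net, plen = block.split("/")
    plen = int(plen)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return (to_int(addr) & mask) == (to_int(net) & mask)


def is_private(addr):
    """True if the address falls in any of the reserved private blocks."""
    return any(in_block(addr, b) for b in PRIVATE_BLOCKS)


def ipv4_class(addr):
    """Read the class from the leading bits of the first octet (figure layout)."""
    top = to_int(addr) >> 24
    if top & 0x80 == 0x00:      # 0xxxxxxx
        return "A"
    if top & 0xC0 == 0x80:      # 10xxxxxx
        return "B"
    if top & 0xE0 == 0xC0:      # 110xxxxx
        return "C"
    return "D/E"                # multicast / reserved, not on the slide


def usable_hosts(cls):
    """Hosts in one classful network, minus the network and broadcast addresses."""
    return (1 << HOST_BITS[cls]) - 2


def lan_capacity(block):
    """Usable host addresses inside a private block a NAT gateway could hand out."""
    plen = int(block.split("/")[1])
    return (1 << (32 - plen)) - 2


if __name__ == "__main__":
    for a in ("10.0.0.1", "138.76.29.7", "192.168.1.1", "172.32.0.1"):
        print(a, ipv4_class(a), "private" if is_private(a) else "public")
    for b in PRIVATE_BLOCKS:
        print(b, lan_capacity(b), "usable hosts")
```

Note that 172.16.0.0/12 ends at 172.31.255.255, so 172.32.0.0 is a public address even though it "looks" private; the masked comparison gets this right where a string-prefix test on "172." would not.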
Client-based
• Taking the NCTU Department of Computer Science as an example, the whole department is allocated the IP address space .17, .209, .214, .215, .216, .235, 1536 IP addresses in total.
• The servers it provides to the outside (mail server, ftp server, BBS server, proxy server, etc.) number about thirteen, so the number of servers is much smaller than the number of clients.
• Servers account for roughly one percent.
Funds spent on promoting IPv6
• The US NGI spent 6 billion US dollars promoting IPv6 trials on university campuses.
• Our National Science Council also invested 300 million US dollars to fund the US side in this trial.
• IPv6 was expected to be commercialized in the year 2000.
• Source: Economic Daily News
Problems with IPv6
• Compatibility between IPv6 and IPv4.
• The software at every layer must be rewritten to accommodate IPv6 (TCPv6, UDPv6, ...).
• All existing hardware equipment, such as gateways and routers, must be replaced.
• The larger IP header adds overhead to data transmission.
Advantages of NAT
• Avoids wasting IP addresses
• Reduces the chance of hacker intrusion
• When a host actually needs to connect to the Internet, no IP address reassignment is needed
Disadvantages of deploying NAT
• Cost of purchasing the NAT
• Performance
  • address translation, recomputing the checksum
• Stability
• Security
  • limits the use of encryption and authentication
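The "recomputing the checksum" cost and the "limits encryption and authentication" point on the last slide are the same mechanism seen from two sides: rewriting the source address and port invalidates the IPv4 header checksum and, because the TCP checksum covers a pseudo-header containing the IP addresses, the TCP checksum too. The following is an added example, not code from the slides: it builds a minimal IPv4+TCP SYN with constructed field values (TTL 64, no options, a constructed payload), rewrites the source as the NAT router would, and recomputes both checksums; the function names are this example's own.

```python
"""What a NAT router must recompute when it rewrites (source IP, port) (added example)."""
import socket  # inet_aton / inet_ntoa for dotted-quad conversion
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~_ones_complement_sum(data)) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    # src addr, dst addr, zero, protocol 6 (TCP), TCP length
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def build_packet(src_ip, src_port, dst_ip, dst_port, payload=b""):
    """Minimal IPv4 header + TCP SYN header + payload, both checksums filled in (constructed fields)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    total_len = IP_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # src port, dst port, seq, ack, data offset 5 words, flags SYN, window, checksum 0, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0) + payload
    tcp_csum = checksum(_pseudo_header(src, dst, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    return ip + tcp


def parse(packet):
    """(src_ip, src_port, dst_ip, dst_port) from the fixed header offsets."""
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    src_port, dst_port = struct.unpack("!HH", packet[20:24])
    return src_ip, src_port, dst_ip, dst_port


def verify(packet) -> bool:
    """Both checksums verify iff the one's-complement sum over the covered bytes is 0xFFFF."""
    ip_ok = _ones_complement_sum(packet[:IP_HDR_LEN]) == 0xFFFF
    seg = packet[IP_HDR_LEN:]
    tcp_ok = _ones_complement_sum(_pseudo_header(packet[12:16], packet[16:20], len(seg)) + seg) == 0xFFFF
    return ip_ok and tcp_ok


def nat_rewrite_source(packet, new_ip, new_port):
    """The outgoing-datagram step: replace (source IP, port) in place and recompute BOTH checksums."""
    pkt = bytearray(packet)
    pkt[12:16] = socket.inet_aton(new_ip)
    pkt[20:22] = struct.pack("!H", new_port)
    # IPv4 header checksum: zero the field, sum the 20-byte header
    pkt[10:12] = b"\x00\x00"
    pkt[10:12] = struct.pack("!H", checksum(bytes(pkt[:IP_HDR_LEN])))
    # TCP checksum: zero the field, sum pseudo-header + whole segment (addresses changed too)
    seg = bytearray(pkt[IP_HDR_LEN:])
    seg[16:18] = b"\x00\x00"
    tcp_csum = checksum(_pseudo_header(bytes(pkt[12:16]), bytes(pkt[16:20]), len(seg)) + bytes(seg))
    pkt[IP_HDR_LEN + 16:IP_HDR_LEN + 18] = struct.pack("!H", tcp_csum)
    return bytes(pkt)


if __name__ == "__main__":
    inside = build_packet("10.0.0.1", 3345, "128.119.40.186", 80, b"constructed payload")
    outside = nat_rewrite_source(inside, "138.76.29.7", 5001)
    print(parse(inside), verify(inside))
    print(parse(outside), verify(outside))
```

The rewrite has to reach into the transport header, which is the layer-3-only objection from the earlier slide in concrete form. It also shows why NAT and end-to-end protection do not mix: if the TCP header were encrypted, or if an integrity check such as IPsec AH covered the source address, the router could neither read the port nor produce a valid packet after changing the address, which is the "limits encryption and authentication" drawback.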