
VPN and NAT


mikko




Presentation Transcript


  1. VPN and NAT
     • We have been viewing the Internet as a collection of interconnected networks
     • In reality, many organizations have private internets interconnected by the Internet
     (Figure: Organization A’s private network, Organization B’s private network, Internet)

  2. A Single-Level Internet
     • A collection of interconnected networks:

  3. A Single-Level Internet (cont)
     • Problem: privacy
     (Figure: Site 1 of Organization A, Site 2 of Organization A, Internet)

  4. Solution #1
     • A private network – an isolated TCP/IP internet separate from the Internet
     • Can use arbitrary IP addresses (usually private IPs)
     (Figure: Organization A’s private network, Internet)

  5. Solution #2
     • A hybrid network:
       • Use globally valid IP addresses
       • Internal hosts can communicate with hosts on the Internet
       • Communications among internal hosts are private

  6. Solution #3
     • A Virtual Private Network (VPN):
       • Communication between any pair of computers in the VPN remains private
       • Virtual – uses the Internet to carry traffic from one part of the VPN to another
     (Figure: Site 1 of Organization A, Site 2 of Organization A, Internet, VPN tunnel)

  7. A Virtual Private Network
     • How it works:
       • Tunneling: agreement by two routers to exchange datagrams
       • IP-in-IP encapsulation
       • Encryption: the encapsulated datagram is scrambled so that intermediate hosts/routers cannot read it

  8. VPN – Addressing and Routing
     • A hybrid network
     • The VPN tunnel replaces the leased circuit

  9. VPN – Addressing and Routing (cont)
     • Example: a datagram from 128.10.2.0 to 128.210.0.0:
       • Sent to R2, then R1, then tunneled to R3, then R4

  10. Distributed Private Network
      • VPN can be used to create a distributed private network:
        • Internal hosts are isolated from the Internet
        • Hosts can be assigned private addresses
        • Each site needs one globally valid IP address for tunneling
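The tunneling step of slides 7, 9 and 10 (IP-in-IP encapsulation between the two routers that own each site's one globally valid address), as an added example written for this page rather than code from the slides. It uses only the Python standard library. The site prefixes 128.10.2.0 and 128.210.0.0 are the slides'; the inner host addresses, the routers' tunnel addresses (R1_GLOBAL, R3_GLOBAL) and the payload are constructed, and the encryption step the slides describe is not applied here, so the outer datagram carries the inner one in the clear.

```python
"""
Added example, not from the slides: IP-in-IP encapsulation and decapsulation
as a VPN tunnel router would perform it, standard library only. The inner
host addresses, the tunnel endpoint addresses and the payload are constructed
for this example; the slides' encryption step is not applied.
"""
import socket
import struct

IPPROTO_IPIP = 4            # IANA protocol number for IP-in-IP
HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Return a minimal IPv4 datagram with a correct header checksum."""
    header = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(dgram: bytes) -> dict:
    """Validate version, header length and checksum; return the header fields."""
    if len(dgram) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(HDR_FMT, dgram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(dgram):
        raise ValueError("malformed IPv4 header")
    if checksum(dgram[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": dgram[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry (R1): the whole inner datagram becomes the payload of an
    outer datagram addressed from R1's to R3's globally valid address."""
    parse_ipv4(inner)  # refuse to tunnel anything that is not a valid datagram
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, peer: str, local: str) -> bytes:
    """Tunnel exit (R3): accept only IP-in-IP datagrams from the configured
    peer that are addressed to this router, then hand back the inner datagram."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP datagram")
    if hdr["src"] != peer or hdr["dst"] != local:
        raise ValueError("outer addresses do not match the configured tunnel")
    inner = hdr["payload"]
    parse_ipv4(inner)  # the inner header must be valid as well
    return inner


R1_GLOBAL, R3_GLOBAL = "198.51.100.1", "203.0.113.1"   # constructed tunnel endpoints


def tunnel_round_trip() -> dict:
    """A datagram from site 1 (128.10.2.0) to site 2 (128.210.0.0) crosses the tunnel."""
    inner = build_ipv4("128.10.2.7", "128.210.0.9", 17, b"constructed payload")
    outer = encapsulate(inner, R1_GLOBAL, R3_GLOBAL)
    delivered = decapsulate(outer, R1_GLOBAL, R3_GLOBAL)
    return {"outer": parse_ipv4(outer), "inner_intact": delivered == inner,
            "inner_dst": parse_ipv4(delivered)["dst"]}


if __name__ == "__main__":
    r = tunnel_round_trip()
    print(r["outer"]["src"], "->", r["outer"]["dst"], "proto", r["outer"]["proto"])
    print("inner intact:", r["inner_intact"], "inner dst:", r["inner_dst"])
```

The outer header's protocol field (4) is what tells R3 that the payload is itself a datagram, and the outer source and destination are the only globally valid addresses the Internet ever sees; the inner addresses stay private. The peer check in `decapsulate` is a plain address comparison, which an outer header alone cannot make trustworthy; that is why slide 7 pairs tunneling with encryption of the encapsulated datagram rather than relying on addresses.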

  11. Distributed Hybrid Network
      • Internal hosts can communicate with hosts on the Internet
      • Communications among internal hosts are private
      • How to make it work?

  12. Application Gateways
      • An application gateway is a program that acts as a middleman for a particular service
      • Typically runs on a multi-homed host that is the gateway between internal hosts and the Internet
      • Internal hosts send requests to the application gateway
      • The application gateway passes the request to the destination host
      • The destination host sends its reply to the application gateway
      • The application gateway passes the reply to the originating internal host

  13. Application Gateways
      • Advantage:
        • Does not require changes to:
          • The network infrastructure
          • The addressing scheme
      • Disadvantage:
        • Not general:
          • Each application gateway handles a specific service
          • A different application gateway program is required for each different service

  14. Network Address Translation
      • Network Address Translation (NAT) is software that translates addresses in incoming and outgoing datagrams
      • P = private address
      • G = globally-valid IP address
      (Figure: Organization A’s private network (P), NAT box (G), Internet)

  15. NAT (cont)
      • The NAT box acts as a middleman between internal and external hosts:
        • Outgoing datagrams:
          • Source IP address is replaced with G
        • Incoming datagrams:
          • Destination IP address is replaced with the private IP address of the correct host
      • How does the NAT box know which is the “correct” host when it receives a reply from an external host?

  16. NAT Translation Table
      • The NAT software maintains a translation table that records which internal hosts are communicating with which external hosts
      • When a datagram arrives from 134.126.14.32, the destination address should be translated to 10.1.0.3

  17. Translation Table Initialization
      • How (and when) are entries placed in the translation table?
        • Manually
          • Good: permanent mappings, connections can originate either inside or outside
          • Bad: difficult to maintain

  18. Translation Table Initialization (cont)
      • How (and when) are entries placed in the translation table?
        • During translation of outgoing datagrams
          • Good: automatic
          • Bad: external hosts cannot initiate connections

  19. Translation Table Initialization (cont)
      • How (and when) are entries placed in the translation table?
        • In response to an incoming name lookup
          • Good:
            • Automatic
            • External hosts can initiate connections
          • Bad:
            • Requires modification to DNS server software
            • External hosts must perform a name lookup prior to sending datagrams to internal hosts

  20. Shortcoming of NAT Translation Table
      • What if two different internal hosts want to communicate with the same external host (134.126.24.210)?
      • Not clear which one to send replies to:

  21. Network Address Port Translation
      • Network Address Port Translation (NAPT) expands the table to include additional fields:
      • Note: two internal hosts (10.0.0.5 and 10.0.0.1) are both accessing port 80 on 128.10.19.20
      • NAPT translates both addresses and ports to avoid ambiguity

  22. Network Address Port Translation (cont)
      • Note: both the IP address and the port number are translated:
        • Datagrams from port 21023 on 10.0.0.5 are sent to 128.10.19.20 as if they came from port 14003 on the NAT box
        • Replies from 128.10.19.20 to port 14003 on the NAT box are forwarded to 10.0.0.5
        • Datagrams from port 386 on 10.0.0.1 are sent to 128.10.19.20 as if they came from port 14010 on the NAT box
        • Replies from 128.10.19.20 to port 14010 on the NAT box are forwarded to 10.0.0.1
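The translation tables of slides 15 through 22 simulated in Python, as an added example that is not code from the slides. An address-only table reproduces the ambiguity of slide 20 (two internal hosts reach the same external host and the reply goes to the wrong one), a NAPT table resolves it by giving each connection its own port on G, and, because entries are created only while translating outgoing datagrams (slide 18), an unsolicited datagram from outside finds no mapping and is dropped. The internal hosts 10.0.0.5 and 10.0.0.1, the server 128.10.19.20:80 and the source ports 21023 and 386 come from the slides; G (GLOBAL_IP) and the port allocator are constructed, and the allocator hands out consecutive ports, so the second mapping here gets 14004 rather than the slide's 14010.

```python
"""
Added example, not from the slides: an address-only NAT table and a NAPT
table, to show why the first is ambiguous and how the second fixes it.
GLOBAL_IP (G), the port allocator and the unsolicited external sender are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GLOBAL_IP = "192.0.2.1"   # constructed: G, the NAT box's globally valid address


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class AddressOnlyNat:
    """Slide 16 style table: external address -> internal address, no ports."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def outbound(self, d: Datagram) -> Datagram:
        # Remember which internal host last talked to this external host,
        # then rewrite the source address to G; the port is left untouched.
        self.table[d.dst_ip] = d.src_ip
        return Datagram(GLOBAL_IP, d.src_port, d.dst_ip, d.dst_port)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        internal = self.table.get(d.src_ip)
        if internal is None:
            return None  # no entry for this external host: drop
        return Datagram(d.src_ip, d.src_port, internal, d.dst_port)


class Napt:
    """Slide 21 style table: each (internal host, internal port, external
    host, external port) tuple gets its own port on G, and both the source
    address and the source port are rewritten."""

    def __init__(self, first_port: int = 14003) -> None:
        self.next_port = first_port
        self.out: Dict[Tuple[str, int, str, int], int] = {}
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, d: Datagram) -> Datagram:
        key = (d.src_ip, d.src_port, d.dst_ip, d.dst_port)
        port = self.out.get(key)
        if port is None:
            # Entry created while translating an outgoing datagram (slide 18).
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, d.dst_ip, d.dst_port)] = (d.src_ip, d.src_port)
        return Datagram(GLOBAL_IP, port, d.dst_ip, d.dst_port)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        entry = self.back.get((d.dst_port, d.src_ip, d.src_port))
        if entry is None:
            return None  # unsolicited external traffic: no mapping, dropped
        internal_ip, internal_port = entry
        return Datagram(d.src_ip, d.src_port, internal_ip, internal_port)


def address_only_ambiguity() -> str:
    """Two internal hosts reach the same server; the reply meant for 10.0.0.5
    is delivered to whichever host wrote the table entry last."""
    nat = AddressOnlyNat()
    nat.outbound(Datagram("10.0.0.5", 21023, "128.10.19.20", 80))
    nat.outbound(Datagram("10.0.0.1", 386, "128.10.19.20", 80))
    reply = nat.inbound(Datagram("128.10.19.20", 80, GLOBAL_IP, 21023))
    return reply.dst_ip  # "10.0.0.1", although port 21023 belongs to 10.0.0.5


def napt_demo() -> dict:
    """The same two connections through a NAPT box, plus one unsolicited datagram."""
    napt = Napt()
    a = napt.outbound(Datagram("10.0.0.5", 21023, "128.10.19.20", 80))
    b = napt.outbound(Datagram("10.0.0.1", 386, "128.10.19.20", 80))
    r_a = napt.inbound(Datagram("128.10.19.20", 80, GLOBAL_IP, a.src_port))
    r_b = napt.inbound(Datagram("128.10.19.20", 80, GLOBAL_IP, b.src_port))
    unsolicited = napt.inbound(Datagram("198.51.100.7", 4444, GLOBAL_IP, 22))
    return {
        "nat_port_a": a.src_port,                     # 14003
        "nat_port_b": b.src_port,                     # 14004
        "reply_a": (r_a.dst_ip, r_a.dst_port),        # ("10.0.0.5", 21023)
        "reply_b": (r_b.dst_ip, r_b.dst_port),        # ("10.0.0.1", 386)
        "unsolicited_dropped": unsolicited is None,   # True
    }


if __name__ == "__main__":
    print("address-only reply delivered to:", address_only_ambiguity())
    print(napt_demo())
```

The reverse lookup in `Napt.inbound` is keyed on the NAT-box port together with the external address and port, which is what lets the box tell two replies from the same server apart. The same table is also why slide 18 lists "external hosts cannot initiate connections" as a drawback and slide 23 lists "shields internal host IP addresses" as an advantage: a datagram that matches no entry is never forwarded inside.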

  23. NAT (cont)
      • Advantages:
        • General: internal hosts can access an arbitrary service on an external host
        • Transparent to internal and external hosts
        • Helps conserve IP addresses
        • Shields internal host IP addresses
      • Disadvantage:
        • Interaction with higher-layer protocols
          • ICMP
          • FTP

  24. Summary
      • A Virtual Private Network (VPN) sends data across the Internet, but encrypts intersite transmissions to guarantee privacy
      • Network Address Translation (NAT) provides transparent IP-level access to the Internet from a host with a private address
      • There are variants of NAT, including Network Address Port Translation (NAPT), which translates protocol port numbers as well as IP addresses
