tymann

Presentation Transcript


  1. tymann.us (Home Networking)
  • Have Road Runner
  • Unhappy about reports of constant probes of machines
  • Policy decision
    • I want to prevent unauthorized probes/connection attempts on my machines
  • Mechanism
    • Purchase some sort of firewall for my home network

  2. Configuration
  [Network diagram: Internet – Cable Modem – Router; behind the router the home machines Grumpy, Reiker and the Desktops]

  3. Private IP Addresses
  • The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (RFC1597):
    • 10.0.0.0 - 10.255.255.255 (class A)
    • 172.16.0.0 - 172.31.255.255 (class B)
    • 192.168.0.0 - 192.168.255.255 (class C)
  • These addresses are not routable
    • Meaning that they will not be routed by an ISP

  4. Address Management
  [Diagram: the router's Internet-side address, 66.67.3.170, is assigned via DHCP by Road Runner (RR); on the home side the router is 192.168.1.254, Grumpy is 192.168.1.1, Reiker is 192.168.1.2, and the Desktops are assigned addresses via DHCP from Grumpy in the range 192.168.0.100 – 192.168.0.200]

  5. How Does This Help?
  [Diagram: Internet – Cable Modem – Router; behind the router Grumpy (192.168.1.1), Reiker (192.168.1.2) and the Desktops (assigned via DHCP from Grumpy, 192.168.0.100 – 192.168.0.200)]
  • Because these machines use private addresses, which cannot be used beyond the router: can't get in or out!!!

  6. Mystery
  • Mouse opens a TCP connection to the CS department's web server
  • Grumpy's address is 192.168.1.1
  • Destination is 129.21.30.29
  • The packet arrives at RIT
  • RIT responds – but 192.168.1.1 is a private address and will not be routed through the Internet
  • How does Grumpy communicate with the outside world?

  7. Network Address Translation
  • Network Address Translation (NAT) makes this all possible (RFC2663 & RFC2766)
  • Private traffic for the Internet arrives at the router (sometimes called a NAT box)
  • The router changes the source IP address to the "real" IP address
  • Packet is sent as usual
  • Reply arrives at router
  • Now what? How do we know what private address to route it to?

  8. A Little TCP
  [Diagram: endpoints 192.168.1.1:2004 and 129.21.30.29:1024]
  • Outgoing packet: Src: 192.168.1.1:2024, Dest: 129.21.30.29:1024
  • Reply packet: Src: 129.21.30.29:1024, Dest: 192.168.1.1:2024
  • Both endpoints, together, uniquely define a TCP connection: (192.168.1.1, 2024, 129.21.30.29, 1024)

  9. Address Translation
  [Diagram: 192.168.1.1:2004 – NAT Box – 129.21.30.29:1024]
  • Outgoing, before the NAT box: Src: 192.168.1.1:2024, Dest: 129.21.30.29:80
  • Outgoing, after the NAT box: Src: 66.67.3.170:2024, Dest: 129.21.30.29:80
  • Reply, before the NAT box: Src: 129.21.30.29:80, Dest: 66.67.3.170:2024
  • Reply, after the NAT box: Src: 129.21.30.29:80, Dest: 192.168.1.1:2024

  10. How to Route?
  • If a NAT box is managing several TCP connections, how does it know who to route incoming packets to?
  • Key is port numbers
    • (IP_src, Port_src, IP_dest, Port_dest)
  • Create map
    • Key → (Port_src, IP_dest, Port_dest)
    • Value → (IP_src)
  • Why have Port_src in the key?

  11. Problem
  [Diagram: 192.168.1.1:2004 and 192.168.1.2:2004 – NAT Box – 129.21.30.29:80]
  • From 192.168.1.1: Src: 192.168.1.1:2024, Dest: 129.21.30.29:80 → after translation Src: 66.67.3.170:1024, Dest: 129.21.30.29:80
  • From 192.168.1.2: Src: 192.168.1.2:2024, Dest: 129.21.30.29:80 → after translation Src: 66.67.3.170:1024, Dest: 129.21.30.29:80
  • Both translated packets carry the same (Port_src, IP_dest, Port_dest), so the replies to the two connections cannot be told apart

  12. NAPT
  • Includes port numbers in the translation
  • Client actually opens the connection with the NAT box (thus has unique end points)
  • The NAT box in turn opens a connection with the real server (again unique end points)
  • Now when a packet arrives from the server, it has the NAT-assigned port as its destination
  • The term NAT is often used in place of NAPT

  13. NAPT Translation Table
  [Table image; not included in the transcript]

  14. NAPT Translation
  [Diagram: 192.168.1.1:2004 and 192.168.1.2:2004 – NAT Box – 129.21.30.29:80]
  • First connection: Src: 192.168.1.1:2024, Dest: 129.21.30.29:80 → after translation Src: 66.67.3.170:14003, Dest: 129.21.30.29:80
  • Second connection: Src: 192.168.1.1:2024, Dest: 129.21.30.29:80 → after translation Src: 66.67.3.170:14004, Dest: 129.21.30.29:80
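The following Python model, added here as an example (it is not code from the slides), plays out slides 3 and 10–14 with the addresses the slides use: two private hosts, 192.168.1.1 and 192.168.1.2, both open connections to 129.21.30.29:80 from local port 2024 behind a box whose public address is 66.67.3.170. `basic_nat_key` shows why the (Port_src, IP_dest, Port_dest) key from slide 10 is ambiguous, and `NaptBox` resolves it the NAPT way by assigning one port per connection, starting at 14003 as on slide 14. The `Packet` and `NaptBox` names, the starting port parameter, and the 203.0.113.9 probe source are constructed for this example; unsolicited inbound packets are simply dropped, which is the "can't get in" property slide 5 relies on.

```python
"""Toy NAPT (port-translating NAT) box, constructed for this transcript.

Hosts 192.168.1.1 and 192.168.1.2 both connect to 129.21.30.29:80 from
local port 2024, the collision shown on the "Problem" slide.  The box
assigns its own port per connection (14003, 14004, ...), as on the
"NAPT Translation" slide, so replies can be routed unambiguously.
"""
import ipaddress
from dataclasses import dataclass

# RFC1597 private blocks from the "Private IP Addresses" slide.
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the three reserved private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Packet:
    """The four header fields NAT looks at: (IP_src, Port_src, IP_dest, Port_dest)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def basic_nat_key(pkt: Packet) -> tuple:
    """Map key from the "How to Route?" slide: (Port_src, IP_dest, Port_dest).
    Two private hosts that pick the same source port produce the same key."""
    return (pkt.src_port, pkt.dst_ip, pkt.dst_port)


class NaptBox:
    """Port-translating NAT: one public address, one assigned port per connection."""

    def __init__(self, public_ip: str, first_port: int = 14003):
        self.public_ip = public_ip
        self.next_port = first_port          # next port to hand out (constructed choice)
        self.out_table: dict = {}            # private 4-tuple -> assigned public port
        self.in_table: dict = {}             # assigned public port -> private 4-tuple

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: rewrite the source to (public_ip, assigned port)."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not a private address; nothing to translate")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_table.get(key)
        if port is None:                     # first packet of this connection
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> private: look up the assigned port and restore the private
        destination.  Returns None (packet dropped) when no connection owns the
        port, or when the sender is not the remote end that connection talks to."""
        key = self.in_table.get(pkt.dst_port)
        if key is None:
            return None                      # unsolicited: nothing inside asked for it
        src_ip, src_port, dst_ip, dst_port = key
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None                      # port is in use, but not by this remote end
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)


if __name__ == "__main__":
    box = NaptBox("66.67.3.170")
    grumpy = Packet("192.168.1.1", 2024, "129.21.30.29", 80)
    other = Packet("192.168.1.2", 2024, "129.21.30.29", 80)
    print("basic NAT keys collide:", basic_nat_key(grumpy) == basic_nat_key(other))
    for p in (grumpy, other):
        print("out:  ", p, "->", box.outbound(p))
    reply = Packet("129.21.30.29", 80, "66.67.3.170", 14004)
    print("reply:", reply, "->", box.inbound(reply))
    probe = Packet("203.0.113.9", 40000, "66.67.3.170", 22)   # constructed outside probe
    print("probe:", probe, "->", box.inbound(probe))
```

Running the script prints the two outbound rewrites (ports 14003 and 14004), the reply to port 14004 restored to 192.168.1.2:2024, and `None` for the probe, since no inside host opened a connection that port 22 belongs to.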

  15. Common Characteristics
  • All flavors of NAT devices should share the following characteristics:
    • Transparent address assignment
    • Transparent routing through address translation (routing here refers to forwarding packets, and not exchanging routing information)
    • ICMP error packet payload translation
