COMS/CSEE 4140 Networking Laboratory Lecture 08 Salman Abdul Baset Spring 2008
Announcements • Prelab 7 and Lab report 6 due next week before your lab slot • Assignment 3 due next week Monday • Project groups
Last time… • Interconnection devices (hub, bridge/switch, router) • Bridges/LAN switches vs. routers • Bridge concepts, PDU • Spanning tree algorithm • Linux packet reception
Agenda • Private network and addresses • NAT (Network Address Translator) • Basic operation • Issues (binding, filtering, state maintenance) • Main uses of NAT • Dynamic Host Configuration Protocol (DHCP)
Private Network • Private IP network is an IP network with private IP addresses • IP addresses in a private network can be assigned arbitrarily but they are usually picked from the reserved pool (can we use any?) • Not registered and not guaranteed to be globally unique • Generally, private networks use addresses from the following experimental address ranges (non-routable addresses): • 10.0.0.0 – 10.255.255.255 • 172.16.0.0 – 172.31.255.255 • 192.168.0.0 – 192.168.255.255
Network Address Translator • A hack to fix the IP address depletion problem. • NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network. • Breaks the End-to-End argument. • RFC 1631 - The IP Network Address Translator (NAT) • Not an Internet standard (RFC 3700) but… • Provides a form of security by acting as a firewall • Home users • Small companies Other solutions to the IP address problem are?
Basic Operation of NAT • NAT device stores the address and port translation tables (Binding) • In this example we mapped only addresses. • NAT device filters incoming traffic (Filtering) [Figure: Private Network with Host (private address 10.0.1.2), NAT Device (public address 128.143.71.21), Internet, Public Host 64.236.24.4; translation table: Private Address 10.0.1.1, Public Address 128.59.16.21; the Source/Destination fields of the datagram are shown before and after translation on each side of the NAT device]
NAT Issues • Private-to-public address mapping • Static NAT • Dynamic NAT • Overloading (NAPT or PAT) • State maintenance • Linux: /proc/net/ip_conntrack • Binding and Filtering Behavior • Binding: endpoint-independent, address-dependent, address-and-port-dependent • Filtering: endpoint-independent filtering, address-dependent filtering, address-and-port-dependent filtering.
Static mapping Dynamic mapping NAPT/PAT
NAT Issues • Port preserving • Hair pinning • Discovering binding lifetime
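The binding and filtering behaviours listed above, as an added example (not code from the lecture): a toy NAPT that gives each internal endpoint one public port (endpoint-independent binding) and then admits or drops inbound packets according to the selected filtering rule. The addresses are the ones used on the slides; 203.0.113.9 is a constructed "unrelated host".

```python
# Added example (not lecture code): toy NAPT with endpoint-independent binding and
# a selectable filtering behaviour. Addresses are the slides'; 203.0.113.9 is constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")
FILTERS = ("endpoint-independent", "address-dependent", "address-and-port-dependent")

class Napt:
    def __init__(self, public_ip, filtering="endpoint-independent", first_port=40000):
        assert filtering in FILTERS
        self.public_ip, self.filtering, self.next_port = public_ip, filtering, first_port
        self.bindings = {}   # (private ip, private port) -> public port
        self.reverse = {}    # public port -> (private ip, private port)
        self.peers = set()   # (public port, external ip, external port) already contacted

    def outbound(self, pkt):
        """Translate a private->Internet packet, allocating a binding on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.bindings:
            # endpoint-independent binding: one public port per internal endpoint,
            # reused for every destination (no port preservation attempted here)
            self.bindings[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        port = self.bindings[key]
        self.peers.add((port, pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an Internet->private packet, or return None when it is filtered."""
        key = self.reverse.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None                      # no binding exists: nothing to translate to
        if self.filtering == "address-dependent":
            ok = any(p == pkt.dst_port and ip == pkt.src_ip for p, ip, _ in self.peers)
        elif self.filtering == "address-and-port-dependent":
            ok = (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.peers
        else:
            ok = True                        # endpoint-independent: binding alone suffices
        return Packet(pkt.src_ip, pkt.src_port, *key) if ok else None

def demo(filtering):
    """10.0.1.2 contacts 64.236.24.4:80, then three inbound packets try the binding."""
    nat = Napt("128.143.71.21", filtering)
    out = nat.outbound(Packet("10.0.1.2", 5000, "64.236.24.4", 80))
    tries = [Packet("64.236.24.4", 80, out.src_ip, out.src_port),    # the real reply
             Packet("64.236.24.4", 8080, out.src_ip, out.src_port),  # same host, other port
             Packet("203.0.113.9", 80, out.src_ip, out.src_port)]    # unrelated host
    return [nat.inbound(p) is not None for p in tries]
```

`demo()` returns which of the three inbound packets get through; only the first is a genuine reply, so the stricter filters are what stop an unrelated host from reaching the private host through an existing binding.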
Main uses of NAT • Pooling of IP addresses • Supporting migration between network service providers • IP masquerading and internal firewall • Load balancing of servers
Pooling of IP addresses • Scenario: Corporate network has many hosts but only a small number of public IP addresses. • NAT solution: • Corporate network is managed with a private address space. • NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses. • When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host.
Pooling of IP addresses [Figure: Private Network with Host (private address 10.0.1.2), NAT Device (public address 128.143.71.21), Internet, Public Host 64.236.24.4; translation table: Private Address 10.0.1.2, Public Address 128.59.16.21; the Source/Destination fields of the datagram are shown before and after translation on each side of the NAT device]
Supporting migration between network service providers • Scenario: In practice (using CIDR), the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network. • NAT solution: • Assign private addresses to the hosts of the corporate network • NAT device has address translation entries which bind the private address of a host to the public address. • Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.
IP masquerading • Also called: Network address and port translation (NAPT), port address translation (PAT). • Scenario: Single public IP address is mapped to multiple hosts in a private network. • NAT solution: • Assign private addresses to the hosts of the corporate network • NAT device modifies the port numbers for outgoing traffic
Load balancing of servers • Scenario: Balance the load on a set of identical servers, which are accessible from a single IP address • NAT solution: • Here, the servers are assigned private addresses • NAT device acts as a proxy for requests to the server from the public network • The NAT device changes the destination IP address of arriving packets to one of the private addresses for a server • A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.
Load balancing of servers When does this work? When does this fail?
Concerns about NAT • Performance • Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum. • Modifying the port number requires that NAT boxes recalculate the TCP checksum. • Fragmentation • Care must be taken that a datagram that is fragmented before it reaches the NAT device is not assigned a different IP address or different port numbers for each of the fragments.
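The checksum work described above, as an added example (not code from the lecture): a constructed IPv4/TCP packet has its source address and port rewritten the way SNAT/NAPT does, and both checksums are patched with the incremental update of RFC 1624 rather than resummed in full. Addresses are the ones on the slides; the port numbers and payload are made up.

```python
# Added example (not lecture code): patching IPv4 and TCP checksums after a NAT rewrite.
import struct
from ipaddress import IPv4Address

def oc_sum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, folded to 16 bits (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return ~oc_sum(data) & 0xFFFF

def incremental(old_csum: int, old: bytes, new: bytes) -> int:
    """RFC 1624: HC' = ~(~HC + ~m + m'); only the changed words are summed."""
    acc = (~old_csum & 0xFFFF) + (~oc_sum(old) & 0xFFFF) + oc_sum(new)
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return ~acc & 0xFFFF

def build(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 header + TCP SYN with correct checksums (constructed test packet)."""
    s, d = IPv4Address(src).packed, IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 2, 65535, 0, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))    # TCP checksum covers this too
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, s, d)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def snat(packet: bytes, new_src: str, new_sport: int) -> bytes:
    """Rewrite source IP/port the way SNAT/NAPT does and patch both checksums."""
    ip, tcp = bytearray(packet[:20]), bytearray(packet[20:])
    old_src, old_sport = bytes(ip[12:16]), bytes(tcp[0:2])
    src, sport = IPv4Address(new_src).packed, struct.pack("!H", new_sport)
    ip_csum = struct.unpack("!H", ip[10:12])[0]
    ip[10:12] = struct.pack("!H", incremental(ip_csum, old_src, src))
    ip[12:16] = src
    tcp_csum = struct.unpack("!H", tcp[16:18])[0]   # address sits in the pseudo-header, port in the segment
    tcp[16:18] = struct.pack("!H", incremental(tcp_csum, old_src + old_sport, src + sport))
    tcp[0:2] = sport
    return bytes(ip + tcp)

def valid(packet: bytes) -> bool:
    """True when both checksums verify (sum over the covered bytes folds to 0xFFFF)."""
    ip, tcp = packet[:20], packet[20:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return oc_sum(ip) == 0xFFFF and oc_sum(pseudo + tcp) == 0xFFFF
```

Note that changing only the address (no port change) still invalidates the TCP checksum, because the pseudo-header the TCP checksum covers contains the IP addresses.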
Concerns about NAT • End-to-end connectivity • NAT destroys universal end-to-end reachability of hosts on the Internet. • A host in the public Internet often cannot initiate communication to a host in a private network. • The problem is worse when two hosts that are in a private network need to communicate with each other. • NAT and applications • NAT breaks applications such as file transfer, VoIP
NAT and FTP • Normal FTP operation
NAT and FTP • NAT device without FTP support
NAT and FTP • NAT device with FTP support
Configuring NAT/firewall in Linux • iptables • Table (queue) • Filter, NAT, Mangle • Chain • Place within the table where firewall/NAT rules are placed. • Packets pass through chains where tables are looked up and a decision per packet is made.
Source: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#What_Is_iptables.3F
Configuring NAT in Linux • Linux uses the Netfilter/iptables kernel package
Configuring NAT with iptables
• First example: iptables -t nat -A POSTROUTING -s 10.0.1.2 -j SNAT --to-source 128.16.71.21
• Pooling of IP addresses: iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 128.16.71.0-128.16.71.30
• IP masquerading: iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth1 -j MASQUERADE
• Load balancing: iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4
Agenda • Private network and addresses • NAT (Network Address Translator) • Basic operation • Issues (binding, filtering, state maintenance) • Main uses of NAT • Dynamic Host Configuration Protocol (DHCP)
Dynamic Assignment of IP addresses • Dynamic assignment of IP addresses is desirable for several reasons: • IP addresses are assigned on-demand • Avoid manual IP configuration • Support mobility of laptops / handheld WiFi devices
Solutions for dynamic assignment of IP addresses • Reverse Address Resolution Protocol (RARP) • Works similarly to ARP • Broadcast a request for the IP address associated with a given MAC address • RARP server responds with an IP address • Only assigns the IP address (not the default router and subnet mask) Why not a good solution?
BOOTP (RFC 951) • BOOTstrap Protocol (BOOTP) • Predecessor of DHCP • Host can configure its IP parameters at boot time. • Three services • IP address assignment. • Detection of the IP address for a serving machine. • The name of a file to be loaded and executed by the client machine (boot file name) • Not only assign IP address, but also default router, network mask, etc. • Sent as UDP messages (UDP Port 67 (server) and 68 (host)) • Use limited broadcast address (255.255.255.255): • These addresses are never forwarded
DHCP • Dynamic Host Configuration Protocol (DHCP) • From 1993 • An extension of BOOTP, very similar to BOOTP • Same port numbers as BOOTP • Extensions: • Supports temporary allocation (“leases”) of IP addresses • DHCP client can acquire all IP configuration parameters needed to operate • DHCP is the preferred mechanism for dynamic assignment of IP addresses • DHCP can interoperate with BOOTP clients.
BOOTP/DHCP Message Format (There are >100 different options !!!)
BOOTP/DHCP • OpCode: 1 (Request), 2 (Reply) Note: DHCP message type is sent in an option • Hardware Type: 1 (for Ethernet) • Hardware address length: 6 (for Ethernet) • Hop count: set to 0 by client • Transaction ID: Integer (used to match reply to request) • Seconds: number of seconds since the client started to boot • Client IP address, Your IP address, server IP address, Gateway IP address, client hardware address, server host name, boot file name: client fills in the information that it has, leaves rest blank
DHCP Message Type • Message type is sent as an option.
Other options (selection) • Other DHCP information that is sent as an option: Subnet Mask, Name Server, Hostname, Domain Name, Forward On/Off, Default IP TTL, Broadcast Address, Static Route, Ethernet Encapsulation, X Window Manager, X Window Font, DHCP Msg Type, DHCP Renewal Time, DHCP Rebinding Time, SMTP-Server, Client FQDN, Printer Name, …
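The BOOTP/DHCP message layout and option area described above, as an added example (not code from the lecture): the fixed fields are packed in the order the slide lists them, the options follow the magic cookie as code/length/value triples with the message type in option 53, and the parser rejects an option that runs past the end of the message. The transaction id, MAC address and option values in the demo are constructed.

```python
# Added example (not lecture code): the BOOTP/DHCP fixed header and the option area
# that follows it; transaction id, MAC address and option values are constructed.
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"       # "magic cookie" that introduces the DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK", 7: "RELEASE"}

def build(op, xid, mac, yiaddr="0.0.0.0", options=()):
    """op, htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags, ciaddr, yiaddr, siaddr,
    giaddr, chaddr (16), sname (64), file (128), then magic cookie and TLV options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4)
    hdr += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"            # option 255 ends the list

def parse(msg):
    """Return the fixed fields and a {code: value} option map; reject malformed input."""
    if len(msg) < 240 or msg[236:240] != MAGIC:
        raise ValueError("not a BOOTP/DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", msg[:12])
    out = {"op": op, "xid": xid, "secs": secs, "yiaddr": str(IPv4Address(msg[16:20])),
           "chaddr": msg[28:28 + hlen], "options": {}}
    i = 240
    while i < len(msg) and msg[i] != 0xFF:
        if msg[i] == 0:                            # option 0 is a single pad byte
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("option runs past the end of the message")
        code, ln = msg[i], msg[i + 1]
        out["options"][code] = msg[i + 2:i + 2 + ln]
        i += 2 + ln
    if 53 in out["options"]:                       # DHCP message type travels as an option
        out["type"] = MSG_TYPES.get(out["options"][53][0], "unknown")
    return out
```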
DHCP Operation • DHCP DISCOVER • DHCP OFFER
DHCP Operation • DHCP DISCOVER • At this time, the DHCP client can start to use the IP address • Renewing a lease (sent when 50% of the lease has expired) • If the DHCP server sends DHCPNACK, then the address is released.
DHCP Operation • DHCP RELEASE • At this time, the DHCP client has released the IP address