Private Network Interconnection Chapter 20
Introduction
• Privacy in an internet is a major concern
• Contents of datagrams that travel across the Internet may be viewed as they pass across networks owned by other organizations
• Internal datagrams are those sent between computers within an organization
• External datagrams are those sent between computers in different organizations
• The goal is to keep internal datagrams private, while allowing external communication
Private and Hybrid Networks
• Private Networks
  • Use routers to connect networks at each site, and leased digital circuits to interconnect the sites
  • Can use arbitrary IP addresses
  • Are isolated from the Internet
• Hybrid Networks
  • Use valid IP addresses, and sites are connected to the Internet
  • Assured of privacy when communicating internally
  • See the leased circuit and connections to the Internet in Figure 20.1
• Both are expensive, and may lease T1 lines
Virtual Private Networks
• A VPN uses the Internet to connect sites
• Communication between computers in the VPN is concealed from outsiders
  • Tunneling using IP-in-IP encapsulation
  • Datagrams are encrypted before they are encapsulated
  • Outsiders cannot decrypt because they do not have the encryption key
VPN Addressing and Routing
• A VPN routes data through a tunnel
• See the routing table for R1, which handles tunneling, in Figure 20.3
• Example
  • A computer on network 128.10.2.0 sends a datagram to a computer on network 128.210.0.0
  • The datagram is forwarded to R2, which forwards it to R1
  • R1 encrypts the datagram, encapsulates it in the data portion of an outer datagram with destination R3, and forwards the outer datagram through the local ISP and across the Internet
  • R3 recognizes the datagram as tunneled from R1
  • R3 decrypts the data area and forwards it to R4 for delivery
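The tunneling step in the example above, as an added illustration that is not part of the chapter: R1 encrypts and authenticates the whole internal datagram, places it in the data portion of an outer IPv4 datagram (IP-in-IP, protocol 4) addressed to R3, and R3 accepts only datagrams from R1 whose integrity tag verifies before recovering the inner datagram. The internal network numbers are the chapter's; the tunnel endpoint addresses, the shared key, the helper names and the cipher (an HMAC-SHA256 counter-mode keystream, standing in for the AES-GCM a real IPsec tunnel would use) are assumptions made for this example.

```python
# Added example (not the textbook's code). Endpoint addresses, key and cipher are assumptions.
import hashlib
import hmac
import os
import socket
import struct

IPPROTO_IPIP = 4   # IP-in-IP encapsulation
IPPROTO_TCP = 6
R1_TUNNEL_ADDR = "192.0.2.1"     # assumed Internet-facing address of R1
R3_TUNNEL_ADDR = "198.51.100.1"  # assumed Internet-facing address of R3
TUNNEL_KEY = b"key configured on both R1 and R3 (assumed for the example)"
NONCE_LEN, TAG_LEN = 12, 32

def ipv4_datagram(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options; checksum left at zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def parse_ipv4(pkt):
    """Split a datagram into the header fields the tunnel endpoints look at."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}

def keystream_xor(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 in counter mode XORed over the data. It only
    makes the inner datagram unreadable without the key; it is not a production cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def r1_encapsulate(inner, key=TUNNEL_KEY):
    """R1: encrypt the internal datagram (header included), tag it, and carry it
    in the data portion of an outer datagram from R1 to R3."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = keystream_xor(key, nonce, inner)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return ipv4_datagram(R1_TUNNEL_ADDR, R3_TUNNEL_ADDR, IPPROTO_IPIP, nonce + ciphertext + tag)

def r3_decapsulate(outer, key=TUNNEL_KEY):
    """R3: accept only IP-in-IP datagrams from R1 whose tag verifies. Returns the
    inner datagram, or None when the outer datagram is not a valid tunnel datagram."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP or hdr["src"] != R1_TUNNEL_ADDR:
        return None
    body = hdr["payload"]
    if len(body) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None   # forged or corrupted: never forwarded as an internal datagram
    return keystream_xor(key, nonce, ciphertext)

if __name__ == "__main__":
    inner = ipv4_datagram("128.10.2.5", "128.210.0.9", IPPROTO_TCP, b"internal payload")
    outer = r1_encapsulate(inner)
    print("outer header:", {k: v for k, v in parse_ipv4(outer).items() if k != "payload"})
    print("R3 recovered inner destination:", parse_ipv4(r3_decapsulate(outer))["dst"])
```

Only the outer header (R1 to R3, protocol 4) is visible to networks along the path; the inner addresses 128.10.2.5 and 128.210.0.9 travel encrypted. The tag check is what lets R3 "recognize the datagram as tunneled from R1" rather than trusting the outer source address alone.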
A VPN with Private Addresses
• A VPN offers the same addressing options as a private network
• If Internet connectivity is not used, arbitrary IP addresses can be assigned
• If Internet connectivity is used, a hybrid addressing scheme can be used
• But when private addressing is used, one valid IP address is needed at each site for tunneling
• In Figure 20.4, site 1 uses subnet 10.1.0.0/16 and site 2 uses subnet 10.2.0.0/16
• Two valid IP addresses are required for connection to the Internet
A VPN with Private Addresses
• How can a site provide access to the Internet without assigning each host a valid IP address?
• Using an application gateway: each site has a multi-homed host connected to the Internet (valid IP address) and to the private network (private IP address)
• This host runs a set of application programs that each handle one service
• Other hosts at the site send requests to the application gateway, which interacts with the Internet on their behalf
Network Address Translation (NAT)
• Requires a site to have a single connection to the Internet and at least one valid IP address, G
• Address G is assigned to a multi-homed computer that connects to the Internet and runs NAT software
  • Called a NAT box
  • All datagrams pass through it on the way to/from the Internet
• NAT translates the addresses in the datagrams by
  • Replacing the outgoing source address with G
  • Replacing the incoming destination address (G) with the corresponding private address
NAT Translation Table Creation
• How does NAT know the destination for an incoming datagram?
• NAT maintains a translation table holding the IP address of a host on the Internet and the internal IP address of a host at the site
• How is the table initialized?
  • Manually
  • Outgoing datagrams: an entry is set when a datagram is sent
  • Incoming name lookups: an entry is set when a domain name is requested
NAT Translation Table Creation
• Figure 20.5 shows an ISP that serves dial-up customers
• The ISP assigns an IP address to a customer when the customer dials in
• NAT allows the ISP to assign private addresses
  • 10.0.0.1, then 10.0.0.2, etc.
• When a customer sends a datagram to a destination on the Internet, NAT uses the outgoing datagram to initialize its translation table
Multi-Address NAT
• The NAT box can be allowed to hold multiple Internet addresses
• Previously we only allowed a 1-to-1 address mapping
  • At most one computer at the site has access to a given machine on the Internet at any time
• This variation is multi-address NAT
• A NAT box has a set of k valid addresses G1, G2, … Gk
• When the first host accesses a destination, G1 is assigned
• If another host accesses the same destination, G2 is assigned, and so on
• Thus, up to k internal hosts may access a destination at the same time
Port-Mapped NAT
• This variation of NAT translates TCP or UDP port numbers as well as addresses (NAPT)
• The table contains the source and destination IP addresses and the source and destination protocol ports
• The table also indicates a port number used by the NAT box, as shown in Figure 20.6
Interaction Between NAT and ICMP
• NAT must handle ICMP
• Example
  • When ping is used, ICMP sends an echo request and an echo reply
• NAT does not forward all ICMP messages from the Internet
• NAT determines whether the message is to be handled locally or sent to an internal host
• Before forwarding, NAT translates the ICMP message
  • ICMP's destination unreachable is an example
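The translation table of the NAT, multi-address NAT, port-mapped NAT and NAT/ICMP slides above, as one added simulation that is not part of the chapter: outgoing datagrams create table rows (the "outgoing datagrams" initialization method), incoming datagrams are delivered only when they match a row and are otherwise dropped, an ICMP echo is matched on its identifier rather than on ports, and an ICMP destination-unreachable message has the header embedded in it rewritten before it is forwarded to the internal host. Port mapping covers the multi-address case because it lets many internal hosts reach the same destination through one G. The class and field names, the port range and the sample addresses are assumptions made for this example.

```python
# Added example (not the textbook's code). Names, port range and addresses are assumptions.
from dataclasses import dataclass, replace
import itertools
from typing import Optional

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp-echo" or "icmp-unreach"
    sport: int = 0             # for icmp-echo: the echo identifier (same in request and reply)
    dport: int = 0
    embedded: Optional["Datagram"] = None   # icmp-unreach: header of the datagram that failed

class NaptBox:
    """Port-mapped NAT with a single valid address G."""
    def __init__(self, public_addr, first_port=40000):
        self.G = public_addr
        self._ports = itertools.count(first_port)
        self.table = {}    # (proto, inside_addr, inside_port, remote_addr, remote_port) -> NAT port
        self.reverse = {}  # (proto, NAT port, remote_addr, remote_port) -> (inside_addr, inside_port)

    @staticmethod
    def _ids(d, inbound):
        """(our-side identifier, remote identifier): TCP/UDP use the two ports;
        an ICMP echo carries one identifier and no remote port."""
        if d.proto == "icmp-echo":
            return d.sport, 0
        return (d.dport, d.sport) if inbound else (d.sport, d.dport)

    def outbound(self, d):
        """Internal host -> Internet: create the row if needed, rewrite the source."""
        local, remote = self._ids(d, inbound=False)
        key = (d.proto, d.src, local, d.dst, remote)
        if key not in self.table:
            nat_port = next(self._ports)
            self.table[key] = nat_port
            self.reverse[(d.proto, nat_port, d.dst, remote)] = (d.src, local)
        return replace(d, src=self.G, sport=self.table[key])

    def inbound(self, d):
        """Internet -> site: deliver only what matches a row; None means the NAT box
        handles (or discards) the datagram itself."""
        if d.dst != self.G:
            return None
        if d.proto == "icmp-unreach":
            return self._inbound_unreach(d)
        local, remote = self._ids(d, inbound=True)
        row = self.reverse.get((d.proto, local, d.src, remote))
        if row is None:
            return None            # unsolicited: no internal host asked for this
        inside_addr, inside_port = row
        if d.proto == "icmp-echo":
            return replace(d, dst=inside_addr, sport=inside_port)
        return replace(d, dst=inside_addr, dport=inside_port)

    def _inbound_unreach(self, d):
        """The embedded header is OUR translated outbound datagram; map it back so the
        internal host recognizes which of its own datagrams failed."""
        e = d.embedded
        if e is None or e.src != self.G:
            return None
        local, remote = self._ids(e, inbound=False)
        row = self.reverse.get((e.proto, local, e.dst, remote))
        if row is None:
            return None
        inside_addr, inside_port = row
        fixed = replace(e, src=inside_addr, sport=inside_port)
        return replace(d, dst=inside_addr, embedded=fixed)

if __name__ == "__main__":
    nat = NaptBox("203.0.113.7")
    out = nat.outbound(Datagram("10.0.0.1", "198.51.100.20", "tcp", 51000, 80))
    print("translated outbound:", out)
    print("reply delivered to:", nat.inbound(Datagram("198.51.100.20", "203.0.113.7", "tcp", 80, out.sport)).dst)
    print("unsolicited inbound:", nat.inbound(Datagram("198.51.100.20", "203.0.113.7", "tcp", 80, 40999)))
```

Two internal hosts using the same source port get distinct NAT ports, which is what lets the single address G serve the whole site. The drop of unmatched inbound datagrams is incidental filtering, not a firewall policy: anything the table does not know about is simply undeliverable.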
Interaction Between NAT and Applications
• NAT does not work with applications that send IP addresses or protocol ports as data
  • Unless NAT is programmed to recognize the application (like FTP) and make changes in the data
  • Most implementations of NAT only recognize a few standard services
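The FTP case named above, as an added illustration that is not part of the chapter: an FTP client in active mode sends its own address and a port inside the PORT command, so a NAT that rewrites only the IP header passes a private address to the server, and the server's data connection can never reach the client. An application-aware NAT (an FTP gateway) parses the command, reserves a port of its own and rewrites the payload. The addresses, ports and names used here are assumptions made for this example.

```python
# Added example (not the textbook's code). Addresses, ports and names are assumptions.
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port_command(line):
    """Return (address, port) carried in 'PORT h1,h2,h3,h4,p1,p2', else None."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def build_port_command(addr, port):
    """Inverse of parse_port_command."""
    return "PORT " + ",".join(addr.split(".")) + f",{port // 256},{port % 256}\r\n"

def is_private(addr):
    """RFC 1918 private address?"""
    a, b = (int(x) for x in addr.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def leaks_private_address(line):
    """What a header-only NAT lets through: the payload still names an inside host.
    Seeing this on the Internet side of a NAT is a sign the application is not supported."""
    parsed = parse_port_command(line)
    return parsed is not None and is_private(parsed[0])

class FtpAlg:
    """Application-aware translation for the FTP control connection."""
    def __init__(self, public_addr, first_data_port=50000):
        self.public_addr = public_addr
        self.next_port = first_data_port
        self.data_map = {}   # NAT data port -> (inside_addr, inside_port) to forward the data connection to

    def rewrite(self, line):
        parsed = parse_port_command(line)
        if parsed is None:
            return line          # not address-bearing data: pass through unchanged
        nat_port = self.next_port
        self.next_port += 1
        self.data_map[nat_port] = parsed
        return build_port_command(self.public_addr, nat_port)

if __name__ == "__main__":
    client_line = "PORT 10,0,0,5,4,1\r\n"
    print("header-only NAT leaks private address:", leaks_private_address(client_line))
    alg = FtpAlg("203.0.113.7")
    print("gateway rewrites to:", alg.rewrite(client_line).strip())
    print("reserved data port map:", alg.data_map)
```

Changing the payload length is why this is hard in general: the TCP sequence numbers of every later segment on the control connection have to be adjusted too, which is one reason most NAT implementations support only a few well-known services.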
Slirp and Masquerade
• Two implementations of NAT came from UNIX
• slirp
  • A computer with a private address dials in
  • The computer starts PPP and gets access to the Internet
• masquerade
  • Can be configured to operate like a router between two networks
Summary
• A VPN allows an organization to use the Internet to connect multiple sites
• It uses encryption to guarantee privacy
• A VPN can be isolated or hybrid
• To communicate between hosts in different address domains
  • Application gateways act like a proxy, receiving requests from a host in one domain and relaying them to a host in a different domain
  • NAT provides access to the Internet from a host with a private address
For Next Time
• Read Chapter 21