CMU CS 15441 - lecture

This preview shows page 1-2-3 out of 10 pages.


15-441 Computer Networking
IPv6 and NATs
Copyright ©, 2007-10 Carnegie Mellon University

Review: Internet Protocol (IP)
• Hour Glass Model
• Create abstraction layer that hides underlying technology from network application software
• Make as minimal as possible
• Allows range of current & future technologies
• Can support many different types of applications
Hourglass figure, top to bottom: email, WWW, phone... / SMTP, HTTP, RTP... / TCP, UDP... / IP / ethernet, PPP... / CSMA, async, sonet... / copper, fiber, radio...

Review: IP Protocol
• What services does it provide?
• What protocol mechanisms to implement the services?
Figure, IPv4 packet format (header fields in order): version, HLen, TOS, Length; Ident, Flags, Offset; TTL, Protocol, Checksum; Source Address; Destination Address; Options (if any); Data

IP Address Problem (1991)
• Address space depletion
• In danger of running out of classes A and B
• Why?
• Class C too small for most domains
• Very few class A – very careful about giving them out
• Class B – greatest problem
• Class B sparsely populated
• But people refuse to give it back
• http://tech.slashdot.org/story/10/01/24/2139250/IPv4-Free-Pool-Drops-Below-10-10008-Allocated?art_pos=262

IP Address Utilization (‘97)
http://www.caida.org/outreach/resources/learn/ipv4space/ -- broken

IP Address Utilization (‘06)
http://xkcd.com/195/

IP Address Utilization (‘06)
http://www.isi.edu/ant/address/browse/index.html

Outline
• NAT
• IPv6
• Tunneling and VPNs

Altering the Addressing Model
• Original IP Model
• Every host has a unique IP address
• Implications
• Any host can find any other host
• Any host can communicate with any other host
• Any host can act as a server
• Just need to know host ID and port number
• No Secrecy or Authentication
• Packet traffic observable by routers and by LAN-connected hosts
• Possible to forge packets
• Use invalid source address

Private Network Accessing Public Internet
• Don’t have enough IP addresses for every host in organization
• Security
• Don’t want every machine in organization known to outside world
• Want to control or monitor traffic in / out of organization
Figure: Internet – NAT – Corporation X (W: Workstation, S: Server Machine)

Reducing IP Addresses
• Most machines within organization are used by individuals
• “Workstations”
• For most applications, act as clients
• Small number of machines act as servers for entire organization
• E.g., mail server
• All traffic to outside passes through firewall
(Most) machines within organization don’t need actual IP addresses!

Network Address Translation (NAT)
• Within Organization
• Assign every host an unregistered IP address
• IP addresses 10/8 & 192.168/16 unassigned
• Route within organization by IP protocol
• Firewall
• Doesn’t let any packets from internal node escape
• Outside world doesn’t need to know about internal addresses
Figure: Corporation X workstations 10.1.1.1, 10.2.2.2, 10.3.3.3 behind the NAT

NAT: Opening Client Connection
• Client 10.2.2.2 wants to connect to server 198.2.4.5:80
• OS assigns ephemeral port (1000)
• Connection request intercepted by firewall
• Maps client to port of firewall (5000)
• Creates NAT table entry
Figure: W 10.2.2.2:1000 – NAT 243.4.4.4 – Internet – S 198.2.4.5:80 (firewall has valid IP address!)
NAT table:
  Int Addr   Int Port   NAT Port
  10.2.2.2   1000       5000

NAT: Client Request
• Firewall acts as proxy for client
• Intercepts message from client and marks itself as sender
Inside (NAT internal address 10.5.5.5): source 10.2.2.2, dest 198.2.4.5, src port 1000, dest port 80
Outside: source 243.4.4.4, dest 198.2.4.5, src port 5000, dest port 80
NAT table:
  Int Addr   Int Port   NAT Port
  10.2.2.2   1000       5000

NAT: Server Response
• Firewall acts as proxy for client
• Acts as destination for server messages
• Relabels destination to local addresses
Outside: source 198.2.4.5, dest 243.4.4.4, src port 80, dest port 5000
Inside: source 198.2.4.5, dest 10.2.2.2, src port 80, dest port 1000
NAT table:
  Int Addr   Int Port   NAT Port
  10.2.2.2   1000       5000

NAT: Enabling Servers
• Use port mapping to make servers available
• Manually configure NAT table to include entry for well-known port
• External users give address 243.4.4.4:80
• Requests forwarded to server
Figure: C (Remote Client) 198.2.4.5 – Internet – NAT 243.4.4.4 – S (Server) 10.3.3.3 (firewall has valid IP address!)
NAT table:
  Int Addr   Int Port   NAT Port
  10.3.3.3   80         80

Properties of Firewalls with NAT
• Advantages
• Hides IP addresses used in internal network
• Easy to change ISP: only NAT box needs to have IP address
• Fewer registered IP addresses required
• Basic protection against remote attack
• Does not expose internal structure to outside world
• Can control what packets come in and out of system
• Can reliably determine whether packet from inside or outside
• Disadvantages
• Contrary to the “open addressing” scheme envisioned for IP addressing
• Hard to support peer-to-peer applications
• Why do so many machines want to serve port 1214?

NAT Considerations
• NAT has to be consistent during a session.
• Set up mapping at the beginning of a session and maintain it during the session
• Recall 2nd level goal 1 of Internet: Continue despite loss of networks or gateways
• What happens if your NAT reboots?
• Recycle the mapping at the end of the session
• May be hard to detect
• NAT only works for certain applications.
• Some applications (e.g. ftp) pass IP information in payload
• Need application level gateways to do a matching translation
• Breaks a lot of applications.
• Example: Let’s look at FTP
• NAT is loved and hated
- Breaks many apps (FTP)
- Inhibits deployment of new applications like p2p (but so do firewalls!)
+ Little NAT boxes make home networking simple.
+ Saves addresses. Makes allocation simple.

Outline
• NAT •
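Added example, not code from the lecture: a minimal model of the NAT table walked through in the slides above (client 10.2.2.2:1000 mapped to firewall port 5000 on 243.4.4.4, a manually configured entry for the server 10.3.3.3:80, and the loss of dynamic mappings on reboot). The Packet and Nat names are assumptions for illustration; the translator rewrites headers only, which is exactly why applications that carry addresses in their payload (FTP) need an application level gateway.

```python
from dataclasses import dataclass

PUBLIC_IP = "243.4.4.4"  # the firewall's registered address from the slides


@dataclass(frozen=True)
class Packet:
    """Only the header fields the NAT rewrites; the payload is untouched."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Hypothetical NAT box modelled on the lecture's table (Int Addr, Int Port, NAT Port)."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=5000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (Int Addr, Int Port) -> NAT Port
        self.reverse = {}  # NAT Port -> (Int Addr, Int Port)

    def add_port_mapping(self, int_addr, int_port, nat_port):
        # Manually configured entry so an internal server is reachable on a well-known port
        self.table[(int_addr, int_port)] = nat_port
        self.reverse[nat_port] = (int_addr, int_port)

    def outbound(self, pkt):
        # Create the table entry on first use, then reuse it for the rest of the session
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            while self.next_port in self.reverse:  # never collide with a static mapping
                self.next_port += 1
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        # Only packets that match a table entry get in; anything unsolicited is dropped (None)
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.reverse:
            return None
        int_addr, int_port = self.reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, int_addr, int_port)

    def reboot(self):
        # The table lives in memory only: a reboot silently loses every dynamic mapping,
        # so the server's later responses are dropped and the client cannot tell why
        self.table.clear()
        self.reverse.clear()
```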